A beginner's SQL primer

Mainly because I saw levixxxx write such profound things, and then looked at my own stuff and felt it was low-level and hard to understand, so I decided to...

First, understand CRUD

Databases and tables shouldn't need explaining.

1. insert into database.table (column 1, column 2 ...) values (value 1, value 2)

insert into 1.news values(3,'test','test',3)

- Strings must be wrapped in single quotes; numeric values are not.

2. select column 1, column 2 from database.table -- ("*" stands for all columns)

  • limit - syntax: limit (starting index, number of rows); generally placed at the end of the statement
  • select * from database.table -- query everything
  • select id, title from database.table -- query the "id" and "title" columns

3. delete from database.table where id = 3 -- delete the row where id = 3

4. update database.table set column 1 = value 1, column 2 = value 2 where condition

update news set type='2' where id=2 -- set "type" to 2 in the row where id = 2

The most basic query

select * from 1.news where username='admin' and password='test'

select * from 1.news where username=' ' or ' '=' ' and password='test'

select * from 1.news where username='' or 1=1#' and password='test'

- "--" and "#" are comment characters; they comment out everything after them.

  • As long as the logic goes through; pay attention to closing parentheses and single quotes, and check whether the provided source code already closes them
  • Universal password: a' or 'a'='a
  • union: joins data onto the result that you otherwise could not get (mentioned later; flexible to use)
  • order by (also mentioned later): used to determine the number of columns

SQL injection basics

What is SQL injection:

The parameters submitted by the user contain characters that become part of the SQL query, thereby changing its semantics so that the attacker obtains the data they want.

  • SQL injection is possible anywhere input reaches the query, such as referer, cookie, body, URL, etc.

    [Image: common injection tool process]

Types of SQL injection (classified by how data is obtained, since the injection approach differs):

1. Blind injection: determined by true/false logic

  • Principle: via ASCII codes (does not support Chinese): take a character with the substr function, convert it to its ASCII code, compare the size by binary search, then convert the ASCII codes back into data. For Chinese use the hex function (MySQL): convert the Chinese to hexadecimal, then convert it back.

2. Union injection: displays data directly on the page through a union query, for example:

union select username from admin

3. Error-based injection: uses the database's error messages for injection; add a ' and an error message is displayed; observe the error message and the like. (Requires a very high level to inject; anyway, I can't...)

4. Time-based (delay) injection: determined by the page's response time using the sleep function

What SQL injection can do:

1. Obtain (CRUD) database data

2. Read and write files

3. Execute operating system commands

How to determine whether an injection point exists:

Numeric type, character type, search type

A very important table you must keep in mind: information_schema.tables

The exists function determines whether a table exists:

exists(select 1 from information_schema.tables)
1. Numeric type:
  • true and false is false; true or false is true

    sql=select * from news where id=1 and 1=1
    sql=select * from news where id=1 order by 1

  • Use order by to judge how many columns there are (order by N sorts by the Nth column: if the page still displays normally the column exists, if not it does not; this is how the usage above is judged), then use union. Some programmers write their own order by, so you get the situation "xxxxxx order by N order by xxxx", which produces a syntax error and so on; judge each case on its own.

  • Some pages only display the first record of the query, so a false condition should be placed in front, such as id=1 and 1=2

  • Some uses of union are below:
    Determine the display positions
    Query the version in a display position
    Query table names
    Query all accounts and passwords, concatenating account and password

2. Character type:
sql=select * from news where type='xxx'

sql=select * from news where type='1' and '1'='1'

Apart from needing to close the quotes before and after the constructed syntax, it is the same as the numeric type. (The excess can be commented out with #)

How to decide whether it is numeric or character: first construct according to the numeric type.

Pseudo-static injection:

Returns 500/404 instead of a SQL error message.

Methods for determining pseudo-static injection:

1. The injection position is after the 1 in 1.html; similarly, determine whether it is numeric or character; the Super SQL Injection tool can mark the injection position.

2. For example, if the page is asd111.html, try constructing asd.php?id=111 or asd.asp?id=111, etc.

3. Remove .html and see whether the page is still normal.

3. Search type:
  • You must choose a keyword that exists in the data, otherwise no matter how you construct it no results will appear.

select * from news where title like '%xxxx%'

- the title contains this string anywhere: fuzzy query

select * from news where title like 'xxxx%'

- starts with xxxx, ends with any characters

select * from news where title like '%xxxx'

- starts with any characters, ends with xxxx

Closing construction: close according to the syntax itself; because %% with nothing in between matches any characters, everything will be displayed.

Example: because it is submitted by POST, you can comment with # directly; with GET, it must be URL-encoded, converting # to %23.
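As an added example (not from the original post), the search-type query above in Python with sqlite3: pasting the keyword into the LIKE pattern lets the input control both the wildcards and, through a quote, the rest of the WHERE clause, while binding the whole pattern as a parameter and escaping % and _ makes the input match literally. The news table and its rows are constructed here.

```python
import sqlite3


def make_news_db():
    # Constructed sample rows; titles 3 and 4 exercise the wildcard and break-out cases.
    con = sqlite3.connect(":memory:")
    con.execute("create table news(id integer, title text)")
    con.executemany("insert into news values(?, ?)",
                    [(1, "hello world"), (2, "world cup"), (3, "100% pure"), (4, "secret")])
    return con


def search_concat(con, keyword):
    # Vulnerable: like '%xxxx%' with the keyword pasted in; the user controls
    # the LIKE wildcards and, via a closing quote, the rest of the WHERE clause.
    sql = f"select title from news where title like '%{keyword}%' order by id"
    return [row[0] for row in con.execute(sql)]


def escape_like(text):
    # Neutralise LIKE metacharacters so user input matches literally.
    # Backslash first, because it is the escape character declared below.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_param(con, keyword):
    # Hardened: the whole pattern is a bound parameter, and % / _ inside the
    # keyword are escaped, so only the two outer % act as wildcards.
    sql = "select title from news where title like ? escape '\\' order by id"
    pattern = "%" + escape_like(keyword) + "%"
    return [row[0] for row in con.execute(sql, (pattern,))]


def demo():
    con = make_news_db()
    breakout = "x' or title='secret' or '"   # closes the quote and adds its own condition
    return {
        "concat_word": search_concat(con, "world"),
        "concat_empty": search_concat(con, ""),         # %% matches everything, as the text says
        "concat_wild": search_concat(con, "%"),         # a user-supplied wildcard also matches everything
        "concat_breakout": search_concat(con, breakout),
        "param_wild": search_param(con, "%"),           # escaped: only the title containing a literal %
        "param_breakout": search_param(con, breakout),  # a literal substring: matches nothing
    }
```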

Universal password:

select * from 1.news where username='admin' or 1=1# and password=''

Having learned the earlier material, this looks very simple: construct it according to the situation; usually you do not know the admin password.

  • admin' or 'a'='a

  • admin' or 1=1# (mysql)

  • admin' or 1=1-- (sqlserver)

  • admin' or 1=1;-- (sqlserver) ";" indicates multiple statements
    In front is an or condition, followed by another condition, so the account password does not need to be known.

  • Usually use the Super SQL Injection tool with packet capture to modify the request packet.

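As an added example (not part of the original post), the universal password from "The most basic query" and the list above, run against a login query built by string concatenation and against the parameterized form that defeats it. It uses Python's sqlite3 with a constructed users table; sqlite accepts -- but not # as a comment, so the -- variant from the list is used.

```python
import sqlite3


def make_db():
    # Constructed sample data: one admin row, standing in for the 1.news table.
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer, username text, password text)")
    con.execute("insert into users values(1, 'admin', 's3cret')")
    return con


def login_concat(con, username, password):
    # Vulnerable: input is pasted into the SQL text, exactly like
    #   select * from news where username='...' and password='...'
    # so a quote in the input closes the string and the rest becomes syntax.
    sql = f"select * from users where username='{username}' and password='{password}'"
    return con.execute(sql).fetchone() is not None


def login_param(con, username, password):
    # Hardened: placeholders send the values separately from the SQL text;
    # the quote and the "or" are just characters inside the compared string.
    sql = "select * from users where username=? and password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def demo():
    con = make_db()
    universal = "admin' or 'a'='a"   # the universal password from the text
    commented = "' or 1=1--"         # -- comments out the password check (MySQL also accepts #)
    return {
        "concat_real": login_concat(con, "admin", "s3cret"),
        "concat_universal": login_concat(con, universal, "wrong"),
        "concat_comment": login_concat(con, commented, "wrong"),
        "param_real": login_param(con, "admin", "s3cret"),
        "param_universal": login_param(con, universal, "wrong"),
        "param_comment": login_param(con, commented, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```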

Source: blog.csdn.net/m0_46230316/article/details/105290735