sqli-labs: SQL injection basics

Injection classification

Based on the response received from the server

  • Error-based SQL injection
  • Union-query SQL injection
  • Stacked-query SQL injection
  • Blind SQL injection

      • Boolean-based blind SQL injection

      • Time-based blind SQL injection

      • Error-based blind SQL injection

Based on how the input is processed (the data type of the injected value)

  • string based
  • number or integer based

Based on injection order (where the impact occurs)

  • First-order injection
  • Second-order injection

First-order injection means the injected input acts on the web application directly and the result is visible immediately.

Second-order injection is similar to stored XSS: the submitted input does not affect the web application directly, but is stored and later causes harm indirectly, through some other operation that reuses it. This is called second-order injection.

Based on the location of the injection point

  • Injection of form fields via user input
  • Injection via Cookie
  • Injection via server variables (header-based injection)

System functions

Commonly used functions for database injection

  • version() - database version information
  • user() - database user name
  • database() - current database name
  • @@datadir - database data directory path
  • @@version_compile_os - OS version

String concatenation functions

  • concat(str1,str2,...) - concatenate strings with no delimiter
  • concat_ws(separator,str1,str2,...) - concatenate strings with a separator
  • group_concat(str1,str2,...) - concatenate all rows of a group into one string, separating rows with a comma

Reference: https://blog.csdn.net/Fly_hps/article/details/80223915

Statements commonly tried first

or 1=1--+
'or 1=1--+
"or 1=1--+
)or 1=1--+
')or 1=1--+
") or 1=1--+
"))or 1=1--+
The typical back-end code is:

$id=$_GET['id'];

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Two points matter here:

One is closing the preceding ', the other is dealing with the trailing '. There are generally two approaches: balance the quotation marks, or comment out the rest of the query using --+ or # (%23).

Introduction to the union operator

The UNION operator combines the result sets of two or more SELECT statements. Note that the SELECT statements inside a UNION must have the same number of columns. The columns must also have the same data type, and the columns must be in the same order in each SELECT statement.

SQL union syntax:

SELECT column_name(s) FROM table_name1
UNION
SELECT column_name(s) FROM table_name2
Note: By default, the UNION operator returns only distinct values. If duplicate values are allowed, use UNION ALL.
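Added example (not from the original post or from sqli-labs): the $id lookup above rebuilt in Python against an in-memory SQLite table, once by pasting the input into the SQL text as the PHP does and once as a parameterized query, together with the UNION column-count rule just stated. The table contents and function names are constructed for this example; it uses `--` rather than `--+` because there is no URL-decoding step in between.

```python
import sqlite3

# Constructed sample table; the rows are made up for this example.
ROWS = [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_input):
    # Same shape as $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1":
    # the input is spliced into the SQL text, so a quote inside it closes
    # the string literal and the remainder is parsed as SQL.
    sql = f"SELECT * FROM users WHERE id='{user_input}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_input):
    # Parameterized query: the input is bound as a value after parsing, so
    # quotes, comments and UNION inside it are just characters of the value.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_input,)).fetchall()


def run_vulnerable(conn, user_input):
    # Returns ("ok", rows) or ("error", message). A UNION whose two SELECTs
    # differ in column count is rejected by the parser, as described above.
    try:
        return ("ok", vulnerable_lookup(conn, user_input))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))                       # one row
    print(vulnerable_lookup(db, "1' or 1=1--"))             # every row: LIMIT is commented out
    print(safe_lookup(db, "1' or 1=1--"))                   # []: the whole string is compared to id
    print(run_vulnerable(db, "-1' union select 1,2--"))     # error: 2 columns against 3
    print(run_vulnerable(db, "-1' union select 1,2,3--"))   # ok: [(1, 2, 3)]
```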

Injection process

Enumerate the databases
select schema_name from information_schema.schemata

Enumerate the tables of a database
select table_name from information_schema.tables where table_schema='xxxxx'

Enumerate all columns of a table
Select column_name from information_schema.columns where table_name='xxxxx'

Read the content of the columns
Select *** from ****

Origin http://43.154.161.224:23101/article/api/json?id=325693725&siteId=291194637