3. Common Website Architecture
Database
The database type can usually be inferred from the common architecture combinations:
asp + access
asp + mssql
asp.net + mssql
php + mysql
jsp + oracle
jsp + mysql
The specific database has to be confirmed with scanning tools, or from the default error messages the website returns.
4. Obtain information and escalate rights
Once a certain point is known to be injectable, the most direct way to read the contents of the database is UNION injection.
UNION is one of the operators database administrators use most often: it concatenates the result sets of two or more SELECT statements.
Its basic syntax is as follows:
SELECT column1,column2,column3,...,columnN FROM table1
UNION
SELECT column1,column2,column3,...,columnN FROM table2
If the application returns the data from the first (original) query, then injecting a UNION operator after the first query and appending another arbitrary query allows reading any table that the database user has permission to access.
Of course, such a useful statement has limitations.
Rules for using UNION to get data:
- The number of columns returned by the two SELECT queries must be the same, and the corresponding columns returned by the two statements must be of the same or compatible types.
Usually it can be guessed and used quickly only when the injection terminates the original statement; otherwise it is more convenient to construct the UNION statement on top of the original SQL statement.
Example:
0x01 Determine the number of columns:
UNION SELECT null,null,null,...,null FROM dual
Gradually increase the number of null values until it matches the number of columns in the original statement; when the match succeeds, the page returns normally.
This relies on the principle that the number of columns returned by the two queries must be the same.
ORDER BY can also be used to determine the number of columns in the original statement, and a halving (binary) search improves guessing efficiency.
0x02 Determine the column types:
UNION SELECT 1,'2',null,...,null FROM dual
Here the first column is first guessed to be a number; if the returned result is incorrect, it is judged to be a character type.
If it is still incorrect, leave it as null (it may be a binary type), and then complete the judgment of some or all of the remaining columns in turn.
Of course, there are situations in which this approach does not apply.
Cases where UNION does not apply:
- The injection statement cannot be truncated, and the complete SQL query statement is unknown.
- The web page runs two SQL query statements, and the number of columns in the query statements differs.
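As an added defensive example (not from the original text), the following Python script scans web-server access-log lines for the column-count probing described above, i.e. ORDER BY guesses and UNION SELECT lists padded with null, and flags clients that issue several such probes, reporting which column count first produced a normal page. The log lines, IP addresses, URL path and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page): client 10.0.0.7 guesses
# the column count with ORDER BY, pads UNION SELECT with nulls until HTTP 200, then probes types.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=3+ORDER+BY+4 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=3+ORDER+BY+8 HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=3+UNION+SELECT+null,null,null+FROM+dual HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=3+UNION+SELECT+null,null,null,null+FROM+dual HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /item.php?id=3%20UNION%20SELECT%201,%272%27,null,null%20FROM%20dual HTTP/1.1" 200 530
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r'\border\s+by\s+(\d+)', re.IGNORECASE)
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\s+(.+?)(?:\s+from\b|$)', re.IGNORECASE)

def column_probe(url):
    """Return ("order_by", n) or ("union", n) if the URL-decoded request carries a
    column-count probe with n columns, else None (comma split is deliberately naive)."""
    query = unquote_plus(url)
    m = ORDER_BY_RE.search(query)
    if m:
        return ("order_by", int(m.group(1)))
    m = UNION_RE.search(query)
    if m:
        return ("union", len(m.group(1).split(",")))
    return None

def detect_probing(log_text, min_probes=3):
    """Group probes per client IP and flag clients with min_probes or more; report the
    counts tried and the first UNION probe that got a 200, i.e. the count likely found."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        probe = column_probe(m.group("url"))
        if probe:
            by_ip[m.group("ip")].append((probe[0], probe[1], int(m.group("status"))))
    alerts = {}
    for ip, probes in by_ip.items():
        if len(probes) < min_probes:
            continue  # a single ORDER BY in a URL is not evidence on its own
        ok = [n for kind, n, status in probes if kind == "union" and status == 200]
        alerts[ip] = {"probes": len(probes), "column_counts": sorted({n for _, n, _ in probes}),
                      "likely_columns": ok[0] if ok else None}
    return alerts
```

Because the column-count sequence shows up in the request URLs rather than in the database, this check works on ordinary access logs even when the application swallows the SQL error.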