Explanation and utilization of various types of SQL injection (2)

3. Common Website Architecture

The database type can usually be inferred from the common architectures:

asp + access

asp + mssql

asp.net + mssql

php + mysql

Jsp + oracle

Jsp + mysql

The specific combination in use must be confirmed with scanning tools, or from the default error messages the website returns.

4. Obtain information and escalate rights

Once an injection point has been confirmed, the most direct way to read the contents of the database is to use UNION.

UNION injection

UNION is one of the operators database administrators use most often, and one that an injected query can control.

It concatenates the result sets of two or more SELECT statements.

Its basic syntax is as follows:

SELECT column1,column2,column3,…,columnN FROM table1

UNION

SELECT column1,column2,column3,…,columnN FROM table2

If the application returns the data from the first (original) query,
then by injecting a UNION operator after the first query and appending another arbitrary query, the injector can read any table that the database user has permission to access.

Of course, such a useful statement has its limitations.

Rules for retrieving data with UNION:
the two SELECT queries must return the same number of columns, and the corresponding columns returned by the two statements must be of the same or compatible types.

Usually it can be guessed and used quickly only when the injection can terminate the original query; otherwise it is more convenient to work within the original SQL statement.

UNION statement construction

Example:

0x01 Determine the number of columns:

UNION SELECT null,null,null,…,null FROM dual

Gradually increase the number of null values until it matches the number of columns in the original statement; the page renders normally once the counts match.

This relies on the rule that the two queries must return the same number of columns.

ORDER BY can also be used to determine the number of columns in the original statement; a binary search over the column index improves guessing efficiency.

0x02 Determine the column type:

UNION SELECT 1,'2',null,…,null FROM dual

Here the first column is first guessed to be numeric; if the returned result is an error, the column is judged to be a character type.

If it is still an error, leave the column as null (it may be a binary type), then determine some or all of the remaining column types in turn.
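The following script is an added example, not code from the original post: it builds a small in-memory SQLite database with a constructed schema (the `products` and `users` tables and their columns are assumptions for the demo) and contrasts a lookup that splices the request parameter into the SQL text with one that binds it as a parameter. It also shows the engine enforcing the column-count rule stated above, which is why the null-counting step is needed before a UNION succeeds.

```python
import sqlite3

def make_db():
    """Constructed demo database: the product table a page queries, plus an
    unrelated table the same database user can also read."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.5), (2, 'gadget', 12.0);
        CREATE TABLE users(id INTEGER, login TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.org');
    """)
    return db

def lookup_vulnerable(db, product_id):
    """The request parameter is spliced into the SQL text, so anything after
    the value (for instance a UNION clause) becomes part of the query."""
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, product_id):
    """The parameter is bound, so the engine only ever sees one literal
    compared against id; the structure of the SQL cannot change."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return db.execute(sql, (product_id,)).fetchall()

def try_lookup(lookup, db, value):
    """Run a lookup and report (rows, error) so the caller can tell whether
    the engine accepted the query, rejected it, or simply found no match."""
    try:
        return lookup(db, value), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)

if __name__ == "__main__":
    db = make_db()
    union_same = "1 UNION SELECT id, login, email FROM users"  # same column count
    union_short = "1 UNION SELECT login, email FROM users"     # column count differs
    for name, func in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        for value in ("1", union_same, union_short):
            rows, err = try_lookup(func, db, value)
            print(f"{name:10} {value!r:45} -> {rows if err is None else err}")
```

With the spliced query the three-column UNION returns the users row alongside the product, the two-column UNION is rejected by the engine with a column-count error, and the bound-parameter version returns no row for either input because the whole string is compared against `id` as a literal.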


Of course, every approach has situations in which it does not apply.

Cases where UNION does not apply:

The injection point cannot terminate the original query, and the complete SQL statement issued by the web application is unknown.

The page runs two SQL query statements, and the number of columns in each query differs.


Origin http://43.154.161.224:23101/article/api/json?id=325742871&siteId=291194637