Foreword
Extracting part of a string is a common need in SQL injection. For example, when an injection returns no output it becomes a blind injection, and the data usually has to be guessed one character at a time, which requires truncating the string. This article lists three functions for doing so and some use cases for them in the injection process.
Three major functions: mid(), substr(), left()
mid() function
The mid() function extracts part of a string. Syntax: mid(column_name,start,length)
| Parameter | Description |
| --- | --- |
| column_name | Required. The field to extract characters from. |
| start | Required. Specifies the starting position (the starting value is 1). |
| length | Optional. The number of characters to return. If omitted, the MID() function returns the remaining text. |
For example, with str="123", mid(str,2,1) returns 2.
Use cases in practice:
(1) MID(DATABASE(),1,1)>'a' checks the first character of the database name, MID(DATABASE(),2,1) checks the second character, and so on for each character in turn.
(2) MID((SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0xxxxxxx LIMIT 0,1),1,1)>'a' Here the column_name parameter can itself be a SQL statement, so you can construct your own SQL statement for the injection.
substr(), substring() functions
The substr() and substring() functions do the same thing: both extract part of a string.
string substring(string, start, length)
string substr(string, start, length)
The parameters are the same as for the mid() function: the first parameter is the string to process, start is the starting position, and length is the number of characters to extract.
Use cases in practice:
(1) substr(DATABASE(),1,1)>'a' checks the first character of the database name, substr(DATABASE(),2,1) checks the second character, and so on for each character in turn.
(2) substr((SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0xxxxxxx LIMIT 0,1),1,1)>'a' Here the string parameter can itself be a SQL statement, so you can construct your own SQL statement for the injection.
left() function
left() returns the specified number of characters from the left end of a string.
Syntax: left(string, n), where string is the string to extract from and n is the number of characters.
Use cases in practice:
(1) left(database(), 1)>'a' checks the first character of the database name, and left(database(), 2)>'ab' checks the first two characters.
(2) Likewise, string can be a SQL statement you construct yourself.
ord() function
The ord() function returns the ASCII code of the first character of its argument and is often combined with the functions above.
For example, ORD(MID(DATABASE(),1,1))>114 tests whether the ASCII code of the first character of database() is greater than 114, which is 'r'.
I won't go into more detail here; more will be provided one by one in the subsequent tests!
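A detection-side view of the expressions listed above, as an added example that is not part of the original article: the Python code below flags requests in which mid(), substr(), substring() or left() (optionally wrapped in ord()) is compared against a literal, and counts such requests per source, since character-by-character guessing produces many of them. The log format, function names, threshold and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# One of the article's substring functions, whose last argument is a number,
# followed by a comparison against a quoted literal or a number. An enclosing
# ORD(...) only adds a closing parenthesis, which `\)+` absorbs.
PROBE = re.compile(
    r"\b(?:mid|substr|substring|left)\s*\("   # function call opens
    r".*?,\s*\d+\s*\)+"                       # numeric last argument, call closes
    r"\s*(?:<=|>=|<>|!=|[<>=])\s*"            # comparison operator
    r"(?:'[^']*'|\d+)",                       # literal being compared against
    re.IGNORECASE | re.DOTALL,
)

def is_probe(raw_query: str) -> bool:
    """True if a (URL-encoded) request contains a substring comparison."""
    return PROBE.search(unquote_plus(raw_query)) is not None

def noisy_sources(log_lines, threshold=3):
    """Return {source: probe_count} for sources with >= threshold probes."""
    hits = Counter()
    for line in log_lines:
        # Assumed log format: "<source> <request line>"
        source, _, request = line.partition(" ")
        if is_probe(request):
            hits[source] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "203.0.113.7 GET /item?id=1+AND+MID(DATABASE(),1,1)%3E'a'",
    "203.0.113.7 GET /item?id=1+AND+substr(DATABASE(),2,1)%3E'a'",
    "203.0.113.7 GET /item?id=1+AND+ORD(MID(DATABASE(),1,1))%3E114",
    "203.0.113.7 GET /item?id=1+AND+left(database(),+2)%3E'ab'",
    "198.51.100.4 GET /search?q=turn+left+(at+the+light)",   # benign text
    "198.51.100.4 GET /report?expr=substr(title,1,20)",      # no comparison
]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))
```

Pattern matching of this kind is a monitoring signal only; the fix for the underlying flaw remains parameterized queries.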