Determining the MySQL injection type: method and principle (with the SQL statements that actually get executed)


When performing SQL injection, once the injection point has been found, the first thing to do is to determine the injection type. There are two types: numeric and string (character). The type decides how the injected payload has to close the original query, so the injection can only continue once it is known.

The following method applies when the page echoes query data. If the page only changes but echoes no data, Boolean-based blind injection is needed; if the page does not change at all, time-based blind injection is needed to make the judgment. Boolean and time-based blind injection are not covered here; only the most basic case, with data echo, is described.

Conclusion

Keeping the following conclusions in mind, the injection type can be determined in three steps. The underlying principles are analysed later:

  1. Numeric or string: request ?id=1 and 1=2. If the page displays abnormally (the normal content disappears), the injection is numeric. If the page still displays normally, the injection is a string type, and the remaining steps are needed to find the quote character.
  2. Test which quote character encloses the value:
    • Single-quote test: request ?id=1' and observe the echo
    • Double-quote test: request ?id=1" and observe the echo
  3. Identify the quote: whichever quote produces an error message (while the other still returns data) is the quote enclosing the string. Use that quote to close the string and carry out the SQL injection.

Principle

1. Assuming numeric injection

After requesting ?id=33 and 1=2, the SQL statement becomes:

select * from cms_article where id=33 and 1=2;

The condition id=33 on its own finds the normal content, but once and 1=2 is appended the normal content is no longer displayed. This means the appended and 1=2 was parsed by MySQL as part of the WHERE clause: 1=2 is always false, so no row is returned. The display after requesting ?id=1 and 1=2 therefore tells us whether the injection is numeric (a control request with and 1=1, which should still return the content, rules out the page breaking for an unrelated reason). If it is not numeric, it must be a string injection, and the next step is to find out whether the string is enclosed in single or double quotes. One caveat: this test relies on the id column being numeric; if the parameter is compared against a string column, and 1=2 inside the quotes is simply part of the literal, no row matches, and the page looks abnormal even though the injection is a string type.

2. Assuming double-quote string injection

1. After we request ?id=33' (the single-quote test), the SQL statement becomes:

select * from cms_article where id="33'";

[Screenshot: query result for id="33'", image not reproduced]

The result shows that MySQL returned the row for id 33 as if the single quote had never been entered. Replacing the single quote with other punctuation marks gives the same outcome: the data is still found.

The reason is implicit type conversion. The id column is an integer, so when it is compared with the string literal "33'", MySQL converts the string to a number first. That conversion takes the leading numeric prefix of the string and drops whatever follows (MySQL reports a warning such as Truncated incorrect DOUBLE value), so "33'" is compared as 33 and the row is found. MySQL has not stripped our quote from the query; the quote sits inside a string literal, where it is just data. If the query condition is numeric instead, the quote is outside any literal, and MySQL reports a syntax error, as shown in the figure:

[Screenshot: syntax error for the numeric case, image not reproduced]

This difference is what lets us tell string injection apart from numeric injection.

2. After we request ?id=33" (the double-quote test), the SQL statement becomes:

select * from cms_article where id="33"";

The double quote we entered closes the opening quote of the literal, leaving a stray, unterminated quote behind it, so MySQL reports a syntax error, as shown below:

[Screenshot: syntax error for id="33"", image not reproduced]

Final conclusion: once we have determined that the injection is a string type, if a double quote causes an error (and a single quote does not), the string is enclosed in double quotes.

3. The single-quote case works exactly like the double-quote case, with the roles of the two quote characters swapped: ?id=33" is absorbed into the literal '33"' and converted to 33, so the page displays normally, while ?id=33' breaks the literal and causes a syntax error.
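To make the three-step rule in the conclusion and the conversion behaviour explained in the principle section concrete, here is an added Python example (written for this page; it is not code from the original article or from the application it tests). It assumes three hypothetical ways a vulnerable application might splice the id parameter into the page's cms_article query, renders each probe exactly as the application would, and models MySQL's evaluation just far enough to reproduce the page's observations: an INT column compared with a string literal uses the string's leading numeric prefix, an unterminated quote is a syntax error, and and 1=2 after a bare number yields no row. The leading_number, apply_tail, mysql_eval and classify helpers and the and 1=1 control probe are all assumptions of this example, not part of the original page.

```python
import re

# Constructed example: three hypothetical ways a vulnerable application might
# splice the id parameter into the page's query (cms_article is the page's
# table name; the templates themselves are assumptions, not the page's app code).
TEMPLATES = {
    "numeric": "select * from cms_article where id={v};",
    "single":  "select * from cms_article where id='{v}';",
    "double":  'select * from cms_article where id="{v}";',
}
TARGET_ID = 33  # the article id that exists and is displayed normally


def render(template, value):
    """Splice the raw request value into the query, exactly as the vulnerable app would."""
    return template.format(v=value)


def leading_number(s):
    """Model MySQL's string-to-number cast used when a string is compared with an INT
    column: the leading numeric prefix is used and the rest is dropped (MySQL warns
    'Truncated incorrect DOUBLE value'); a string with no numeric prefix becomes 0."""
    m = re.match(r"\s*[+-]?\d+(\.\d+)?", s)
    return float(m.group()) if m else 0.0


def apply_tail(matched, tail):
    """Evaluate what follows the id value. This small model only understands an empty
    tail and `and N=M`; anything else (a stray quote, for example) is a syntax error."""
    tail = tail.strip().lower()
    if tail == "":
        return "normal" if matched else "empty"
    m = re.fullmatch(r"and\s+(\d+)\s*=\s*(\d+)", tail)
    if m:
        return "normal" if matched and m.group(1) == m.group(2) else "empty"
    return "error"


def mysql_eval(sql):
    """Return 'normal' (row found), 'empty' (no row) or 'error' (syntax error) for a
    rendered `select ... where id=<expr>;` query against an INT id column."""
    expr = sql.rstrip(";").split("where id=", 1)[1]
    if expr[:1] in ("'", '"'):
        q = expr[0]
        chars, i = [], 1
        while i < len(expr):
            if expr[i] == q:
                if expr[i + 1:i + 2] == q:      # a doubled quote is an escaped quote
                    chars.append(q)
                    i += 2
                    continue
                break                           # closing quote found
            chars.append(expr[i])
            i += 1
        else:
            return "error"                      # unterminated string literal
        literal, tail = "".join(chars), expr[i + 1:]
        matched = leading_number(literal) == TARGET_ID
    else:
        m = re.match(r"\d+", expr)
        if not m:
            return "error"
        matched, tail = int(m.group()) == TARGET_ID, expr[m.end():]
    return apply_tail(matched, tail)


PROBES = {
    "and 1=1": f"{TARGET_ID} and 1=1",   # control: must stay normal for a numeric context
    "and 1=2": f"{TARGET_ID} and 1=2",   # step 1 of the page's method
    "'":       f"{TARGET_ID}'",          # step 2, single-quote test
    '"':       f'{TARGET_ID}"',          # step 2, double-quote test
}


def classify(template):
    """Run the page's probes against one template and apply its three-step rule."""
    r = {name: mysql_eval(render(template, value)) for name, value in PROBES.items()}
    if r["and 1=1"] == "normal" and r["and 1=2"] == "empty":
        kind = "numeric"
    elif r["'"] == "error" and r['"'] == "normal":
        kind = "single-quote string"
    elif r['"'] == "error" and r["'"] == "normal":
        kind = "double-quote string"
    else:
        kind = "undetermined"
    return kind, r


if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        kind, results = classify(template)
        print(f"{name:8s} -> {kind}")
        for probe, value in PROBES.items():
            print(f"    {render(template, value):55s} {results[probe]}")
```

Running the script prints, for each template, the rendered statement of every probe next to the outcome the model predicts, and the classification the three-step rule derives from them. The model is deliberately minimal; to confirm the conversion behaviour on a real server, paste the rendered statements into a MySQL client and run SHOW WARNINGS after the quoted-string cases, which is where the truncation warning appears.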


Source: blog.csdn.net/weixin_46367450/article/details/132470165