Key points when judging injection points
- Determine whether the target URL is vulnerable to SQL injection.
- If it is, determine which type of SQL injection it is.
TIPS: Any dynamic web page that takes parameters and accesses a database may have SQL injection.
Determine the SQL injection point
1. Classic single quotation mark judgment method
http://xxx/test.php?id=1' : if the page returns an error, there is SQL injection.
The reason is that for both character and integer types the statement reports an error, because the single quotes are unbalanced.
2. Determine the injection type
Usually SQL injection is divided into two types: numeric and character.
1. Numeric type:
The usual statement form is select * from <table name> where id = x. We usually construct "and 1=1" and "and 1=2" to determine whether there is an injection vulnerability.
Case:
2. Character type:
The usual statement form is select * from <table name> where id = 'x'. We usually construct "and '1'='1" and "and '1'='2" to determine whether there is an injection vulnerability.
Case:
Regression Testing
Enter t to query the data
Enter 1: no data is found
Construct the input t' and '1'='1
http://192.168.179.128/bWAPP/app/sqli_1.php?title=t' and '1' ='1 #&action=search
http://192.168.179.128/bWAPP/app/sqli_1.php?title=t%' and '1'='1' #&action=search
View SQL statement
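The checks above as an added example (not part of the original article and not bWAPP's code): a constructed SQLite table is queried once with the input concatenated into the character-type statement and once with the input bound as a parameter. The table name, column name and sample rows are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; the "movies" table and its rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO movies (title) VALUES (?)",
                   [("t",), ("Iron Man",), ("The Terminator",)])
    return db

def search_concat(db, title):
    # Vulnerable form: the input is pasted into "where title = 'x'".
    sql = "SELECT title FROM movies WHERE title = '" + title + "'"
    try:
        return sql, [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # Unbalanced quotes surface here as a database error.
        return sql, "SQL error: %s" % exc

def search_param(db, title):
    # Hardened form: the input is bound as data and never parsed as SQL.
    sql = "SELECT title FROM movies WHERE title = ?"
    return sql, [row[0] for row in db.execute(sql, (title,))]

def compare(db, inputs):
    # Map each input to (result of concatenated query, result of bound query).
    return {i: (search_concat(db, i)[1], search_param(db, i)[1]) for i in inputs}

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the checks described in the article.
    for value in ["t", "t'", "t' and '1'='1", "t' and '1'='2"]:
        sql, vulnerable = search_concat(db, value)
        _, bound = search_param(db, value)
        print(sql)
        print("    concatenated ->", vulnerable, "| bound parameter ->", bound)
```

With concatenation the three test inputs produce an error, a row and no row respectively, which is the behaviour the judgment method relies on; with a bound parameter all three are plain non-matching strings.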
For learning about the usage of SQL statements, you can refer to https://www.cnblogs.com/leeyongbard/p/9379255.html
Finish
The above is the method for judging SQL injection vulnerabilities. I hope it will be helpful for you to refer to in the future. You will become more proficient with more practice.