Web security test study notes - SQL injection using the concat function and updatexml

The MySQL database has two functions, concat and updatexml, that are often used together in SQL injection. This post studies how concat and updatexml work, then uses a worked example to explain the principle behind this kind of SQL injection.

The concat function is MySQL's string concatenation function, defined as follows:

First, verify the behaviour of the concat function:

select concat('m','y','s','q','l')

Verification result: as defined, concat joins the strings together.


If a SQL statement is placed inside concat, will it be executed?

select concat((select last_name from users limit 0,1))

Verification result: a SQL statement inside concat is executed (this is very important for the SQL injection later on).


select concat(0x7e,(select user()) ,0x7e)

Verification result: the hex values are also converted to ASCII automatically (0x7E is the ASCII ~ symbol).


Next, the updatexml function. Here is its description, found online:


Verify the function:

select updatexml(0,concat(0x7e,(select user()) ,0x7e)  ,0)

Verification result: the SQL statement injected through concat is executed, and updatexml then returns the result of that statement in the error message. You may ask: why not put the SQL statement into updatexml directly? I tried it and it does not work; the reason may be that the second argument of updatexml must be a string, so the string return value of concat is needed.


Next, the practical operation. Here is a site login request: if the user name is incorrect it returns Unknown user, and if the password is wrong it returns Invalid password.

Entering a single quote makes the database return an error that reveals the table name Admins, indicating that SQL injection is present:

Injecting with concat alone only returns Unknown user and yields no other useful information:

Combined with updatexml, the error message returns the database user root@localhost. At this point we should have a deeper understanding of how the concat and updatexml injection works: the SQL injection executes the statement inside concat, and updatexml then returns the statement's result through the error message:

Then look at which fields the admins table has:

Finally, query the user names and passwords in the admins table by id.


For this login page there is in fact a simpler SQL injection method, the universal password ^_^. With a universal password you can log in without knowing the user name and password, as follows:

So is updatexml still worth learning? Besides running select statements, updatexml can also run insert, delete and other statements ~ and a universal password does not necessarily log you in with admin rights.


A few thoughts:

1. As said before: be sure to filter input, and be sure to intercept and handle database exceptions and errors!!!

2. The combination of concat and updatexml is just one idea; for other types of databases, just look for two functions with similar functionality!
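As an added example that is not part of the original post: a login handler written the vulnerable way (string concatenation, raw database errors echoed back to the client, which is exactly the channel the updatexml trick relies on) next to a hardened version that follows point 1, using a parameterized query and a generic error message. It uses an in-memory SQLite table as a constructed stand-in for the site's admins table; SQLite has no updatexml, but the single-quote probe, the error leak and the fix behave the same way.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the post's admins table (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES (1, 'admin', 'secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input becomes part of the SQL,
    and the raw database error text is returned to the client."""
    sql = ("SELECT username FROM admins WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A single quote in the input breaks the syntax; echoing the error
        # hands the attacker the table/column names and query results.
        return "error: " + str(exc)
    return "ok" if row else "Invalid login"


def login_hardened(conn, username, password):
    """Parameterized query: the driver passes input as data, never as SQL.
    Database exceptions are caught and replaced by a generic message."""
    sql = "SELECT username FROM admins WHERE username=? AND password=?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error as exc:
        # Keep the detail for the server-side log; the client sees nothing.
        print("db error (logged, not shown to user): %r" % exc)
        return "Invalid login"
    return "ok" if row else "Invalid login"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))   # leaks the database error text
    print(login_hardened(db, "'", "x"))     # generic message only
    print(login_hardened(db, "admin", "secret"))  # ok
```

The hardened version also treats any quotes or SQL keywords in the input as literal characters of the user name, so there is no string to break out of.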


For reprints, please indicate the source; this is respect for the fruits of others' labour ~


Source: www.cnblogs.com/sallyzhang/p/12054596.html