SQL injection detailed study notes

How SQL injection works and how to prevent it (see the previous article):

  https://www.cnblogs.com/KHZ521/p/12128364.html

(This chapter covers injection against the MySQL database.)

 

SQL injection classification:

  By injection technique:

    1. union (joint) injection

    2. Error-based injection

    3. Blind injection

      Boolean-based blind injection

      Time-based (delay) blind injection

  By injection position:

    GET injection

    POST injection

    Request-header injection

  By SQL statement type:

    Numeric injection

    Character (string) injection

 

SQL injection steps:

  1. Finding the injection point

    Where an injection point may exist: anywhere the application interacts with the database is a possible injection point.

    The injection point is usually probed through a GET parameter. For example, with ?id=1, assume the id parameter is carried into the back-end query and append a single quote: ?id=1' (note the single quote: the question is whether it reaches the database query unchanged).

?id=1'
// The single quote breaks the query and causes a database error (sometimes the value is closed with double quotes and a single quote produces no error; wherever an injection point might exist, just try it). If the page returned for ?id=1'
// is clearly different from the page for id=1, a potential injection point exists (of course, the request may also have been intercepted by a WAF).
// Assume the PHP SQL statement being queried is:
$sql = "select * from user where id='$id' limit 0,1";
If id=1 queries normally but adding a single quote (?id=1') produces an error, it is because the SQL statement becomes
select * from user where id='1'' limit 0,1
which is malformed SQL and raises a database exception.

 

  2. Determining numeric or character type

    The usual way to determine the type (%23 is the URL encoding of #, which starts a comment in SQL; %23 below stands for #): compare the results of 1' and 1=1%23 and 1' and 1=2%23.

// Assume the PHP SQL statement being queried is:
$sql = "select * from user where id='$id' limit 0,1";
Assuming the current id value is 1' and 1=1%23, the current SQL statement is
select * from user where id='1' and 1=1 #' limit 0,1
With the id value 1' and 1=2%23 the SQL statement becomes
select * from user where id='1' and 1=2 #' limit 0,1
Because and 1=1 is always true and and 1=2 is always false, the two pages differ; that confirms the single-quote closure of the character type and distinguishes true from false.

Note 1: select * from user where id="1' and 1=1 #" limit 0,1 shows why one test alone cannot determine the closing symbol: here the whole value is just a string, so the result is the same as querying id=1 directly.
Note 2: numeric type is determined the same way, with and 1=1 and and 1=2, but there is no closing symbol to match and no comment needs to be appended.
Example: $sql = "select * from user where id=$id limit 0,1"; set the passed id to 1 and 1=1 and then to 1 and 1=2; whether the two pages differ determines whether the type is numeric (no extra closing symbol exists, so no comment is needed).
Tip: when the character type cannot be verified with a comment, we can construct a special parameter that still displays normally: id=1' and '1'='1
so that the actual SQL statement is select * from user where id='1' and '1'='1' limit 0,1
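As an added example (not code from the notes), the following Python reproduces the probes from steps 1 and 2 against the notes' user query, once built by string interpolation exactly as in the PHP statement above and once with a bound parameter. It uses Python's sqlite3 as a stand-in for MySQL so it runs offline, which is why the probes end with the -- comment the notes also mention rather than # (SQLite has no # comment); the table name and rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the notes' MySQL `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user (id integer primary key, username text, password text)"
    )
    conn.executemany(
        "insert into user values (?, ?, ?)",
        [(1, "alice", "sample-pw-1"), (2, "bob", "sample-pw-2")],
    )
    return conn


def lookup_vulnerable(conn, id_value):
    """The notes' query built by string interpolation: whatever is in id_value
    becomes SQL text, so a quote or comment in it changes the statement."""
    sql = f"select * from user where id='{id_value}' limit 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_value):
    """Same query with a bound parameter: id_value is sent as data and never
    parsed as SQL, so 1' and 1=1-- is just a string that matches no id."""
    sql = "select * from user where id=? limit 0,1"
    return conn.execute(sql, (id_value,)).fetchall()


# The probes from steps 1 and 2 of the notes (-- used instead of # for SQLite).
PROBES = ("1", "1' and 1=1-- ", "1' and 1=2-- ", "1'")


def probe(lookup, conn):
    """Run each probe through `lookup` and record the row count, or "error"
    when the database rejects the statement (the step-1 symptom)."""
    outcome = {}
    for value in PROBES:
        try:
            outcome[value] = len(lookup(conn, value))
        except sqlite3.OperationalError:
            outcome[value] = "error"
    return outcome


if __name__ == "__main__":
    db = make_db()
    # Interpolated query: 1=1 keeps the row, 1=2 drops it, a lone quote errors.
    print("vulnerable:", probe(lookup_vulnerable, db))
    # Bound parameter: only the literal value "1" matches; nothing errors.
    print("safe:      ", probe(lookup_safe, db))
```

The interpolated version shows exactly the page-difference the notes rely on (a row for 1=1, none for 1=2, an error for the bare quote); the bound-parameter version returns the same empty result for every probe, which is why parameterised queries remove the injection point rather than merely hiding it.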

 

  Retrieving data:

   union (joint) injection:

    What union injection is: querying the database with a union query.

    Features: simple, the data is echoed directly in the page, efficient.

    Condition for using union: the two queries must have the same number of columns, so before using union you must first determine how many columns the current query has.

     If they do not match, there will be an error.

     Assuming the number of columns in the current query is unknown, we can determine it by using order by on the current query.

     If the specified column number is less than or equal to the current number of columns, the statement runs normally;

    if it is greater than the current number of columns, the database throws an exception. So by specifying which column to order by, we can determine the number of columns in the current query.

    

    Specific steps:

     1. Find the injection point: the single quote produces an error, proving the injection point exists.

     2. Determine the character-type closure:

      (1) try numeric type

       id=1 and 1=1

       id=1 and 1=2

         Compare with id=1: the page for id=1 and 1=1 is the same as for id=1; if the database executed and 1=2, the page is certainly different from id=1 and 1=1, and that difference means numeric type.

      (2) try a single quote

         id=1' and 1=1--+

         id=1' and 1=2%23

         This proves the closing symbol is a single quote.

     3. Determine the number of fields with order by:

      id=1' order by 4%23 does not give a normal page, so the number of fields is not 4

      id=1' order by 3%23 gives the normal result, so the table has 3 fields

     4. Determine the echo position of the data

      id=-1' union select 1,2,3%23   Why -1 is used here: when we query normally with id=1, the content from the database is returned as usual; -1 makes the first query return an empty result, and only when the first query's result is empty are our 1,2,3 displayed on the page. Sometimes id=1' and 1=2 can be used instead to make the query result empty.

      From this we can see that positions 2 and 3 display data.

     5. Query the data contents:

      (1) query the database name and version

      ?id=-1' union select 1,database(),version()%23

      (2) query the table names (limit can be used to control which table is returned)

      The tables found are 1.emails 2.referers 3.uagents 4.users (account and password information is probably stored in the users table)

      (3) query the column names

       The column names are 1.id 2.username 3.password

      (4) query the table contents

       With the table name and column names, the data can be queried directly from the table. (limit can also be used to control the number of rows displayed.)

       

 

 

Characteristics of error-based injection: (some people classify error-based injection as a form of blind injection)

  Before learning error-based injection, let's first learn a few SQL functions

    concat

    updatexml and ExtractValue

    efficiency function: group_concat

Principle of error-based injection:

  When the SQL statement has a syntax error, we can make the error message that is displayed carry the result we want.

    As long as the page shows detailed error information (clearly not a dedicated error page provided by the server, but the specific SQL syntax error printed out), error-based injection can be tried. For example:

   Constructing the injection statement:

    Make the statement that errors an XML syntax error of our own choosing (it works because the XML parser meets the special character 0x7e, which XML does not allow; 0x7e is the hexadecimal representation of ~. Of course, any string that does not exist in XML parsing can be used directly; just don't forget to add the quotes.)

       Don't ask why this error can display the database name; that is like asking why select can find data.

    

Blind injection:

  First let's learn the functions we need

    left(string, n): truncates the string, returning the first n characters counted from the left

    substr(string, start, length): takes a substring of the string

    mid(): same as substr

    ascii(character): converts the character to its ASCII code (case-sensitive)

    ord(): same as the ascii function

    length(): returns the length of the string

    count(): returns the number of fields

  Blind injection is generally done with tools (doing it by hand is too tedious), but everyone should still understand the principle of blind injection (sometimes the tool fails yet the injection point does exist, and there is no choice but to do it manually).
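Each stage of the procedure in these notes (the single-quote probe, and 1=1 / and 1=2, order by, union select, the updatexml/extractvalue functions of error-based injection and the string functions listed for blind injection) leaves a recognisable value in the web server's access log. As an added example, not from the notes, here is a small Python scanner that URL-decodes the query string of each request, labels which stage of the procedure the parameter value matches, and lists clients that walked through several stages. The log lines are constructed (Common Log Format, a hypothetical /index.php?id= parameter), and the patterns are my own, derived from the probes shown in the notes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not real traffic) replaying the probe sequence
# from the notes from one client, plus two benign requests from other clients.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?id=1' HTTP/1.1" 500 118
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?id=1'%20and%201=1%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?id=1'%20and%201=2%23 HTTP/1.1" 200 61
10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?id=1'%20order%20by%204%23 HTTP/1.1" 500 118
10.0.0.5 - - [01/Jan/2020:10:00:06 +0000] "GET /index.php?id=-1'%20union%20select%201,database(),version()%23 HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2020:10:00:08 +0000] "GET /search.php?q=O'Reilly HTTP/1.1" 200 900
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD URL PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per stage of the notes' procedure, applied to the decoded,
# lower-cased, whitespace-normalised parameter value.
STAGES = [
    ("quote-probe", re.compile(r"^-?\d+'\s*$")),                     # step 1: ?id=1'
    ("tautology", re.compile(r"'?\s*and\s+1\s*=\s*[12]\b")),         # step 2: and 1=1 / and 1=2
    ("order-by", re.compile(r"\border\s+by\s+\d+")),                  # step 3: column count
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),     # steps 4-5: echo/data
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(")),  # error-based section
    ("blind-funcs", re.compile(r"\b(substr|mid|left|ascii|ord|length)\s*\(")),  # blind section
]


def classify_value(value):
    """Return the list of stage names whose pattern matches one parameter value."""
    normalised = " ".join(value.lower().split())
    return [name for name, rx in STAGES if rx.search(normalised)]


def scan_log(text):
    """Return (findings, suspicious): findings is one dict per matching request,
    suspicious maps each client that exercised two or more stages to those stages."""
    findings = []
    stages_by_ip = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        # urlsplit keeps %23 encoded, so the '#' is not mistaken for a fragment;
        # parse_qsl splits on the first '=' only and URL-decodes the value.
        for name, value in parse_qsl(urlsplit(m["url"]).query):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": m["ip"], "param": name, "value": value,
                                 "stages": hits, "status": int(m["status"])})
                stages_by_ip[m["ip"]].update(hits)
    suspicious = {ip: sorted(s) for ip, s in stages_by_ip.items() if len(s) >= 2}
    return findings, suspicious


if __name__ == "__main__":
    found, clients = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['param']}={f['value']!r} -> {f['stages']} (HTTP {f['status']})")
    print("clients walking through several stages:", clients)
```

Correlating by client is the useful part: a single and 1=1 may be a false positive, but one address that goes from a bare quote to order by to union select within a few seconds is the manual procedure from these notes in progress, and the 500 responses on the quote and order-by probes are the same page-difference signal the notes use, seen from the server side.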

GET injection

POST injection

Request-header injection

Numeric injection

Character injection


Source: www.cnblogs.com/KHZ521/p/12129283.html