#Three elements of injection
A variable the user controls
The variable is carried into a database query and executed
The variable is not filtered, or the filtering is not strict
#SQL injection classification
There are two types of SQL injection point: numeric and character.
Numeric: when the input parameter is an integer it can usually be treated as a numeric injection (but not always); the query looks like
select * from databases.tables where id=1
Character: when the input parameter is a string, or is wrapped in single quotes ' or double quotes ", it is a character injection; the query looks like
select * from databases.tables where id="1"
How to tell whether an injection point is numeric or character
1. Judge with and 1=1 and and 1=2 (a numeric point usually receives a number, but receiving a number does not necessarily make it a numeric point)
Case presentation:
sqli-labs level 1 (judging whether it is numeric or character)
With and 1=2 appended the page still displays normally
sqli-labs level 2
With and 1=2 appended the page errors immediately and shows no data
When you find an injection point on a site (one without any filtering or protection), append and 1=2 to see why:
If the point is numeric, its query statement is probably
select * from databases.tables where id=3 and 1=2
The condition cannot hold, so the page returns an error or no data.
If it is a character query, the statement becomes
select * from databases.tables where id="3 and 1=2"
Because the value is wrapped in double quotes, the and inside it is not treated as a command.
Summary: in level 1 both and 1=1 and and 1=2 display the page normally, so it cannot be a numeric injection, i.e. it is a character injection.
In level 2, submitting and 1=2 makes the condition unsatisfiable, the database returns nothing, the page does not display normally, and it is judged to be a numeric injection.
2. Judge with "-"
Numeric demo:
Look at ?id=3
The page shows the name Dummy
Now request ?id=3-1
If the point is numeric it will query the row with id=2,
because 3-1=2
If the page content changes it is a numeric injection; if the page does not change it is a character injection
At this point the page content has changed:
Name: Angelina
So it is confirmed numeric
Character demo:
Confirm the name shown: Dummy
Enter 3-1
Page: Dummy
No change
So it is confirmed to be the character type
Summary: when you are not sure whether a point is numeric or character, judge with the "-" sign: a numeric point performs the calculation, so 3-1 is evaluated to 2, the query finds the id=2 row and returns it to the page, whereas a character point does not evaluate it
Note: it is best not to use the "+" sign, because a plus sign in a URL may be interpreted as a space
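The numeric-versus-character distinction above, as an added example that is not part of these notes: a Python script against an in-memory SQLite table (constructed here; the id/name rows only mirror the names seen in the demo, the table is not sqli-labs' schema, and the function names are my own). `vulnerable_numeric` drops the parameter bare into the WHERE clause, so `3-1` is evaluated as arithmetic and returns the id=2 row; `vulnerable_character` wraps it in quotes, so the same input is one string literal and no subtraction happens. One engine difference to keep in mind: MySQL silently casts `'3-1'` to 3 and keeps showing the id=3 row (the "no change" in the notes), whereas SQLite finds no matching row; in both engines nothing inside the quotes executes. `safe_lookup` is the hardened form: enforce the integer type, then bind the value as a parameter.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the notes' databases.tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")])
    return conn

def first_name(conn, sql, params=()):
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None

def vulnerable_numeric(conn, raw):
    # numeric injection point: the value lands bare in the WHERE clause,
    # so "3-1" is parsed as arithmetic and "3 and 1=2" as a condition
    return first_name(conn, f"SELECT name FROM users WHERE id={raw}")

def vulnerable_character(conn, raw):
    # character injection point: the application's own quotes turn the whole
    # value into one string literal, so "3-1" is never evaluated
    # (SQLite then finds no row; MySQL would cast '3-1' to 3 and still show Dummy)
    return first_name(conn, f"SELECT name FROM users WHERE id='{raw}'")

def probe(fn, conn, raw):
    """What a tester sees for one input: a name, None (no row) or 'error'."""
    try:
        return fn(conn, raw)
    except sqlite3.OperationalError:   # e.g. the unterminated quote left by "3'"
        return "error"

def safe_lookup(conn, raw):
    # hardened form: reject anything that is not an integer, then bind the
    # value as a parameter so it can never become part of the statement
    try:
        id_value = int(raw)
    except ValueError:
        return None
    return first_name(conn, "SELECT name FROM users WHERE id=?", (id_value,))

if __name__ == "__main__":
    conn = make_db()
    for raw in ("3", "3-1", "3 and 1=1", "3 and 1=2", "3'"):
        print(f"{raw!r:14} numeric={probe(vulnerable_numeric, conn, raw)!s:9}"
              f" character={probe(vulnerable_character, conn, raw)!s:9}"
              f" safe={safe_lookup(conn, raw)}")
```

Running it side by side shows the three behaviours the notes describe: the numeric point returns Angelina for `3-1` and nothing for `3 and 1=2`, the character point never evaluates the expression, and the hardened lookup returns a row only for a genuine integer.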
#Closure
1. Closing forms
' '' ') ") ')) "))
2. What closing does
Submit the closing symbol by hand to end the preceding part of the query statement, then append other statements; whatever the original query still expects afterwards, and anything else we do not need, can be commented out with a comment symbol
Suppose it is a character injection point
SQL statement: select * from databases.tables where id="3"
Without closing, the SQL statement we end up constructing is
SQL statement: select * from databases.tables where id="3 and 1=1"
Our injected statement cannot take effect this way, because it is wrapped inside the double quotes.
With closing:
SQL statement: select * from databases.tables where id="3" and 1=1 --+ "
The double quote before 3 and the one at the very end are the application's own; the double quote right after 3 is the one we entered, and it closes the application's string early.
The and 1=1 that follows can then be tested normally without interference, and the application's trailing double quote no longer matters because we have commented it out.
3. Comments
Comment symbols: "--+" "#" "%23" "/**/" "--%20"
Inline comment: /*! SQL statement */ is recognized only by MySQL and is often used to bypass a WAF
For example: select * from databases.tables where id=1
Using an inline comment: select * from databases.tables where id=-1 /*! union */ /*! select */ 1,2,3,4
Comment out: use a comment symbol to temporarily disable a block of the program.
To "comment out" a piece of code means to stop it running for now (rather than deleting it)
Case presentation:
sqli-labs level 1
Level 1 is a character injection; when we enter ' it reports an error
Guess its SQL statement:
select * from databases.tables where id='3''
We can comment out its own closing '
Guess the SQL statement:
select * from databases.tables where id='3' --+'
Only one ' single quote is now live
At this point we can write our own SQL behind it to determine whether there is an injection point
SQL statement:
select * from databases.tables where id='3' and 1=2 --+'
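The closing mechanism of this section, as an added example that is not part of these notes (Python against a constructed SQLite table; the table, the lookup by name and the function names are assumptions, not sqli-labs code). `build_vulnerable_sql` shows the statement the database actually receives once our quote has closed the application's own quote early, and the `--` comment then swallows the leftover closing quote. SQLite has no `#` comment and `--+` is only the URL spelling of `-- `, so `-- ` is used here. `safe_by_name` binds the same input as a parameter, so the quote and the comment stay inside the value as data.

```python
import sqlite3

def make_db():
    """Constructed in-memory table; not sqli-labs' own schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")])
    return conn

def build_vulnerable_sql(raw):
    # the application's own quotes wrap the value; the first ' inside `raw`
    # ends that string early and everything after it is parsed as SQL
    return f"SELECT id FROM users WHERE name='{raw}'"

def vulnerable_by_name(conn, raw):
    """Run the concatenated statement; returns the id, None (no row) or 'error'."""
    try:
        row = conn.execute(build_vulnerable_sql(raw)).fetchone()
    except sqlite3.OperationalError:
        return "error"      # the unmatched-quote error the notes describe
    return row[0] if row else None

def safe_by_name(conn, raw):
    # bound parameter: the driver never splices the value into the statement,
    # so a quote or comment sequence in it is just part of the name searched for
    row = conn.execute("SELECT id FROM users WHERE name=?", (raw,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    for raw in ("Dummy", "Dummy'", "Dummy' and 1=2 -- ", "Dummy' and 1=1 -- "):
        print(f"{build_vulnerable_sql(raw):60} -> {vulnerable_by_name(conn, raw)}"
              f"   (bound: {safe_by_name(conn, raw)})")
```

The four inputs reproduce the walkthrough: the plain name returns its row, the lone quote produces a database error, and once the quote is closed and the tail commented out the appended `and 1=2` / `and 1=1` decide whether a row comes back. The bound version returns a row only for the literal name.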
#Determine the closing method
1. Through the echoed error message
See https://mp.csdn.net/mp_blog/creation/success/129761719 for details
Just throw in a single quote, or just throw in a double quote
Take the error message out
Analyze the cause of the error
First, the outermost pair of single quotes in the message belong together: they are one pair
The next pair inside them is another pair
At the end only one single quote is left; it cannot find a partner, so the database reports an error
Because the original statement is ' '3' ' limit 0,1
The positions to the left and right of 3 are ' ': it is wrapped in single quotes, so it is confirmed to be the character type and is closed with a single quote
2. Judging the closing method when no error message is displayed (blind injection)
First confirm that the page is normal: id=1 displays normally
Throw in a single quote and the page breaks
Add --+ after ?id=1' to comment out whatever follows
Guess the original SQL statement: select * from databases.tables where id='1'
Guess the injected SQL statement: select * from databases.tables where id='1'--+'
The single quote we added deliberately breaks the statement (the extra quote has no partner, so the database cannot run it) and the page is "false".
The page is "true" again once we remove the single quote, or keep it and comment out the leftover closing quote with --+, which confirms that the parameter is closed with '.
In practice you can only try the candidate closures one by one. For example, test statements:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
http://127.0.0.1/sqli-labs-master/Less-8/?id=1"
http://127.0.0.1/sqli-labs-master/Less-8/?id=1')
http://127.0.0.1/sqli-labs-master/Less-8/?id=1")
See which one produces an error, then test that form separately, for example
http://127.0.0.1/sqli-labs-master/Less-8/?id=1') --+
Use --+ to comment out the rest and see whether the page displays normally. If it does, the closure is confirmed to be
('1')
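A defender's counterpart to the closure probes listed in this section and the comment sequences of the previous one, as an added example that is not part of these notes: a Python scanner over web-server access-log lines that flags the request patterns the notes describe, namely a bare or parenthesised quote right after the parameter value, comment sequences (`--+`, `#`/`%23`, `/**/`), the MySQL inline comment `/*!`, `and 1=1` / `and 1=2` tests, the `3-1` arithmetic test and `union ... select`. The log lines are constructed for the example, the rule names are my own, and only the Python standard library is used. Values are URL-decoded before matching (`parse_qsl` turns `--+` into `-- ` and `%27` into `'`), because that is the form the database would see.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic); the query strings mirror the
# closure probes, comment sequences and arithmetic test described in the notes.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs-master/Less-8/?id=1%27 HTTP/1.1" 200 310
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%29+--+ HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs-master/Less-1/?id=3-1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs-master/Less-1/?id=1+and+1%3D2+--+ HTTP/1.1" 200 310
127.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli-labs-master/Less-1/?id=-1+/*!union*/+/*!select*/+1,2,3,4 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli-labs-master/Less-1/?id=2&page=1 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Rule names are my own; each pattern corresponds to one probe from the notes
RULES = {
    "closure":        re.compile(r"""^\s*-?\d+\s*['"]\)*"""),            # 1'  1")  1'))
    "comment":        re.compile(r"--(?:\s|$)|#|/\*(?!!)"),               # -- , #, /**/
    "inline_comment": re.compile(r"/\*!"),                                # MySQL /*! ... */
    "boolean_test":   re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),  # and 1=2
    "arithmetic":     re.compile(r"^\s*\d+\s*-\s*\d+\s*$"),               # 3-1
    "union_select":   re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
}

def classify_value(value):
    """Names of every probe rule the decoded parameter value matches."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def scan_log(text):
    """Return (param, decoded value, rules) for each parameter that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl decodes %XX and turns '+' into ' ', so '--+' becomes '-- ' here
        for param, value in parse_qsl(query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                hits.append((param, value, rules))
    return hits

if __name__ == "__main__":
    for param, value, rules in scan_log(SAMPLE_LOG):
        print(f"{param}={value!r:40} -> {', '.join(rules)}")
```

Decoding before matching is the point worth keeping: a filter that looks at the raw query string never sees `'` in `%27` or the space in `--+`, which is exactly why the notes list the encoded spellings alongside the plain ones. The `inline_comment` rule is deliberately separate from `comment`, so a `/*!union*/` that a naive keyword filter misses still surfaces, and `union_select` matches straight through the comment markers.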