MYSQL Injection Basics - Part 1

# Three conditions for an injection point

1. A variable that the user controls
2. The variable is placed into a database query and executed
3. The variable is not filtered, or the filtering is not strict

# SQL injection classification

SQL injection is divided into two types by how the parameter is used in the query: numeric and character.

Numeric: when the input parameter is an integer, it can be treated as a numeric injection (but this is not absolute):

select * from database.tables where id=1

Character: when the input parameter is a string, or is wrapped in ' or " (single or double quotes), it is called a character injection:

select * from database.tables where id="1"

How to determine whether an injection point is numeric or character

1. Use and 1=1 and and 1=2 to judge (a numeric type generally submits a number, but a submitted number is not necessarily a numeric type)

Case presentation:

sqli-labs Less-1 (judging whether it is numeric or character): with and 1=2 appended, the page still displays normally.

sqli-labs Less-2: with and 1=2 appended, the page returns an error and echoes nothing.

When you find that a website has an injection point (with no filtering or protection), use and 1=2 to detect the type. The reason:

If it is numeric, its query statement may be

?id=3 and 1=2 → select * from database.tables where id=3 and 1=2

The condition can never be true, so the page does not display normally.

But if it is a character query

?id=3 and 1=2 → select * from database.tables where id="3 and 1=2"

Since the whole value is wrapped in double quotes, the and inside it is part of the string and is not executed as a condition.

Summary: in Less-1, submitting and 1=1 and submitting and 1=2 both display the page normally, so it cannot be a numeric injection; it is a character injection.

In Less-2, submitting and 1=2 makes the condition impossible to satisfy, the database returns nothing, the page does not display normally, and it is judged to be a numeric injection.

2. Use "-" to judge

Numeric demo:

Look at ?id=3: the page displays the name Dummy.

Now request ?id=3-1 directly.

If it is numeric, it will query the record with id=2, because 3-1=2.

If the page changes, it is a numeric injection; if the page does not change, it is a character injection.

Here the content of the page has changed:

Name: Angelina

So it is confirmed to be numeric.

Character demo:

Confirm the name: Dummy

Enter 3-1

Page: Dummy

No change, so it is confirmed to be character type.

Summary: when you are not sure whether a point is numeric or character, use the "-" sign to judge. A numeric type performs the calculation, so 3-1 evaluates to 2, the query finds the record with id 2 and returns it to the page; a character type does not perform the calculation.

Note: it is best not to use the "+" sign, because in a URL the plus sign may sometimes be interpreted as a space.

# Closure

1. Closing patterns

'    "    ')    ")    '))    "))

2. What closure does

Manually submit the closing symbol to end the original query early, then append your own statement after it. The rest of the original query (the part the application appends after the parameter) is commented out with a comment symbol.

Suppose it is a character injection point.

SQL statement: select * from database.tables where id="3"

If closure is not used, the SQL statement we construct is

SQL statement: select * from database.tables where id="3 and 1=1"

In this form our injected statement cannot do anything, because it is wrapped inside the double quotes.

Using closure:

SQL statement: select * from database.tables where id="3" and 1=1 --+"

Here the first double quote is the one that comes with the original statement, and the double quote after 3 is the one we entered; we use our double quote to close the string early.

The and 1=1 that follows can then be tested normally without interference, and the original closing double quote at the end no longer has any effect, because we have commented it out.
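The numeric-versus-character behaviour described above, the closure trick, and the parameterised form that removes the problem, as an added example that is not from the original post or from sqli-labs. It uses Python's sqlite3 with a constructed three-row table (an assumed schema: integer id, text name) standing in for the page's database.tables. The comment is written as "-- " (what --+ decodes to); MySQL-only syntax such as # and /*! */ is not exercised because SQLite does not support it.

```python
import sqlite3

# Constructed stand-in for the page's "database.tables" (an assumption, not
# sqli-labs' real schema): an integer id and a name, so the page's id=3 -> Dummy
# and id=2 -> Angelina lookups can be reproduced.
ROWS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")]


def _connect():
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def _run(sql):
    """Execute a finished statement; return the matched names, or None when the
    statement fails to parse (the 'page reports an error' outcome in the text)."""
    try:
        return [row[0] for row in _connect().execute(sql).fetchall()]
    except sqlite3.Error:
        return None


def numeric_probe(user_input):
    """Numeric injection point: the value is spliced in bare, so arithmetic
    (3-1) and extra conditions (and 1=2) are parsed and evaluated as SQL."""
    return _run(f"SELECT name FROM users WHERE id={user_input}")


def character_probe(user_input):
    """Character injection point: the value sits inside quotes, so the same text
    is compared as a string unless the submitted value closes the quote first."""
    return _run(f"SELECT name FROM users WHERE id='{user_input}'")


def safe_lookup(user_input):
    """Hardened form: a bound parameter is always data, never SQL, whatever it
    contains, so neither the closing quote nor the comment marker has any effect."""
    rows = _connect().execute("SELECT name FROM users WHERE id=?", (user_input,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("numeric   3-1             ->", numeric_probe("3-1"))               # ['Angelina']
    print("character 3-1             ->", character_probe("3-1"))             # []
    print("character 3'              ->", character_probe("3'"))              # None (error)
    print("character 3' and 1=1 --   ->", character_probe("3' and 1=1 -- "))  # ['Dummy']
    print("safe      3' and 1=1 --   ->", safe_lookup("3' and 1=1 -- "))      # []
```

The two vulnerable builders exist only to show why the page's probes behave as they do: in the numeric form 3-1 is evaluated and and 1=2 empties the result, in the character form the same text is just a string value until a closing quote is supplied, and a lone quote leaves the statement unterminated. safe_lookup is the fix: the whole value, quote and comment marker included, is bound as data and simply matches no row.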

3. Comments

Comment symbols: --+    #    %23    /**/    --%20

Inline comment: /*! SQL statement */ is recognized only by MySQL, which executes the statement inside it; it is often used to bypass a WAF.

For example: select * from database.tables where id=1

Using an inline comment: select * from database.tables where id=-1 /*! union */ /*! select */ 1,2,3,4

Comment out: use the comment symbol to temporarily disable a block of the program. To "comment out" a piece of a program means not to run it for now (rather than deleting it).

Case presentation:

sqli-labs Less-1

As in this first level, it is a character injection: when we enter ' it reports an error.

Guess its SQL statement:

select * from database.tables where id="3'"

We can comment out its own closing "

Guess the SQL statement:

select * from database.tables where id="3' --+"

so that only our one ' single quote remains in effect.

At this point we can write our own SQL after it to determine whether there is an injection point.

SQL statement:

select * from database.tables where id="3' and 1=2 --+"

# Determining the closing method

1. Through the echoed error message

See https://mp.csdn.net/mp_blog/creation/success/129761719 for details.

Just drop in a single quote, or just drop in a double quote.

Take out the error message and analyze the cause of the error.

In the error message, the outermost single quotes before and after are a pair that belong together; the next pair inside are another pair.

At the end there is one single quote left over; it has no matching quote, so the database reports an error.

Because the original statement is ' '3' ' limit 0,1

The positions to the left and right of 3 are ' and ', so it is wrapped in single quotes, which confirms it is a character type closed with single quotes.

2. Judging the closing method by blind injection (no error message is displayed)

First confirm that the page is normal: id=1 displays normally.

Just throw in a single quote, and the page stops displaying normally.

Add --+ after ?id=1' to comment out what follows.

Guess the original SQL statement: select * from database.tables where id='1'

Guess the SQL statement after injection: select * from database.tables where id='1'--+'

A lone single quote deliberately makes the statement malformed; the query cannot be executed, so the page is "false". When I remove the single quote, or comment out the leftover part, the page is "true" again.

In practice you can only try the closing patterns one by one and compare the results. For example, test statements:

http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
http://127.0.0.1/sqli-labs-master/Less-8/?id=1"
http://127.0.0.1/sqli-labs-master/Less-8/?id=1')
http://127.0.0.1/sqli-labs-master/Less-8/?id=1")

See which one produces an error, then test that pattern separately, for example

http://127.0.0.1/sqli-labs-master/Less-8/?id=1') --+

Use --+ to comment out the rest, and see whether the page echoes normally. If so, it is confirmed that the closing method is ('1').
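From the defender's side, the probe shapes this section lists (and 1=1 / and 1=2, a lone quote or ')-style closer, the 3-1 arithmetic check, --+ or # terminators, and /*! */ inline comments) are easy to spot in web server logs. The following is an added example, not from the original post: a small Python scanner over constructed access-log lines (the client address, timestamps and URLs are made up for the example), which decodes each query parameter once and labels the patterns it matches.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (made up for this example, not taken from
# the page): one benign request followed by the probe shapes the text describes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /sqli-labs-master/Less-1/?id=1%20and%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /sqli-labs-master/Less-1/?id=1%27 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /sqli-labs-master/Less-1/?id=3-1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /sqli-labs-master/Less-1/?id=1%27)%20and%201=2%20--+ HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /sqli-labs-master/Less-1/?id=-1%20/*!union*/%20/*!select*/%201,2,3 HTTP/1.1" 200 700
"""

# Pull the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each rule names a probe shape from the page and a pattern applied to the
# decoded parameter value (parse_qsl already turns %27 into ' and + into a space,
# so --+ is seen here as "-- ").
RULES = [
    ("boolean-tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("quote-probe", re.compile(r"""['"]\)*\s*$|['"]\)*\s+(and|or)\b""", re.I)),
    ("comment-terminator", re.compile(r"(--\s|--$|#|/\*)")),
    ("mysql-inline-comment", re.compile(r"/\*!")),
    ("arithmetic-probe", re.compile(r"^\d+\s*-\s*\d+$")),
]


def classify_value(value):
    """Return the names of every rule whose pattern matches one decoded value."""
    return [name for name, pattern in RULES if pattern.search(value)]


def scan_log(text):
    """Parse each access-log line, decode its query parameters once, and return
    (parameter, decoded value, matched rules) for every parameter that trips a rule."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                hits.append((param, value, rules))
    return hits


if __name__ == "__main__":
    for param, value, rules in scan_log(SAMPLE_LOG):
        print(f"{param}={value!r}: {', '.join(rules)}")
```

The arithmetic rule matches any value of the form digits-digits, so on a real site it will also flag legitimate values such as dates; a rule like that belongs behind a per-parameter allowlist, or should be correlated with the response-size change the page describes, rather than alerting on its own. The quote and comment rules are the higher-confidence signals, and a single client walking through all of them in sequence is the pattern this section's test statements produce.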


Origin blog.csdn.net/m0_72755466/article/details/129743910