0. Debugging code with PhpStorm

Starting a debugging session in PhpStorm:

Append &XDEBUG_SESSION_START=PHPSTORM to the request to start debugging.

Modifying variables dynamically while debugging in PhpStorm:

While debugging, select a variable and press F2 to modify its content, or right-click it and choose the Set Value... option.

1. Union query injection (joint query injection)

Precondition:

The page has display positions (places where query output is shown)

Advantage:

Convenient, fast and easy to use

Disadvantage:

Requires a display position

Subtypes:

* Character injection

Practice:

Successful injection:

The following can be constructed to determine whether character injection exists:

* Integer injection

  Practice:

  For union injection, use order by and group by to determine the number of columns in the table.

  order by can be followed by a column number; for example, order by 1 sorts by the first column, and so on.

  If the column number selected by order by does not exist, the page displays normally.

  If the selected column number is too large, the following error is reported:

  Narrowing the range by bisection in this way quickly determines the total number of columns, which makes union injection easier.

  If order by is not available, group by can be used to determine the number of columns.

  The following can be constructed, i.e. the parameter is followed by an arithmetic expression. If querying with 1+2 gives the same result as writing 3 directly, integer injection exists:

2. Listing all databases through injection

The most important database is information_schema, which contains 3 very important tables:

* schemata: the schema_name column contains the database names
* tables: the table_schema column holds the database name, and table_name holds the set of table names that exist in that database
* columns: the column_name column holds the column name; table_schema and table_name hold the corresponding database and table names

Method to get all database names:

Result:

Method to get the table names of a specific database:

Result:

Method to get the column names of a specific table:

Result:

3. Using load_file and into outfile

MySQL can read and write files through the load_file() function and the select ... into outfile ... statement.

1. Reading content with the load_file() function

On Windows, the setting is in the MySQL configuration file my.ini:

  1. By default the secure_file_priv option does not exist (i.e. secure_file_priv=null), and querying it shows NULL. In this case no file may be read or written through MySQL (this is the default setting for versions after mysql 5.2).
  2. To restrict mysqld import and export to the /tmp directory only: secure_file_priv=/tmp/
  3. To place no restriction on mysqld import and export: secure_file_priv=

On Linux, the file is /etc/my.cnf.

Reading a file remotely through MySQL:

Requirements for reading file contents with the load_file function:

* An absolute path must be used
* root privileges with permission to read the file are required
* secure_file_priv must not be NULL

2. Writing content with select into outfile

The file name cannot be converted to hexadecimal when writing.

Conditions for writing file contents with select ... into outfile ...:

* An absolute path must be used
* root privileges with permission to write the file are required
* secure_file_priv must not be NULL
* Single or double quotation marks must be usable (because the file must be given in single or double quotation marks)

Try reading local content with load_file:

Result:

There appears to be no result, but viewing the page source immediately reveals the contents of the file.

Try writing a file with select ... into outfile ...:

4. Error-based SQL injection (error injection)

Precondition:

The page does not need display positions, but it must output the error message from SQL statement execution, for example through mysqli_error() or mysql_error()

Advantage:

No display positions are required

Disadvantage:

Requires the error output of mysql_error() or mysqli_error()

When combined with union query injection, the number of columns has to be considered:

-- Note that the error-reporting part here has 2 columns, because the error is raised in one of the columns. If the leading select has multiple columns, columns must be added to the select that follows in the union injection.
select 1, 2 union
select count(*), (concat(floor(rand(0)*2), (select user())))x from mysql.user
group by x;

The second method does not need to consider the number of columns; it only has to follow a where clause:

select 1 from dual where 1=1 and (select 1 from (select
count(*),concat((select user()),floor(rand(0)*2))x from mysql.user group by x)a)

Let's take an example:

extractvalue error injection

Error injection through extractvalue() limits how much content is displayed; only part of it can be shown.

To solve this problem, use the substr function to get the remaining content.

extractvalue(XML string, string to extract): the second argument should be a string in a format like '/../../...', but here we put 0x7e, i.e. the ~ symbol, at its start. An error is therefore reported, and it returns the contents of the string to be extracted, which is the information we need.

updatexml error injection

It also has the problem of incomplete display; the complete content can be obtained in segments with substr.

In sqli, try extractvalue error injection and updatexml error injection:

This is error injection using extractvalue:

This is error injection using updatexml:

5. Boolean-based blind SQL injection (bool blind injection)

Precondition:

The page has no display positions and does not output SQL statement execution error messages

The only signal is whether the page returns normally or not

Advantage:

No display positions and no error messages are required

Disadvantage:

Slow; it takes a lot of time

The sleep() function is used here; if the condition succeeds, it sleeps for 10 seconds.

Here 1=2 can never be true. If id is wrapped in double quotation marks, the statement runs normally (inside double quotation marks the leading 1 is extracted directly and the non-numeric content after it is ignored). If it is wrapped in single quotation marks, it should produce an error, i.e. nothing is displayed.

This method finds the corresponding user name by bisection over the letters.

Why is there no echo position?

If there is no echo regardless of whether the SQL statement executes correctly or fails, the only option is to attempt the following bool injection combined with bisection; if there is a delay, the ascii value is within the corresponding range.

Try an experiment:

6. Stacked SQL injection (stack injection)

This injection method is rarely used, because code now uses the mysqli_multi_query() function, which does not execute multiple SQL statements together but executes only one.

To execute multiple SQL statements, mysqli_next_result() also has to be called.

As a result, stack injection executes only the first SQL statement and the following statements cannot be executed. Look at an example:

The trailing select sleep(5) cannot be executed unless mysqli_next_result() is called.

7. Wide character injection

The purpose of wide character injection is to get around the escaping added by functions such as addslashes(). Its precondition is that MySQL uses wide bytes, for example when a SQL statement like this sets a wide-byte encoding:
set names gbk/gb2312/GB18030/BIG5...
Debugging with PhpStorm, take an example:

Union injection is used here. Internally preg_replace() is called 3 times, replacing \ with \\\ and escaping single and double quotation marks.

After the function returns, the single quotation mark has been escaped.

If the character set is set to a wide-character one such as gbk or gb2312, MySQL treats a character with an ascii code greater than 128 (%80) as the first byte of a Chinese character (a Chinese character has 2 bytes in total; the byte following one greater than 128 is taken as the second byte of the Chinese character).

Taking advantage of this feature, we construct an injection statement like this:

The resulting input part looks like this:

The whole statement becomes like this, which eliminates the escaping problem.

The content is displayed successfully.
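The byte-level mechanism described above, modelled in Python as an added example (not code from the original post). addslashes() is re-implemented here on raw bytes, the sample input is constructed, and the function names are hypothetical; it shows that the added backslash is absorbed under a wide-byte charset but not under utf-8.

```python
# Added example, not from the original post: byte-level model of why escaping
# fails when the connection uses a wide-byte charset. Sample bytes are constructed.
BACKSLASH, QUOTE = 0x5C, 0x27


def addslashes(raw: bytes) -> bytes:
    """Model of PHP addslashes(): backslash before quote, double quote, backslash, NUL."""
    out = bytearray()
    for b in raw:
        if b in (QUOTE, 0x22, BACKSLASH, 0x00):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def quote_survives(raw: bytes, charset: str) -> bool:
    """True if a decoder using `charset` sees an unescaped single quote in the
    escaped bytes, i.e. the added backslash became part of another character."""
    text = addslashes(raw).decode(charset, errors="replace")
    escaped = False
    for ch in text:
        if escaped:
            escaped = False          # this character was escaped by a backslash
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def swallowing_lead_bytes(charset: str) -> list[int]:
    """Lead bytes >= 0x80 that combine with 0x5C into one character in `charset`."""
    hits = []
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, BACKSLASH]).decode(charset)) == 1:
                hits.append(lead)
        except UnicodeDecodeError:
            pass                     # not a valid two-byte sequence in this charset
    return hits


SAMPLE = b"1\xbf'"  # constructed: a byte above 0x80 followed by a single quote

if __name__ == "__main__":
    for cs in ("gbk", "big5", "utf-8"):
        print(cs, quote_survives(SAMPLE, cs), len(swallowing_lead_bytes(cs)))
```

An empty result from swallowing_lead_bytes() means escaping cannot be bypassed this way under that charset; binding parameters instead of escaping removes the dependency on the connection charset altogether.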

How to quickly determine whether there is SQL injection?

* Arithmetic: see whether the corresponding value is returned, e.g. whether 2-1 and 1 give the same result. If they do, it may be an integer type, or there may be no injection problem
* Errors: use the ' and " symbols and see whether an error message appears
* and 1=1 / and 1=2: see whether the page changes; if there is no change, there is probably no injection
* Time-based: and sleep(10); see whether the page returns only after a period of time
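The arithmetic check from the first item, turned into a regression test for your own lookup code. This is an added example, not code from the original post: SQLite in memory stands in for MySQL, and the table, rows and function names are constructed.

```python
# Added example, not from the original post. SQLite stands in for MySQL;
# the users table and all function names are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn, raw_id: str) -> list:
    """The 'before' pattern: the request value is pasted into the statement."""
    try:
        return conn.execute(
            "SELECT name FROM users WHERE id = " + raw_id).fetchall()
    except sqlite3.Error:
        return []  # stands for the error page or empty page


def lookup_bound(conn, raw_id: str) -> list:
    """Hardened: accept only ASCII digits, then bind the value as a parameter."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    return conn.execute(
        "SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchall()


def evaluates_arithmetic(lookup, conn) -> bool:
    """The 2-1 versus 1 check: True means the database evaluated the input."""
    baseline = lookup(conn, "1")
    return bool(baseline) and lookup(conn, "2-1") == baseline


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", evaluates_arithmetic(lookup_concat, db))
    print("bound:", evaluates_arithmetic(lookup_bound, db))
```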

Injection mode classification:

* Union query injection
* Error-based injection
* Bool-based injection
* Time-based injection
* Stack injection
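Each of these classes leaves recognisable keywords in web server logs. The following is an added example (not code from the original post) that tags request lines by class; the log lines, path and rule names are constructed, and the patterns are heuristics that will need tuning against real traffic.

```python
# Added example, not from the original post. Log lines and rule names are
# constructed; the keywords are the ones used by the techniques in this article.
import re
from urllib.parse import unquote_plus

RULES = {
    "union/column-count": re.compile(
        r"\bunion\s+(all\s+)?select\b|\b(order|group)\s+by\s+\d+\b"),
    "schema-enum": re.compile(r"\binformation_schema\b"),
    "file-io": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
    "error-based": re.compile(
        r"\b(extractvalue|updatexml)\s*\(|floor\s*\(\s*rand\s*\("),
    "boolean/time": re.compile(r"\bsleep\s*\(|\band\s+1\s*=\s*[12]\b"),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop)\b"),
}
# A byte above 0x7F directly before an encoded quote or backslash (raw query only).
WIDE_BYTE = re.compile(r"%[89a-f][0-9a-f]%(27|5c)")


def request_query(log_line: str) -> str:
    """Extract the query string from a combined-log-format request line."""
    m = re.search(r'"(?:GET|POST) \S*?\?(\S*) HTTP', log_line)
    return m.group(1) if m else ""


def classify(log_line: str) -> set[str]:
    raw = request_query(log_line).lower()
    text = raw
    for _ in range(2):                       # also catches double URL encoding
        text = unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)   # inline comments used as spaces
    text = re.sub(r"\s+", " ", text)
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if WIDE_BYTE.search(raw):
        hits.add("wide-byte")
    return hits


PREFIX = '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [  # constructed lines
    PREFIX + '"GET /item.php?id=3 HTTP/1.1" 200 512',
    PREFIX + '"GET /item.php?id=1+order+by+4 HTTP/1.1" 200 0',
    PREFIX + '"GET /item.php?id=1%2520and%2520sleep%252810%2529 HTTP/1.1" 200 512',
    PREFIX + '"GET /item.php?id=1+and+extractvalue(1,X) HTTP/1.1" 200 97',
    PREFIX + '"GET /item.php?id=1%bf%27 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sorted(classify(line)), request_query(line))
```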

Injection type classification:

* Character injection
* Integer injection

(Unfinished)