SQL numeric injection details + iwesec example



This article is the author's study notes. It records in detail the author's understanding of SQL numeric injection and walks through the complete process of UNION-based query injection. At the end, the author practises on iwesec and WebGoat. Corrections are welcome where the notes fall short.


1, SQL numeric injection principle

When the input parameter is an integer, such as an ID or an age, and an injection vulnerability exists there, it is classed as a numeric injection vulnerability. It is fair to say that numeric injection is the simplest kind.
The steps for judging it are as follows:
Step 1: append a ' (single quotation mark) to the parameter; the page then reports an error.
(The purpose of this step is to judge whether an injection vulnerability exists at all. If no error is reported, there is no injection vulnerability here. An error is reported only when the server treats the single quotation mark as part of the SQL statement, and that is exactly what shows an SQL injection vulnerability exists here.)

Step 2: append and 1=1 to the parameter; the page returns normally.

Step 3: append and 1=2 to the parameter; the page now returns an error, which proves that there is a SQL numeric injection vulnerability here.

2, Complete injection process

The first step, finding the injection point, was already completed when judging whether the injection is numeric.
The second step is to determine the number of columns. Use order by to guess it: order by 3 sorts the result set in ascending order by the third column, and if the number is greater than the actual number of columns the database reports an error. We use this behaviour to guess the column count, and a binary search over the number keeps the guessing short.

The third step is to find the echo position, i.e. which column's value is displayed on the page.
We already know that there are three columns, so next we append and 1=2 union select 1,2,3.

A UNION query combines the results of two queries and outputs them together. Since the page usually displays only the first row, you might expect the output to be the same as before. Why isn't it? Because we appended and 1=2, the original query's condition becomes false and returns nothing, so the only rows left are 1, 2 and 3, which tells us which of the three columns is shown on the page.
The fourth step is to get the database name.
Since MySQL 5 there has always been a metadata database called information_schema, which records all the information in the MySQL server, such as the names of the databases, tables and columns.

Of course, we can also use the database's own functions and system variables to get some of the information we need. For example:

user()                  // current database user name
@@datadir               // database data directory path
version()               // database version
@@version_compile_os    // operating system the server was compiled for

We get the name of the database: iwesec.
The fifth step is to get the table names and column names.
We query the information_schema database for the information we want to know.

After finding out the table name, we continue to query the column name

The last step is to obtain data

3, Summary


Numeric injection is the simplest vulnerability among SQL injections. Its core is to use a UNION query while silencing the original, normal query with a false condition. Remember the contents of the information_schema database.


There is little difference between numeric injection and string injection, except that string injection requires closing the single quotation mark first. Once the quotation mark is closed, it proceeds the same way as numeric injection. When judging whether an injection is numeric, the second and third steps are what mainly distinguish string injection from numeric injection.

// This is the source code for the test page for numeric injection (deliberately vulnerable: the id parameter is
// concatenated into the query as a bare number). The connection settings below are assumed; the original only showed fragments.
<?php
	$conn = mysql_connect("localhost", "root", "root");   // assumed host and credentials
	mysql_select_db("iwesec", $conn);                     // the database whose name we recovered above
	$id = $_GET['id'];                                    // taken straight from the URL, no validation or casting
?>
		<title>MySQL Digital type SQLi</title>
	<h2>MySQL Digital type SQLi</h2>
		<div class="alert alert-success">
			<p>/01.php?id=1 </p>
		</div>
<?php
	echo $id."<br>";
	$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";     // $id is inserted unquoted: the numeric injection point
	echo $sql."<br>";
	$result = mysql_query($sql, $conn);
	if ($result) {
		echo "<table class='table table-striped'>";
		while ($row = mysql_fetch_assoc($result)) {
			echo "<tr>";
			echo "<td>".$row['id']."</td>";
			echo "<td>".$row['username']."</td>";
			echo "<td>".$row['password']."</td>";
			echo "</tr>";
		}
		echo "</table>";
	} else {
		echo mysql_error($conn);                          // the visible error is what step 1 (the single quote) relies on
	}
//	echo '<font color= "#FFFFFF">';
//	echo "</font>";
?>
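An added example (not part of the original article, and using Python with an in-memory SQLite table as a stand-in for the PHP/MySQL page above): it reproduces the page's unquoted id concatenation, shows what each judgment step from section 1 and the order by / union steps from section 2 return against it, and places an integer-validated, parameterized lookup beside it. The user rows are constructed sample data.

```python
import re
import sqlite3

# Constructed stand-in for the iwesec "user" table (SQLite instead of MySQL).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "admin", "pw-1"), (2, "alice", "pw-2")])
    return conn

def lookup_vulnerable(conn, user_id):
    """Mirrors 01.php: the parameter is concatenated into the SQL text unquoted."""
    sql = f"SELECT * FROM user WHERE id={user_id} LIMIT 0,1"
    return conn.execute(sql).fetchall()

def probe(conn, user_id):
    """What the vulnerable page shows: the rows, or "error" when the database rejects the SQL."""
    try:
        return lookup_vulnerable(conn, user_id)
    except sqlite3.Error:
        return "error"

def lookup_hardened(conn, user_id):
    """Numeric parameter done right: accept only an integer, then bind it as a parameter.
    Anything else is refused (None) instead of being passed to the database."""
    if not re.fullmatch(r"\s*-?\d+\s*", str(user_id)):
        return None
    return conn.execute("SELECT * FROM user WHERE id=? LIMIT 0,1",
                        (int(user_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Section 1 judgment steps against the vulnerable lookup.
    for p in ["1", "1'", "1 and 1=1", "1 and 1=2"]:
        print(f"vulnerable id={p!r:28} -> {probe(db, p)}")
    # Section 2: column count via order by, then the union echo position.
    for p in ["1 order by 3", "1 order by 4", "1 and 1=2 union select 1,2,3"]:
        print(f"vulnerable id={p!r:28} -> {probe(db, p)}")
    # The same inputs against the hardened lookup.
    for p in ["1", "1'", "1 and 1=2 union select 1,2,3"]:
        print(f"hardened   id={p!r:28} -> {lookup_hardened(db, p)}")
```

The hardened lookup returns the same row for id=1 and refuses every other input above, while the bound parameter means even a value that passed validation could never change the query's structure.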



I hope this article is helpful to you. It is part of the author's study notes; if there are deficiencies, they can be discussed in the comment area, and if the author reaches a new understanding in the future it will continue to be updated. I wish you academic progress and career success.

Tags: Database SQL security

Posted on Sat, 04 Dec 2021 16:37:57 -0500 by cent