Next, we continue to learn how to get the content you want to get from the database, first, let's take a look at the general steps in SQL injection:
The first section, the general step of SQL injection
First, judge the environment, find an injection point, determine the database type, which is already told in the entry.
Secondly, according to the type of injection parameter, the original appearance of the SQL statement is reconstructed in the mind, and the parameter type is mainly divided into the following three:
(A) ID = 49 The parameters of this type of injected are digital type, and the original SQL statement is approximately as follows:
SELECT * FROM table name Where field = 49
The injected parameter is ID = 49 and [query condition], that is, the generated statement:
SELECT * FROM table name where field = 49 and [query condition]
(B) Class = Continuous drama The parameters of the injected parameters are character patterns, and the SQL statement is substantially as follows:
SELECT * FROM table name where field = 'series of series
The parameters of the injected are class = series 'and "query conditions] and' '=', that is, the generated statement:
SELECT * FROM table name where field = 'series of series' and "query conditions] and '' = ''
(C) No filtering parameters when searching, such as keyword = keyword, SQL statement is roughly as follows:
SELECT * FROM table name where field like '% keyword%'
The injected parameter is keyword = 'and'% 25 '=', ie generating statement:
SELECT * FROM table name Where field Like '%' and [query conditions] and '%' = '%'
Next, replace the query condition into a SQL statement, guess the table name, for example:
ID = 49 and (select count (*) from admin)> = 0
If the page is the same as ID = 49, the additional condition is established, that is, the table admin exists, that is, it does not exist (please keep this method). So loop until you guessed the name.
After guess, replace count (*) into a count (field name), and specifically depends the word name.
Some people will say: There are some casual components here. If the name is very complicated, it will not have to play. It is very pair, this world does not exist 100% successful hacker technology, flies do not seamless eggs, no matter how many technologies, a few hackers, because others are not strict or not, the user is not confidential. I have to get it.
I have a little bit, saying it back, for SQL Server library, there is a way to let the program tell us the name and field name, we will introduce in the advanced article.
Finally, after the table name and column name are successful, use the SQL statement to get the value of the field, and the most common method is described below. Although this method is very slow, it must be feasible Methods.
(Source: 9cbs)
