SQL Injection Vulnerabilities, Full Contact: Intermediate Part

xiaoxiao, 2021-04-06

First, let's take a look at the general steps of SQL injection:

Section 1: The general steps of SQL injection

First, assess the environment, find an injection point and determine the database type; this was covered in the introductory part.

Second, based on the type of the injected parameter, reconstruct in your mind what the original SQL statement looks like. Parameter types fall mainly into the following three kinds:

(A) ID=49. This kind of injected parameter is numeric, and the original SQL statement looks roughly like this:

SELECT * FROM table_name WHERE field = 49

The injected parameter is ID=49 and [query condition], which produces the statement:

SELECT * FROM table_name WHERE field = 49 and [query condition]

(B) Class=series. This kind of injected parameter is a character string, and the original SQL statement looks roughly like this:

SELECT * FROM table_name WHERE field = 'series'

The injected parameter is Class=series' and [query condition] and ''=' , which produces the statement:

SELECT * FROM table_name WHERE field = 'series' and [query condition] and ''=''

(C) Search input that is not filtered, such as keyword=keyword. The original SQL statement looks roughly like this:

SELECT * FROM table_name WHERE field LIKE '%keyword%'

The injected parameter is keyword=' and [query condition] and '%25'=' (where %25 is the URL-encoded percent sign), which produces the statement:

SELECT * FROM table_name WHERE field LIKE '%' and [query condition] and '%'='%'

Next, substitute a query condition into the SQL statement to guess the table name, for example:

ID=49 and (SELECT COUNT(*) FROM admin) >= 0

If the page looks the same as for ID=49, the appended condition holds, that is, the table admin exists; otherwise it does not exist (remember this method). Repeat this until the table name is guessed.

Once the table name is known, replace COUNT(*) with COUNT(field name) and use the same principle to guess the field names.
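As an added example (not code from the original article), the following Python builds the three statement shapes above first by string concatenation and then with bound parameters, and runs the table-existence probe from this section against both. SQLite in memory stands in for Access, and the table and column names are constructed for the demo.

```python
import sqlite3

# Added example (not from the article): the three statement shapes above, built by
# string concatenation (vulnerable) and with bound parameters (hardened).  SQLite
# in memory stands in for Access; table and column names are constructed.
def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE shows (id INTEGER, class TEXT, title TEXT)")
    con.executemany("INSERT INTO shows VALUES (?, ?, ?)",
                    [(49, "series", "Show A"), (50, "movie", "Show B")])
    con.execute("CREATE TABLE admin (username TEXT)")  # exists, so the probe holds
    return con

# Vulnerable: the request value is pasted into the SQL text (shapes A, B, C).
def vuln_numeric(con, v):
    return con.execute(f"SELECT id FROM shows WHERE id = {v}").fetchall()
def vuln_string(con, v):
    return con.execute(f"SELECT id FROM shows WHERE class = '{v}'").fetchall()
def vuln_like(con, v):
    return con.execute(f"SELECT id FROM shows WHERE title LIKE '%{v}%'").fetchall()

# Hardened: the value is bound as data and the statement text never changes.
def safe_numeric(con, v):
    try:
        v = int(v)                     # numeric shape: enforce the type as well
    except ValueError:
        return []
    return con.execute("SELECT id FROM shows WHERE id = ?", (v,)).fetchall()
def safe_string(con, v):
    return con.execute("SELECT id FROM shows WHERE class = ?", (v,)).fetchall()
def safe_like(con, v):
    # the wildcards belong to the bound value, not to the statement
    return con.execute("SELECT id FROM shows WHERE title LIKE ?", (f"%{v}%",)).fetchall()

# The table-existence probe from the article in each shape.  Against the
# vulnerable code the appended condition is true and the rows are those of the
# unmodified query (the "same page" oracle); the hardened code matches nothing.
PROBE = {
    "numeric": "49 and (select count(*) from admin)>=0",
    "string":  "series' and (select count(*) from admin)>=0 and ''='",
    "like":    "' and (select count(*) from admin)>=0 and '%'='",
}

def compare(con):
    """Map each shape to (rows from the vulnerable query, rows from the hardened one)."""
    return {
        "numeric": (vuln_numeric(con, PROBE["numeric"]), safe_numeric(con, PROBE["numeric"])),
        "string":  (vuln_string(con, PROBE["string"]), safe_string(con, PROBE["string"])),
        "like":    (vuln_like(con, PROBE["like"]), safe_like(con, PROBE["like"])),
    }
```

The numeric case also shows that binding alone is not enough for an integer column: the value must be converted to the expected type, otherwise a text value is silently compared and the request fails in a less obvious way.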

Some people will say: there is an element of luck here. If the table names are complicated and irregular, there is simply no way to continue. That is quite right; there is no such thing as a 100% successful hacking technique in this world. Flies do not bite an egg without cracks: however skilled a hacker is, they only get a foothold because someone else's program was not written rigorously or because its users were not security-conscious enough.

I have digressed a little. Back to the topic: for SQL Server databases there is a way to make the program tell us the table names and field names; we will introduce it in the advanced part.

Finally, once the table name and column names have been guessed successfully, use SQL statements to obtain the values of the fields. The most common method, guessing the value character by character, is introduced below. Although this method is slow, it is definitely feasible.

Let's take an example. Knowing that the table admin contains a username field, we first take the first record and test its length:

http://www.19cn.com/showdetail.asp?id=49 and (SELECT TOP 1 LEN(username) FROM admin) > 0

First the principle: if the username of the TOP 1 record has a length greater than 0, the condition holds; then test > 1, > 2, > 3 and so on until the condition no longer holds. For example, if > 7 holds and > 8 does not, then LEN(username) = 8.

Of course nobody would be foolish enough to test 0, 1, 2, 3 one by one; how to do it faster is up to each person. After obtaining the length of username, use MID(username, N, 1) to extract the Nth character, and then ASC(MID(username, N, 1)) to obtain its ASCII code, for example:

ID=49 and (SELECT TOP 1 ASC(MID(username, 1, 1)) FROM admin) > 0

The ASCII code of the first character is likewise obtained by progressively narrowing the range. Note that the ASCII codes of English letters and digits lie between 1 and 128, so a binary search can speed up the guessing; written as a program, the efficiency improves greatly.
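As an added example (not from the original article), the following Python flags the probes described in this section in web access logs. The log lines are constructed, and the regular expressions are assumptions that cover exactly the patterns shown above (table probe, length probe, character-code probe and the two quoted-parameter closers), not every form of injection.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the article): flag the blind-extraction probes described
# in this section in web access logs.  The log lines are constructed and the rules
# are assumptions that cover exactly the patterns shown above, not every injection.
RULES = [
    ("table/column probe",  re.compile(r"\band\s*\(\s*select\s+count\s*\(", re.I)),
    ("length probe",        re.compile(r"select\s+top\s+1\s+len\s*\(", re.I)),
    ("char code probe",     re.compile(r"\b(asc|unicode)\s*\(\s*(mid|substring)\s*\(", re.I)),
    ("string shape closer", re.compile(r"\band\s*''\s*=\s*'", re.I)),
    ("like shape closer",   re.compile(r"\band\s*'%'\s*=\s*'", re.I)),
]

def classify(request_line):
    """Return the names of the rules matching one log line after URL decoding."""
    decoded = unquote_plus(request_line)       # '+' -> space, %25 -> '%', %27 -> "'"
    decoded = re.sub(r"\s+", " ", decoded)     # collapse spacing variations
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Return (line index, matched rule names) for every line that matches."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := classify(line))]

# Constructed IIS-style log excerpt: a normal request followed by each step of
# the guessing procedure above (table probe, length probe, character probe)
# and the two quoted-parameter closers.
LOG = [
    "2004-03-01 10:00:01 GET /showdetail.asp id=49 200",
    "2004-03-01 10:00:02 GET /showdetail.asp id=49+and+(select+count(*)+from+admin)>=0 200",
    "2004-03-01 10:00:03 GET /showdetail.asp id=49+and+(select+top+1+len(username)+from+admin)>7 200",
    "2004-03-01 10:00:04 GET /showdetail.asp id=49+and+(select+top+1+asc(mid(username,1,1))+from+admin)>96 200",
    "2004-03-01 10:00:05 GET /list.asp class=series%27+and+%27%27%3D%27 200",
    "2004-03-01 10:00:06 GET /search.asp keyword=%27+and+%27%25%27%3D%27 200",
]

if __name__ == "__main__":
    for idx, hits in scan(LOG):
        print(idx, hits, LOG[idx])
```

Because the guessing procedure needs many near-identical requests per character, the count of flagged lines per source over a short window is a stronger signal than any single match.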

Section 2: Common SQL injection functions

People with a grounding in SQL have a much higher success rate at SQL injection than those who are unfamiliar with it. We need to improve our SQL skills, especially some common functions and commands.

Access: ASC(character)    SQL Server: UNICODE(character)

Purpose: returns the ASCII code of a character

Access: CHR(number)    SQL Server: NCHAR(number)

Purpose: the inverse of ASC, returns the character for an ASCII code

Access: MID(string, N, L)    SQL Server: SUBSTRING(string, N, L)

Purpose: returns the substring of length L starting at the Nth character, i.e. the characters from position N to N+L

Access: ABS(number)    SQL Server: ABS(number)

Purpose: returns the absolute value of a number (used when guessing Chinese characters)

Access: A BETWEEN B AND C    SQL Server: A BETWEEN B AND C

Purpose: tests whether A lies between B and C

Section 3: Handling Chinese characters

Encountering Chinese characters during injection is common, and some people want to give up as soon as they see them. In fact, as long as you understand Chinese character encoding, "Chinese phobia" can be overcome quickly.

First some common knowledge: in Access, the ASCII code of a Chinese character may be negative; take that negative value and apply ABS() to get its absolute value, and the Chinese character itself is unchanged.

In SQL Server, the code of a Chinese character is positive, but because it is a two-byte Unicode encoding, the function ASCII() cannot obtain it; the function UNICODE() must be used to return the Unicode value, and NCHAR() then returns the corresponding Chinese character.

Having understood the two points above, doesn't guessing Chinese seem almost the same as English? Apart from the functions used and the range of values to guess, the method is no different.

Please credit the original source when reposting: https://www.9cbs.com/read-132273.html
