Notes for SQL Injection

SQL injection is a class of vulnerability that lets an attacker insert code into an application's original SQL statements in order to trigger unintended behaviour, such as dumping the database or writing files. In this note I share some ideas about SQL injection.

Types

  • Error-based injection
  • Union-based injection
  • Stacked injection
  • Blind injection
    • Boolean-based injection
    • Time-based injection

Examples

Error-based Injection

(1) floor(rand(0)*2)
Principle: the result of floor(rand(0)*2) is not random, because rand(0) is seeded with a fixed value. When a statement that groups by this expression is executed, floor(rand(0)*2) is evaluated twice per row: once when MySQL checks whether a matching key already exists in the temporary (virtual) result table, and again when the value is actually inserted into that table. (1. Should the row be inserted? 2. What value is inserted?)
(2) updatexml()
Principle: the second parameter of updatexml(xml_target, xpath_expr, new_xml) is an XPath expression; if it is not valid XPath, MySQL raises an error that contains the expression text.
(3) extractvalue(): same principle as updatexml(); its second parameter is also an XPath expression.
(4) exp() overflow
(5) BIGINT overflow
(6) Replication
(7) Misc

How To Utilize It

  1. Dumping the database (e.g. administrator passwords).
  2. Writing a file (write PHP into the web server's document root: SELECT 'zhz' INTO OUTFILE '/var/www/html/backdoor.php').
  3. Reading a file (read sensitive files such as configuration files: SELECT LOAD_FILE('/etc/passwd')).
  4. Second-order SQL injection.

Note: both file operations require the MySQL FILE privilege and are blocked when secure_file_priv is set restrictively, which is the first thing to check on the defending side.
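From the defender's side, the function names listed in this note are also useful detection indicators. The following is an added example (my own code, not part of the original notes) that scans constructed access-log lines for the error-based, union-based, file and time-based markers named above after URL-decoding the request target; the log lines and IP addresses are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format). They are made up for
# this example; only the MySQL function names come from the techniques above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /item.php?id=42%20and%20updatexml(1,%27x%27,1) HTTP/1.1" 500 87
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /item.php?id=42%20and%20floor(rand(0)*2) HTTP/1.1" 500 87
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /item.php?id=1%20union%20select%20%27x%27%20into%20outfile%20%27/tmp/x%27 HTTP/1.1" 500 87
10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /search.php?q=shoes+and+sleep(5) HTTP/1.1" 200 3021
10.0.0.5 - - [01/Jan/2025:10:00:10 +0000] "GET /blog.php?slug=credit-union-selects-new-ceo HTTP/1.1" 200 4410
"""

# Each indicator is labelled with the injection technique it belongs to.
# Patterns are matched case-insensitively against the URL-decoded request.
INDICATORS = [
    (r"updatexml\s*\(",                  "error-based: updatexml()"),
    (r"extractvalue\s*\(",               "error-based: extractvalue()"),
    (r"floor\s*\(\s*rand\s*\(",          "error-based: floor(rand())"),
    (r"\bunion\b\s+(?:all\s+)?select\b", "union-based: UNION SELECT"),
    (r"\binto\s+outfile\b",              "file write: INTO OUTFILE"),
    (r"\bload_file\s*\(",                "file read: LOAD_FILE()"),
    (r"\b(?:sleep|benchmark)\s*\(",      "time-based blind: sleep()/benchmark()"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]

# Pulls the client IP and the request target out of a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def decode_request(target: str) -> str:
    """URL-decode the request target twice so double-encoded input is also normalised."""
    return unquote_plus(unquote_plus(target))


def scan_log(text: str) -> list:
    """Return one finding per log line that contains at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip here, or route to a separate bucket
        ip, target = m.group(1), m.group(2)
        decoded = decode_request(target)
        hits = [label for rx, label in COMPILED if rx.search(decoded)]
        if hits:
            findings.append({"ip": ip, "request": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"], finding["request"])
```

The word-boundary and whitespace requirements in the UNION pattern keep the benign slug `credit-union-selects-new-ceo` from being flagged; in production the same rules would normally feed a WAF or SIEM rather than a standalone script, and decoding must match what the application itself does.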

Prevention

  1. Filter keywords and symbols, and sanitize the input (keywords such as UNION, SELECT, FROM, OR, AND; or PHP's magic_quotes_gpc, which was removed in PHP 5.4 and should not be relied on).
  2. Parameterized queries (pre-compile the SQL statement, then bind the values separately).
  3. Defend in depth (check the content of the information flowing between server-side components).
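To show why item 2 is the primary fix rather than item 1, here is an added example (my own code, not from the original notes) that runs the same lookup both ways against an in-memory SQLite table with constructed rows. The concatenated query returns every row for a tautology input and breaks on a legitimate name containing a quote; the parameterized query handles both correctly, which a keyword or quote filter cannot do without rejecting valid data.

```python
import sqlite3

# Constructed sample table for this example (not data from the notes).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' pattern: user input is spliced straight into the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the statement is compiled with a placeholder and the value is bound separately."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on an injection input and on a legitimate quoted name."""
    conn = make_db()
    tautology = "' OR '1'='1"   # closes the quote and appends an always-true clause
    legit = "O'Brien"           # valid data that happens to contain a single quote
    out = {
        "vuln_tautology": lookup_vulnerable(conn, tautology),      # every row leaks
        "safe_tautology": lookup_parameterized(conn, tautology),   # treated as a literal name: no rows
        "safe_legit": lookup_parameterized(conn, legit),           # quote handled by the driver
    }
    try:
        out["vuln_legit"] = lookup_vulnerable(conn, legit)         # quote breaks the statement
    except sqlite3.OperationalError as exc:
        out["vuln_legit"] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same placeholder approach applies to MySQL drivers (`%s` in MySQLdb/PyMySQL, `?` in JDBC, bound parameters in PDO); the point is that the query structure is fixed before any user-supplied value is seen.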

Interesting Payloads Collection


© hazzel 2021-2025