###### tags: `sql` `web`

# SQL Bases

[TOC]

# Find SQL Injection points

> The backend interacts with the frontend through

- HTTP request headers
- GET/POST parameters

So we have to think about which variables or pieces of information the backend reads from the frontend.

# Check whether the injected code has been executed

## Error

> Try to provoke an error to find out

- SQL syntax characters `'` and `"`: let the backend raise an error, and if it does we know this place is an injectable point.

## Union

> If the backend hides the error message

we could try to query with the `union` syntax instead.

## Time-blind

> We could also use the `sleep()` function to find out whether this place is an injectable point.

# MySQL

![](https://i.imgur.com/yFdaDNT.png)

![](https://i.imgur.com/5ENzU3B.png)

![](https://i.imgur.com/9cqgKJG.png)

![](https://i.imgur.com/lXYOZal.png)

![](https://i.imgur.com/x5mqq6B.png)

# SQL database

## Create the table

Example

```
CREATE TABLE Persons (
    PersonID int,
    LastName varchar(255),
    FirstName varchar(255),
    Address varchar(255),
    City varchar(255)
);
```

# SQL syntax

MySQL comments

```mysql=
-- comments
/* comments */
# comments
```

## Query syntax

### select

![](https://i.imgur.com/YW1JFe2.png)

### select distinct

> The statement is used to return only distinct values.

![](https://i.imgur.com/roKf1ET.png)

## where

Example:
`where id=1` (this works like an `if()` condition)

![](https://i.imgur.com/AA4c2Yc.png)

`<>` is the same as `!=`, the not-equal operator

![](https://i.imgur.com/4B2HjW2.png)

---

`between`

![](https://i.imgur.com/5Tu1DMw.png)

---

`in ()` specifies multiple values for the column

![](https://i.imgur.com/Ui7T6tR.png)

---

Search for a pattern:

- `like "%<str>"` (`%` is a wildcard, i.e. a fuzzy search)
- `like "<str>%"`

![](https://i.imgur.com/0N8Inu0.png)

`column like "%<str>%"`

![](https://i.imgur.com/cxpA8cm.png)

`_` matches exactly one character

![](https://i.imgur.com/oOKKib1.png)

Remark: strings can also be compared

![](https://i.imgur.com/HauPYSr.png)

## and, or, not

## order by \<keyword>

Sorts the result in ascending or descending order. `DESC` sorts the records in descending order.

![](https://i.imgur.com/NifPJKa.png)

## limit

Specifies the number of records to return.

![](https://i.imgur.com/ifGy1FR.png)

## alias

Gives a table, or a column in a table, a temporary name.

Alias for a column:

![](https://i.imgur.com/hDTxYSn.png)

![](https://i.imgur.com/kbXEhxU.png)

Alias for a table:

![](https://i.imgur.com/Ha3kKL7.png)

An alias name that combines many columns. MySQL syntax: use the `concat()` function to combine them.

![](https://i.imgur.com/QZZytA5.png)

`as` can be omitted.

![](https://i.imgur.com/AdBhzMG.png)

## database()

The current database

![](https://i.imgur.com/AZmL3uM.png)

## user()

User and hostname information

![](https://i.imgur.com/kuhgIjH.png)

## @@datadir

The data directory path

![](https://i.imgur.com/WaB032f.png)

Padding

![](https://i.imgur.com/ktokHq1.png)

## exists()

Extremely handy (for guessing things by hand). This operator is used to test whether a record exists in a subquery.

![](https://i.imgur.com/kfRi2nx.png)

## ascii()

Combined with `select`, we can display the ASCII encoding.

Syntax: `ascii(character)` returns the character's `0xXX` value

![](https://i.imgur.com/dXIABc6.png)

## substring()

Extracts a substring from a string: `substring("name", start position, number of characters to extract)`

## union

Condition

- `union` is used to combine two or more `select` statements
- each of the columns must have a similar data type
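The `where`, `like`, `order by`, `limit`, alias, `exists()`, `ascii()` and `substring()` sections above, as one runnable added example (not code from the original note). It uses Python's built-in `sqlite3` as an offline stand-in for MySQL, with the note's `Persons` table filled with constructed rows; where the two dialects differ (`concat()` vs `||`, `ascii()`/`substring()` vs `unicode()`/`substr()`), the MySQL spelling is given in a comment. All function and table names apart from `Persons` are assumptions made here.

```python
import sqlite3

# Constructed sample data, not from the original note. sqlite3 stands in for MySQL so the
# block runs offline; where the dialects differ, the MySQL form is noted in a comment.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Persons (
            PersonID int,
            LastName varchar(255),
            FirstName varchar(255),
            Address varchar(255),
            City varchar(255)
        );
        INSERT INTO Persons VALUES
            (1, 'Hou',  'Alice', '1 Main St',  'Taipei'),
            (2, 'Lin',  'Bob',   '2 Park Ave', 'Tainan'),
            (3, 'Chen', 'Carol', '3 Lake Rd',  'Taipei'),
            (4, 'Wang', 'Dave',  '4 Hill Ln',  'Kaohsiung'),
            (5, 'Liu',  'Eve',   '5 Bay Dr',   'Taichung');
    """)
    return conn


def column(conn, sql, params=()):
    """Run a query and return the first column of every row as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def distinct_cities(conn):
    # SELECT DISTINCT collapses repeated values (Taipei appears twice in the table)
    return column(conn, "SELECT DISTINCT City FROM Persons ORDER BY City")


def where_examples(conn):
    # <> (same as !=), BETWEEN, IN (...) and AND / NOT inside a WHERE clause
    return {
        "not_equal": column(conn, "SELECT PersonID FROM Persons WHERE City <> 'Taipei' ORDER BY PersonID"),
        "between":   column(conn, "SELECT PersonID FROM Persons WHERE PersonID BETWEEN 2 AND 4 ORDER BY PersonID"),
        "in":        column(conn, "SELECT LastName FROM Persons WHERE City IN ('Tainan', 'Taichung') ORDER BY PersonID"),
        "and_not":   column(conn, "SELECT LastName FROM Persons WHERE City = 'Taipei' AND NOT PersonID = 1"),
    }


def like_examples(conn):
    # % matches any run of characters, _ matches exactly one character
    return {
        "prefix":   column(conn, "SELECT LastName FROM Persons WHERE LastName LIKE 'L%' ORDER BY PersonID"),
        "suffix":   column(conn, "SELECT LastName FROM Persons WHERE LastName LIKE '%n' ORDER BY PersonID"),
        "contains": column(conn, "SELECT LastName FROM Persons WHERE LastName LIKE '%an%' ORDER BY PersonID"),
        "one_char": column(conn, "SELECT LastName FROM Persons WHERE LastName LIKE 'L_n'"),
    }


def top_n_desc(conn, n):
    # ORDER BY ... DESC plus LIMIT: the n records with the highest PersonID
    return column(conn, "SELECT FirstName FROM Persons ORDER BY PersonID DESC LIMIT ?", (n,))


def full_names(conn):
    # Column alias (AS FullName) and table alias (Persons p).
    # MySQL would write concat(FirstName, ' ', LastName) AS FullName; sqlite concatenates with ||
    return column(conn, "SELECT FirstName || ' ' || LastName AS FullName FROM Persons p ORDER BY p.PersonID")


def city_exists(conn, city):
    # EXISTS() is true when the subquery returns at least one row
    return bool(column(conn, "SELECT EXISTS(SELECT 1 FROM Persons WHERE City = ?)", (city,))[0])


def first_char_code(conn, person_id):
    # MySQL: ascii(substring(LastName, 1, 1)); sqlite spells these unicode() and substr()
    return column(conn, "SELECT unicode(substr(LastName, 1, 1)) FROM Persons WHERE PersonID = ?", (person_id,))[0]


if __name__ == "__main__":
    db = make_db()
    print(distinct_cities(db), where_examples(db), like_examples(db), sep="\n")
    print(top_n_desc(db, 2), full_names(db), city_exists(db, "Taipei"), first_char_code(db, 1))
```

Every query takes its variable parts (`LIMIT ?`, `City = ?`, `PersonID = ?`) as bound parameters rather than string-building them, which is the habit that prevents the injection points described at the top of the note.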
- every `select` statement within the `union` must have the same number of columns

![](https://i.imgur.com/LwNQsqU.png)

```sql=
union all
```

`union` returns distinct values by default, so we have to use `union all` to show duplicate records.

![](https://i.imgur.com/8FclJv2.png)

## count()

Displays how many rows are in this column

![](https://i.imgur.com/gMPaQNc.png)

## group by

![](https://i.imgur.com/jMmEIVA.png)

# Constants

## version()

![](https://i.imgur.com/PDKt5VM.png)

## @@basedir

![](https://i.imgur.com/WVl30fV.png)

## @@datadir

![](https://i.imgur.com/E5LCHZP.png)

## @@hostname

![](https://i.imgur.com/8pJRvAp.png)

## show root password

![](https://i.imgur.com/FNN728Y.png)

## join

`join` is used to combine rows from two or more tables.

## inner join

Selects the records that have matching values in both tables.

![](https://i.imgur.com/v4279nA.png)

![](https://i.imgur.com/Pxtegxu.png)

![](https://i.imgur.com/pdS0PTe.png)

## left join

![](https://i.imgur.com/uhcbcm0.png)

![](https://i.imgur.com/Oj5oV4c.png)

## right join

![](https://i.imgur.com/i6yhx13.png)

![](https://i.imgur.com/o9FZ6pi.png)

# Instances

```sql=
select * from customer where id =1 and updatexml(1,concat(0x7e,database(),0x7e,user(),@@datadir),1);#
```

![](https://i.imgur.com/uFqYlj0.png)

And from the result we know that something can be injected here.

---

> Remark: SQL syntax is long, thick, big and black XD. Knowing neither yourself nor your enemy, you won't have a confidante either XD

侯智晟 : )

Email: moweheckerouo@gmail.com
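The `union` / `union all`, `count()` with `group by`, and the three `join` sections above, as one runnable added example (not code from the original note). As in the earlier example it uses Python's `sqlite3` as an offline stand-in for MySQL; the `Persons`, `Suppliers` and `Orders` tables and their rows are constructed here, and the `Suppliers`/`Orders` names and all function names are assumptions. One order deliberately refers to a `PersonID` that does not exist, so the difference between the join types is visible in the results.

```python
import sqlite3

# Constructed tables and rows, not from the original note. Order 13 belongs to PersonID 9,
# who is not in Persons, so inner/left/right joins produce visibly different row sets.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Persons   (PersonID int, LastName varchar(255), City varchar(255));
        CREATE TABLE Suppliers (SupplierID int, Name varchar(255), City varchar(255));
        CREATE TABLE Orders    (OrderID int, PersonID int, Amount int);
        INSERT INTO Persons VALUES
            (1, 'Hou', 'Taipei'), (2, 'Lin', 'Tainan'), (3, 'Chen', 'Taipei'),
            (4, 'Wang', 'Kaohsiung'), (5, 'Liu', 'Taichung');
        INSERT INTO Suppliers VALUES (1, 'Acme', 'Taipei'), (2, 'Globex', 'Hsinchu');
        INSERT INTO Orders VALUES (10, 1, 100), (11, 1, 50), (12, 3, 75), (13, 9, 20);
    """)
    return conn


def rows(conn, sql):
    return conn.execute(sql).fetchall()


def union_cities(conn):
    # Both SELECTs have one column of the same type, as UNION requires.
    # UNION removes duplicate rows; UNION ALL keeps every row from both sides.
    distinct = rows(conn, "SELECT City FROM Persons UNION SELECT City FROM Suppliers ORDER BY City")
    with_dupes = rows(conn, "SELECT City FROM Persons UNION ALL SELECT City FROM Suppliers")
    return len(distinct), len(with_dupes)


def persons_per_city(conn):
    # COUNT(*) with GROUP BY: one row per city with the number of persons in it
    return rows(conn, "SELECT City, COUNT(*) FROM Persons GROUP BY City ORDER BY City")


def inner_join(conn):
    # Only rows whose PersonID matches in both tables; order 13 has no person and is dropped
    return rows(conn, """SELECT p.LastName, o.OrderID FROM Persons p
                         INNER JOIN Orders o ON p.PersonID = o.PersonID
                         ORDER BY o.OrderID""")


def left_join(conn):
    # Every person is kept; persons without orders get NULL (None in Python) for OrderID
    return rows(conn, """SELECT p.LastName, o.OrderID FROM Persons p
                         LEFT JOIN Orders o ON p.PersonID = o.PersonID
                         ORDER BY p.PersonID, o.OrderID""")


def right_join(conn):
    # MySQL: Persons p RIGHT JOIN Orders o. Older sqlite builds lack RIGHT JOIN, so the
    # tables are swapped and LEFT JOIN used, which yields the same rows: every order is
    # kept, and order 13 gets NULL for LastName because no person matches it
    return rows(conn, """SELECT p.LastName, o.OrderID FROM Orders o
                         LEFT JOIN Persons p ON p.PersonID = o.PersonID
                         ORDER BY o.OrderID""")


if __name__ == "__main__":
    db = make_db()
    print(union_cities(db), persons_per_city(db), sep="\n")
    print(inner_join(db), left_join(db), right_join(db), sep="\n")
```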
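The "Check whether the injected code has been executed" section and the `updatexml` instance above both rest on one fact: when user input is concatenated into the query text, a `'` or a `union` changes the SQL grammar, which is why an error or an extra row set reveals the injection point. The added example below (not code from the original note) shows that behaviour on a `customer` table with constructed rows, next to the same lookup written with a bound parameter, where the identical inputs are treated purely as data. It also runs the note's indicators (`'`, `"`, `union`, `sleep(`, `updatexml(`) over a few constructed access-log lines as a first-pass detection signal. `sqlite3` stands in for MySQL (it has no `sleep()` or `updatexml()`, so only the error and union probes are executed); every function name, the `SIGNATURES` pattern and the log lines are assumptions made here.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    # Constructed table and rows, not from the original note
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (id INTEGER, name TEXT);
        INSERT INTO customer VALUES (1, 'alice'), (2, 'bob');
    """)
    return conn


def lookup_vulnerable(conn, user_input):
    # The input is pasted into the statement text, so it becomes part of the SQL grammar
    sql = "select * from customer where id = " + user_input
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    # The input is bound as a parameter: it can only ever be a value compared against id
    return conn.execute("select * from customer where id = ?", (user_input,)).fetchall()


def probe(lookup, conn, payload):
    """Describe what one probe observes: ('rows', n) or ('error', exception name)."""
    try:
        return ("rows", len(lookup(conn, payload)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# The note's error probe (a stray quote), its union probe, and a benign value for comparison
PROBES = {
    "error":  "1'",
    "union":  "1 union select 99, 'from-union'",
    "benign": "1",
}


def compare_probes():
    """For each probe: (what the concatenating lookup shows, what the parameterised one shows)."""
    conn = make_db()
    return {name: (probe(lookup_vulnerable, conn, p), probe(lookup_safe, conn, p))
            for name, p in PROBES.items()}


# First-pass signal built from the indicators the note lists; a real WAF/IDS rule set is
# far richer, and this pattern will also flag legitimate values containing an apostrophe
SIGNATURES = re.compile(r"""['"]|\bunion\b|\bsleep\s*\(|\bupdatexml\s*\(""", re.IGNORECASE)


def flag_requests(log_lines):
    """Return (parameter, decoded value) for every query parameter matching SIGNATURES."""
    flagged = []
    for line in log_lines:
        path = line.split()[1]                       # "METHOD path HTTP/x" request lines
        for key, values in parse_qs(urlsplit(path).query).items():
            for value in values:
                if SIGNATURES.search(value):
                    flagged.append((key, value))
    return flagged


# Constructed request lines in the shape a web server access log records them
SAMPLE_LOG = [
    "GET /customer?id=1 HTTP/1.1",
    "GET /customer?id=1' HTTP/1.1",
    "GET /customer?id=1%20union%20select%201,2 HTTP/1.1",
    "GET /customer?id=1%20and%20sleep(5) HTTP/1.1",
]


if __name__ == "__main__":
    for name, (vuln, safe) in compare_probes().items():
        print(f"{name:7} concatenated={vuln}  parameterised={safe}")
    print(flag_requests(SAMPLE_LOG))
```

In the concatenating version the quote probe surfaces as a database error and the union probe as an extra row, which is exactly the signal the note's error- and union-based checks look for; in the parameterised version both probes simply match no row, so there is no injection point to find. The log scan is the complementary defender view: the same probe strings show up in request parameters and can be alerted on before any query runs.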