
Principle and basic understanding of sql injection

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Introduction:

Injection has long held first place in the OWASP Top 10. For what OWASP is, see the Baidu Encyclopedia entry for OWASP.

Introduction to SQL injection:

So-called SQL injection means deceiving the server into executing malicious SQL commands by inserting SQL fragments into a Web form field, a submitted domain name, or the query string of a page request. Specifically, it exploits an existing application's ability to pass (malicious) SQL commands through to the back-end database engine for execution: by entering (malicious) SQL statements into a Web form, an attacker can obtain data from the database of a site that has such a security vulnerability, instead of the application executing only the SQL statements its designer intended. [1] For example, many earlier film and video websites leaked VIP member passwords largely through query strings submitted via WEB forms, which are particularly prone to SQL injection.

Injection principle

The program fails to handle user input properly, so unexpected commands are executed or data is accessed. In other words, the root cause of injection is that request parameters are accepted and passed directly into the database query without correct processing. Carrying out an injection requires confirming two things: a submitted parameter (data) that the client controls, and the point at which that parameter is joined to the SQL command.
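The two ingredients named above, a client-controlled parameter and the point where it is joined to the SQL text, can be shown side by side with their fix. The following is an added example written for this page, not code from the original article; it uses Python's built-in sqlite3 module, an in-memory database with a constructed users table, and constructed inputs. The vulnerable functions paste the parameter into the SQL string (the article's "directly brought into the database"); the corrected ones bind it as a parameter so the database never parses it as SQL. It also covers the numeric versus character distinction the article draws later: a numeric injection point has no quotes around the value, so quote escaping alone would not protect it.

```python
import sqlite3

# Constructed sample rows; not taken from the original article.
SEED_ROWS = [
    (1, "alice", "s3cret-alice"),
    (2, "bob", "s3cret-bob"),
    (3, "carol", "s3cret-carol"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Character-type injection point: the parameter is concatenated into the
    SQL text, so whatever the client submits becomes part of the command."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Corrected form: the value is bound with a placeholder and is only ever
    treated as data, never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id_vulnerable(conn, user_id):
    """Numeric-type injection point: no quotes surround the value, so a filter
    that merely escapes quotes would not help here."""
    sql = "SELECT id, name FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_safe(conn, user_id):
    """Corrected numeric form: enforce the expected type first, then bind."""
    user_id = int(user_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both versions against constructed inputs and collect the outcomes."""
    conn = make_db()
    # A legitimate name containing an apostrophe: harmless data, yet it breaks
    # the concatenated query, proving the input reaches the SQL parser.
    apostrophe_name = "O'Brien"
    # Constructed inputs of the kind the article describes: a string that closes
    # the quote and appends an always-true condition, and a numeric one that
    # appends the condition directly.
    tautology_str = "x' OR '1'='1"
    tautology_num = "1 OR 1=1"

    results = {}
    try:
        results["vuln_apostrophe"] = find_user_vulnerable(conn, apostrophe_name)
    except sqlite3.Error as exc:
        results["vuln_apostrophe"] = "sql error: " + str(exc)
    results["safe_apostrophe"] = find_user_safe(conn, apostrophe_name)

    results["vuln_str"] = find_user_vulnerable(conn, tautology_str)  # every row
    results["safe_str"] = find_user_safe(conn, tautology_str)        # no row

    results["vuln_num"] = find_by_id_vulnerable(conn, tautology_num)  # every row
    try:
        results["safe_num"] = find_by_id_safe(conn, tautology_num)
    except ValueError:
        results["safe_num"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The apostrophe case is worth keeping in mind as a detection aid: a database syntax error triggered by ordinary punctuation in a form field is the same symptom that marks an injectable parameter, so such errors in application logs deserve a look at the query construction, not just a catch-all handler.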

Classification of SQL injection

By data transmission mode: GET, POST, Cookie.

By data type: numeric, character.

By injection mode:

UNION query-based injection

Error-based injection

Boolean-based blind injection

Time-based blind injection

Stacked query injection

General steps of SQL injection

The basic steps of SQL injection (essentially the same sequence that sqlmap follows):

Determine the injection type, whether keywords are filtered, and whether the filter can be bypassed.

Obtain the database user, version, currently connected database, and similar information.

Obtain information about the database's tables.

Obtain column information.

Finally, obtain the data.


© 2024 shulou.com SLNews company. All rights reserved.
