PHP Code Audit SQL injection

2025-02-24 Update From: SLTechnology News&Howtos

What is SQL injection

An SQL injection attack (SQL Injection), or injection attack for short, is one of the most common security vulnerabilities in Web development. It can be used to obtain sensitive information from the database, or to abuse database features to add users, export files and perform other malicious operations; it may even yield the highest privileges of the database or of a system user.

SQL injection arises because the program does not effectively filter the user's input. An attacker can therefore submit malicious SQL query code to the server, and the program mistakenly executes the attacker's input as part of the query statement. As a result, the original query logic is changed and additional malicious code carefully constructed by the attacker is executed.

SQL injection instance

Many Web developers do not realize that SQL queries can be tampered with, and they treat SQL queries as trusted commands. In fact, a tampered SQL query can bypass access control, and with it authentication and permission checks. In some cases it is even possible to run host-system-level commands through SQL queries.

Here are some real examples to explain how SQL injection works.

The test code is as follows:

First, let's take a look at the code:

    // Deliberately vulnerable test code (the mysql_* extension it uses was removed in PHP 7.0)
    $uid = $_GET['id'];                                  // get the GET value
    $sql = "SELECT * FROM userinfo where id=$uid";       // build the SQL statement from raw input
    $conn = mysql_connect('localhost', 'root', 'root');
    mysql_select_db("sql", $conn);                       // database configuration
    $result = mysql_query($sql, $conn);                  // run the SQL statement
    print_r('current SQL statement:' . $sql . '<br>Results:');
    print_r(mysql_fetch_row($result));                   // print the output

There is no filtering at all, so a simple SQL injection statement can directly query whatever information is wanted. The screenshot shows that the original SQL statement has been altered by the injected input, which uses a UNION query to return the current user.

Another instance is an injection in version 1.3, the latest version, of Duomi CMS. The vulnerable file is member/mypay.php (lines 14-40):

    if (empty($_SESSION['duomi_user_id'])) {
        showMsg("sign in first", "login.php");
        exit();
    } elseif ($dm == 'mypay') {
        $key = $_POST['cardkey'];                 // card number, taken from POST unfiltered
        if ($key == "") {
            showMsg("Please enter the recharge card number", "-1");
            exit;
        }
        $pwd = $_POST['cardpwd'];                 // card password, taken from POST unfiltered
        if ($pwd == "") {
            showMsg("Please enter the recharge card password", "-1");
            exit;
        }
        $sqlt = "SELECT * FROM duomi_card where ckey='$key'";
        $sqlt = "SELECT * FROM duomi_card where cpwd='$pwd'";   // overwrites the previous statement
        $row1 = $dsql->GetOne($sqlt);
        // The comparison operator was lost in extraction; <> (not equal) is assumed here
        if (!is_array($row1) OR $row1['status'] <> 0) {
            showMsg("incorrect recharge card information", "-1");
            exit;
        } else {
            $uname = $_SESSION['duomi_user_name'];
            $points = $row1['climit'];
            $dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(), uname='$uname',status='1' WHERE ckey='$key'");
            $dsql->executeNoneQuery("UPDATE duomi_card SET usetime=NOW(), uname='$uname',status='1' WHERE cpwd='$pwd'");
            $dsql->executeNoneQuery("UPDATE duomi_member SET points=points+$points WHERE username='$uname'");
            showMsg("Congratulations! Recharge successfully!", "mypay.php");
            exit;
        }
    } else {

The "cardpwd" variable here is submitted by POST and passed into the database query without any filtering, which causes the injection. The POC is constructed as follows (note that you need to register a user first; see lines 1-17 of the file for the login details):

http://localhost/member/mypay.php?dm=mypay
POST 0x7e (0x7e, (USER ()), 0x7e, 1)) and '1cards 1)
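The two lookups audited above, rewritten with bound parameters; this is an added example, not code from the original article or from the CMS. It assumes PDO with an in-memory SQLite database in place of MySQL, and the sample rows, the helper names findUser() and findCard(), and the combined card-number-and-password query are constructed for illustration.

```php
<?php
// Added example: parameterized versions of the two queries audited above.
// Assumptions: PDO + in-memory SQLite stands in for MySQL; the rows and the
// helper names findUser()/findCard() are constructed for this illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("CREATE TABLE duomi_card (ckey TEXT, cpwd TEXT, climit INTEGER, status INTEGER)");
$pdo->exec("INSERT INTO userinfo VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO duomi_card VALUES ('K-1001', 'P-secret', 50, 0)");

// Numeric parameter (first example): reject anything that is not an integer,
// then bind the value so it can never become part of the SQL text.
function findUser(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // input such as "1 UNION SELECT ..." stops here
    }
    $stmt = $pdo->prepare("SELECT id, name FROM userinfo WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String parameters (mypay.php pattern): card number and password are checked
// in one query with placeholders, so a quote in either is compared as data.
function findCard(PDO $pdo, $key, $pwd)
{
    $stmt = $pdo->prepare(
        "SELECT climit FROM duomi_card WHERE ckey = :k AND cpwd = :p AND status = 0"
    );
    $stmt->execute([':k' => $key, ':p' => $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one legitimate and one tampered value per helper.
var_dump(findUser($pdo, '1'));
var_dump(findUser($pdo, '1 UNION SELECT 1,2'));
var_dump(findCard($pdo, 'K-1001', 'P-secret'));
var_dump(findCard($pdo, 'K-1001', "x' OR '1'='1"));
```

When the same code runs against MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements.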
