
What is the principle of SQL injection and code analysis

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the principle of SQL injection together with code analysis. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

Preface

As everyone knows, when learning security, understanding SQL injection is a top priority: even today SQL injection vulnerabilities still exist, although they are harder to find than they used to be. There are many knowledge points involved, so I would like to summarize them here and explain several common kinds of SQL injection by constructing deliberately defective code. The following only explains the principle of each injection type; it does not walk through a detailed exploitation process.

SQL injection principle

A SQL injection vulnerability arises when two conditions are met.

The parameter is user-controllable: the content of the parameter passed from the front end to the back end can be set by the user.

The parameter reaches the database query: the passed parameter is concatenated into the SQL statement and executed by the database.

Therefore, in real environments, developers should follow the principle that external parameters are never trusted.

Several common SQL injection attacks

Union injection attack

Look at the code first.

On the union injection page, the program obtains the GET parameter id, does not filter the id value passed by the user, concatenates it directly into the SQL statement, queries the database for the row corresponding to id, and outputs the user and password from the query result to the page. Union injection works on the premise that the page echoes query results.

Then follows the general idea of injection: determine the injection type, determine the number of fields (columns) in the original query, and use union to query the relevant data.

Boolean blind injection attack

Look at the code first.

On the Boolean blind injection page, the program first obtains the GET parameter id and uses the preg_match() function to check whether it contains dangerous keywords such as union, sleep or benchmark. It then concatenates the parameter id into the SQL statement, queries the database, and returns yes if there is a result, otherwise no. So when you visit this page, the code returns only yes or no based on the query result and never any data from the database, which is why the union injection described above does not work here. Instead, try Boolean blind injection.

Boolean blind injection means constructing SQL conditional statements and inferring which conditions are true by observing the page's response. For example, to determine the length of the database name we can construct the following statement.

and length(database())>=1 # increase the number in turn and check the returned result.

From the above statement we can infer that the length of the database name is 4.

Then use the character-by-character guessing method to obtain the database name. The characters of a database name are generally the letters a-z and the digits 0-9. The construction statement is as follows.

and substr(database(),1,1)=<letter to be guessed> (converted to hexadecimal)

substr means to extract a substring; the constructed statement extracts the value of database(), one character at a time, starting from the first. Note here that limit counts from 0 while substr counts from 1, which distinguishes it from the limit statement. Because I know that the first letter of the database name is d, I change it directly to d, which converted to hexadecimal is 0x64. The result is as follows.

In a real environment, doing this by hand is a heavy workload, so you can use Burp's brute-force function to enumerate the letters to be guessed.

Similarly, you can use substr() to guess table names and fields. The construction statement is:

and substr((select table_name from information_schema.tables where table_schema=<database name> limit 0,1),1,1)=<letter to be guessed> (here the table name)

In this way, you can guess all the table names and fields; since doing so by hand is exhausting, use Burp or sqlmap.

Error-based injection attack

Look at the code first.

Looking at the code on the error-based injection page: after the program obtains the GET parameter id, it concatenates id into the SQL statement and executes the query. If execution succeeds, it outputs ok; if there is an error, it outputs the error message to the page via echo mysqli_error($con). We can use this error echo to display what we want to query on the page through functions such as updatexml() and floor().

For example, we obtain the value of user() through updatexml() by constructing the following statement.

and updatexml(1,concat(0x7e,(select user()),0x7e),1) # 0x7e is the hexadecimal encoding of ~

The error message returned the value of user().

Similarly, we can query the value of database():

and updatexml(1,concat(0x7e,(select database()),0x7e),1) # 0x7e is the hexadecimal encoding of ~

The database name is returned.

We can query all the remaining table names and fields in the same way, just by constructing the relevant SQL statement.
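The two conditions from the principle section, the union page and the error-echo page can be demonstrated side by side in working code. This is an added example, not the article's code: the article's pages are PHP against MySQL, while this stand-in uses Python with an in-memory SQLite table named users and two made-up rows. The function names lookup_vulnerable and lookup_hardened are mine. The vulnerable version concatenates the id parameter and returns the raw database error, exactly the two defects the article describes; the hardened version validates the parameter, binds it as a query parameter, and logs errors server-side while returning only a generic message.

```python
import logging
import sqlite3

# Constructed in-memory database standing in for the article's MySQL table
# with user and password columns; the rows are made-up sample data.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> dict:
    """Mirrors the article's defective pages: the id parameter is concatenated
    straight into the statement (condition 2: the parameter reaches the query),
    and the raw database error is handed back to the caller, which is what the
    article's `echo mysqli_error($con)` does."""
    sql = "SELECT user, password FROM users WHERE id=" + user_id
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Leaks database internals (for example the UNION column-count
        # complaint that tells an attacker how many fields to match).
        return {"rows": [], "error": str(exc)}


def lookup_hardened(con: sqlite3.Connection, user_id: str) -> dict:
    """Parameterised form: id is validated as an integer and bound by the
    driver, so it can never be parsed as SQL. Database errors are logged on
    the server; the caller only ever sees a generic message."""
    try:
        rows = con.execute(
            "SELECT user, password FROM users WHERE id=?", (int(user_id),)
        ).fetchall()
        return {"rows": rows, "error": None}
    except (ValueError, sqlite3.Error) as exc:
        logging.getLogger("app").warning("lookup failed: %s", exc)
        return {"rows": [], "error": "invalid request"}


if __name__ == "__main__":
    db = make_db()
    crafted = "1 UNION SELECT user, password FROM users"
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("hardened:  ", lookup_hardened(db, crafted))
```

Run as a script, the vulnerable lookup returns every user's password for the crafted id while the hardened one rejects it with "invalid request"; passing a crafted id with the wrong number of columns to the vulnerable lookup returns SQLite's column-count error text, which is the kind of echoed error the article's error-based section builds on.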

Time-based blind injection attack

Look at the code first.

Looking at the code on the time-based blind injection page: the program obtains the GET parameter id, checks for dangerous keywords such as union via the preg_match() function, then concatenates id into the SQL statement and executes it in the database. If there is a result it returns yes, otherwise no. No data from the database is returned.

It differs from Boolean blind injection in that time-based blind injection uses functions such as sleep() or benchmark() to lengthen the execution time. It is usually combined with if(expr1,expr2,expr3), where if() returns expr2 if expr1 is true and expr3 otherwise. So to determine the length of the database name, we construct the following statement.

if(length(database())>3,sleep(5),1) # determine the length of the database name: if it is greater than 3, sleep for 5 seconds, otherwise return 1

From the screenshot above, we can tell from the response time that the length of the database name is 4.

After getting the length, query the first letter of the database name through substr(), similar to Boolean blind injection, by constructing the following statement.

and if(substr(database(),1,1)=<first letter of the database name>,sleep(5),1)

Guess each character in turn. In the same way you can obtain the complete database name, table names, field names and specific data. Manual work is still a huge project, so tools are usually used.
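The Boolean, error-based and time-based pages above all leave the same traces in a web server's access log: a query string carrying length(database()), substr(, updatexml( or sleep(, and in the time-based case an unusually slow response. The following is an added example from the defender's side that is not part of the article: it scans constructed access-log lines for those indicators after URL-decoding and normalising the query. The log format (client, request, status, response seconds), the file names bool.php and so on, the client addresses and the 3-second slow-response threshold are all assumptions made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in a hypothetical format:
# <client-ip> "<method> <path?query>" <status> <response-seconds>
SAMPLE_LOG = """\
203.0.113.7 "GET /union.php?id=1" 200 0.012
203.0.113.7 "GET /bool.php?id=1%20and%20length(database())%3E%3D4%23" 200 0.010
203.0.113.7 "GET /bool.php?id=1%20and%20substr(database(),1,1)%3D0x64%23" 200 0.011
203.0.113.7 "GET /err.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)%23" 200 0.013
203.0.113.7 "GET /time.php?id=1%20and%20if(length(database())%3E3,sleep(5),1)" 200 5.021
198.51.100.9 "GET /union.php?id=42" 200 0.009
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) ([^"]+)" (\d{3}) ([\d.]+)$')

# Indicators drawn from the article's four injection families. They are
# matched against the decoded, lower-cased query so URL-encoding and extra
# whitespace do not hide them.
SIGNATURES = [
    ("union", re.compile(r"\bunion\b.*\bselect\b")),
    ("blind", re.compile(r"length\(database\(\)\)|substr\(|information_schema")),
    ("error", re.compile(r"updatexml\(|floor\(")),
    ("time", re.compile(r"sleep\(|benchmark\(")),
]

# Responses at or above this many seconds are suspicious when a time-based
# indicator is present (assumed threshold; tune to the application's normal).
SLOW_SECONDS = 3.0


def normalize_query(raw_query: str) -> str:
    """URL-decode, lower-case and collapse whitespace in a query string."""
    return re.sub(r"\s+", " ", unquote_plus(raw_query).lower())


def scan_line(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, secs = m.groups()
    path, _, query = target.partition("?")
    q = normalize_query(query)
    families = [name for name, rx in SIGNATURES if rx.search(q)]
    seconds = float(secs)
    # A sleep()/benchmark() payload that also produced a slow response is the
    # strongest signal that the time-based condition evaluated to true.
    if "time" in families and seconds >= SLOW_SECONDS:
        families.append("slow-response")
    return {"ip": ip, "path": path, "families": families, "seconds": seconds}


def scan_log(text: str) -> list:
    """Return only the lines that matched at least one injection family."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = scan_line(line)
        if f and f["families"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running the script flags the four crafted requests and nothing else. Note that this is monitoring, not protection: a keyword blacklist like the article's preg_match() check can be worked around, which is why the fix remains parameterised queries; a scanner like this one exists to notice the probing, rate the attempt per client, and feed the finding to the team that owns the page.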

This article has briefly analysed the principle and code of union injection, Boolean blind injection, error-based injection and time-based blind injection.

That is all on the principle of SQL injection and code analysis. I hope the above content can be of some help to you and that you can learn more from it. If you think the article is good, you can share it for more people to see.
