Shulou(Shulou.com)05/31 Report--

This article mainly shows you "what is sql injection", the content is easy to understand, clear, hope to help you solve your doubts, the following let the editor lead you to study and learn "what is sql injection" this article.

Understanding SQL injection

From the very beginning, from the simplest beginning, we entered less-1 to start our SQL injection learning journey.

By changing the id value of http://localhost/sqlilabs/Less-1/?id=3, different content (username,password) is rendered on the page.

Then we can guess that the SQL statement in the background is to go to the corresponding data according to the id value passed in the foreground.

Then the SQL statement is written as follows:

Select username,password from table where id=input

Determine the existence of a SQL statement

Next, do the test, using the following statement:

Http://localhost/sqlilabs/Less-1/?id=3 and 1 # 1 http://localhost/sqlilabs/Less-1/?id=3 and 1 # 2

There is no change to the page at this time, which is not in line with our expected results, because when id=3 and 1 changes 2, the SQL statement changes to select username,password from table where id=3 and 1 changes 2 page should not have content.

Make sure there is a SQL statement

After using the previous statement, we use the following statement:

Http://localhost/sqlilabs/Less-1/?id=3'

When URl is the above SQL statement, the page displays the SQL execution error message You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '3percent' LIMIT 0Magi 1'at line 1.

The most critical error message is:

'3million 'LIMIT 051'

The outermost quotation marks are automatically added when mysql makes an error. Then the actual SQL statement is' 3percent 'LIMIT 0Pol 1. We found that the 3'we typed was surrounded by quotation marks, so the select username,password from table where id=input we guessed before was wrong, and the actual SQL statement in the background should be:

Select username,password from table where id='input'

SQL injection verification

After confirming that there is SQL injection and knowing the background SQL writing, we can inject our own SQL-injected code at this point.

Because we can control the value of id, the final input SQL statement will be:

Select username,password from table where id='input attack Code'

At this point, we can construct the following payload to verify our idea. Since our input is wrapped in a pair of single quotation marks, the statement we enter must not be affected by single quotation marks. Either close or comment out the single quotation marks. (please refer to the previous article)

# closed single quotation marks id=1 and'1' ='1 # # comments single quotation marks id=1 and 1 # 1 # or id=1 and 1 quotes 1 Murray +

When we use the above three payload, the results displayed on the page are as expected. Then we can also determine that the id parameter does have SQL injection. The SQL statement in the background is indeed written as select username,password from table where id='input'.

After determining the SQL statement, the next step is to inject the SQL injection code.

Perform SQL injection

It is critical to use SQL statements to take off your pants. If you only know that there is SQL injection but can't take off your pants, then in fact this vulnerability is very harmless to the site. How to construct the correct SQL statement to take off your pants is also very important, and the detailed steps of SQL injection will be explained in detail in the next article.

Injection type judgment

The SQL statement in this question is called character-based SQL injection, because our input is included in single quotation marks during the execution of the SQL statement. In fact, in the execution of the SQL statement, this id parameter is treated as a character-type data. In addition to character-based SQL injection, there are of course numeric SQL statements. So how to distinguish between the two?

Character SQL injection

In the section that determines that there is a SQL statement, the error message when we enter id=3' is the page is' 3percent 'LIMIT 0pl 1. We find that 3' is surrounded by quotation marks, which means that this is a character-based SQL injection.

Digital SQl injection

In less-2, when we also enter id=3', the error message on the page is' LIMIT 0Magne1, which means that it is a numeric injection and there is also a limit keyword, so we guess that the SQL injection in less-2 is:

Select username,password from table where id=input limit 0,1

All of the above can be verified by viewing the source code.

SQL sentence judgment

But in many cases, we can not return the error message of the sql execution statement through single quotation marks, so we can not get the injection type through the error message. Because many times there are all kinds of strange ways to write SQL statements in the background.

In less-3 and less-4, it is written as follows:

$sql= "SELECT * FROM users WHERE id= ('$id') LIMIT 0jue 1"

Parentheses are used in less-3 to wrap the user's input

$id=''. $id.''; $sql= "SELECT * FROM users WHERE id= ($id) LIMIT 0pl 1"

If you use double quotation marks to wrap the user's input in less-4, you will not be able to execute an error in the SQL statement even if you test in single quotation marks.

So in many cases, it is not enough to use a single symbol to judge, it is necessary to use different types of symbols for test judgment, including',',\, (, =, &, etc., and sometimes even use other probing methods, because you can't judge the writing of SQL statements in the background, and many website developers already have a certain degree of security awareness. It is possible that regular SQL probe statements cannot be used. There is a lot of information about other probe statements with multi-SQL injection on the Internet.

The above is all the content of this article "what is sql injection?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.