Shulou(Shulou.com)06/02 Report--

Editor to share with you an example analysis of the principle of Union injection attacks in Web, I believe that most people do not know much about it, so share this article for your reference, I hope you will learn a lot after reading this article, let's go to know it!

1. Union injection attack

The test address for the Union injection attack is http://127.0.0.1/sqli/union.php?di=1.

When you visit the URL, the result returned by the page is shown in figure 6.

Figure 6. The result of the page when accessing id=1

Add a single quotation mark after the URL and visit it again, as shown in figure 7. The result returned by the page is different from that of id=1.

Figure 7 results of the page when accessing id=1'

Visit id=1 and 1, and because and 1 is true, the page should return the same result as id=1, as shown in figure 8. Visit id=1 and 1: 2, and because and 1: 2 is false, the page should return a different result from id=1, as shown in figure 9.

Figure 8 results of the page when accessing id=1 and 1 / 1 / 1

Figure 9 results of the page when visiting id=1 and 1 / 2

It can be concluded that there may be SQL injection vulnerabilities in the site.

Next, use the order by 1-99 statement to query the number of fields in the data table, such as visiting id=1 order by 3, and the page returns the same result as id=1, as shown in figure 10.

If you visit id=1 order by 4 and the page returns a different result from id=1, the field digit 3 is shown in figure 11.

Figure 10 results of accessing the dumb1 order by 3 page

Figure 11 what is the result of the page when accessing dumb1 order by 4

Query the contents of the parameter ID in the database, and then output the contents of the database to the page. Because the data is output to the page, you can use Union injection, and through the order by query results, the number of fields is 3, so the statement of Union injection is as follows.

Union select 1,2,3

As shown in figure 12, you can see that the page executes successfully but does not return the result of union select, because the code only returns the result of the first item, so the result obtained by union select is not output to the page.

Figure 12 results of visiting id=1 union select 1 page 2, 3

You can set the parameter ID value to let the server return the result of union select, for example, set the value of ID to-1, so that there is no data of id=-1 in the database, so the result of union select will be returned, as shown in figure 13.

Figure 13 results of visiting id=-1 union select 1 page 2, 3

The return result is 2: 3, which means that in union select 1 Magi 2 and 3, the positions of 2 and 3 can be entered into MySQL statements. We tried to query the current database name at location 2 (using the database () function), visit od=-1 union delect 1 database (), 3, and the page successfully returned the database information, as shown in figure 14.

Figure 14 using Union injection to obtain database ()

Once you know the database name, enter the following command to query the table name (the database name test is replaced according to the actual situation).

Select table_name from information_schema.tables where table_schema='test' limit 0,1

Try pasting the statement at position 2, where you need to add parentheses, and as shown in figure 15, the page returns the first table name of the database. If you need to see the second table name, modify the first digit in limit, for example, you can get the second table name of the database by using limit 1, as shown in figure 16.

Figure 15 using Union injection to get the first table name

Figure 16 using Union injection to obtain the second table name

Now that all the table names have been queried, the database name and table name are known, and the query field name is started. Here, take the emails table name as an example, the query statement is shown below.

Select column_name from information_schema.columns where table_schema='test' and table_name='emails' limit 0,1

Try pasting the statement at positions 2 and 3, and the parentheses are still necessary. As shown in figure 17, you get the first and second field names of the emails table.

Figure 17 using Union injection to obtain the first and second field names

When the database name, table name and field name are obtained, a malicious SQL statement is constructed to query the data of the database, such as the data corresponding to the query field email_id. The constructed SQL statement is shown below.

Select email_id from test.emails limit 0,1

As a result, as shown in figure 18, the page returns the first piece of data from email_id.

Figure 18 data acquisition using Union injection

2. Analysis of Union injection code

In the Union injection page, the program obtains the GET parameter ID, splices the ID into the SQL statement, queries the content of the parameter ID in the database, and then outputs the username and address in the first query result to the page. Because the data is output to the page, you can use the Union statement to query other data, the page source code is as follows.

When id=1 union select 1 is accessed, the SQL statement executed is:

Select * from users where 'id'=1 union select 1, 2 and 3 are all the contents of this article entitled "sample Analysis of Union injection attacks in Web". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.