Shulou(Shulou.com)06/02 Report--

This article mainly introduces the example analysis of the principle of secondary injection attack in Web, which is very detailed and has a certain reference value. Interested friends must read it!

Secondary injection attack

Test addresses for secondary injection attacks: http://127.0.0.1/sqli/double1.php?username=test and http://127.0.0.1/sqli/double2.php?id=1. Among them, the function of the double1.php page is to register the user name and the place to insert the SQL statement; the function of the double2.php page is to read the user name and user information through the parameter ID.

The first step is to visit the double1.php?username=test', as shown in figure 40.

Figure 40 registered user name test'

From the results returned from the page, you can see that the user name test' uses an ID of 9 and accesses double2.PHP?id=9. The result is shown in figure 41.

Figure 40 access to test' information

From the returned result, you can see that the server returned an error of MySQL (syntax error caused by an extra single quote). At this time, go back to the first step and visit double1.php?username=test' order by 1 to get a new id=10. When you visit double2.php?id=10 again, the page returns blank. Try again, visit double1.php?username=test' order by 10Mushroom to get a new id=11, and when you visit double2.php?id=11 again, the page returns an error message (Unknown column '10' in' order clause'), as shown in figure 42.

Figure 42 results of accessing order by 10

This shows that the blank page is returned normally, and by constantly trying, the author judges that there are a total of three fields in the database.

Visit double1.php?username=test' union select 1 and 2, get a new id=12, visit double2.php?id=12, and find that the page returns the 1 and 2 fields in union select, as shown in figure 43.

Figure 43 results of using the Union statement

In the position of 2 or 3, insert our statements, such as accessing double1.php?username=test' union select 1jigma user (), 3Mutual id=13, getting a new id=13, and then accessing double2.php?id=13 to get the result of user (), as shown in figure 44, using this method to get the data in the database.

Fig. 44 obtaining data by secondary injection

Secondary injection code analysis

The code of the double1.php page in the secondary injection is as follows, which realizes the simple user registration function. The program obtains the parameter password of the GET parameter username, then splices username and password into the SQL statement, and inserts the insert statement into the database. Because parameter username is escaped using addslashes (single quotation marks are escaped so that single quotation marks cannot be closed), and parameter password hashes MD5, there is no SQL injection vulnerability here.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.