SQL injection for beginners in web security (1)

Causes of SQL injection

A SQL injection vulnerability requires the following two conditions to hold:

  • The parameter is user-controllable
  • The incoming parameter is spliced into the SQL statement and passed along into the database query

Generally speaking, the SQL statement used to log a user in to a web page is:

select * from user where username='admin' and password='password';

If the programmer did not filter the user's input when designing the page, the user's input is carried straight into the database, and SQL injection becomes possible. The simplest case is constructing a universal password. Here we use DVWA to test:

Open DVWA, set the security level to low, and select SQL Injection:

Enter the following:

' or '1'='1'#

The result of this input is shown in the figure:

So what is the principle? First we look at the source code:

The SQL statement is:

SELECT first_name, last_name FROM users WHERE user_id = '$id';

Take another look at what we entered earlier:

' or '1'='1'#

Substituted into the SQL statement, it becomes:

SELECT first_name, last_name FROM users WHERE user_id = '' or '1'='1'#';

The `or` here means the WHERE clause is true as long as either side is true, so when the statement reaches the database every row's "first_name" and "last_name" is returned. The leading single quote of our input closes the opening quote of `'$id'`, leaving the empty string `''`; `'1'='1'` is always true; and the `#` that follows starts a MySQL comment, so the trailing single quote from the original statement is commented out.
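To see the splicing problem and its fix side by side, here is an added example that is not from the original post or from DVWA. It rebuilds the `users` table in an in-memory SQLite database as a stand-in for MySQL (the table contents are constructed); since SQLite has no `#` comment syntax, the payload below closes the string with the template's own trailing quote instead of commenting it out, which is the same universal-password idea.

```python
import sqlite3

# Constructed stand-in for the DVWA users table (in-memory SQLite, not MySQL).
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def build_spliced_query(user_id):
    """The vulnerable pattern from the text: untrusted input spliced into the SQL text."""
    return "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"

def lookup_spliced(conn, user_id):
    """Runs the spliced statement exactly as the database receives it."""
    return conn.execute(build_spliced_query(user_id)).fetchall()

def lookup_parameterized(conn, user_id):
    """The fix: the value travels separately from the statement text, so quote
    characters inside it can never change the shape of the WHERE clause."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"   # the page's universal password without the MySQL '#' comment
    print(build_spliced_query(payload))          # the WHERE clause has become "'' or '1'='1'"
    print(lookup_spliced(conn, "1"))             # one row, as intended
    print(lookup_spliced(conn, payload))         # every row in the table
    print(lookup_parameterized(conn, payload))   # no rows: the payload is just an odd user_id
```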


SQL injection methods

SQL injection can be GET-based, POST-based or cookie-based. Because the author is a beginner, we start with the GET type. The usual injection steps are as follows:

  • Determine whether there is an injection point
  • If the page echoes normally, use a union query; if it echoes an error, use error-based injection
  • Union query steps:
    1. Determine whether the parameter is character or numeric type
    2. If it is character type, determine how it is closed
    3. Determine the number of fields
    4. Determine the display positions
    5. Check the database version (the injection method differs between MySQL 4.0 and MySQL 5.0, but version 5.0 or higher is now the norm)
    6. Get all database names (whether this is needed depends on the situation)
    7. Get all table names in the current database
    8. Determine the column names of the key table
    9. Get the data

We use sqli-labs to test; the database here is MySQL. Open the first level of sqli-labs (you can enter the input in the URL; here I use the HackBar plugin).

Entering a single quote produces an error, so we judge that there is an injection point:


Remove the single quote and enter a double quote instead; no error is reported, so we judge that the parameter is character type and is closed by a single quote (the principle is explained later):

Use `order by` to determine the number of fields. Entering `order by 3` returns normally and entering `order by 4` reports an error, which shows that there are 3 fields. Note that because the parameter is character type, a comment must be appended at the end to comment out the trailing quote:

Next, determine the display positions: splice `union select 1,2,3` onto the query and notice that the page does not change. We judge that the original `id=1` row occupies the display position, so change it to `id=-1`; now 2 and 3 are displayed, which tells us that positions 2 and 3 are the display positions.

Then check the database version and, while we are at it, the current database name (because the same database is used later, this step is omitted in the rest of the article):

Get all database names (this step is only a demonstration and is omitted later):

Get all the table names in the current database, and determine that the administrator account and password are stored in the `users` table:

Determine that the key columns of the table are `username` and `password`:


The last step is to get the data:


At this point, the first level is complete.


Now to explain the principle behind judging numeric versus character type, and how a character parameter is closed:

  • Numeric SQL statement:
select * from user where id=1;
  • Character SQL statement:
select * from user where id='1';
select * from user where id="1";

Take the numeric type as an example: appending either a single or a double quote breaks the statement and causes an error. So if both kinds of quote produce an error, we judge the parameter to be numeric.

For the character type, take the single-quoted form as an example. After appending a single quote:

id='1''

there is an extra single quote at the end of the statement, which makes it invalid. If instead we append a double quote:

id='1"'

the double quote sits inside the single quotes and is treated as an ordinary character of the string, so no error is reported. From this we judge that the parameter is closed by single quotes. The double-quoted form behaves the same way with the roles of the two quotes reversed.

Summary: if both kinds of quote cause an error, the parameter is numeric; if a single quote causes an error and a double quote does not, it is closed by single quotes; if a double quote causes an error and a single quote does not, it is closed by double quotes. For the character type, a comment must be appended at the end to comment out the extra quote that remains after closing.


The injection here targets a MySQL database, so some MySQL background is needed:

Since MySQL 5.0 there is an `information_schema` database by default, which contains three tables that matter here:

SCHEMATA: stores information about all databases.
  • Key field: schema_name (database name)

TABLES: stores information about all data tables.
  • Key fields: table_schema (database name), table_name (data table name)

COLUMNS: stores information about all columns.
  • Key fields: table_schema (database name), table_name (data table name), column_name (column name)

Once you understand these, I believe the SQL statements above will also make sense >_<

Origin blog.csdn.net/weixin_47531846/article/details/109735250