SQL injection vulnerability attack

1. Introduction

Suppose you log in to a paid website with your username and password. The website server checks whether you are a VIP user, and that user data lives in a database. Everything the server does with the database, whether querying it, adding records, or deleting, modifying and checking them, is written in the SQL language.

However, as SQL injection attackers, we do not know the password of the website, or even the username, so we cannot follow the normal route.
Instead of entering normal data, the attacker enters input that the server treats as code, so the server's normal database query turns into execution of unintended SQL. The attacker can then do what he wants.

The following is a normal query. Login succeeds only when the username and password both match.

select * from users
where
username='栈老师' and password='123456'

But if the server does not filter the data entered by the user, it is very dangerous! For example, if we add a single quotation mark at the end of the username, then when the SQL is executed the content inside a pair of quotation marks is treated as character data. Because the quotation marks here are no longer paired, the query fails with a syntax error. If the server returns this SQL error message directly to the user, the attacker learns the exact reason for the error, and that opens the door to SQL injection attacks.

2. Log in without password

If we add two hyphens after the single quote in the username, things change. In MySQL, when the parser meets two hyphens it treats everything from there to the end of the line as a comment, and comments are not executed as code. The effect is that only the part of the SQL statement before the comment is executed.

So knowing only the username, even without the password, you can still log in. The resulting query looks like this:

select * from users
where
username='栈老师' --' and password='123456'

3. Log in without username or password

The above covers the case where only the username is known and the password is not. What if we do not even have a correct username?
When the SQL statement reaches the where clause, it evaluates whether the condition is true or false. If we splice our own condition in with or, then as long as one side of the or is true, the whole condition is true. So we only need to add one condition that is always true, for example 1=1. Even if the user information is wrong, the where clause always evaluates to true.

Then even without knowing the username or the password, you can still log in:

select * from users
where
username='栈老师' or 1=1

4. Merge tables to obtain username and password

We all know that two result sets can be merged with the union keyword, like this:

select * from table1
union
select * from table2

MySQL does not require a table name after the second select; the union only requires that both sides have the same number of columns and that the column data types correspond.
So we can write null in place of each column name after select. null means no value, but the union still requires the same number of columns on both sides, so an attacker can measure how many columns the original query returns by increasing the number of nulls until the query stops erroring.

select * from products
union
select null, null, null

Suppose the attacker has learned the name and columns of another table (the user table) by other means. He can then put those column names in place of the nulls and name the table to select from.
Besides matching the number of columns, a union also requires compatible data types in each column position, otherwise the merge fails.
In practice, after the attacker has determined the number of columns, he also probes the data type of each column, testing them one by one. Once that is done, everything is put together.
First, a single quote is used to forcibly terminate the string at the injectable position, and two hyphens are added so that the rest of the original statement is ignored and the SQL does not report an error.

In this way, the attacker can inject a union statement here:

select * from products
where name = 'apple'
union
select null, username, password from users --'

At this point the account and password information has been merged into the products result set, just like that!
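To show why string concatenation is the root cause and how parameterized queries close it, here is an added example (not part of the original article) that runs the article's three payloads against both a concatenating query and a parameterized one. It assumes an in-memory SQLite database with constructed users and products tables; the table layouts and the helper names are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data mirroring the article's users and products tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.execute("insert into users values (1, '栈老师', '123456')")
    conn.execute("create table products (id integer, name text, price real)")
    conn.execute("insert into products values (1, 'apple', 2.5)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Input is pasted into the SQL text, so a quote ends the string literal and
    # everything after it is parsed as SQL (the flaw the article describes).
    sql = f"select * from users where username='{username}' and password='{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: values travel separately from the SQL text, so
    # quotes, '--' and 'or 1=1' are compared literally against the column.
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def search_vulnerable(conn, name):
    # Same concatenation flaw on the products lookup used in the union section.
    return conn.execute(f"select * from products where name = '{name}'").fetchall()


def search_safe(conn, name):
    # Parameterized form: a union payload is just a product name that matches nothing.
    return conn.execute("select * from products where name = ?", (name,)).fetchall()


def probe_error(conn, username):
    # Returns the database error text a lone quote provokes in the vulnerable
    # query, or None if it ran; echoing such text to users is the leak the
    # article warns about, so the safe path never produces one.
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)
```

SQLite treats `--` as a comment start unconditionally, while MySQL requires whitespace after the two hyphens, so the article's `--'` form needs a space after the hyphens there.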

Origin blog.csdn.net/m0_52861684/article/details/132807741