Understand the past and present life of SQL injection in one article

1. Introduction to SQL injection


A SQL injection attack inserts malicious SQL queries or additional statements into an application's input parameters, which are then parsed and executed by the back-end SQL server. It is currently one of the most common ways attackers target databases.

2. Three-tier architecture of Web program


Three-tier architecture (3-tier architecture) usually divides the entire business application into:

  • User Interface layer
  • Business Logic Layer
  • Data access layer

The purpose of separating the layers is the principle of "high cohesion and low coupling". In software architecture design, a layered structure is the most common and most important structure, and it is used in many kinds of software development.


Database-driven web applications follow the three-tier architecture and are divided into three layers:

  • Presentation layer.
  • Business logic layer (also called domain layer)
  • Data access layer (also called storage layer)

The topology is shown in the figure below

 

In the picture above, the user accessed the Shiyanlou homepage, which involved the following steps:

  • Enter www.shiyanlou.com in the Web browser to connect to the Shiyanlou server.
  • The web server of the business logic layer loads the index.php script from local storage and parses it.
  • The script connects to the DBMS (database management system) located in the data access layer and executes SQL statements.
  • The database management system of the data access layer returns the results of the SQL statements to the Web server.
  • The Web server of the business logic layer packages the Web page as HTML and sends it to the Web browser of the presentation layer.
  • The web browser in the presentation layer parses the HTML file and displays the content to the user.

In a three-tier architecture, all communications must go through the middle layer. Simply put, the three-tier architecture is a linear relationship.

3. Detailed explanation of SQL injection vulnerabilities


3.1 Causes and threats of SQL injection:


As mentioned above, when we access a dynamic web page, the web server sends a SQL query request to the data access layer. If the permission check passes, the SQL statement is executed.
SQL requests that originate entirely within the website are generally not dangerous. In practice, however, SQL statements often have to be constructed dynamically from data the user enters. If the user's input is crafted as malicious SQL code and the web application does not review the parameters used in the dynamically constructed SQL statement, the result is unexpected danger.
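
The cause described above, shown as an added example (not code from the original article): a Python sqlite3 sketch of a lookup by id, first built by string concatenation and then with a bound parameter. The table, column names, function names and the sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin"), (2, "Gordon", "Brown"),
                    (3, "Pablo", "Picasso")])
    return db

def lookup_dynamic(db, user_id):
    # Vulnerable pattern from the text: the statement is built from user
    # input, so quotes in the input become part of the SQL grammar.
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE id = '" + user_id + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    # Hardened form: the statement text is fixed and the input travels
    # separately as a bound value, so it is only ever compared as data.
    sql = "SELECT first_name, last_name FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def parse_id(user_id):
    # Parameter review on top of binding: accept only short decimal ids.
    if not (user_id.isascii() and user_id.isdigit() and len(user_id) <= 9):
        raise ValueError("id must be a decimal integer")
    return int(user_id)

if __name__ == "__main__":
    db = make_db()
    crafted = "1' OR '1'='1"  # constructed input that contains SQL syntax
    for value in ("1", crafted):
        print(repr(value), "dynamic:", lookup_dynamic(db, value))
        print(repr(value), "bound:  ", lookup_bound(db, value))
```

With the crafted value, the concatenated statement returns every row because the input rewrote the WHERE clause, while the bound version matches nothing and parse_id rejects the value before it reaches the database.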

The threats brought by SQL injection mainly include the following points:

  • Guessing the backend database is the most commonly used method to steal sensitive information from websites.
  • Bypass authentication, such as bypassing verification to log into the website backend.
  • Injection can use database stored procedures to perform privilege escalation and other operations.


3.2 SQL injection example 1: guessing the database


Next, we will use an example to give you a clearer understanding of how SQL injection is used to guess the database.
The DVWA penetration testing platform is used as the target for attack testing:

 

First enter 1 and view the echoed output (ID=1 appears in the URL, which indicates that the PHP page passes the parameter with the GET method):

Origin blog.csdn.net/weixin_70257503/article/details/125900230