SQL injection (1)

0x01 SQL injection principle

      SQL injection exploits a flaw in how a query is constructed: attacker-controlled input is concatenated into the SQL statement, so the statement the server parses and executes carries the attacker's own SQL instead of plain data.

0x02 Common universal passwords in SQL injection

  How it works: when a user submits a user name and password for authentication, the site has to query the database. Querying the database means executing an SQL statement, but while building that statement the site does not filter certain special characters, such as the single quote (').

  For example:

  1. When a user logs in, the database query (SQL statement) executed in the background is:

     [Select user_id, user_type, email From users Where user_id = 'username' And password = 'password']

  2. Because the backend does not filter single quotes when it builds the query, entering the user name [admin] and the universal password [1'or'1] makes the executed SQL statement:

     [Select user_id, user_type, email From users Where user_id = 'admin' And password = '1'or'1']

  3. SQL logical operators have precedence: [=] binds tighter than [And], and [And] binds tighter than [Or]. When the backend parses this statement, the Where clause is therefore split into two parts joined by Or:

     [user_id = 'admin' And password = '1'] Or ['1']

     The second part is the constant '1', which is always true (MySQL converts the string '1' to the number 1, and a non-zero number is true). Since one side of the Or is true, the whole condition is true regardless of the password, the query returns rows, and the application treats that as successful authentication. Entering the user name [admin] and the password [1'or'1] logs you in. Note that because the Or applies to the whole table, every row matches; which account you land in depends on which row the application takes first.
 

  Note: when using a universal password, the backend may also filter sensitive words such as or and and; you can try bypasses such as changing case or double writing. I remember that the first question on the PTE exam tested the universal password: lowercase or was filtered, and Or could be used to bypass it.
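To make the three steps above and the filter-bypass note concrete, here is an added Python example (not code from the original post) that runs the same login query against an in-memory SQLite table. The table, the accounts (admin / S3cret!, alice / hunter2) and the blacklist filter `naive_keyword_filter` are constructed for this demonstration. SQLite, like MySQL, treats the string '1' as true in a Where clause and matches keywords case-insensitively, which is exactly what the universal password and the Or bypass rely on; the parameterised `safe_login` shows the fix.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the accounts and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT, user_type TEXT, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("admin", "administrator", "admin@example.com", "S3cret!"),
            ("alice", "user", "alice@example.com", "hunter2"),
        ],
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """The query from the article, built by string concatenation with no escaping."""
    return (
        "Select user_id, user_type, email From users "
        "Where user_id = '" + username + "' And password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Returns the user_id of the first matching row, or None. Injectable."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bind parameters: the driver passes the values separately,
    so a quote inside the password can never close the string literal."""
    row = conn.execute(
        "Select user_id, user_type, email From users "
        "Where user_id = ? And password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def naive_keyword_filter(value):
    """Hypothetical blacklist of the kind the note above describes: it deletes the
    lowercase keywords 'or' and 'and' in one pass. Case changes and double writing
    ('oorr' becomes 'or' after one deletion) defeat it."""
    return value.replace("or", "").replace("and", "")


def filtered_login(conn, username, password):
    """The vulnerable login placed behind the naive keyword filter."""
    return vulnerable_login(
        conn, naive_keyword_filter(username), naive_keyword_filter(password)
    )


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("admin", "1'or'1"))
    print("universal password, no filter  :", vulnerable_login(db, "admin", "1'or'1"))
    print("universal password, parameters :", safe_login(db, "admin", "1'or'1"))
    print("lowercase or, behind filter    :", filtered_login(db, "admin", "1'or'1"))
    print("case bypass Or, behind filter  :", filtered_login(db, "admin", "1'Or'1"))
    print("double writing oorr, filtered  :", filtered_login(db, "admin", "1'oorr'1"))
```

Running the block prints the injected statement from step 2 and shows that `1'or'1` logs in through the concatenated query, is rejected by the parameterised one, is stopped by the lowercase blacklist, and gets through again as `1'Or'1` or `1'oorr'1`. The design point is that a blacklist operates on the text before the parser sees it, while bind parameters keep user input out of the SQL grammar entirely, so there is nothing left to bypass.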

 


This post cites a section from another (senior) blogger's blog.


Source: www.cnblogs.com/difengblog/p/11528577.html