When your talent
cannot yet support your ambition,
it is time to settle down and learn.
Notes from studying code auditing online: practising along while watching the lessons, with the notes tidied up afterwards for quick reference.
Table of contents
- SQL injection vulnerability audit
- Examples of wide byte injection
SQL injection vulnerability audit
Summary:
A SQL injection attack means constructing special input that is passed to a web application as a parameter. The input is mostly a combination of SQL syntax, so that the attacker's SQL statements end up being executed. The main cause is that the program does not filter user input carefully, allowing illegal data to get in. SQL injection arises either because the code is imperfect or because the encoding is imperfect. Imperfect code usually comes from not considering robustness and security while programming; imperfect encoding can be avoided effectively as long as a few functions are used according to their specification. Since code and encoding are two different aspects of the problem, we divide SQL injection into two categories:
- Common SQL injection: the most common SQL injection vulnerabilities, produced because user input is not filtered or is filtered loosely. The injection can be of integer or character type, and the database can usually be queried directly with a UNION query.
- Encoding SQL injection: to defend against SQL injection, some applications encode user input, but the encoding function itself has problems. Certain special characters are not handled compatibly by the encoding function and become dangerous characters in the output. The most common example is MySQL wide byte injection.
Here we focus on wide byte injection and only touch on general SQL injection. If you need to learn the basics of SQL injection,
please visit the following link:
https://blog.csdn.net/god_xiangyu/article/category/9106861
Wide byte injection
Principle of wide byte injection
Although all programs are supposed to use Unicode and all sites are supposed to use UTF-8 as the unified international standard, many sites still use their own country's encoding (such as GBK) as the default. To defend against common SQL injection, some sites enable magic_quotes_gpc
or use addslashes, mysql_real_escape_string
and similar functions to filter user input. When the input parameter contains a single quote, a \ (escape character) is forced in front of it
so that it is escaped. This does defend against SQL injection to a certain degree, but if the database happens to use a wide-byte encoding such as GB2312, GBK or GB18030, it opens the door to wide byte injection.
Examples of wide byte injection
Example:
The code is as follows:
```php
<?php
# Open a non-persistent MySQL connection
$conn = mysql_connect('localhost', 'root', '');

# mysql_select_db() selects the active database for this connection.
# It returns true on success and false on failure
mysql_select_db("CA_sql", $conn);

# Switch the connection character set to GBK, a wide-byte encoding
mysql_query("SET NAMES 'GBK'", $conn);

# addslashes() returns the string with a backslash before predefined characters
$uid = addslashes($_GET['id']);

$sql = "SELECT * FROM books where tid='$uid'";

# mysql_query() executes the query against the database
$result = mysql_query($sql, $conn);

print_r('SQL:' . $sql . '<br />');

# mysql_fetch_row() fetches a row from the result as a numeric array
print_r(mysql_fetch_row($result));

# mysql_close() closes the non-persistent MySQL connection
mysql_close($conn);
?>
```
Log in to the wide byte injection example page.
Entering ?id=1
echoes normally.
Entering ?id=1'
gives no error message; you can see that the '
was escaped and became \':
Entering id=-1' union select database(),user(),version()%23
does not inject successfully, because the single quote is escaped, the quote is not closed and the union statement is not executed. (We use -1
instead of 1
because the echo length of the SQL query is sometimes limited; with -1
the first query returns no data, so the results of the union query are echoed instead.)
We know that MySQL encodes \
as %5c
, so consider prepending %df
to form %df%5c
. Does that not correspond exactly to the encoding of the character 運
? The answer is yes. In a wide-byte character set two bytes represent one character, so the \ (%5c) combines with the preceding %df into the single character 運, and the quote that follows is no longer escaped. This bypass of the escaping is what is called wide byte injection.
[Note]: in fact not only %df can be used; basically any first byte whose code is greater than 128 works. For example, %a1 may be used instead of %df. Input: id=-1%df' union select database(),user(),version()%23
(%23 corresponds to #). As shown above, the query succeeds.
Defending against wide byte injection
There are several ways to defend against wide byte injection:
- Use mysql_set_charset to set the character set used by the connection, then call mysql_real_escape_string to filter user input.
- Set character_set_client to binary.
- Use parameterized queries (PDO prepared statements).
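To show why addslashes fails under GBK while the first two defences above hold, here is an added Python model (not code from the page, libmysql or MySQL): a byte-blind addslashes, an approximation of libmysql's charset-aware escaping after mysql_set_charset, and a simplified GBK server lexer that scans a quoted literal, with the binary option modelled by turning multibyte handling off. The input is constructed from the page's ?id=-1%df' request after URL-decoding.

```python
import re

def addslashes(data: bytes) -> bytes:
    # PHP addslashes(): byte-blind, puts a backslash before ' " \ and NUL
    return re.sub(rb"(['\"\\\x00])", rb"\\\1", data)

def is_gbk_double(lead: int, trail: int) -> bool:
    # valid GBK two-byte char: lead 0x81-0xFE, trail 0x40-0xFE except 0x7F
    return 0x81 <= lead <= 0xFE and 0x40 <= trail <= 0xFE and trail != 0x7F

def gbk_aware_escape(data: bytes) -> bytes:
    # like libmysql after mysql_set_charset('gbk'): whole chars pass, a stray lead byte is escaped too
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if i + 1 < len(data) and is_gbk_double(b, data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if b >= 0x81 or b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def gbk_literal_value(data: bytes, multibyte: bool = True) -> tuple:
    # GBK server lexer model: a valid two-byte char is taken whole (even with trail byte \),
    # \ escapes the next byte, a bare ' ends the literal; multibyte=False = character_set_client=binary
    value, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if multibyte and i + 1 < len(data) and is_gbk_double(b, data[i + 1]):
            value += data[i:i + 2]
            i += 2
        elif b == 0x5C and i + 1 < len(data):
            value.append(data[i + 1])
            i += 2
        elif b == 0x27:
            return bytes(value), data[i + 1:]
        else:
            value.append(b)
            i += 1
    return bytes(value), b""

USER_INPUT = b"-1\xdf' union select database(),user(),version()#"  # constructed: page's URL-decoded ?id=

def leaked_sql(escape_fn, multibyte: bool = True) -> bytes:
    # escape the input, close the tid literal and return what the lexer sees after it
    # ends; empty bytes means the quote stayed inside the string
    _, rest = gbk_literal_value(escape_fn(USER_INPUT) + b"'", multibyte)
    return rest
```

With addslashes the lexer swallows \ into 運 and the rest of the input lands outside the literal; with the charset-aware escape or a binary client charset the quote stays inside.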
I do not need freedom, I just want to carry her dream
Moving forward one step at a time, it never feels heavy