How to implement sql injection attack

This article mainly focuses on the meaning of SQL injection and how to perform SQL injection. The applicable people are mainly testers. Understanding how to perform SQL injection can help us test SQL attack vulnerabilities in login, publishing and other modules. As for how to prevent SQL injection, it should be understood that developers should understand it ~ but as a great Testing and clarifying the principles will allow us to understand the causes of bugs more thoroughly~ Okay, without further ado, let’s get to the point~

Recommended course: MySQL Tutorial

How to understand SQL injection (attack)?

SQL injection is an attack technique that adds SQL code to input parameters and passes it to the server for parsing and execution.

SQL injection attack is when the input parameters are not filtered, and then directly spliced ​​into the SQL statement for analysis, and the execution reaches unexpected behavior, which is called SQL injection attack.

SQL injection attack principle:

A SQL injection attack occurs when an application uses input content to construct a dynamic SQL statement to access the database. SQL injection can also occur if the code uses stored procedures that are passed as strings containing unfiltered user input. SQL injection could allow an attacker to use application login to execute commands in the database.

This problem can become serious if the application uses an overly privileged account to connect to the database. In some forms, the content entered by the user is directly used to construct dynamic SQL commands, or is used as input parameters for stored procedures. These forms are particularly vulnerable to SQL injection attacks. When many website programs are written, the legality of user input is not judged or the variables in the program are not handled properly, causing security risks in the application. In this way, the user can submit a database query code and obtain some sensitive information or control the entire server based on the results returned by the program, so SQL injection occurs.

SQL injection is accessed from the normal WWW port, and on the surface it looks no different from ordinary Web page access, so the firewalls currently on the market will not issue an alert for SQL injection. If the administrator does not check the IIS log Habits may be invaded without being noticed for a long time. However, the SQL injection method is quite flexible. You will encounter many unexpected situations during injection, and you need to construct clever SQL statements to successfully obtain the desired data.

How does SQL injection occur?

1. Cracking the backend database is the most commonly used method to steal sensitive information from a website.

2. Injection can use the stored procedure of the database to perform privilege escalation and other operations

3. The attacker uses the input parameters sent to the SQL server to construct executable SQL code (can be added to the get request , post request, http header information, cookie)

How to conduct SQL injection attack?

Taking the PHP programming language and mysql database as examples, we will introduce the construction skills and construction methods of SQL injection attacks

1. Numeric injection

In the browser address Enter the column: learn.me/sql/article.php?id=1. This is a get interface. Sending this request is equivalent to calling a query statement:

$sql = "SELECT * FROM article WHERE id =",$id

Under normal circumstances, an id= should be returned. 1 article information. Then, if you enter: learn.me/sql/article.php?id=-1 OR 1 =1 in the browser address bar, this is a SQL injection attack and may return relevant information of all articles. Why is this so?

This is because id = -1 is always false, 1=1 is always true, and all the entire where statements are always true, so the where condition is equivalent to not adding the where condition, then the query result is equivalent to the entire Contents of a table

2. String injection

There is such a user login scenario: the login interface includes username and password input boxes, and a submit button. Enter username and password and submit.

This is a post request. When logging in, call the interface learn.me/sql/login.html, first connect to the database, and then perform parameter verification on the user name and password carried in the post request parameters in the background, that is, sql query process. Assume that the correct user name and password are user and pwd123. Enter the correct user name and password and submit, which is equivalent to calling the following SQL statement:

SELECT * FROM user WHERE username = 'user' ADN password = 'pwd123'

Since the user name and password are both strings, the SQL injection method will The data carried by the parameter becomes a string annotated in mysql. There are 2 comment methods in mysql:

1) '#': All strings after '#' will be treated as comments

User name input: user'# (single Close the single quote to the left of user), enter the password as you like, such as: 111, and then click the submit button. Equivalent to the SQL statement:

SELECT * FROM user WHERE username = 'user'#'ADN password = '111'

'#' is commented out, equivalent to:

SELECT * FROM user WHERE username = 'user'

2) '-- ' (there is a space after --): '- - 'The following strings will be treated as comments

User name input: user'-- (note that there is a space after - and a single quote closes the single quote to the left of user). Enter the password at will, such as :111 and click the submit button. Equivalent to the SQL statement:

SELECT * FROM user WHERE username = 'user'-- 'AND password = '111'
SELECT * FROM user WHERE username = 'user'-- 'AND password = '1111'

'-- ' is commented out, equivalent to:

SELECT * FROM user WHERE username = 'user'

因此，以上两种情况可能输入一个错误的密码或者不输入密码就可登录用户名为'user'的账号，这是十分危险的事情。

The above is the detailed content of How to implement sql injection attack. For more information, please follow other related articles on the PHP Chinese website!