Detailed introduction to sql injection-SQL-php.cn

Home

Database

SQL

Detailed introduction to sql injection

angryTom

Aug 06, 2019 pm 05:06 PM

sql

Detailed introduction to sql injection

1. First understand the principle of SQL injection:

SQL Injection: It is to insert SQL commands into the Web Submit a form or enter a domain name or query string for a page request, ultimately tricking the server into executing malicious SQL commands.

Specifically, it is the ability to use existing applications to inject (malicious) SQL commands into the backend database engine for execution. It can obtain an existence by entering (malicious) SQL statements in a web form. Security holes in the database on the website, rather than executing SQL statements as the designer intended. For example, many previous film and television websites leaked VIP membership passwords, mostly by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks. (Sourced from Baidu)

That is to say, the website page contains parts that interact with the database (such as the search function of a news website), and when data is entered on the website, the data is programmed and passed to the database for execution. During the process, the website developers did not perform security processing on the corresponding data passed into the database (such as filtering special characters, encoding, etc.), allowing hackers to pass malicious code (that is, SQL commands containing illegal SQL statements) through the front end of the website. Enter the database and execute these SQL statements with hacker purposes in the database, causing database information leakage, damage and other consequences.

2. General classification of SQL injection

Classified according to injection point type

(1) Number Type injection point

Many web links have a similar structure http://www.example.com/12.php?id=1 Injections based on this form are generally called digital injection points , the reason is that the injection point id type is a number. In most web pages, such as viewing user personal information, viewing articles, etc., most of them use this form of structure to transfer id and other information, hand it to the backend, and query it out of the database The corresponding information is returned to the front desk. The prototype of this type of SQL statement is probably select * from table name where id=1. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where id=1 and 1=1

(2) Character injection point

The web link has a similar structure http://xwww.example.com/users.php?user=admin This form , the user type of its injection point is character type, so it is called character injection point. The prototype of this type of SQL statement is probably select * from table name where user='admin'. It is worth noting that compared with the numeric injection type SQL statement prototype, there are more quotes, which can be single quotes or double quotes. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where user='admin' and 1=1 ' We need to get rid of these annoying quotation marks.

(3) Search injection point

This is a special type of injection. This type of injection mainly refers to not filtering the search parameters when performing data searches. Generally, there is "keyword=keyword" in the link address. Some are not displayed in the link address, but are submitted directly through the search box form. The prototype of the SQL statement submitted by this type of injection point is roughly: select * from table name where field like '%keyword%' If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table Name where field like '%test%' and '%1%'='%1%'

3. If you can determine whether there is SQL injection (novice summary, for reference only )

To put it simply:

All inputs may trigger SQL injection as long as they interact with the database

SQL injection is based on the data Submission methods can be divided into:

　 (1) GET injection: The method of submitting data is GET, and the location of the injection point is in the GET parameter part. For example, there is such a link http://xxx.com/news.php?id=1, id is the injection point.

　(2) POST injection: Use POST method to submit data. The injection point is in the POST data part, which often occurs in forms.

　(3) Cookie injection: HTTP requests will bring the client's Cookie, and the injection point exists in a certain field in the Cookie.

　(4) HTTP header injection: The injection point is in a certain field in the HTTP request header. For example, it exists in the User-Agent field. Strictly speaking, Cookie should actually be considered a form of header injection. Because during HTTP requests, Cookie is a field in the header.

After classifying according to the submission method, you will find that the longest locations where SQL injection occurs are in the link address, data parameters, cookie information, and HTTP request headers.

After understanding the locations where SQL injection may exist, we need to determine whether SQL injection can be triggered at these locations. The simplest way is to enter and 1=1 (and the transformed form of and 1=1) at the corresponding location. judge. For different injection point types, single quotes need to be added appropriately for character types, but not for numeric injection points.

4. Advanced classification of SQL injection (classified according to execution effect)

　(1) Boolean-based blind injection: That is, the injection of true and false conditions can be judged based on the returned page.

　(2) Time-based blind injection: That is, no information can be judged based on the content returned by the page. Use conditional statements to check whether the time delay statement is executed (that is, whether the page return time increases). .

　(3) Injection based on error reporting: That is, the page will return error information, or the result of the injected statement will be returned directly to the page.

　(4) Union query injection: Injection in the case of union can be used.

　(5) Heap query injection: The injection of multiple statements can be executed at the same time.

　(6) Wide byte injection: Using gbk is a multi-byte encoding, two bytes represent a Chinese character

This article is for your study only. Never maliciously attack other people's websites.

Recommended tutorial: SQL online video tutorial

The above is the detailed content of Detailed introduction to sql injection. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:博客园. If there is any infringement, please contact admin@php.cn delete

SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询Aug 26, 2022 pm 02:07 PM

本篇文章给大家带来了关于SQL的相关知识，其中主要介绍了SQL Server使用CROSS APPLY与OUTER APPLY实现连接查询的方法，文中通过示例代码介绍的非常详细，下面一起来看一下，希望对大家有帮助。

SQL Server解析/操作Json格式字段数据的方法实例Aug 29, 2022 pm 12:00 PM

本篇文章给大家带来了关于SQL server的相关知识，其中主要介绍了SQL SERVER没有自带的解析json函数,需要自建一个函数(表值函数)，下面介绍关于SQL Server解析/操作Json格式字段数据的相关资料，希望对大家有帮助。

聊聊优化sql中order By语句的方法Sep 27, 2022 pm 01:45 PM

如何优化sql中的orderBy语句？下面本篇文章给大家介绍一下优化sql中orderBy语句的方法，具有很好的参考价值，希望对大家有所帮助。

Monaco Editor如何实现SQL和Java代码提示？May 07, 2023 pm 10:13 PM

monacoeditor创建//创建和设置值if(!this.monacoEditor){this.monacoEditor=monaco.editor.create(this._node,{value:value||code,language:language,...options});this.monacoEditor.onDidChangeModelContent(e=>{constvalue=this.monacoEditor.getValue();//使value和其值保持一致i

一文搞懂SQL中的开窗函数Sep 02, 2022 pm 04:55 PM

本篇文章给大家带来了关于SQL server的相关知识，开窗函数也叫分析函数有两类,一类是聚合开窗函数,一类是排序开窗函数,下面这篇文章主要给大家介绍了关于SQL中开窗函数的相关资料,文中通过实例代码介绍的非常详细,需要的朋友可以参考下。

如何使用exp进行SQL报错注入May 12, 2023 am 10:16 AM

0x01前言概述小编又在MySQL中发现了一个Double型数据溢出。当我们拿到MySQL里的函数时，小编比较感兴趣的是其中的数学函数，它们也应该包含一些数据类型来保存数值。所以小编就跑去测试看哪些函数会出现溢出错误。然后小编发现，当传递一个大于709的值时，函数exp()就会引起一个溢出错误。mysql>selectexp(709);+-----------------------+|exp(709)|+-----------------------+|8.218407461554972

springboot配置mybatis的sql执行超时时间怎么解决May 15, 2023 pm 06:10 PM

当某些sql因为不知名原因堵塞时，为了不影响后台服务运行，想要给sql增加执行时间限制，超时后就抛异常，保证后台线程不会因为sql堵塞而堵塞。一、yml全局配置单数据源可以，多数据源时会失效二、java配置类配置成功抛出超时异常。importcom.alibaba.druid.pool.DruidDataSource;importcom.alibaba.druid.spring.boot.autoconfigure.DruidDataSourceBuilder;importorg.apache.