##Basic Principles of SQL Injection
WEB technology is developing rapidly, but the traditional craft of spelling SQL with bare hands is still favored by quite a few developers. After all, compared to learning a complex set of ORM rules, doing it by hand is more convenient and intuitive. Usually people who write SQL by themselves should have heard thatSQL injection is dangerous, but they always think to themselves: My SQL statement is so simple that it cannot be injected.
Simple scenario
There is a WEB interface that provides input of product names and displays corresponding price, production date and production location information. For example, enter Hammer display:Price | Place of production | Date of production | |
---|---|---|---|
12.98 | American | 2019.11.07 | |
29.98 | Canada | 2019.11.11 |
. If we want to realize the above function, then we can roughly guess that the SQL statement used by the server is as follows:
SELECT ? FROM ? WHERE ? LIKE '%Hammer%';
where? means that we currently do not know the specific table name and field name, and this SQL is unique What can be manipulated is the input content inside single quotes '%Hammer%'. If we directly enter a single quote in the search box. That is, it becomes
select ? from ? where ? Like '%'%';
. After splicing like this, it will cause a SQL syntax error and no results will be obtained. We need to use
-- to comment out the last single quote. <pre class="brush:sql;toolbar:false;">select ? from ? where ? Like &#39;%&#39;; -- %&#39;;</pre>
is followed by the comment content (you can also use #), so that you can get all the product information. So far, I still haven’t smelled it. Danger signal.
Place of production | Date of production | ||
---|---|---|---|
American | 2019.11.07 | Club Hammer | |
Canada | 2019.11.11 | Paring Knife | |
China | 2019.11.11 | Boning Knife | |
China | 2019.01.01 |
Hold on to the expandable single quote part in the previous step. Let’s try a simple delay statement:
select ? from ? where ? Like '%Hammer%' and 1 = SLEEP(2); -- %';At this time, the query will take 2 seconds to return the result. If the time is extended, use the script to query several times, and the database connection pool can be restored in one go. run out. Of course, there are even more destructive ones!
select ? from ? where ? Like '%Hammer%'; drop table xxxx; -- %';You can directly delete the table/database. As for how to know which tables are in the database (that is, how to determine xxxx in the previous SQL sentence)?
Do whatever you want union
We need to know what tables this database has! Only in this way can you get useful information.
You can use union to put the contents of different tables together. Give it a try:select ?,?,?,? from ? where ? Like '%Hammer%' UNION (select 1,2,3,4 from dual); -- %';##Product
Place of production | Date of production | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
American | 2019.11.07 | Club Hammer | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Canada | 2019.11.11 | 1 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3 | 4 |
可以看到我们把假数据1,2,3,4成功地拼接到搜索结果中。 Mysql系统自带的信息都存在information_schema数据库中。我们试着在里面找找有用的信息。 select ? from ? where ? Like '%Hammer%' UNION (select TABLE_NAME,TABLE_SCHEMA,3,4 from information_schema.tables); -- %';
现在知道了这些数据库名和表名,所有人都对它为所欲为了!(包括上面执行的DROP)。 看着列表一猜就能知道我们目前查的是products表,接下来我们再把products具体的字段也挖出来。 select ? from ? where ? Like '%Hammer%' UNION (select COLUMN_NAME,TABLE_SCHEMA,3,4 from imformation_schema.columns where table_name = 'products'); -- %';
所以,通过上面2步,我们知道了表名和字段名,那么查询API的完整SQL应该是(把上面的?都补全啦): select name,price,address,updated_at from products where name like '%Hammer%'; 通过不断重复以上几个步骤,你就可以通过这一个小小的入口把数据库的所有信息(比如上面发现的user表 |
The above is the detailed content of Quickly understand the basic principles of sql injection. For more information, please follow other related articles on the PHP Chinese website!