How to perform sql injection

The so-called SQL injection is to insert a SQL command into a Web form to submit or enter a domain name or query string for a page request, and ultimately trick the server into executing malicious SQL commands.

Specifically, it is the ability to leverage existing applications to inject (malicious) SQL commands into the backend database engine for execution, which can be done through a web form Enter (malicious) SQL statements to obtain a database on a website with security vulnerabilities, rather than executing the SQL statements as intended by the designer. For example, many previous film and television websites leaked VIP member passwords, mostly by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks.

SQL injection technology

Forced error generation

Identification of database type, version and other information is the basis of this type of attack The motivation lies. Its purpose is to collect database type, structure and other information to prepare for other types of attacks. It can be said to be a preparatory step for attacks. Obtain vulnerability information by exploiting the default error message returned by the application server.

Using non-mainstream channel technology

In addition to HTTP responses, data can be obtained through channels. However, most channels rely on the functions supported by the database to exist, so this The technology is not fully applicable to all database platforms. The non-mainstream channels for SQL injection mainly include email, DNS and database connections. The basic idea is: first package the SQL query, and then use the non-mainstream channels to feed the information back to the attacker.

Use special characters

Different SQL databases have many different special characters and variables, which can be obtained through some application systems that are insecurely configured or filtered poorly. Some useful information to provide directions for further attacks.

Use conditional statements

This method can be divided into three forms: content-based, time-based, and error-based. Generally, conditional statements are added after regular access, and the target of the attack is determined based on information feedback.

Using stored procedures

Through some standard stored procedures, while database vendors extend the functions of the database, the system can also interact with it. Some stored procedures can be defined by users. After collecting information such as the type and structure of the database through other types of attacks, commands to execute stored procedures can be constructed. This type of attack can often achieve the goals of remote command execution, privilege expansion, and denial of service.

Avoid input filtering technology

Although some filtering technologies can be used to prevent SQL injection for common encoding, there are many ways to avoid this situation. Open filtering, technical means that can generally achieve this include the use of SQL comments and dynamic queries, the use of truncation, the use of URL encoding and null bytes, the use of uppercase and lowercase variants, and expressions after nesting stripping, etc. With the help of these means, the inputted query can avoid input filtering, so that the attacker can obtain the desired query results.

Inference technology

can clarify the database schema, extract data and identify injectable parameters. This type of attack uses the feedback information input by the website to the user to infer the injectable parameters and database schema. After executing the query constructed by this attack, the answers obtained can only be true or false. Injection methods based on inference are mainly divided into two types: time-determined injection and blind injection. The former is to add statements such as "waitfor 100" to the injection statement, and determine whether the injection is successful and the derivation of the data value range based on the time when the query result appears; the latter is mainly "and l=l", "and l= 2” Two classic injection methods. These methods all ask questions that are indirectly related and can obtain responses, and then infer the desired information through the response information, and then carry out attacks.

The above is the detailed content of How to perform sql injection. For more information, please follow other related articles on the PHP Chinese website!