Common SQL injection methods

Common SQL injection methods

WEB Security SQL Injection

Introduction:

When developing a website, for security reasons, it is necessary to filter the characters passed from the page. Usually, users can call the content of the database through the following interfaces: URL address bar, login interface, message board, search box, etc. This often leaves opportunities for hackers to take advantage of. At worst, the data may be leaked, and at worst, the server may be taken down.

1. SQL injection steps

a) Find the injection point and construct a special statement

The controllable parameters of the incoming SQL statement are divided into two categories
1. For numeric types, parameters do not need to be enclosed in quotation marks, such as ?id=1
2. For other types, parameters must be enclosed in quotation marks, such as?name="phone"

b) The user constructs a SQL statement (such as: 'or 1=1#;admin'# (this injection is also called PHP's universal password, which can bypass entering the password when the user name is known). I will explain it later)

c) Send the SQL statement to the DBMS database

d) DBMS receives the returned result, interprets the request into machine code instructions, and performs the necessary operations

e) DBMS Accept the returned result, process it, and return it to the user

Because the user constructs a special SQL statement, special results must be returned (as long as your SQL statement is flexible enough)

Below, I pass a Examples to demonstrate SQL injection in detail
2. Detailed explanation of SQL injection examples (the above tests assume that magic_quote_gpc is not turned on on the server)

1) Preliminary preparations
Let’s demonstrate first SQL injection vulnerability, log in to the backend administrator interface
First, create a data table for testing:

CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(64) NOT NULL,
`password` varchar(64) NOT NULL,
`email` varchar(64) NOT NULL,PRIMARY KEY (`id`),UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;

Add a record for testing:

INSERT INTO users (username,password,email)VALUES('MarcoFly',md5('test'),'marcofly@test.com');

Next, paste the login The source code of the interface

<html>
 <head> 
  <title>Sql注入演示</title> 
  <meta http-equiv="content-type" content="text/html;charset=utf-8" /> 
 </head> 
 <body> 
  <form action="validate.php" method="post"> 
   <fieldset> 
    <legend>Sql注入演示</legend> 
    <table> 
     <tbody>
      <tr> 
       <td>用户名：</td>
       <td><input type="text" name="username" /></td> 
      </tr> 
      <tr> 
       <td>密 码：</td>
       <td><input type="text" name="password" /></td> 
      </tr> 
      <tr> 
       <td><input type="submit" value="提交" /></td>
       <td><input type="reset" value="重置" /></td> 
      </tr> 
     </tbody>
    </table> 
   </fieldset> 
  </form>   
 </body>
</html>

Attached is the rendering:

When the user clicks the submit button, the form data will be submitted to the validate.php page , the validate.php page is used to determine whether the user name and password entered by the user meet the requirements (this step is very important, and is often the location of SQL vulnerabilities)

!                                         <!--前台和后台对接-->
<html>
<head>
<title>登录验证</title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<?php
$conn=@mysql_connect("localhost",&#39;root&#39;,&#39;&#39;) or die("数据库连接失败！");;
mysql_select_db("injection",$conn) or die("您要选择的数据库不存在");
$name=$_POST[&#39;username&#39;];
$pwd=$_POST[&#39;password&#39;];
$sql="select * from users where username=&#39;$name&#39; and password=&#39;$pwd&#39;";
$query=mysql_query($sql);
$arr=mysql_fetch_array($query);
if(is_array($arr)){
header("Location:manager.php");
}else{
echo "您的用户名或密码输入有误，<a href=\"Login.php\">请重新登录！</a>";
}
?>
</body>
</html>

Have you noticed it? We will submit the user directly. The data (user name and password) are directly executed, and special character filtering is not implemented. You will understand later that this is fatal.
Code analysis: If the username and password match successfully, it will jump to the administrator operation interface (manager.php). If it fails, a friendly prompt message will be given.
Successful login interface:

Login failure prompt:

At this point, the preliminary work has been done Okay, next we will start our highlight: SQL injection

2) Construct SQL statement
After filling in the correct user name (marcofly) and password (test), click Submit, and it will be returned to Our "Welcome Administrator" interface.
Because the username and password we submitted are synthesized into the SQL query statement like this:

select * from users where username='marcofly' and password=md5('test')

Obviously, the username and password are the same as what we gave before , you will definitely be able to log in successfully. But what if we enter a wrong username or password? Obviously, I definitely can’t log in. Well, this is the case under normal circumstances, but for websites with SQL injection vulnerabilities, as long as a special "string" is constructed, you can still log in successfully.

For example: enter: ' or 1=1# in the user name input box, enter the password casually, the synthesized SQL query statement at this time is:

select * from users where username='' or 1=1#' and password=md5('')

Semantic analysis: "#" is a comment character in mysql, so the content after the pound sign will be regarded as comment content by mysql, so it will not be executed. In other words, the following two sql statements, etc. Valence:

select * from users where username='' or 1=1#' and password=md5('')

is equivalent to

select* from users where usrername='' or 1=1

because 1=1 is always true, that is, the where clause is always true. After further simplifying the sql, etc. The value is the following select statement:

select * from users

Yes, the function of this sql statement is to retrieve all fields in the users table

The above is an input method, here is another one Injection method, this method is also called PHP's universal password

If we know the user name, we can log in without a password. Suppose the user name is: admin

Construct the statement:

select * from users where username='admin'#' and password=md5('')

is equivalent to

select * from users where username='admin'

so that you can log in without entering a password.

The database will mistakenly think that you can log in without a user name, bypassing the background verification and achieving the purpose of injection.

also exploits vulnerabilities in SQL syntax.

See, a constructed SQL statement can have such terrible destructive power. I believe that after seeing this, you will begin to have a rational understanding of SQL injection~
Yes, SQL injection It's that easy. However, it is not so easy to construct flexible SQL statements according to the actual situation. After you have the basics, you can slowly explore on your own.
Have you ever thought about what if the data submitted through the background login window are filtered out by the administrator with special characters? In this case, our universal username' or 1=1# cannot be used. But this does not mean that we have no countermeasures. We must know that there is more than one way for users to interact with the database.

Recommended: "mysql tutorial"

The above is the detailed content of Common SQL injection methods. For more information, please follow other related articles on the PHP Chinese website!