Character-type SQL injection

Character-type SQL injection

Very early based on the DVWA implementation of the character type of SQL injection, but always feel that they do not understand the special clear, this time to see some of the online explanation, try to summarize. Here is my shallow opinion, please criticize to see.

Basic principle

Look at this SQL statement

1. $query="select first_name from users where id=‘$_GET[‘id‘]‘";

This SQL statement is based on the user input ID in the users table to find the corresponding first_name, the normal user will certainly input such as, and so on. But what if someone enters such a content?

1. 1‘ union select database() #;

In this case, this SQL statement becomes

1. select first_name from users where id=‘1‘unionselect database()#‘

In this way, we can not only get id=1 's first_name, but also get the relevant information of the current database, which developers have not thought of. The above is just an example of a simple SQL injection.
Fundamentally, when the developer's input to the user is not strictly filtered, the user can control the database by entering the SQL statement, resulting in a SQL injection vulnerability.

Several basic steps of SQL injection

1. Determine the type of injection vulnerability and the parameters that are problematic
2. Determine number of fields
3. Analyze database and data table related information
4. Implement specific attacks

Character-type SQL injection

Set DVWA security level to Low

(1) Determine problem parameters and vulnerability type

You can see that in the URL, the parameter is the ID, when the input 1 ' times wrong, when the input 1 "normal display, you can determine the problem parameter is the ID, the vulnerability type is a character type.
(2) Determine number of fields
You can use the Union keyword to connect to our own query statements only if you have determined the number of fields. You can use order by to determine the number of fields
For example:
Enter 1 ' ORDER by 1 #
indicates the order by the first field, when the input order by x error, it means that there is no such field, you can get the number of fields output. In this system, after testing, the number of output fields is 2.

(3) Determine database and data tables
Now that we know the number of fields in the output, we can use the keyword union. First try to determine the name of the data, design the following payload
1 ' Union Select Database (), 2 #
Get the content you want

The database name is DVWA.
With the database the next step is to determine what data tables are in it, and we can use the MySQL database information_schema to know that this information_schema is the database used to store all the information in the MySQL database. Are some of the data tables in this database
There are tables databases, which are used to store the information in the data table. Insert the following payload
1 ' Union select table_name,1 from Information_schema.tables where table_schema= ' Dvwa ' #
Get the data sheet

The users watch will know that they put a lot of good things ... However, we don't know what fields are in this data table, so we need to use the database of Class column. Insert the following payload
1 ' Union select column_name,2 from Information_schema.columns where table_name= ' users ' and table_schema= ' Dvwa ' #
It's got a lot of data.

(4) Specific implementation of the attack means
Both the user and password fields we know, so let's see.
Insert the following payload
1 ' union select User,password from Users #
OK, get it!

But sorry, passwords are MD5 encrypted, and MD5 encryption is irreversible, some software may crack MD5 value, is to do a very big data table, so many strings of MD5 value and itself into a row of records, and then enumeration, if the luck is good, you enter the MD5 value exactly in this table, Then output the corresponding string, if it does not exist, then decipher the failure. This tells us the password is not set so simple, if your account is in the database is taken off the library, the password is more complex, at least the hacker can not directly get your password.

From for notes (Wiz)

Character-type SQL injection