Getting Started with SQL Injection: Worked Examples
Preface
Before reading this article, you can refer to the earlier article on the basic knowledge required for SQL injection to cover the prerequisites.
Understanding SQL Injection
We start our SQL injection learning journey with less-1 (the sqlilabs/Less-1 page).
Change the id value in http://localhost/sqlilabs/Less-1/?id=3. Different contents (username, password) are displayed on the page for different id values.
From this we can guess that the back-end SQL statement looks up the corresponding row according to the id value passed in from the front end.
The SQL statement is written as follows:
select username,password from table where id=input
Testing whether the input reaches an SQL statement
Next, test with the following two URLs:
http://localhost/sqlilabs/Less-1/?id=3 and 1=1
http://localhost/sqlilabs/Less-1/?id=3 and 1=2
In both cases the page does not change. This is not what we expect: if the input id=3 and 1=2 turned the SQL statement into select username,password from table where id=3 and 1=2, the page should show no content.
Check whether an SQL statement exists.
Since the previous test is inconclusive, we use the following URL:
http://localhost/sqlilabs/Less-1/?id=3'
With this URL, the page displays an SQL execution error message: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3'' LIMIT 0,1' at line 1.
The most critical error information is:
''3'' LIMIT 0,1'
The outermost quotation marks are added automatically by MySQL when it reports the error; the actual SQL fragment is '3'' LIMIT 0,1. We can see that the 3' we entered is enclosed in quotation marks, so our guess select username,password from table where id=input was wrong. The actual back-end SQL statement should be:
select username,password from table where id='input'
SQL Injection Verification
Having confirmed that SQL injection exists and knowing the back-end SQL statement, we can inject our own SQL code.
Because we control the value of id, the final SQL statement becomes:
select username,password from table where id='input attack code'
We can now construct the following payloads to verify this idea. Since our input is enclosed in a pair of single quotes, the input must not be broken by them: either close the single quote ourselves or comment out the trailing single quote (see the previous article).
# close the single quote
id=1' and '1'='1
# comment out the single quote
id=1' and 1=1 #
# or
id=1' and 1=1 --+
With each of the three payloads above, the page shows the expected result. This confirms that the id parameter is injectable and that the back-end statement is indeed written as select username,password from table where id='input'.
Once the SQL statement is determined, the next step is to inject our own SQL code.
Executing SQL Injection
Dumping the database with SQL statements is the critical part. Merely knowing that SQL injection exists is not by itself what harms the website; the real impact comes from being able to dump the data, so constructing the correct SQL statements for that is just as important. The next article will explain the detailed steps of SQL injection.
Judging the Injection Type
The injection in this exercise is called string-type SQL injection, because our input is wrapped in single quotes when the SQL statement executes; in effect the id parameter is treated as character data. Besides string-type injection there is also numeric-type injection. How do we tell the two apart?
String-type SQL Injection
For the input id=3', the error message on the page is '3'' LIMIT 0,1. The 3' is enclosed in quotation marks, which indicates string-type injection.
Numeric-type SQL Injection
In less-2, when we enter id=3', the error message on the page is ' LIMIT 0,1. The quotation mark is not wrapped, which indicates numeric injection, and since the limit keyword is still present we guess the SQL statement in less-2 is:
select username,password from table where id=input limit 0,1
You can view the source code for verification.
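The following example, added here and not part of the original article or of sqli-labs, reproduces both the verification step (closing or commenting out the quote) and the string-versus-numeric distinction in Python with SQLite instead of PHP/MySQL. The table, rows and template strings are constructed for the demo; the comment payload uses "-- " because SQLite has no "#" comment. The parameterized query alongside is the fix a defender should apply: the same inputs can only ever be treated as values.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table (not the lab's real rows).
SAMPLE_ROWS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "carol", "pw-carol"),
]

# The two back-end shapes the article infers: quoted (less-1) and bare numeric (less-2).
# Both splice the raw input into the statement text, which is the defect.
STRING_TEMPLATE = "SELECT username, password FROM users WHERE id='{}' LIMIT 0,1"
NUMERIC_TEMPLATE = "SELECT username, password FROM users WHERE id={} LIMIT 0,1"
# Hardened form: the value is bound as a parameter and is never parsed as SQL.
PARAMETERIZED = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_vulnerable(conn, template, user_input):
    """Concatenate the raw input into the statement, as the vulnerable code does.

    Returns ("rows", [...]) when the statement runs, or ("error", message) when the
    input breaks the SQL syntax -- the signal the article reads off the error page.
    """
    try:
        return ("rows", conn.execute(template.format(user_input)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def run_parameterized(conn, user_input):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    return ("rows", conn.execute(PARAMETERIZED, (user_input,)).fetchall())


def probe_report(conn):
    """Run the article's probes against both vulnerable shapes and the fixed one."""
    probes = {
        "quote": "3'",                       # the syntax-error probe
        "close-quote": "1' and '1'='1",      # close the quote so the statement stays valid
        "comment": "1' and 1=1 -- ",         # comment out the trailing quote
        "numeric-true": "1 and 1=1",         # numeric-context condition, true
        "numeric-false": "1 and 1=2",        # numeric-context condition, false
    }
    report = {}
    for name, value in probes.items():
        report[name] = {
            "string": run_vulnerable(conn, STRING_TEMPLATE, value),
            "numeric": run_vulnerable(conn, NUMERIC_TEMPLATE, value),
            "fixed": run_parameterized(conn, value),
        }
    return report


if __name__ == "__main__":
    db = make_db()
    for probe, outcome in probe_report(db).items():
        print(probe)
        for shape, result in outcome.items():
            print(f"  {shape:8s} -> {result}")
```

In the string shape the quote probe errors and the close-quote and comment payloads return the first row, while in the numeric shape only the bare "1 and 1=1" / "1 and 1=2" pair flips the result; the parameterized query returns nothing for every probe and a row only for a plain id such as "1". One difference from the article's MySQL environment: MySQL silently casts '3 and 1=2' to 3, which is why the page did not change in the first test, whereas SQLite does not cast a non-numeric string, so the string shape returns no rows for the numeric probes here.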
Judging the SQL statement
However, when a single quote does not produce an SQL execution error message, the injection type cannot be determined this way. Back-end SQL statements are often written in many unusual ways.
Less-3 and less-4 are written as follows:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Less-3 wraps the user's input in parentheses.
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
Less-4 wraps the user's input in double quotes, so adding a single quote for testing does not trigger an SQL execution error.
Therefore a single symbol is not enough for judgment. Different kinds of symbols should be tried, including ', ", \, (, =, & and so on, and sometimes other probing methods, because you cannot know in advance how the back-end SQL statement is written. Many website developers now have some degree of security awareness, so conventional probing statements may not work. There is plenty of information about other SQL injection statements online.
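Seen from the defending side, the same list of symbols and probe forms is what a web server log should be watched for. The example below is added here and is not from the original article or from sqli-labs: it scans constructed Apache-style access-log lines (the format and the requests are made up for the demo), URL-decodes each query parameter, and reports which of the article's signals it carries: the boolean "and N=N" probe, an SQL comment terminator, and the single characters listed above. Character hits alone are a weak signal (legitimate values contain "=" or parentheses), so the patterns are reported separately and should carry more weight in any alert rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from a real server); the requests mirror the article's probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-1/?id=3 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-1/?id=3%20and%201=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-1/?id=3%27 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-1/?id=1%27%20and%201=1%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-1/?id=42 HTTP/1.1" 200 512
"""

# Common-log-format request line: client ip, timestamp, "METHOD target PROTO", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Strong signals: a boolean probe ("and 1=1", "or '1'='1") and an SQL comment terminator.
PROBE_PATTERNS = [
    ("boolean-probe", re.compile(r"\b(and|or)\s+'?\d+'?\s*=\s*'?\d+'?", re.I)),
    ("sql-comment", re.compile(r"(--\s|#|/\*)")),
]
# Weak signals: the single characters the article suggests trying.
PROBE_CHARS = set("'\"\\()=&")


def analyze_value(value):
    """Return the signal names a single decoded parameter value triggers (empty if none)."""
    signals = [name for name, rx in PROBE_PATTERNS if rx.search(value)]
    chars = sorted(PROBE_CHARS & set(value))
    if chars:
        signals.append("probe-chars:" + "".join(chars))
    return signals


def scan_log(text):
    """Parse each log line, decode its query string and collect flagged parameters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes and turns '+' into a space, so "--+" becomes "-- ".
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                signals = analyze_value(value)
                if signals:
                    findings.append({"ip": m.group("ip"), "param": param,
                                     "value": value, "signals": signals})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r}: {', '.join(f['signals'])}")
```

Run against the sample, the first and last lines are clean and the three probe requests are reported with their signals, so a rule such as "boolean-probe or sql-comment from one client within a minute" would fire on the middle three while a lone "=" in an ordinary parameter would not.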
Summary
There is no universal way to judge SQL injection; you simply have to keep trying. With some experience you develop a feel for the injection type, and judging an injection point becomes faster. That is all for this article. The knowledge above is far from enough if you want to test the security of real websites; the editor will continue to publish more SQL injection articles, so stay tuned to Help House.