Create a table in the database:
| The code is as follows: | |
Create table 'article '( 'Articleid' int (11) not null AUTO_INCREMENT, 'Title' varchar (100) character set utf8 not null default '', 'Content' text character set utf8 not null, Primary key ('articleid ') ) ENGINE = MyISAM AUTO_INCREMENT = 7 default charset = latin1; |
|
After inserting data in a table, I will not post code. you can download the data and import it directly to the database.
Next, write a page for processing user requests. here, we intentionally do not filter the data submitted by the user, leaving an SQL injection vulnerability for testing.
The code is as follows:
| The code is as follows: | |
$ Servername = "localhost "; $ Dbusername = "root "; $ Dbpassword = ""; $ Dbname = "test "; $ Id = $ _ GET ['id']; // The id is not filtered. $ Conn = mysql_connect ($ servername, $ dbusername, $ dbpassword) or die ("database connection failed "); Mysql_select_db ($ dbname, $ conn ); Mysql_query ('set names utf8 '); $ SQL = "SELECT * FROM article WHERE articleid = '$ ID '"; $ Result = mysql_query ($ SQL, $ conn ); $ Row = mysql_fetch_array ($ result ); Echo" Database theft using SQL injection "; If (! $ Row ){ Echo "this record does not exist "; Exit; } Echo "title "; Echo "content "; ?> |
|
Enter the following in the browser:
| The code is as follows: | |
Http: // 127.0.0.1/marcofly/phpstudy/sqlinsert/show.php? Id = 1 |
|
You can access a record with id 1 in the article table.
The access result is as follows:
Next, we will take advantage of this vulnerability (only tools and manual detection can be used without knowing it) to demonstrate how to download the article table.
In the address bar, enter:
| The code is as follows: | |
| 'Into outfile' e:/SQL .txt '% 23 | |
Analysis: % 23 is the # ASCII code. because you enter # directly in the address bar and it will become null in the database system, you need to enter % 23 in the address bar before it will become #, then comment out the following SQL statement.
After running the statement, open the e-disk and find an additional SQL .txt file. after opening the file, it contains a record in the table article.
Why is there only one record? Does the data table have only one record? This is not the case because we only retrieve one record with id 1. can we download all the records in the article table at a time?
The answer is yes, as long as your SQL statements are flexible enough (the flexibility to construct SQL statements is proposed again ).
For analysis, when you enter 'into outfile' e:/SQL .txt '% 23 in the URL address bar, the statement is merged into the SQL query statement:
| The code is as follows: | |
|
|
After careful analysis, we can construct an SQL statement like this:
| The code is as follows: | |
| SELECT * FROM article WHERE articleid = ''or 1 = 1 into outfile 'E:/whf.txt '#' | |
In this case, the WHERE clause is always true. In other words, the SQL statement is equivalent to the following:
| The code is as follows: | |
| SELECT * FROM article into outfile 'E:/whf.txt '#' | |
Now, the SQL statement first executes the select statement, retrieves all the content in the table article, and then executes the into outfile 'E:/whf.txt '#' command to export the content.
If you don't believe it, execute ......
With the SQL injection vulnerability, we can guess the table name, column name, user password length (LEFT function), and so on. of course, if you can export all the data in the table as shown above, you do not need to guess the table name.
Bytes. In the data...
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
