Full access to SQL injection vulnerabilities-entry 1 _ MySQL

Full access to SQL injection vulnerabilities-article (1) with the development of B/S application development, more and more programmers are using this mode to write applications. However, due to the low entry threshold in this industry, the programmer's level and experience are also uneven. a considerable number of programmers did not judge the legitimacy of user input data when writing code, application security risks.

You can submit a piece of database query code and obtain the desired data based on the results returned by the program. this is called SQL Injection, that is, SQL Injection.

SQL injection is accessed from the normal WWW port, and it seems to be no different from the general Web page access, so the current municipal firewall does not alert SQL injection, if the administrator does not check IIS logs, it may be invisible for a long time.

However, the SQL injection method is quite flexible, and many unexpected situations may occur during the injection process. It is the fundamental difference between a master and a Cainiao to analyze the specific situation and construct clever SQL statements to obtain the desired data.

According to national conditions, ASP + Access or SQLServer accounts for more than 70% of Chinese websites, PHP + MySQ accounts for L20 %, and other websites are less than 10%. In this article, we will explain the methods and skills of ASP injection from entry-level, advanced to advanced. The PHP injection article was written by another NB-consortium friend zwell, it is expected to be useful to security workers and programmers. Do not skip this article if you are familiar with ASP injection, because some people still have misunderstandings about the basic injection judgment methods. Are you ready? Let's Go...

Entry

If you have never tried SQL injection before, remove the check box before IE menu> Tools> Internet Options> advanced => show Friendly HTTP error messages. Otherwise, no matter what error is returned by the server, IE only displays as an HTTP 500 server error and cannot receive more prompts.

Section 1. Principles of SQL injection

We start with a website www.19cn.com (note: the website owner has obtained the consent before this article is published, and most of the data is real data ).

On the home page of the website, named "IE cannot open new window of a variety of solutions" link, address: http://www.19cn.com/showdetail.ASP? Id = 49. we add a single quotation mark (') after this address. the server will return the following error message:

Microsoft JET Database Engine error '80040e14'

The syntax error of the string is in the query expression 'Id = 49.

/Showdetail. ASP, row 8

We can see the following points from the error prompt:

1. The website uses an Access database and connects to the database through the JET engine, instead of using ODBC.

2. The program does not determine whether the data submitted by the client meets the program requirements.

3. the table queried by this SQL statement has a field named ID.

From the above example, we can know that the principle of SQL injection is to submit special code from the client to collect information about programs and servers and obtain the information you think.

Section 2: Determine whether SQL injection can be performed

After reading the first section, some people will think: I also often test whether it can be injected. isn't it very easy? In fact, this is not the best method. why?

First of all, not necessarily the IIS of each server returns a specific error message to the client. if statements such as cint (parameter) are added to the program, SQL injection will not succeed, but the server also reports an error. the specific prompt is that an error occurs on the server when processing the URL. Contact the system administrator.

Second, some programmers who have a little knowledge about SQL injection think that it is safe to filter out single quotes. this is not a minority case. if you use single quotes for testing, the injection points cannot be tested.