SQL injection was already being written up in foreign technical articles around 2002; in China the topic caught on around 2005.
Today the question is whether SQL injection is already yesterday's news. Many Chinese websites have indeed fixed the vulnerability, but there are bound to be plenty that have not. Intrusion may be accidental, but security is never guaranteed.
The "database theft" (dragging the library) incident that spread across the Internet a few days ago is a security warning to all of us.
When developing a website, the characters passed in from the page must be filtered for security reasons. Typically the places where a page feeds user input into a database query are the URL address bar, the login form, the message board and the search box. Each of these can leave an opening for an attacker: at best, data leaks; at worst, the server is taken over.
Many website developers know this today, but not why, and neither do the junior developers coming up behind them. I hope this post can serve as a primer for beginners.
1. SQL injection steps
A) Find an injection point (such as a login form or a message board).
B) Construct your own SQL fragment (for example ' or 1=1 #, explained later).
C) The fragment is submitted and, embedded in the application's query, sent to the database management system (DBMS).
D) The DBMS receives the statement, parses it and executes the resulting access operations.
E) The DBMS returns the result set to the application, which returns it to the user.
Because you constructed a special SQL statement, special results come back (as long as your SQL statement is flexible enough).
Next, I will demonstrate SQL injection with a concrete instance.
II. Detailed SQL injection example (the test below assumes magic_quotes_gpc is disabled on the server)
1) Preparation
We will first demonstrate exploiting an SQL injection vulnerability to log into the backend administrator interface.
First, create a table for the test:
create table `users` (
`id` int(11) not null AUTO_INCREMENT,
`username` varchar(64) not null,
`password` varchar(64) not null,
`email` varchar(64) not null,
primary key (`id`),
unique key `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=3 default charset=latin1;
Add a record for testing (the password is stored as an MD5 hash):
insert into users (username, password, email)
values ('marcofly', md5('test'), 'marcofly@test.com');
Next, the source code of the login page (login.php):
<html>
<head>
<title>SQL injection demonstration</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<form action="validate.php" method="post">
<fieldset>
<legend>SQL injection demonstration</legend>
<table>
<tr>
<td>User name:</td><td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td><td><input type="text" name="password"></td>
</tr>
<tr>
<td><input type="submit" value="Submit"></td><td><input type="reset" value="Reset"></td>
</tr>
</table>
</fieldset>
</form>
</body>
</html>
Note:
When you click the Submit button, the form data is posted to validate.php, which decides whether the username and password the user entered match a record. This step is critical, and it is where the SQL injection vulnerability usually lies.
The code of validate.php is as follows (the old mysql_* extension, as the original used it):
<html>
<head>
<title>Login verification</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<?php
$conn = @mysql_connect("localhost", 'root', '') or die("Database connection failed!");
mysql_select_db("injection", $conn) or die("The database you want to select does not exist");
$name = $_POST['username'];
$pwd = $_POST['password'];
// Vulnerable on purpose: both POST values are spliced straight into the SQL text.
// The stored password is md5('test'), so the submitted password is hashed in the query.
$sql = "select * from users where username='$name' and password=md5('$pwd')";
$query = mysql_query($sql);
$arr = mysql_fetch_array($query);
if (is_array($arr)) {
    header("Location: manager.php");
} else {
    echo "Your username or password was entered incorrectly. <a href=\"login.php\">Please log in again!</a>";
}
?>
</body>
</html>
Notice that the data submitted by the user (username and password) goes straight into the query without any filtering of special characters. You will soon see how fatal this is.
Code analysis: if the username and password match a record, the administrator interface (manager.php) is shown; if they do not match, a friendly prompt is displayed.
(Screenshot: login success page)
(Screenshot: login failure prompt)
At this point the preparatory work is complete. Next comes the main event: SQL injection.
2) Constructing the SQL statement
If you fill in the correct username (marcofly) and password (test) and click Submit, you get the "Welcome, administrator" page.
That is because the submitted username and password are spliced into the SQL query as follows:
select * from users where username='marcofly' and password=md5('test')
Obviously, since the username and password match what we inserted earlier, the login succeeds. What if we enter a wrong username or password? Obviously we cannot log in. That is the normal case; but on a website with an SQL injection vulnerability, a specially constructed "string" is enough to log in.
For example, enter ' or 1=1 # in the username box and anything you like as the password. The spliced query becomes:
select * from users where username='' or 1=1 #' and password=md5('')
Semantic analysis: # is a comment marker in MySQL, so everything after it is treated as a comment and is not executed. In other words, the following two SQL statements are equivalent:
select * from users where username='' or 1=1 #' and password=md5('')
is equivalent to
select * from users where username='' or 1=1
Because 1=1 is always true, the whole where clause is always true, and the statement simplifies further to:
select * from users
Yes: this statement returns every row of the users table. mysql_fetch_array() then hands validate.php the first of those rows, is_array() is true, and you are redirected to manager.php as that user, without knowing any password.
TIP: if you are unsure what the single quote in ' or 1=1 # is doing, echo $sql in validate.php and look at the statement that is actually sent to MySQL.
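The login check above, replicated as an added example (not the page's own code) so you can run it offline and see both the spliced query text and its effect. It uses an in-memory SQLite database instead of MySQL, registers an md5() function so the query keeps the same shape as validate.php, and puts the parameterised version beside the vulnerable one. It also goes one step beyond the page's payload: `marcofly' -- ` logs in as a specific known user by commenting out the password check, which is the variant you meet more often than `' or 1=1`. One caveat: SQLite only understands `-- ` line comments, while MySQL also accepts `#`, so the page's `' or 1=1 #` is shown as a query string but executed as `' or 1=1 -- `.

```python
import hashlib
import sqlite3

# Added example, not the original page's code. The table and the single test
# record mirror the page's setup; the database is in-memory SQLite.
QUERY = "select * from users where username='%s' and password=md5('%s')"


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the query reads exactly like validate.php.
    conn.create_function(
        "md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest()
    )
    conn.execute(
        "create table users ("
        " id integer primary key autoincrement,"
        " username text not null unique,"
        " password text not null,"
        " email text not null)"
    )
    conn.execute(
        "insert into users (username, password, email)"
        " values ('marcofly', md5('test'), 'marcofly@test.com')"
    )
    conn.commit()
    return conn


DB = make_db()


def build_query(name, pwd):
    """The page's TIP: echo the spliced statement before it reaches the DBMS."""
    return QUERY % (name, pwd)


def vulnerable_login(name, pwd, conn=DB):
    """Mirrors validate.php: user input is interpolated into the SQL text.

    Returns the username of the matched row, or None (mysql_query() failing
    on a syntax error gives False, which is_array() also rejects, so a broken
    statement is treated the same as 'no match')."""
    try:
        row = conn.execute(build_query(name, pwd)).fetchone()
    except sqlite3.Error:
        return None
    return row[1] if row else None


def safe_login(name, pwd, conn=DB):
    """Parameterised query: values travel separately from the SQL text, so
    quotes and comment markers in the input are data, never syntax."""
    row = conn.execute(
        "select * from users where username=? and password=md5(?)", (name, pwd)
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    print(build_query("' or 1=1 #", ""))               # what MySQL would receive
    print(vulnerable_login("' or 1=1 -- ", "anything"))  # marcofly: everyone is admin
    print(vulnerable_login("marcofly' -- ", "anything"))  # marcofly: password skipped
    print(safe_login("' or 1=1 -- ", "anything"))        # None
```

Run it directly to print the spliced query and the two bypasses; the vulnerable path needs no password for any account, while the parameterised path only ever matches a username literally equal to the payload.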
As you can see, a single constructed SQL statement has this much destructive power. I believe you now have a concrete understanding of SQL injection.
Yes, SQL injection is that easy. Constructing a flexible SQL statement that fits the actual situation, however, is not so easy; with this foundation you can explore further on your own.
Have you wondered what happens if the administrator filters special characters out of the data submitted through the backend login form? In that case our universal username ' or 1=1 # no longer works. That does not mean we are out of options: there are many more paths by which user input reaches the database.
For more information about SQL injection, see another blog: Database theft using SQL Injection
Original article: WEB development _ Xiaofei
Reprinted Please note: http://www.cnblogs.com/hongfei/archive/2012/01/12/sql-injection-tuoku.html