How to use SQL Injection for database explosion

Source: Internet
Author: User

What can SQL injection do?

In "SQL Injection basics" I introduced the basic principles and experimental method of SQL injection. Next, let's ask what SQL injection can actually do.

I expect many readers think that SQL injection can only obtain all the records in the current table, but not the contents of other tables. Is that true?

Can a thief who climbed into a room through the window only steal from that room? No, he can ransack the entire house.

Don't believe it? Let's look at how a MySQL database gets cracked open.

How to root a MySQL database

If you are an attacker who does not know which tables and fields exist in the system, how can you steal the database contents?

The answer is that MySQL has a metadata database. It describes every database on the MySQL server, the tables in each database, and the fields of each table. This is equivalent to handing over a map of all the treasure in the house.

So the metadata database is the root: once you hold it, you follow this path:

metadata database -> database list -> table list -> field list -> table contents

This layered, tree-like traversal yields the entire contents of the database. A demonstration follows.

Where is the metadatabase?

I said MySQL has a metadata database, but where is it hidden? Log in to MySQL and run SHOW DATABASES; to list all databases, as shown in the figure:

The database marked in red in the image, information_schema, is the metadata database; it holds everything we need to explore the whole server.

Enter the information_schema database:

The root we are talking about is the SCHEMATA table, which describes all the databases in MySQL.
Using the TABLES table, you can see the table names under each database; using the COLUMNS table, you can see the field names under each table. The following shows how to view this data in sequence.

View all databases

The SCHEMATA table describes all the databases. A standard SELECT statement is all it takes:

SELECT * FROM information_schema.SCHEMATA

To display all the contents of the table:

Note that from here on we do not switch into a database before accessing its tables; instead we use the <database name>.<table name> form. The preceding information_schema.SCHEMATA therefore queries the SCHEMATA table under the information_schema database.

In the figure, the SCHEMA_NAME field is the database name. The query result shows that this MySQL server has five databases.

View tables

With the database list, you can go on to view all tables in a database (or in all databases at once). For example, to list all tables in the lyt_test database, use this SQL statement:

SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'lyt_test'

The query result is shown in the figure:

TABLE_NAME is the table name, and the left column, TABLE_SCHEMA, is the database name. Because the lyt_test database contains only the accounts table, only one row is output.

View all fields in the table

Next, the COLUMNS table can be used to query all the fields in a table. The following SQL statement lists the field name and type of every field in the accounts table:

SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM information_schema.COLUMNS WHERE TABLE_NAME = 'accounts'

The figure shows all fields and their types in the accounts table:

View all records in the table

Viewing the contents of the accounts table is even easier. Anyone who has studied databases knows the SQL statement:

SELECT * FROM lyt_test.accounts

The result is as follows:

Now I believe you have learned how all the database content can be stolen from MySQL.

Finding a fulcrum

The great physicist Archimedes once said:

Give me a fulcrum and I can lift the whole earth.

The previous section showed how, without knowing anything about the design of a MySQL database, one can walk the information_schema metadata database step by step and steal the entire database content.

So how can SQL injection be used to steal the entire database? That is the fulcrum we are looking for.

Do you remember the experiment in the previous article? Using SQL injection, all data in the userinfo table could be stolen. However, only the WHERE part could be injected; the field and table names in the SELECT ... FROM ... part could not. So how can data be stolen from other tables?

The secret is the UNION statement. Standard SQL provides UNION to combine the results of two SELECT statements (that is, to concatenate two SELECT result sets). The UNION syntax is as follows:

SELECT column_name1(s) FROM table_name1
UNION
SELECT column_name2(s) FROM table_name2

The only requirement is that the two SELECT statements return the same number of columns.

With UNION, you can combine the results of SELECT * FROM userinfo WHERE ... and SELECT * FROM lyt_test.accounts.

Wait. As an attacker without the source code, how would I know how many columns the result of SELECT * FROM userinfo has?
Obviously I don't know it in advance, but it can be found by testing: inject statements of the form UNION SELECT 1, ... N in turn. First try SELECT 1, then SELECT 1,2, then SELECT 1,2,3, until no error occurs. You can try this on MySQL first. The result is as follows:

From the test results we can see that the SELECT result must have two columns; otherwise an error occurs.

By the way, remember that the injected WHERE clause has two conditions (name = 'name' AND passwd = 'passwd'); in real code the condition may be far more complex, even hard for an attacker to guess. Into which variable should UNION be injected so that the whole SQL statement remains a valid query?

The safest approach is to inject UNION SELECT ... into the first variable and then append a comment marker, which comments out whatever follows so the rest of the statement need not be considered. In MySQL the # symbol is used.

Having said all that, let's run an injection test to verify it:

In the username text box enter: ivan' union select 1,2# like this:

Click the login button; the result is shown in the figure:

Note the SQL statement:

SELECT * FROM userinfo WHERE name = 'ivan' union select 1,2# AND passwd = ''

The # comments out the SQL that follows; MySQL discards it during parsing, so the statement is equivalent to:

SELECT * FROM userinfo WHERE name = 'ivan' union select 1,2

The result of select 1,2 is a constant row; in the following examples we instead query data from tables, not just a constant row.

So UNION and # are the fulcrum for breaking open the database.
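The login query above, rebuilt as an added example (not code from the original article) to show why the UNION trick works only when input is spliced into the SQL text, and why the same query with bound parameters treats the whole input as a value. The table, rows and payload are constructed; SQLite stands in for MySQL, and because SQLite's line comment is "--" rather than MySQL's "#", the constructed payload uses "--".

```python
import sqlite3

# Constructed payload mirroring the article's "ivan' union select 1,2#",
# with SQLite's "--" comment marker in place of MySQL's "#".
PAYLOAD = "ivan' union select 1,2--"

def setup() -> sqlite3.Connection:
    # Constructed two-column userinfo table, matching the article's column count.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userinfo (name TEXT, passwd TEXT);
        INSERT INTO userinfo VALUES ('ivan', 's3cret'), ('lyt', 'hunter2');
    """)
    return conn

def login_vulnerable(conn, name, passwd):
    # Vulnerable: user input is spliced into the SQL text, so the closing quote,
    # the UNION and the comment marker in the input become part of the statement.
    sql = f"SELECT * FROM userinfo WHERE name = '{name}' AND passwd = '{passwd}'"
    return conn.execute(sql).fetchall()

def login_safe(conn, name, passwd):
    # Hardened: the same query with bound parameters; the input is only ever a
    # string value compared against the name column, never SQL syntax.
    sql = "SELECT * FROM userinfo WHERE name = ? AND passwd = ?"
    return conn.execute(sql, (name, passwd)).fetchall()

if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, ""))  # ivan's row plus (1, 2)
    print("safe:      ", login_safe(conn, PAYLOAD, ""))        # no rows
```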

Practice database explosion

Everything is ready. Now let the wind blow, and blow harder.

The following experiments are based on the database application demo developed in "SQL Injection basics". If you lack basic knowledge of SQL injection, read that article first; beginners are also encouraged to build the same demo application from that article to experiment and test with.

Expose the database list

Inject into username:

ivan' union select 1,SCHEMA_NAME from information_schema.SCHEMATA #

This queries the list of all databases, as shown in the figure:

The database list is displayed in the red box. In the UNION SELECT ... statement, the first column is the constant 1 and the second column is the SCHEMA_NAME column of the information_schema.SCHEMATA table, which is the database name.

Expose the names of all tables in a database

To keep the output short, only the table names in the lyt_test database are exposed. Inject into username:

ivan' union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA = 'lyt_test'#

This queries all the tables in the lyt_test database, as shown in the figure:

There is only one table, accounts, in the lyt_test database; otherwise the principle is the same as for exposing the database list, so it is not explained further.

Expose all fields in a table

Only the fields of the accounts table are exposed. Inject into username:

ivan' union select 1, COLUMN_NAME from information_schema.COLUMNS WHERE TABLE_NAME = 'accounts' #

The result is shown in the figure:

The field names are highlighted in red. What about their types? Modify the injected content:

ivan' union select 1, DATA_TYPE from information_schema.COLUMNS WHERE TABLE_NAME = 'accounts' #

This obtains the field type information, as shown in the figure:

Marked in red are the types of the first two fields: ID is of type char and balance is of type float.

From the above we can derive the rule: each injection retrieves one column of data from the target table. If the table has N columns, N injections obtain the complete table.

Expose all records in a table

Not written out here; practise it yourself. It works exactly as above.
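From the defender's side, the probes used in this practice section leave a recognisable signature in web server logs: a quote closing the string literal, UNION followed by SELECT, references to information_schema, and a trailing comment marker. The following is an added example (not from the original article) that URL-decodes the request target of each access-log line and scores it against those indicators; the log lines are constructed and the scoring weights and threshold are assumptions to tune for your own traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the article). Lines 2 and 3 carry
# the article's payloads percent-encoded as a browser would submit them; line 4 is
# benign traffic that happens to contain the word "union".
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "POST /login?username=ivan&passwd=x HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "POST /login?username=ivan%27+union+select+1%2C2%23&passwd= HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:03] "POST /login?username=ivan%27+UNION+SELECT+1%2CSCHEMA_NAME+from+information_schema.SCHEMATA+%23&passwd= HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /search?q=union+station+schedule HTTP/1.1" 200',
]

# Indicators of the technique described above, each with an assumed weight so that
# a single common word such as "union" does not trip the rule on its own.
RULES = {
    "quote_then_keyword": (re.compile(r"'\s*(union|or|and)\b", re.I), 2),
    "union_select":       (re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), 3),
    "information_schema": (re.compile(r"\binformation_schema\b", re.I), 3),
    "comment_terminator": (re.compile(r"(#|--\s|/\*)"), 1),
}

def decode(line):
    # Extract the request target and URL-decode it: payloads arrive percent-encoded,
    # so matching on the raw log text would miss them.
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    return unquote_plus(m.group(1)) if m else ""

def score(line):
    # Returns (total weight, names of the rules that matched) for one log line.
    target = decode(line)
    hits = [name for name, (rx, _) in RULES.items() if rx.search(target)]
    return sum(RULES[h][1] for h in hits), hits

def flag_injections(lines, threshold=4):
    # Returns (line, score, hits) for every request at or above the assumed threshold.
    flagged = []
    for line in lines:
        total, hits = score(line)
        if total >= threshold:
            flagged.append((line, total, hits))
    return flagged

if __name__ == "__main__":
    for line, total, hits in flag_injections(SAMPLE_LOG):
        print(total, hits, decode(line))
```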

Summary

Dumping a database through SQL injection turns out to be easy, but there are several necessary conditions

Have you mastered the essence of database explosion? Come and try.
