What SQL injection can do
The "SQL Injection Basics" article described the basic principles of SQL injection and how to experiment with it. The next question is: what can SQL injection actually do?
Many readers probably assume that SQL injection can only fetch all the records in the current table, not the contents of other tables.
That is like saying a thief who climbed in through the window can only steal what is in that one room. No: he can loot the whole house.
Don't believe it? Let's see how a MySQL database can be dumped.
How to dump a MySQL database root and branch
If a hacker has no way of knowing what tables are in the system or what fields are in each table, how can he steal the contents of the database?
The answer is that MySQL has a meta-database describing which databases the whole MySQL server has, which tables each database has, and which fields each table has. That is tantamount to telling people what you have in your own house.
The meta-database is the root. Once you have hold of that root, you can follow this tree-like retrieval order:
meta-database -> database list -> table list -> field list -> table contents
and steal the entire database content. The following shows how.
Where is the meta-database?
We just said MySQL has a meta-database, but where is it hiding? Don't worry: log in to MySQL and run show databases;
to get a list of all the databases, as shown:
The database highlighted in red, information_schema,
is the meta-database. Inside it is virgin land for you to explore.
Enter the information_schema
database and see which tables it contains with the following command:
The root we are talking about is the SCHEMATA
table, which describes all the databases under MySQL.
Then, using the TABLES
table, you can see the table names under each database, and using the COLUMNS
table, you can see the field names under each table. The following shows how to view each of them in turn.
View all databases
The SCHEMATA table describes all the databases; a standard SELECT statement is enough:
SELECT * FROM information_schema.SCHEMATA
which displays the entire contents of the table:
Note that the table is referenced in the standard <database name>.<table name> form, since we have not switched into any database. So information_schema.SCHEMATA
means the SCHEMATA table under the information_schema
database.
The SCHEMA_NAME field in the screenshot
is the database name, and from the query result this MySQL server has 5 databases.
View tables
With the list of databases, you can go further and view all the tables under one database (all the tables under all databases can be listed too). For example, to list all the tables under lyt_test,
use the SQL statement:
SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'lyt_test'
The query results are as follows:
TABLE_NAME
is the table name and the left column TABLE_SCHEMA
is the database name. Because the lyt_test database has only the accounts table, the output is a single row.
View all fields in a table
Then use the COLUMNS table to query the field information for a table. The following SQL statement lists all the field names and types of the accounts table:
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM information_schema.COLUMNS WHERE TABLE_NAME = 'accounts'
The fields and types of the accounts table come out as shown:
View all records in a table
Viewing the contents of the accounts table is a piece of cake; anyone who has learned databases knows the SQL:
SELECT * FROM lyt_test.accounts
The results are as follows:
By now, I believe you have learned how to steal all the content from a MySQL database.
Looking for a fulcrum
The great physicist Archimedes once said:
Give me a fulcrum, and I can move the Earth.
The technique above showed how, without knowing anything about MySQL's data design, you can walk the information_schema meta-database step by step
and steal the entire database content.
So how do you use SQL injection to steal an entire database? That is the fulcrum we are looking for.
Do you remember the experiment in the last article? With SQL injection you could steal all the data from the UserInfo table. But the injectable part of that SQL was only the WHERE
clause; the field list and table name in the SELECT ... FROM ...
part could not be injected, so how can you steal data from other tables?
The secret is the UNION
statement. Yes, standard SQL provides UNION,
which combines the results of two SELECT
statements (that is, the union of two SELECT
result sets). The syntax of the UNION
statement is as follows:
SELECT column_name1(s) FROM table_name1
UNION
SELECT column_name2(s) FROM table_name2
The only requirement is that the two SELECT
statements return the same number of columns.
With the UNION
statement, you can combine the results of SELECT * from userinfo WHERE ...
and SELECT * from lyt_test.accounts
into one result set.
But a hacker who does not have the source code: how does he know how many columns SELECT * from userinfo
returns?
Obviously he cannot know directly, but the value can be found by trial: inject UNION SELECT 1, ... N
statements in turn. Try SELECT 1
first, then SELECT 1,2,
then SELECT 1,2,3,
until no error occurs. You can try this on MySQL first; the results are as shown:
From the test results, the query after UNION SELECT
must have two columns, otherwise an error occurs.
Remember the WHERE
clause that was injected? It had two conditions (name = 'NAME' and passwd = 'PASSWD'). In real code the conditions may be more complex, and even a hacker can hardly guess them. So which variable should the UNION
statement be inserted into so that the whole SQL remains a legal query?
The safest approach is to inject UNION SELECT ...
into the first variable and then append a comment symbol at the end of the injection, commenting out whatever follows so it does not matter what the rest of the statement is. In MySQL, a comment
can be written with the # symbol.
Having said so much, you can do a bit of injection testing to verify it:
In the username
text box, type: ivan' union select 1,2#
as shown:
Click the login
button; the result is as shown:
Please note the SQL statement generated in the red box:
SELECT * from userinfo WHERE name = 'ivan' union select 1,2#' and passwd = ''
The #
comments out the rest of the SQL, and MySQL simply discards it, so the statement is equivalent to:
SELECT * from userinfo WHERE name = 'ivan' union select 1,2
The result of select 1,2 is a constant row; in the examples that follow, the attempt is to query data from a table rather than a constant row.
All right: UNION
and #
are the fulcrum of database dumping.
Dumping the database in practice
Everything is ready except the east wind. Let the wind blow, and blow harder.
The following experiments use the database application demo built in "SQL Injection Basics". Readers without basic knowledge of SQL injection are advised to read that article first, and beginners are also advised to build the same demo application and test along with it.
Dumping the database list
Inject into username:
ivan' union select 1,schema_name from INFORMATION_SCHEMA.SCHEMATA #
to query the list of all databases, as shown:
The list in the red box is the database list. In the UNION SELECT ...
statement, the first column is the constant 1 and the second is the schema_name column of the SCHEMATA table in information_schema, which is exactly the database name.
Dumping all table names under a database
To reduce the output, only the tables under the lyt_test database are dumped. Inject into username:
ivan' union select 1,table_name from INFORMATION_SCHEMA.TABLES where table_schema = 'lyt_test' #
to query all the tables under the lyt_test database, as shown:
The difference is that lyt_test has only the accounts table; otherwise the principle is the same as dumping the database list, so it needs no further explanation.
Dumping all fields under a table
Only the fields of the accounts table are dumped here. Inject into username:
ivan' union select 1,column_name from INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'accounts' #
The results are as follows:
Red is the field name. What about the type? Change the injected content to:
ivan' union select 1,data_type from INFORMATION_SCHEMA.COLUMNS WHERE table_name = 'accounts' #
to get the field type information, as shown:
The red entries are the types of the two fields above: ID
is of type char
and balance
is of type float.
A pattern emerges from the above: each injection retrieves one column of the target table, so if the table has n columns, n injections retrieve the complete table information.
Dumping all records under a table
This is not written out here; readers can practice it on their own. The principle is exactly the same as above.
Summary
It turns out that dumping a database through SQL injection is this easy, but there are a few prerequisites:
- MySQL has a meta-database, information_schema, that describes the database-table-field tree of the whole MySQL server
- The SQL language provides the
UNION
statement, which lets data stolen from other tables be merged into the injected SELECT
result
- MySQL extends SQL with the
#
comment, so the injection can do whatever it wants with the rest of the statement
Have you mastered the essence of database dumping? Go and try it.
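As an added example (not code from the original post), here is a Python sketch of both sides of the page's login query: the string-concatenated form that produces the injected SQL shown above, a parameterized version of the same lookup run against a constructed in-memory SQLite userinfo table, and a check that flags UNION SELECT ... information_schema query text in logs. The userinfo contents, the table schema and the function names are assumptions.

```python
import re
import sqlite3

# Constructed demo data standing in for the page's userinfo table (assumed schema).
ROWS = [("ivan", "secret"), ("alice", "hunter2")]

# The payload the page types into the username box.
PAYLOAD = "ivan' union select 1,2#"


def build_unsafe_sql(name, passwd):
    """String concatenation as in the vulnerable demo app: the input becomes part
    of the SQL text, so a quote plus UNION changes the statement's structure.
    The string is only built here, never executed (SQLite has no # comment)."""
    return f"SELECT * from userinfo WHERE name = '{name}' and passwd = '{passwd}'"


def login_safe(conn, name, passwd):
    """Parameterized query: the driver passes the input as a value, so the quote,
    UNION and # are compared as characters of the name, never parsed as SQL."""
    cur = conn.execute(
        "SELECT name FROM userinfo WHERE name = ? AND passwd = ?", (name, passwd))
    return cur.fetchone()


# Detection over raw query text (e.g. the MySQL general log): a UNION SELECT that
# reads information_schema is the enumeration pattern this page walks through.
# Case and whitespace variants are covered; comment-based obfuscation is not.
UNION_ENUM = re.compile(r"union\s+(?:all\s+)?select\b.*\binformation_schema\s*\.", re.I)


def is_schema_enumeration(sql):
    return UNION_ENUM.search(sql) is not None


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)", ROWS)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe SQL:", build_unsafe_sql(PAYLOAD, ""))
    print("safe lookup with payload:", login_safe(db, PAYLOAD, ""))
    print("safe lookup with real creds:", login_safe(db, "ivan", "secret"))
```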
Note: This article is reposted from http://blog.csdn.net/linyt/article/details/52966555 (original title: How to use SQL injection to dump a database).