Some of the things written in front
Allow me to take a beating:
Originally saw Sqli-labs also several years ago, at that time played the front several levels, did not carry on. Recently because of a demand to think of Sqli-labs, so turned out to play the next. From the entertainment of each level to summarize the way of injection, this is entertainment in the fun, hoping to maintain a greater interest in learning to continue. And a lot of things do not forget, some small knowledge point is more like this, online search for a bit of relevant information, basically colleagues written by the blog in the Basic. The forehead of a heat decided to leave something behind the people (perhaps the dross may be the essence, all in your perspective), and decided to write a blog. After the blog finished the decision to summarize into a PDF document, more convenient to view. Originally wanted to record video, but the time requirements too long, so can only put down, here to see the late schedule or demand, if possible, the original author's video to mute the re-dubbing. Finally, I hope to be able to refer to the document in the following people can help, not in vain .
Why did you write this?
(1) The harm of SQL, how much of the site is to be compromised, the harm does not need to be said, the same network security situation today is a good, there are still a lot of web sites exist loopholes. Specific not table, you can go to the big src see.
(2) Many people think that SQL is so simple, at the same time a lot of people are flashy, the understanding of SQL injection in the end how deep, determine how you use the vulnerability of how unpredictable. Individuals want to use their own understanding of SQL injection to complete this game. Of course, there are a lot of SQL injection content, this is true! Because I wrote the hand sour.
(3) I used to be too miserable when I was studying, and most of the people came in through SQL when they started. At the same time, the world of SQL injection is really wonderful, and you will feel a lot when you see the payload of others using wisdom. All form your own understanding and use of methods, not mechanically. This document is where you want to help people who are learning.
How do you do this work?
Now the general idea is divided into three parts, but do not know that there is no time and energy to finish. The process of actually writing is time-consuming.
- , through the source code and manual way, all the injection method and the cause of the vulnerability to find out, and to learn. The requirement here is a "deep" understanding of each type of injection, understanding its rationale and the scenarios that might be applied to it.
- Using tools to attack, we recommend the use of Sqlmap here. In this process, to understand the use of sqlmap, the need to master the Sqlmap process and use methods, more energy, for some problems will be attached to Sqlmap source analysis.
- Self-implementation of automated attacks, this process, we based on common vulnerabilities, we write scripts to attack. The Python language is recommended here. At the same time, the Sql-labs system is written in PHP, where individuals think it is possible to take a look at each of the source code, and for some levels, you can try to add a few codes to enhance security.
Ps: Tool injection and automation injection may be delayed, see the second version. Please follow the blog.
How are you going to learn it?
- After the installation environment, hands-on experiments. There are problems in practice that can arouse interest more greatly.
- I can find some information in my blog (www.cnblogs.com/lcamry). or can consult others, humbly consult, fools. Three people will have my teacher Yan!
- Book Mountain has no Royal road as the path, diligence is the only way.
My related introduction
Blog:www.cnblogs.com/lcamry
Contact qq:646878467
After-school time and work outside time to write, time haste, while personal strength is limited, hope you criticize correct.
MySQL injected into the heavenly book before the words