Objective
Before reading this article you should be familiar with the prerequisites for SQL injection; refer to the previously written article on the basic knowledge required for SQL injection.
Understanding SQL Injection
Start from the simplest case: Less-1 begins our SQL injection learning journey.
By changing the id value in http://localhost/sqlilabs/Less-1/?id=3, the page renders different content (username, password).
We can therefore guess that the SQL statement in the background looks up the corresponding data based on the id value passed in from the front end.
The SQL statement would then be written as:
select username,password from table where id=input
Determining whether SQL injection exists
Next, test by requesting the following URLs:
http://localhost/sqlilabs/Less-1/?id=3 and 1=1
http://localhost/sqlilabs/Less-1/?id=3 and 1=2
At this point there is no change in the page, which is not what we expect, because when id=3 and 1=2
the SQL statement becomes select username,password from table where id=3 and 1=2
and the page should then show no content.
Determining the background SQL statement
After the previous statements, we use the following one:
http://localhost/sqlilabs/Less-1/?id=3'
When this URL is requested, the page displays the SQL execution error message: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3'' LIMIT 0,1' at line 1
The most critical part of the error message is:
''3'' LIMIT 0,1'
The outermost quotation marks are added automatically by MySQL when it reports the error, so the actual SQL fragment is '3'' LIMIT 0,1
We find that the 3' we entered is enclosed in quotes, so our guess select username,password from table where id=input
was wrong, and the actual background SQL statement should be:
select username,password from table where id='input'
SQL injection Validation
Once you have confirmed the SQL injection and know the background SQL statement, you can inject your own SQL code.
Because we control the value of id, the resulting SQL statement becomes:
select username,password from table where id='input attack code'
At this point we can construct the following payloads to verify our idea. Since our input is wrapped in a pair of single quotes, the statement we enter must take effect despite the quotes: either close the single quote or comment out the single quote. (Refer to the previous article.)
# close the single quote
id=1 and '1'='1 #
# comment out the single quote
id=1 and 1=1 # or id=1 and 1=1--+
When we use these 3 payloads, the page results match our expectations. We can then confirm that the id parameter is indeed SQL-injectable, and that the background SQL statement really is select username,password from table where id='input'
Once the SQL statement has been identified, the SQL injection code can be injected.
Execute SQL injection
The critical part is using SQL statements to dump the database (脱裤). If you merely know that SQL injection exists but cannot dump the data, the vulnerability has little impact on the site. Constructing the correct SQL statements for dumping is also important; the detailed steps of SQL injection are explained in the next article.
Injection type judgment
The SQL statement in this example is called character-type SQL injection, because our input is enclosed in quotation marks when the SQL statement executes, so it is actually treated as character-type data. Besides character-type SQL injection there is, of course, numeric-type SQL injection. So how do we distinguish the two?
Character-type SQL injection
In the section on determining the background SQL statement, when we entered id=3'
the page's error message was '3'' LIMIT 0,1
We found that the 3' is surrounded by quotes, which means this is character-type SQL injection.
Numeric SQL injection
In Less-2, when we enter the same id=3'
the page's error message is ' LIMIT 0,1
so it is numeric injection; and since there is a limit
keyword, we guess the SQL statement in Less-2 is:
select username,password from table where id=input limit 0,1
All of the above can be validated by looking at the source code.
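The following Python script is an added illustration, not code from the original article or from sqli-labs. It reproduces the two query templates discussed above (the character-type one from Less-1 and the numeric one from Less-2) against an in-memory SQLite database with constructed rows, shows that a stray single quote in the input turns into a syntax error with either template, and contrasts that with a parameterised query, where the same input is treated as data and no error is raised. Table and column names beyond username/password are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (assumption: the
# page only names the username and password columns).
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def build_less1_sql(user_input):
    """Character-type template: the input lands between single quotes."""
    return "SELECT username, password FROM users WHERE id='%s' LIMIT 0,1" % user_input


def build_less2_sql(user_input):
    """Numeric-type template: the input is spliced in bare."""
    return "SELECT username, password FROM users WHERE id=%s LIMIT 0,1" % user_input


def vulnerable_lookup(conn, user_input, builder=build_less1_sql):
    """String-concatenated query. Returns ("ok", row) or ("error", message).

    A quote in the input changes the statement's syntax; the resulting
    database error is the signal the article reads off the error page.
    """
    try:
        row = conn.execute(builder(user_input)).fetchone()
        return ("ok", row)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def safe_lookup(conn, user_input):
    """Parameterised query: the value travels separately from the SQL text,
    so a quote inside it is data, not syntax, and no error is raised."""
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_input,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for probe in ("3", "3'"):
        print("Less-1 template:", build_less1_sql(probe), "->", vulnerable_lookup(db, probe))
        print("Less-2 template:", build_less2_sql(probe), "->",
              vulnerable_lookup(db, probe, build_less2_sql))
        print("parameterised  :", safe_lookup(db, probe))
```

Running it shows the same contrast the article draws from the MariaDB error text: with either concatenated template the input `3'` produces a database error, while the parameterised lookup simply finds no row for it. SQLite's comparison rules are stricter than MySQL's implicit casting, so the `3 and 1=2` probe from the existence check is not reproduced here.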
SQL statement judgment
However, many times the SQL execution error message is not returned when we probe with a single quote, so we cannot learn the injection type from the error message, because the background SQL statements are often written in all kinds of unusual ways.
The code in Less-3 and Less-4 is as follows:
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
In Less-3, parentheses wrap the user's input.
$id = '"'.$id.'"';
$sql = "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
In Less-4, double quotes wrap the user's input, so adding a single quote in the test cannot trigger an SQL execution error.
So it is not enough to test with a single quote alone; use different kinds of symbols, including ', ", \, (, =, & and so on, and sometimes other probing methods, because the background SQL statement cannot be known in advance. Also, many web developers now have some security awareness, so the usual SQL probing statements may not work. There is plenty of information on the web about other probing statements for the various kinds of SQL injection.
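From the defender's side, the same probing symbols the article lists are what a web server log shows when someone is testing a parameter. The script below is an added example, not part of the original article: it parses a few constructed Apache-style access log lines (the paths reuse the sqli-labs URLs above), URL-decodes each query parameter value, and flags values containing quotes or backslashes, `and`/`or` tautologies, SQL comment markers, or parentheses. `=` and `&` are left out of the rules because they are ordinary query-string syntax. The log format, rule names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed log lines in Apache combined format (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /sqlilabs/Less-1/?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /sqlilabs/Less-1/?id=3%20and%201=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /sqlilabs/Less-1/?id=3%27 HTTP/1.1" 200 398 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /sqlilabs/Less-1/?id=1%20and%201=1--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client address, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, regex) applied to the decoded value of a query parameter.
PROBE_RULES = [
    ("quote", re.compile(r"""['"\\]""")),                       # ' " or backslash
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),  # and 1=1, or 1=2
    ("comment", re.compile(r"(#|--[\s+]|/\*)")),                 # #, -- , --+, /*
    ("paren", re.compile(r"[()]")),                              # for the Less-3 style template
]


def decoded_params(target):
    """(key, value) pairs of the query string, percent- and plus-decoded."""
    pairs = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def classify_request(line):
    """Return (ip, target, [matched rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for _, value in decoded_params(m.group("target")):
        for name, rule in PROBE_RULES:
            if rule.search(value) and name not in hits:
                hits.append(name)
    return (m.group("ip"), m.group("target"), hits)


def flag_requests(log_text):
    """Requests whose query values carry at least one probe indicator."""
    flagged = []
    for line in log_text.splitlines():
        result = classify_request(line)
        if result and result[2]:
            flagged.append(result)
    return flagged


def probes_per_client(log_text):
    """Count of flagged requests per client address, for spotting a probing session."""
    counts = {}
    for ip, _, _ in flag_requests(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, target, hits in flag_requests(SAMPLE_LOG):
        print(ip, target, hits)
    print(probes_per_client(SAMPLE_LOG))
```

Decoding before matching matters: the `%27` in the third line and the `+` in `--+` only become a quote and a trailing space after URL decoding, which is also why the `--+` form works as a comment in the first place. The per-client count is the more useful signal, since a single quote in a legitimate value (a surname, say) is common, while several different probe types from one address within seconds is not.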
Summary
There is no one-size-fits-all approach to SQL injection, only constant experimentation; once you have some experience you will recognise the injection type instinctively and judge SQL injections more quickly. That is the whole content of this article. If you want to do real security testing of live sites, the knowledge above is far from enough. The editor will continue to post more SQL injection articles; please keep following the Yunqi Community.