Principles and dangers of SQL Injection

(Note: This example is only used for learning and communication)

SQL injection is the easiest mistake for web developers to make in daily development. Many children's shoes know SQL INJECTION and how to prevent it. However, they do not have enough knowledge about its harmfulness, therefore, a slight negligence in the development process will leave a vulnerability. This article does not describe what SQL injection (SQL injection) is, but uses a real case on the Internet to analyze the dangers of SQL injection and what attackers can do with these vulnerabilities. First of all, there are many boring people on the internet scanning your website vulnerabilities with various tools every day, so don't feel lucky, any of your program vulnerabilities may become the door for hackers to steal your information! For example, the voting system of a website is as follows:

Add an invalid character (single quotation mark) to the url to try to parse it.

 

The page shows an empty voting page. On the surface, the program receives parameters with invalid characters, but the database does not find the corresponding records.

Let's try again with the or keyword to build an SQL statement. Let's assume that the voting page uses a statement similar to the following:

 

SELECT * FROM vote WHERE voteid = $ _ GET ['res _ id'];
After or is entered, the SQL statement becomes like this:

SELECT * FROM vote WHERE voteid = $ _ GET ['res _ id'] or 1 = 1;

Because the following expression is always consistent, the result of executing this statement is the record corresponding to $ _ GET ['res _ id'] and the vote table (assuming the existing table) all records in. Let's take a look at the actual results:

 

The page displays all the data in the voting table, and stops my browser.--it seems that the program does have the SQL injection vulnerability, next, let's take a look at what information attackers can obtain through this vulnerability.

Generally, in addition to being able to obtain data in the vulnerability table (usually not very useful), attackers can use the union Syntax of SQL to obtain other tables in the database, even the data in other databases on the same machine (when accounts are shared), the SQL union syntax is used to combine the results of two SQL queries. There is a restriction, the number of fields returned by the two statements must be the same; otherwise, an error is reported. The typical syntax is as follows:

 

1. SELECT 1,2,3,4,5 FROM A UNION SELECT 6,7,8,9,10 FROM B; 

 

Through the above syntax, we can know that to union data on other tables, we must get two things:

1. The preceding SQL statement uses several fields, that is, when the program author generates a vote, several fields are obtained from the vote table.

2. Name of table B. At this time, the information_schema database of mysql can be used. This database stores some basic information about the mysql DATA table in view mode. Generally, all users can access part of the database. Here we use the tables table, which stores information about all the tables in the database, which is similar to the result of executing show table status.

Based on the second point, we can build an SQL statement to slowly try to get several fields in the first point, such as adding

1. union select 1 from information_schema.tables 

If the number of fields does not match, an error occurs in the SQL statement and no result is displayed:

When you try five fields, the page displays the correct results.

 

Replace field 4 with table_name to get the names of other tables in the database. The subsequent demonstration will not continue. Attackers can continue to obtain the table field name and directly read the data. If the user table is stored in the database, it will have a great impact.

The greater harm of SQL injection is that attackers can not only obtain your website data, but also directly generate website backdoors. The backdoor program can obtain all the permissions of web users, including adding, deleting, modifying, and querying databases, file modification.

Mysql supports the select .. into outfile function to write data to a file.

To sum up, SQL injection can indeed bring fatal harm to web applications. In fact, we usually pay more attention to variable initialization and variable filtering when writing programs, which is easy to prevent. Never ignore these details for a moment!

This article is for reference only. You are welcome to discuss it together.

Author: water drop blog