Sqli and Sqli-labs Introduction
Sqli is short for SQL injection. SQL stands for Structured Query Language. Common structured databases include MySQL, MS SQL, Oracle, and PostgreSQL, and SQL is the language used to manage them. When an application uses SQL statements to manage its database, it often builds the complete statement by string concatenation. The danger is that the SQL statement can be changed while it is being concatenated, so that the database executes statements the attacker wants to run. That is what we usually call SQL injection.
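The concatenation problem described above, as an added example that is not part of the original post or of sqli-labs. It uses Python's built-in sqlite3 with a constructed users table (the labs themselves use PHP and MySQL), and the function names and sample data are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("alice",), ("bob",), ("o'brien",)])
    return db

def lookup_concatenated(db, username):
    # Vulnerable: the input is stitched into the statement text, so a quote
    # in `username` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return sql, sorted(row[0] for row in db.execute(sql))
    except sqlite3.OperationalError:
        # The input broke the statement's syntax. Errors like this in
        # application logs are a sign that a query is built by concatenation.
        return sql, None

def lookup_parameterized(db, username):
    # Hardened: the statement text is fixed and the input is bound as a
    # value, so it can never become part of the SQL grammar.
    sql = "SELECT username FROM users WHERE username = ?"
    return sql, sorted(row[0] for row in db.execute(sql, (username,)))

def compare(db, value):
    # Run the same input through both query styles.
    return {"concatenated": lookup_concatenated(db, value),
            "parameterized": lookup_parameterized(db, value)}

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a legitimate name containing a
    # quote, and a value whose quote changes the WHERE clause.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        for kind, (sql, rows) in compare(db, value).items():
            print(f"{kind:14} {sql} -> {rows}")
```

With the concatenated query the third input returns every row and the second fails outright, while the parameterized query treats both as plain data.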
We do not explain the underlying principles in detail here; working through each of the sqli-labs levels below will give you a real feel for what SQL injection is. PS: Readers who are familiar with tools such as sqlmap can analyze the principle of each level from the sqlmap log. But I personally suggest understanding the principle first and then using the tool. That way you also understand how the tool works when you use it. Going a step further, think about what you would write if you had to write the code that implements the attack yourself.
PS: Because I tested this work on multiple platforms and multiple browsers, the environments shown may differ, but they still explain the principle, so please don't be picky here. The early pictures are mostly screenshots taken in Chrome, which I later found was not very good, so the URL is pasted above each picture. Try to use Firefox, which has HackBar.
Sqli-labs Download
Sqli-labs is a game-style tutorial written by an Indian programmer for learning SQL injection. The blog address is:
http://dummy2dummies.blogspot.hk/. There are some examples on the blog, and the content of many domestic blogs is translated from the author's blog. The author has also published a set of related videos that can be viewed on YouTube. PS: Indians speak English with too heavy an accent... just make do and try to understand.
Considering that some readers cannot get past the firewall, here is a domestic download address as well.
http://pan.baidu.com/s/1bo2L1JT
PS: If you do not want to watch the videos, you can simply ignore them; the accent really is a headache. I originally wanted to record videos here myself, but for now time is rather limited.
Sqli-labs project address on GitHub: https://github.com/Audi-1/sqli-labs
(For security reasons, do not carry this.)
Sqli-labs Installation
The following environments need to be installed
- apache+mysql+php
- Tomcat+mysql+java (required for some levels)
If possible, it is recommended to install it on both Windows and Linux.
On Windows you can install directly with an all-in-one package such as Wamp, Phpstudy, or Apmserv; on Linux, search the web for an installation tutorial. For example, on Ubuntu, novices generally install through the Software Center and apt-get. Installing the environment is not covered further here.
My test environments are Windows, built directly with Wamp, and Linux, using Ubuntu 14.04 with apache+mysql+php.
In addition, several of the later levels need a Tomcat+Java+MySQL server. Because apache+mysql+php has already been installed, we only need to install Tomcat, the JRE, and the Java MySQL connector jar; the specific process is not explained in detail.
Sqli-labs Installation
Extract the previously downloaded source into the web directory: /var/www/html for Apache on Linux, or the www directory under Wamp on Windows.
Modify the MySQL account and password in the sql-connections/db-creds.inc file:
change user and pass to your MySQL account and password. Then visit the 127.0.0.1 page and click to create the installation database.
That completes the installation, and we can start the game.