Although SQL injection is not as common as it used to be, it still exists on some small and medium-sized websites. For example, take a URL of the website:
The simplest way to detect a SQL injection vulnerability is to append a single quotation mark (') to the parameter value 332 and observe the program's response. If an error message is produced, a SQL injection vulnerability may exist. Website response:
The backend error is printed directly. This error indicates that the backend database is probably Microsoft Access. To verify further, change 332 to 330+2; the plus sign must be URL-encoded, so the parameter becomes 330%2b2. If the returned page is the same as for 332, the vulnerability exists. To find the database name, table names, field names and data manually, you would have to assemble the various SQL statements yourself.
Here I use the sqlmap tool. sqlmap is written in Python; because Python is an interpreted language, sqlmap runs across platforms. The tool comes preinstalled on some Linux security distributions; BackTrack 5 is used as the example here. First, test for the database name, for example:
The results show that the SQL injection vulnerability exists. The backend database is Access, but no database name was detected. Next, test the table names directly, for example:
The database name is detected and two table names are listed. sqlmap can also be used to check column names and dump data. For sqlmap usage, see Backtrack Command Parsing (information gathering).
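From the defender's side, the two manual probes above (the appended quote and the URL-encoded 330%2b2 arithmetic) and the requests a scanner such as sqlmap sends all leave the same trace in the web server's access log. The following is an added example, not code from the original page, of a small log scanner that flags those probe values and records whether a quote probe was answered with a 5xx error, which is the sign that the backend error reached the client. The log lines are constructed Common Log Format samples; the path `/show.asp` and parameter `id` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Common Log Format); not from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /show.asp?id=332 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /show.asp?id=332' HTTP/1.1" 500 812
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /show.asp?id=330%2b2 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:10:00:04 +0000] "GET /show.asp?id=331 HTTP/1.1" 200 5098
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A numeric id arriving as "330+2" is the arithmetic probe described in the text.
ARITH_RE = re.compile(r'^\d+\s*[-+*/]\s*\d+$')


def classify_value(value: str):
    """Return the probe type a URL-decoded parameter value looks like, or None."""
    if "'" in value:
        return "quote"
    if ARITH_RE.match(value):
        return "arithmetic"
    return None


def detect_probes(log_text: str):
    """Scan access-log lines for query parameters that carry SQLi probe values.

    parse_qsl() decodes the query the way the application does, so "330%2b2"
    is examined as "330+2". A quote probe answered with a 5xx status is marked
    as error_leaked: the backend error went back to the client.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"), "param": name, "value": value,
                    "kind": kind, "status": int(m.group("status")),
                    "error_leaked": kind == "quote" and m.group("status")[0] == "5",
                })
    return findings
```

Run over real logs, a burst of such findings from one address is the pattern to alert on; the lasting fix is parameterised queries and suppressing backend error pages.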