Share an example of using SQL injection vulnerability to drag the library

Using SQL injection vulnerabilities to log in to the backend and using SQL injection vulnerabilities to drag libraries are just a summary after I learned the relevant content, and there is no depth.

Same as the previous article, we need to create a data table and enter and exit several pieces of data in the table for testing purposes.
Create a table in the database:

The code is as follows:

CREATE TABLE `article` ( 
`articleid` int(11) NOT 
NULL
 AUTO_INCREMENT, 
`title` varchar(100) CHARACTER 
SET
 utf8 NOT NULL DEFAULT '', 
`content` text CHARACTER SET utf8 NOT NULL, 
PRIMARY 
KEY
 (`articleid`) 
) ENGINE=MyISAM AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;

I will not post the code for inserting data into the table. You can download it and import it directly into the database.
Next, write a page that handles user requests. Here, we deliberately do not filter the data submitted by the user, leaving a SQL injection vulnerability for testing.
The code is as follows:

The code is as follows:

<?php 
$servername = "localhost"; 
$dbusername = "root"; 
$dbpassword = ""; 
$dbname = "test"; 
$id=$_GET[&#39;id&#39;];//id未经过滤 
$conn=mysql_connect($servername,$dbusername,$dbpassword) or die ("数据库连接失败"); 
mysql_select_db($dbname,$conn); 
mysql_query(&#39;set names utf8&#39;); 
$sql = "SELECT * FROM article WHERE articleid=&#39;$id&#39;"; 
$result = mysql_query($sql,$conn); 
$row = mysql_fetch_array($result); 
echo "<p>利用SQL注入漏洞拖库<p>"; 
if (!$row){ 
echo "该记录不存在"; 
exit; 
} 
echo "标题<br>".$row[&#39;title&#39;]."<p>"; 
echo "内容<br>".$row[&#39;content&#39;]."<p>"; 
?>

We enter directly in the browser:
127.0.0.1/marcofly/phpstudy/sqlinsert/showart.php? id=1
You can access a record with id 1 in the article table
The access results are as follows:

Next, we will use this Vulnerability (if you don’t know the vulnerability, you can only detect it through tools + manual detection). Let’s demonstrate how to download the article table.
Enter in the address bar: ' into outfile 'e:/sql.txt'%23
Analysis: %23 is the ASCII code of #, because if you directly enter # in the address bar, it will change to the database system. If it becomes empty, you need to enter %23 in the address bar, then it will become #, and then comment out the following sql statement.
After running, open the E drive and find an additional sql.txt file. After opening, there is a record in the table article.
Why is there only one record? Does this data table only have one record? This is not the case, because we only retrieve one record with the ID 1, so can we download all the records in the article table at once?
The answer is yes, as long as your constructed SQL statement is flexible enough (the flexibility of constructed SQL statements is raised again).
Analysis, when you enter 'into outfile 'e:/sql.txt'%23 in the URL address bar, it is merged into the sql query statement and becomes:
SELECT * FROM article WHERE articleid='5 ' into outfile 'e:/whf.txt'#'
After careful analysis, we can construct the SQL statement like this:
SELECT * FROM article WHERE articleid='' or 1=1 into outfile 'e: /whf.txt'#'
In this case, the WHERE clause is always true no matter what. In other words, the sql statement is equivalent to the following:
SELECT * FROM article into outfile 'e:/whf.txt'#'
Understand, the sql statement first executes the select statement to retrieve all the contents of the table article, and then executes into outfile 'e:/whf.txt' #'Export the content.
If you don’t believe it, you can execute it...
Using SQL injection vulnerabilities, we can guess the table name, column name, user password length (LEFT function), etc., of course, if we can directly follow the above demonstration If you export all the data in the table, there is no need to guess the table name, column name, etc.
I’m a little tired, so I’ll just write it here.
Using SQL injection vulnerabilities to log in to the backend and using SQL injection vulnerabilities to drag libraries are just a summary after I learned the relevant content. There is no depth. As mentioned at the beginning of the article, it is just a summary and has no other meaning.

【Related Recommendations】

1. Special Recommendation:"php Programmer Toolbox" V0.1 version Download

2. How to prevent sql injection? Introducing 5 ways to prevent sql injection

3. Share five famous SQL injection vulnerability scanning tools

4. Share a SQL injection Instance procedure

The above is the detailed content of Share an example of using SQL injection vulnerability to drag the library. For more information, please follow other related articles on the PHP Chinese website!