1. First understand the principle of SQL injection:
SQL Injection: It is to insert SQL commands into the Web Submit a form or enter a domain name or query string for a page request, ultimately tricking the server into executing malicious SQL commands.
Specifically, it is the ability to use existing applications to inject (malicious) SQL commands into the backend database engine for execution. It can obtain an existence by entering (malicious) SQL statements in a web form. Security holes in the database on the website, rather than executing SQL statements as the designer intended. For example, many previous film and television websites leaked VIP membership passwords, mostly by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks. (Sourced from Baidu)
That is to say, the website page contains parts that interact with the database (such as the search function of a news website), and when data is entered on the website, the data is programmed and passed to the database for execution. During the process, the website developers did not perform security processing on the corresponding data passed into the database (such as filtering special characters, encoding, etc.), allowing hackers to pass malicious code (that is, SQL commands containing illegal SQL statements) through the front end of the website. Enter the database and execute these SQL statements with hacker purposes in the database, causing database information leakage, damage and other consequences.
2. General classification of SQL injection
Classified according to injection point type
(1) Number Type injection point
Many web links have a similar structure http://www.example.com/12.php?id=1 Injections based on this form are generally called digital injection points , the reason is that the injection point id type is a number. In most web pages, such as viewing user personal information, viewing articles, etc., most of them use this form of structure to transfer id and other information, hand it to the backend, and query it out of the database The corresponding information is returned to the front desk. The prototype of this type of SQL statement is probably select * from table name where id=1. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where id=1 and 1=1
(2) Character injection point
The web link has a similar structure http://xwww.example.com/users.php?user=admin This form , the user type of its injection point is character type, so it is called character injection point. The prototype of this type of SQL statement is probably select * from table name where user='admin'. It is worth noting that compared with the numeric injection type SQL statement prototype, there are more quotes, which can be single quotes or double quotes. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where user='admin' and 1=1 ' We need to get rid of these annoying quotation marks.
(3) Search injection point
This is a special type of injection. This type of injection mainly refers to not filtering the search parameters when performing data searches. Generally, there is "keyword=keyword" in the link address. Some are not displayed in the link address, but are submitted directly through the search box form. The prototype of the SQL statement submitted by this type of injection point is roughly: select * from table name where field like '%keyword%' If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table Name where field like '%test%' and '%1%'='%1%'
3. If you can determine whether there is SQL injection (novice summary, for reference only )
To put it simply:
All inputs may trigger SQL injection as long as they interact with the database
SQL injection is based on the data Submission methods can be divided into:
(1) GET injection: The method of submitting data is GET, and the location of the injection point is in the GET parameter part. For example, there is such a link http://xxx.com/news.php?id=1, id is the injection point.
(2) POST injection: Use POST method to submit data. The injection point is in the POST data part, which often occurs in forms.
(3) Cookie injection: HTTP requests will bring the client's Cookie, and the injection point exists in a certain field in the Cookie.
(4) HTTP header injection: The injection point is in a certain field in the HTTP request header. For example, it exists in the User-Agent field. Strictly speaking, Cookie should actually be considered a form of header injection. Because during HTTP requests, Cookie is a field in the header.
After classifying according to the submission method, you will find that the longest locations where SQL injection occurs are in the link address, data parameters, cookie information, and HTTP request headers.
After understanding the locations where SQL injection may exist, we need to determine whether SQL injection can be triggered at these locations. The simplest way is to enter and 1=1 (and the transformed form of and 1=1) at the corresponding location. judge. For different injection point types, single quotes need to be added appropriately for character types, but not for numeric injection points.
4. Advanced classification of SQL injection (classified according to execution effect)
(1) Boolean-based blind injection: That is, the injection of true and false conditions can be judged based on the returned page.
(2) Time-based blind injection: That is, no information can be judged based on the content returned by the page. Use conditional statements to check whether the time delay statement is executed (that is, whether the page return time increases). .
(3) Injection based on error reporting: That is, the page will return error information, or the result of the injected statement will be returned directly to the page.
(4) Union query injection: Injection in the case of union can be used.
(5) Heap query injection: The injection of multiple statements can be executed at the same time.
(6) Wide byte injection: Using gbk is a multi-byte encoding, two bytes represent a Chinese character
This article is for your study only. Never maliciously attack other people's websites.
Recommended tutorial: SQL online video tutorial
The above is the detailed content of Detailed introduction to sql injection. For more information, please follow other related articles on the PHP Chinese website!