Detailed introduction to sql injection
1. First understand the principle of SQL injection:
SQL Injection: It is to insert SQL commands into the Web Submit a form or enter a domain name or query string for a page request, ultimately tricking the server into executing malicious SQL commands.
Specifically, it is the ability to use existing applications to inject (malicious) SQL commands into the backend database engine for execution. It can obtain an existence by entering (malicious) SQL statements in a web form. Security holes in the database on the website, rather than executing SQL statements as the designer intended. For example, many previous film and television websites leaked VIP membership passwords, mostly by submitting query characters through WEB forms. Such forms are particularly vulnerable to SQL injection attacks. (Sourced from Baidu)
That is to say, the website page contains parts that interact with the database (such as the search function of a news website), and when data is entered on the website, the data is programmed and passed to the database for execution. During the process, the website developers did not perform security processing on the corresponding data passed into the database (such as filtering special characters, encoding, etc.), allowing hackers to pass malicious code (that is, SQL commands containing illegal SQL statements) through the front end of the website. Enter the database and execute these SQL statements with hacker purposes in the database, causing database information leakage, damage and other consequences.
2. General classification of SQL injection
Classified according to injection point type
(1) Number Type injection point
Many web links have a similar structure http://www.example.com/12.php?id=1 Injections based on this form are generally called digital injection points , the reason is that the injection point id type is a number. In most web pages, such as viewing user personal information, viewing articles, etc., most of them use this form of structure to transfer id and other information, hand it to the backend, and query it out of the database The corresponding information is returned to the front desk. The prototype of this type of SQL statement is probably select * from table name where id=1. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where id=1 and 1=1
(2) Character injection point
The web link has a similar structure http://xwww.example.com/users.php?user=admin This form , the user type of its injection point is character type, so it is called character injection point. The prototype of this type of SQL statement is probably select * from table name where user='admin'. It is worth noting that compared with the numeric injection type SQL statement prototype, there are more quotes, which can be single quotes or double quotes. If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table name where user='admin' and 1=1 ' We need to get rid of these annoying quotation marks.
(3) Search injection point
This is a special type of injection. This type of injection mainly refers to not filtering the search parameters when performing data searches. Generally, there is "keyword=keyword" in the link address. Some are not displayed in the link address, but are submitted directly through the search box form. The prototype of the SQL statement submitted by this type of injection point is roughly: select * from table name where field like '%keyword%' If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table Name where field like '%test%' and '%1%'='%1%'
3. If you can determine whether there is SQL injection (novice summary, for reference only )
To put it simply:
All inputs may trigger SQL injection as long as they interact with the database
SQL injection is based on the data Submission methods can be divided into:
(1) GET injection: The method of submitting data is GET, and the location of the injection point is in the GET parameter part. For example, there is such a link http://xxx.com/news.php?id=1, id is the injection point.
(2) POST injection: Use POST method to submit data. The injection point is in the POST data part, which often occurs in forms.
(3) Cookie injection: HTTP requests will bring the client's Cookie, and the injection point exists in a certain field in the Cookie.
(4) HTTP header injection: The injection point is in a certain field in the HTTP request header. For example, it exists in the User-Agent field. Strictly speaking, Cookie should actually be considered a form of header injection. Because during HTTP requests, Cookie is a field in the header.
After classifying according to the submission method, you will find that the longest locations where SQL injection occurs are in the link address, data parameters, cookie information, and HTTP request headers.
After understanding the locations where SQL injection may exist, we need to determine whether SQL injection can be triggered at these locations. The simplest way is to enter and 1=1 (and the transformed form of and 1=1) at the corresponding location. judge. For different injection point types, single quotes need to be added appropriately for character types, but not for numeric injection points.
4. Advanced classification of SQL injection (classified according to execution effect)
(1) Boolean-based blind injection: That is, the injection of true and false conditions can be judged based on the returned page.
(2) Time-based blind injection: That is, no information can be judged based on the content returned by the page. Use conditional statements to check whether the time delay statement is executed (that is, whether the page return time increases). .
(3) Injection based on error reporting: That is, the page will return error information, or the result of the injected statement will be returned directly to the page.
(4) Union query injection: Injection in the case of union can be used.
(5) Heap query injection: The injection of multiple statements can be executed at the same time.
(6) Wide byte injection: Using gbk is a multi-byte encoding, two bytes represent a Chinese character
This article is for your study only. Never maliciously attack other people's websites.
Recommended tutorial: SQL online video tutorial
The above is the detailed content of Detailed introduction to sql injection. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1387
52
What is the difference between HQL and SQL in Hibernate framework?
Apr 17, 2024 pm 02:57 PM
HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).
Usage of division operation in Oracle SQL
Mar 10, 2024 pm 03:06 PM
"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.
Comparison and differences of SQL syntax between Oracle and DB2
Mar 11, 2024 pm 12:09 PM
Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba
Detailed explanation of the Set tag function in MyBatis dynamic SQL tags
Feb 26, 2024 pm 07:48 PM
Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati
What does the identity attribute in SQL mean?
Feb 19, 2024 am 11:24 AM
What is Identity in SQL? Specific code examples are needed. In SQL, Identity is a special data type used to generate auto-incrementing numbers. It is often used to uniquely identify each row of data in a table. The Identity column is often used in conjunction with the primary key column to ensure that each record has a unique identifier. This article will detail how to use Identity and some practical code examples. The basic way to use Identity is to use Identit when creating a table.
How to implement Springboot+Mybatis-plus without using SQL statements to add multiple tables
Jun 02, 2023 am 11:07 AM
When Springboot+Mybatis-plus does not use SQL statements to perform multi-table adding operations, the problems I encountered are decomposed by simulating thinking in the test environment: Create a BrandDTO object with parameters to simulate passing parameters to the background. We all know that it is extremely difficult to perform multi-table operations in Mybatis-plus. If you do not use tools such as Mybatis-plus-join, you can only configure the corresponding Mapper.xml file and configure The smelly and long ResultMap, and then write the corresponding sql statement. Although this method seems cumbersome, it is highly flexible and allows us to
How to use SQL statements for data aggregation and statistics in MySQL?
Dec 17, 2023 am 08:41 AM
How to use SQL statements for data aggregation and statistics in MySQL? Data aggregation and statistics are very important steps when performing data analysis and statistics. As a powerful relational database management system, MySQL provides a wealth of aggregation and statistical functions, which can easily perform data aggregation and statistical operations. This article will introduce the method of using SQL statements to perform data aggregation and statistics in MySQL, and provide specific code examples. 1. Use the COUNT function for counting. The COUNT function is the most commonly used
How to solve the 5120 error in SQL
Mar 06, 2024 pm 04:33 PM
Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.
