A Beginner's Guide to SQL Injection (SQL injection for beginners)

SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.


For example, suppose an application uses the following query to fetch someone’s login details:


SELECT USERNAME,PASSWORD from USERS where USERNAME='<username>' AND PASSWORD='<password>';

Here, username and password are the inputs provided by the user. Suppose an attacker enters ' OR '1'='1 in both fields. The SQL query then becomes:


SELECT USERNAME,PASSWORD from USERS where USERNAME='' OR '1'='1' AND PASSWORD='' OR '1'='1';

The WHERE clause of this query evaluates to true, and thus the user gets logged in. This example depicts the most basic type of SQL injection.


SQL injection can be used anywhere to fetch any sensitive information from the database.


Note: This is the most basic example and is meant only for understanding purposes. You will rarely find such a case in the real world.


You can use this cheat sheet to see how to make queries over different SQL database providers.


How to Detect the Presence of SQL Injection?

In most cases, SQL injection can be detected easily by providing invalid parameters, like ', '' a' or 1=1--, "a"" or 1=1--", or a = a, a' waitfor delay '0:0:10'--, 1 waitfor delay '0:0:10'--, %26, ' or username like '%, etc. You can then observe the changes in the behavior of the application.


You may try to analyze the length of the response from the server and also the time it takes to send the response. Payloads like ', a' or 1=1--, etc. might show changes in the response from the database server. But if there is no change, then we try to trigger time delays using a payload like a' waitfor delay '0:0:10'--. This might make the server wait for a specific time before sending a response.


After determining if the website is vulnerable to SQL Injection, we can try to extract some sensitive information from the database.


Before that, we need to identify the number of columns the SQL query returns. This is essential because if we try to extract a different number of columns from what the query actually returns, the database will return an error.


We can determine the number of columns by using the order by command. For example:


www.onlineshopping.com/products.php?pid=8 order by 1 -- //
www.onlineshopping.com/products.php?pid=8 order by 2 -- //

If the parameter is a string, then you need to add ' after it:

www.onlineshopping.com/products.php?usr=b' order by 3 -- //
www.onlineshopping.com/products.php?usr=a' order by 4 -- //

The significance of -- is that it is a comment indicator in SQL, which turns the rest of the query into a comment. To preserve the space after --, we add any character after it so that the space doesn't get dropped from the HTTP request. We might also use # or /* */ for comments, depending on the SQL database provider.


Continue this process until you encounter an error. If you encounter an error while using the payload order by 5 but not while using order by 4, this means that the query returns 4 columns.


How to Exploit Using SQL Injection

Once you know that the application is vulnerable to SQL injection and you have identified the number of columns, we try to find the necessary information about the database, like DB name, DB user name, DB version, table names, column names of the required table, etc. Check out the SQL injection cheat sheet to find the respective queries.


Types of SQL Injection

  1. Error-based: This type of SQL injection relies on the error messages being thrown by the database server, which might provide us some useful information regarding the database structure.

  2. Union-based: This technique uses the SQL UNION operator to combine the results of two SELECT queries and return a single table. It allows an attacker to extract information from other tables by appending the results to the original query made to the database.

  3. Blind Injection: This happens when the application is vulnerable to SQL Injection but the results of the SQL query are not returned in the HTTP response. In this case, we query the database for any true/false statement and see the changes for both true and false conditions. It is of two types:

     a. Content-based: In this technique, the database server is queried with any conditional statement and the response from the server is analyzed for any difference between sending a true condition and a false condition.

     b. Time-based: This technique relies on injecting an SQL query that makes the database wait for a specific time based on the specified condition. The time taken by the server to send back a response determines if the query is true/false.

  4. Out-of-band injection (uncommon): This is not a very common type of SQL Injection as it depends on the features being enabled on the database server. It relies on the database server's capability to make a network request, like HTTP, DNS, and FTP, to send data to the attacker.
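The detection section above lists the probe payloads an application would receive (tautologies such as ' OR '1'='1, order by N -- column-count probes, waitfor delay time probes, and trailing comment markers), and the types list explains what each kind of probe is trying to learn. The same indicators can be turned around for the defender: the following is an added example, not code from the original article, that scans web-server access-log lines for those indicators after URL-decoding the query parameters. The log lines and IP addresses are constructed for the demo, the indicator names are my own, and the regular expressions are a coarse first pass rather than a complete ruleset.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in common log format (not from the article).
# The requests reuse the article's probe payloads, URL-encoded the way a
# browser or tool would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /products.php?pid=8 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /products.php?pid=8%20order%20by%201%20--%20// HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /products.php?pid=8%20order%20by%205%20--%20// HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:12:00:04 +0000] "GET /products.php?usr=a%27%20waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:12:00:05 +0000] "GET /products.php?usr=bob HTTP/1.1" 200 4980
198.51.100.7 - - [10/Oct/2023:12:00:06 +0000] "GET /login.php?username=%27%20OR%20%271%27%3D%271&password=x HTTP/1.1" 302 0
"""

# Indicators drawn from the article's detection section; the names are mine.
# They are matched against the percent-decoded parameter value.
INDICATORS = {
    "tautology":    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1, a' or 1=1--
    "time_delay":   re.compile(r"\bwaitfor\s+delay\b", re.I),           # a' waitfor delay '0:0:10'--
    "column_probe": re.compile(r"\border\s+by\s+\d+", re.I),            # 8 order by 4 -- //
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),   # union-based extraction
    "sql_comment":  re.compile(r"(--|#|/\*)"),                          # comment terminators
}

# Extracts method, request target and status from one common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_value(value):
    """Return the names of every indicator present in one decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text):
    """Return one hit dict per (line, parameter, indicator) found in access-log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes the values, so %27 arrives here as a quote
        for param, value in parse_qsl(query, keep_blank_values=True):
            for name in suspicious_value(value):
                hits.append({"line": lineno, "param": param, "indicator": name,
                             "status": int(m.group("status"))})
    return hits


def flagged_lines(text):
    """Sorted list of distinct log line numbers that carry at least one indicator."""
    return sorted({h["line"] for h in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: param={hit['param']!r} "
              f"indicator={hit['indicator']} status={hit['status']}")
    print("flagged lines:", flagged_lines(SAMPLE_LOG))
```

Running it flags lines 2, 3, 4 and 6. The status codes carry extra signal: the 200 for order by 1 followed by a 500 for order by 5 from the same client is exactly the column-count boundary the text describes, so correlating consecutive probes per source address is worth more than any single regex hit. Because matching happens on decoded values, the detector is case-insensitive and sees through single URL encoding, but double encoding or inline comments would need further normalisation; logging-based detection is a monitoring layer, not a substitute for the parameterized queries recommended below.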

How to Protect Your Code from SQL Injection?

  1. Never construct a query directly with the user's input. Instead, use Parameterized Statements. They make sure that the inputs passed into SQL queries are treated as data, never as part of the query text.

  2. It is always good to sanitize the user input. Also, proper input validation should be done; for example, a name can't be digits and a phone number can't be letters. However, validation on its own can be bypassed at times.

  3. Use a safe driver to interact with your SQL database. They protect against SQL injection attacks automatically by parameterizing queries for you. For example, SQLAlchemy for Python.
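The login query from the beginning of the article and the first two protection points above come together in the following added example; it is not code from the original article. It builds a small in-memory SQLite database (constructed for the demo) with the USERS table the article's query refers to, runs the article's query once with the input pasted into the SQL text and once with placeholders, and adds an allowlist check for the username. The table contents, the allowlist policy and the function names are assumptions made here. Like the article, it compares plaintext passwords for simplicity; a real system would compare a password hash.

```python
import re
import sqlite3


def make_db():
    """Constructed demo database: one USERS table with the article's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The article's query with the user's input pasted straight into the SQL text.

    Returns True when at least one row comes back, i.e. the user 'logs in'.
    With ' OR '1'='1 in both fields the WHERE clause becomes
    USERNAME='' OR '1'='1' AND PASSWORD='' OR '1'='1', which is true for every row.
    """
    query = (
        f"SELECT USERNAME,PASSWORD from USERS where USERNAME='{username}' "
        f"AND PASSWORD='{password}';"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The same query with placeholders.

    The driver sends the values separately from the SQL text, so a quote in the
    input is just a character inside a string and can never end the literal.
    """
    query = "SELECT USERNAME,PASSWORD from USERS where USERNAME=? AND PASSWORD=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Allowlist validation (hypothetical policy assumed for this demo): a username is
# 1 to 32 letters, digits or underscores. This is defence in depth only; the
# parameterized query is what actually stops the injection.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """True when the username matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Validate the username first, then query with parameters."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # the article's tautology, sent in both fields
    print("vulnerable query, payload    :", login_vulnerable(conn, payload, payload))
    print("parameterized query, payload :", login_parameterized(conn, payload, payload))
    print("hardened login, payload      :", login_hardened(conn, payload, payload))
    print("hardened login, real creds   :", login_hardened(conn, "alice", "s3cret"))
```

The vulnerable function logs the attacker in with the payload while the parameterized one does not, even though both execute what looks like the same SELECT. The validation step rejects the payload before the database is ever reached, which is useful for logging and early rejection, but it is the placeholder query that would still hold if the validation rule were loosened or bypassed.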

Resources

  1. SQL Map is an open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities.

  2. This repository has some cool resources on SQL Injection. It includes some cheat sheets and a lot of useful payloads that can be used depending on the use case.

Translated from: https://medium.com/better-programming/a-beginners-guide-to-sql-injection-163c1ad2257f
