Note: Do not attempt to attack other individuals' or organizations' websites or systems using this method; any such act is a violation of Vietnamese law. This article is for learning purposes only, and destructive behavior is not encouraged.
Because a Vietnam is no longer Bug.
1. What is SQL injection?
SQL injection, or SQLi, is one of the first things mentioned when discussing vulnerabilities in web applications. SQLi has been around for a long time, but it still exists and still has a serious impact on web applications. As times have changed, developers have moved to frameworks, so the bug now mostly appears in those frameworks, and finding SQLi bugs has become very difficult (though not impossible).
So, what is SQLi?
For a proper understanding and further details, please see the SQLi article on Wikipedia.
For me, the simple way is as follows:
SQLi is a bug that lets us insert special characters that break out of the query and steer it the way we want.
Since this is no longer a new bug, there is already a lot written about SQLi theory, so I will not go into the theory; instead I will give examples so we can understand it better.
A few links about SQLi:
- https://www.acunetix.com/websitesecurity/sql-injection/
- https://www.owasp.org/index.php/SQL_injection
- https://portswigger.net/web-security/sql-injection
- https://whitehat.vn/threads/tim-hieu-ve-sql-injection-va-cach-phong-chong.11591/
- https://viblo.asia/p/tim-hieu-ve-sql-injection-testing-RQqKLv90l7z
Above are the reference links, in both English and Vietnamese. I think the English ones are worth reading, since they cover more terms and explain the material better.
2. Classification
By common convention, SQLi is divided into two main categories: SQLi (aka normal SQLi) and Blind SQLi.
2.1. Normal SQLi
Normal SQLi is the type where, when we send a query, the web application returns results that reflect that query. From those results we can judge whether our query worked or not.
For example, in the lab above we have an ID input box to check someone's information in the system. If that ID exists in the system, the system displays the information to us. If not, nothing is displayed, as shown below.

Notice the URL in the two pictures above: in Figure 1 I entered ID=1 and in Figure 2 I entered ID=6, and the two images show different results. One returned information and one did not.
Now we will proceed to exploit. The pieces of data entered to exploit are called payloads.
We can find an appropriate payload ourselves, or use a payload collection; I will use the one I found on Google: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL Injection
For this type, the web application may return an error message while being exploited (this happens when the system has not disabled error reporting). The information leaked in that error makes exploitation easier.
Using the appropriate payloads, I have printed out the names of the columns in the users table.

Now all that is left is to get the user and password of the admin.
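The ID lookup described in this section, as an added example (not code from the original post or the lab): a constructed SQLite `users` table with made-up rows, the vulnerable string-concatenated query beside a parameterised one, and what each returns for a normal ID, a non-existent ID, and an input that rewrites the WHERE clause. It also shows how a malformed ID makes the vulnerable version raise a database error, which is the error-message leak mentioned above.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the lab's "users" table.
# The rows are invented for this example and do not come from the lab.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice-pass"),
        (2, "bob", "bob-pass"),
        (3, "admin", "admin-pass"),
    ])
    return conn

def lookup_vulnerable(conn, user_id):
    # The ID taken from the URL is pasted straight into the SQL text, so any
    # special characters in the input become part of the query: this is SQLi.
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    # Only a plain decimal ID is accepted, and it is bound as a parameter,
    # so the database never parses user input as SQL.
    if not re.fullmatch(r"[0-9]+", user_id):
        return []
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]

def vulnerable_leaks_error(conn, user_id):
    # True when the concatenated query fails to parse: with error reporting
    # enabled, the web application would show this database error to the user.
    try:
        lookup_vulnerable(conn, user_id)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for given in ("1", "6", "6 OR 1=1", "1'"):
        safe = lookup_safe(db, given)
        if vulnerable_leaks_error(db, given):
            print(f"ID={given!r}: vulnerable -> database error shown, safe -> {safe}")
        else:
            print(f"ID={given!r}: vulnerable -> {lookup_vulnerable(db, given)}, safe -> {safe}")
```

With ID=1 both versions return alice and with ID=6 both return nothing, matching Figures 1 and 2; only the concatenated query lets "6 OR 1=1" return every user.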
2.2 Blind SQLi
Above, I went through the normal SQLi example in detail. In this section I will cover the theory of how Blind SQLi is exploited; as for a worked example, I will save that for a separate post.
The name already gives some idea of what it is. Blind SQLi is the type where our query still evaluates to true or false, but the results are never shown to the user. From here we need a few tricks to carry out the exploitation. The techniques for exploiting Blind SQLi are time-based and TRUE/FALSE (boolean-based).
This part I will talk in detail in the following article!