sql injection

SQL Injection: Understanding the concept and exploitation methods

Upload: linh-thai-hoang

Post on 15-Sep-2015







Concept: SQL injection

What is SQL Injection?

SQL Injection is a technique that lets attackers exploit flaws in the input validation of web applications, together with the error messages returned by the database management system, to inject and execute unauthorized SQL statements.

Contents

1. Types of flaws
2. Tools for finding and exploiting vulnerabilities
3. Prevention

Types of flaws

Escape characters are not filtered (such as
The MySQL version is 4
If the web page finds no data => the MySQL version is not 4

Tools for finding vulnerabilities

Finding a SQL vulnerability usually takes many steps and is fairly complex.

Therefore, there are many tools for testing and finding SQL vulnerabilities.

Examples:
- SQLmap
- Bobcat
- Absinthe
- SQLninja

Tools for finding vulnerabilities: SQLmap

SQLmap is an open-source tool for finding and testing SQL vulnerabilities.

The tool is written in Python, so it can run on many operating systems.

An example sqlmap run:

    $ python sqlmap.py -u "http://www.victim.com/get_int.php?id=1" --union-use --passwords -U SYS

    [hh:mm:50] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic.
    [hh:mm:51] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis.
    [hh:mm:51] [INFO] the back-end DBMS is Oracle
    web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
    web application technology: PHP 5.2.6, Apache 2.2.9
    back-end DBMS: Oracle

Prevention

Pass the data the user enters directly, as a parameter, to a function that checks and processes it.

    // $dbh is an open PDO connection; the ? placeholders are bound at execute time
    $stmt = $dbh->prepare("SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?");
    $stmt->execute(array($username, $pass));

Prevention

Replace escape characters with other characters.

    $mysqli = new mysqli('hostname', 'db_username', 'db_password', 'db_name');
    // Escape each value before it is placed inside the quoted literals
    $query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
        $mysqli->real_escape_string($Username),
        $mysqli->real_escape_string($Password));
    $mysqli->query($query);

Prevention

Convert the input data into another form.

Example: the input entered is "5' or '1'='1'"

    SELECT * FROM users WHERE id = unhex(35262333393b206f7220262333393b31262.)
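
The three prevention approaches from the slides, run next to the concatenated query they replace, as an added example that is not part of the original deck. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory table, the `countRows` helper, and the use of `PDO::quote()` and `CAST(X'..' AS TEXT)` in place of `real_escape_string` and `unhex()` are assumptions made so it runs without a MySQL server.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for the slides' `users` table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$dbh->exec("INSERT INTO users VALUES (1, 'alice'), (5, 'bob'), (9, 'carol')");

// Hypothetical helper: run a finished SQL string and count the rows it returns.
function countRows(PDO $dbh, string $sql): int {
    return count($dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// The slide's input; its final quote is supplied by the query's own closing quote.
$input = "5' or '1'='1";

// 1. Concatenation: the quote in the input ends the literal, so the rest is parsed as SQL.
$unsafe = countRows($dbh, "SELECT * FROM users WHERE id = '" . $input . "'");

// 2. Prepared statement (first prevention slide): the input is a bound value, never SQL text.
$stmt = $dbh->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute(array($input));
$prepared = count($stmt->fetchAll(PDO::FETCH_ASSOC));

// 3. Escaping (second slide): PDO::quote() is the PDO counterpart of real_escape_string
//    and also adds the surrounding quotes.
$escaped = countRows($dbh, "SELECT * FROM users WHERE id = " . $dbh->quote($input));

// 4. Hex conversion (third slide): bin2hex() emits only [0-9a-f], so nothing in the
//    input can close the literal. SQLite spells MySQL's unhex('..') as CAST(X'..' AS TEXT).
$hexed = countRows($dbh,
    "SELECT * FROM users WHERE id = CAST(X'" . bin2hex($input) . "' AS TEXT)");

printf("concatenated: %d rows\nprepared: %d rows\nescaped: %d rows\nhex: %d rows\n",
    $unsafe, $prepared, $escaped, $hexed);

// A legitimate id still matches through the same prepared statement.
$stmt->execute(array("5"));
printf("prepared, id=5: %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
```

Only the concatenated query treats the input as SQL and returns every row; the other three compare the whole string against `id` and return none.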