Second-order SQL injection
Summary:
Everyone knows what SQL injection is, but to give a brief recap: it is a code injection technique that can destroy your database. It usually occurs when you ask the user for input, such as a username or user ID, and instead of a name or ID the user supplies an SQL statement that you then unknowingly run against your database.
Example:
In SQL injection, 1=1 is always a true condition. If nothing prevents a user from entering malicious input, a user can enter something like this:
The SQL statement above is valid and will return all the rows from the "Users" table, since OR 1=1 is always a TRUE condition.
In SQL injection, ""="" is also a true condition. For example, see the user login below:
A hacker might get access to user names and passwords in a database simply by inserting " OR ""=" into the user name or password text box.
The code at the server will create a valid SQL statement like this:
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
So that was the basics of SQL injection. Let's move on to "Second-order SQL injection".
What is second-order SQL injection?
Second-order SQL injection takes place when a web application takes input from the user and stores it in the database after escaping all the SQL meta-characters. When that stored input is later used by the same application in a database transaction without escaping it, the result is a second-order SQL injection.
To perform a second-order SQL injection attack you need to know how the application's operations are performed on the back end.
In simple terms, the exploit scenario is this: a user supplies an SQL statement, which the application stores. Later, that stored statement is used by the same user on the same web application to perform the attack.
How to find this vulnerability?
1. Go to your target website and try an SQL statement to detect SQL injection
From the above error you can confirm that this application is vulnerable to SQL injection; now let's exploit second-order SQL injection.
2. Go to the Sign Up page and enter the SQL payload, because the application will store the user-supplied data
3. Now come back to the login panel and enter the same payload 'or''=' in the username and password fields
4. You'll be logged in directly
I was logged into another user's profile, where I found some credentials.
SQL Injection Cheat Sheet: http://www.securityidiots.com/Web-Pentest/SQL-Injection/
Mitigation (credits: PortSwigger):
The most effective way to prevent this kind of attack is to use parameterized queries, also known as prepared statements. One common defense is to double up any single quotation marks appearing within user input before incorporating that input into an SQL query. Another often-cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks.
Translated from: https://medium.com/swlh/second-order-sql-injection-something-is-hidden-inside-d7d5d5c510a0