Uyini umjovo we-SQL?

Isibalo amasayithi kanye namakhasi kuwebhu ukhula kancane. Ithathwe sokuthuthukisa wonke labo abakwaziyo. Futhi imfundamakhwela Web onjiniyela ngokuvamile zisebenzisa ikhodi ezingaphephile kanye ubudala. Futhi kudala eziningi izintuba izigebengu futhi izigebengu. Kunabo. Omunye ngishiyeka zakudala kakhulu - SQL-umjovo.

Nasi theory

Abantu abaningi bayazi ukuthi iningi amasayithi namasevisi kunethiwekhi usebenzisa isitoreji SQL egciniwe. Lena ehlelekile nombuzo ulimi elikuvumela ukuba ulawule uphinde uphathe isitoreji kwemininingwane. Kukhona izinguqulo eziningi ezihlukene ukuphathwa semininingwane uhlelo semininingwane - Oracle, MySQL, Postgre. Kungakhathaliseki ukuthi igama nohlobo, basebenzisa idatha efanayo nombuzo. Kulapha lapho kukhona khona ezingaba sengozini. Uma unjiniyela kuhlulekile ukusingatha kahle futhi ngokuphepha ukucela, umhlaseli angakwazi ukusizakala ethile lokhu bese ukusebenzisa amaqhinga ezikhethekile ukufinyelela database, bese - nakubo bonke abaphathi indawo.

Ukuze ugweme izimo ezinjalo, kudingeka kahle nokwandisa ikhodi bese ukuqapha eduze ngendlela lapho isicelo kucubungula.

Hlola SQL-umjovo

Ukuze usungule khona ukulimaza e inethiwekhi has a isisindo eseqedile ezenzakalelayo izinhlelo isofthiwe. Kodwa kungenzeka ukuba afeze isheke elula ngesandla. Ukuze wenze lokhu, iya kwelinye amasayithi test futhi kwibha yekheli ukuzama kubangele yephutha egciniwe. Ngokwesibonelo, iskripthi kusayithi ayikwazi ukuphatha isicelo futhi musa Ukunquma kubo.

Ngokwesibonelo, lapho nekiy_sayt / index.php?-Id = 25

Indlela elula - ukubeka 25 ngemva lesisho bese ukuthumela isicelo. Uma kungekho iphutha, noma esakhiweni kanye lemifanekiso zonke izicelo zenziwa ngendlela efanele, noma ikhubaziwe izilungiselelo okukhipha yabo. Uma ikhasi kabusha nezinkinga, ke bakha ukuba sengozini yokutheleleka SQL-lomjovo.

Ngemva kokuzwa, ungazama ayibulale.

Kute kwetfulwe isidingo sengozini ukwazi okuncane mayelana SQL-imibuzo amaqembu. Omunye wabo - UNION. Iletha ndawonye imiphumela nombuzo eziningi kuphume esisodwa. Ngakho singaba abale isibalo Amasimu ethebuleni. ISIBONELO nombuzo sokuqala:

• nekiy_sayt / index.php? id = 25 UNION KHETHA 1.

Ezimweni eziningi, leli rekhodi kufanele ukukhiqiza nephutha. Lokhu kusho ukuthi isibalo Amasimu akulingani 1. Ngakho, ngokukhetha ongakhetha 1 noma ngaphezulu, kungenzeka ukusungula inombolo yabo ngqo:

• nekiy_sayt / index.php? id = 25 UNION KHETHA 1,2,3,4,5,6.

Okusho ukuthi, lapho iphutha ngeke isavela, kusho ukuthi isibalo Amasimu ukuqagela.

Kukhona esinye isixazululo kule nkinga. Ngokwesibonelo, lapho inani elikhulu emasimini - 30, 60 noma 100 Lokhu GROUP umyalo BY. amaqembu It imiphumela umbuzo ngenxa yananoma yiziphi izizathu, isibonelo id ethi:

• nekiy_sayt / index.php? id = 25 GROUP BY 5.

Uma iphutha engakaze thola ngalesosikhathi izinkambu ezingaphezu kuka 5. Ngakho, esikhundleni ongakhetha kwibanga sasivumela ezibanzi, kungenzeka ukubala bangaki kubo empeleni.

Lesi sibonelo SQL-umjovo - Wabasaqalayo abafuna ukuzama ngokwabo e kuvivinywa isayithi yayo. Kubalulekile ukukhumbula ukuthi i-ezifana nokufinyelela okungagunyaziwe kuya kwesinye isihloko ekhona Criminal Code.

Izinhlobo ezinkulu umjovo

Ukuqalisa sengozini ngu SQL-umjovo e embodiments eziningana. Okulandelayo izindlela ethandwa kakhulu:

• I Union nombuzo SQL umjovo. Isibonelo elula yalolu hlobo isivele wahlola ngenhla. Kuyazeka ngenxa yephutha in kokuhlola idatha engenayo, ezingalotshwanga elicwengekileyo.

• Iphutha ezisekelwe SQL umjovo. Njengoba leli gama lisikisela, lolu hlobo futhi isebenzisa nephutha, ukuthumela izinkulumo sakhiwa olungile ayilungile. Khona-ke kukhona ukucabhela kumaheda impendulo, ukuhlaziya okungase kwenziwe kamuva SQL-umjovo.

• Estakiwe imibuzo SQL umjovo. Lokhu sengozini kunqunywa ngokwenza izicelo ngokulandelana. It libhekene kwalokho ekupheleni isibonakaliso ";". Lendlelanchubo yakhiwe ngokuvamile lwenteke ukufinyelela ukuqaliswa ukufunda nokubhala idatha noma uhlelo lokusebenza imisebenzi, uma amalungelo uyivumele.

Software sokufuna SQL-ngishiyeka

Ingabe ikhona i-SQL-umjovo, uhlelo ngokuvamile zinezigaba ezimbili - isayithi ziskenele ngishiyeka kungenzeka futhi uwasebenzise ukufinyelela idatha. Kukhona ezinye amathuluzi ezisekelweni cishe zonke ezaziwayo. ukusebenza yabo kusiza kakhulu kokuhlola iwebhusayithi ukwambula wakho SQL-umjovo.

Sqlmap

isithwebuli enamandla kakhulu esebenza yolwazi kakhulu. Isekela izindlela ezihlukahlukene ukuqaliswa SQL-umjovo. It has ikhono ukuqaphela ngokuzenzakalelayo uhlobo iphasiwedi hashi kwemifantu kanye nesichazamazwi. Yethula futhi zisebenza yokulayisha ifayela futhi thwebula kusuka server.

Ukufakwa ku-Linux wenziwa usebenzisa imiyalo:

• Git Clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev,
• cdsqlmap-dev /,
• --wizard ./sqlmap.py.

I-Windows iyatholakala njengoba inketho umugqa wemiyalo futhi isikhombimsebenzisi sokuqhafaza.

jSQL Injection

jSQL Injection - ithuluzi cross-platform ukuhlola ukusetshenziswa SQL ubungozi. Nakuba yabhalwa ngo-Java, ukuze uhlelo kumele ukufakwa JRE. Bakwazi ukusingatha THOLA izicelo, POST, unhlokweni, ikhukhi. It has a esibonakalayo elula sokuqhafaza.

Ukufakwa le iphakethe software simiswe ngalendlela lelandzelako:

wget https://github.com/`curl -S https: //github.com/ron190/jsql-injection/releases | grep-E -O '/ron190/jsql-injection/releases/download/v[0-9]{1,2}.[0-9]{1,2}/jsql-injection-v[0-9] . {1,2} [0-9] {1,2} .jar '| ikhanda-n 1`

Kwetfula ngokusebenzisa java umyalo -jar ./jsql-injection-v*.jar

Ukuze uqale isayithi test SQL-sengcupheni, udinga ukufaka ikheli emkhakheni phezulu. Ziyakwazi ehlukile GET futhi POST. Nge yalokho omuhle, uhlu kumathebula akhona izovela ifasitela elingakwesobunxele. Ungabuka futhi ufunde ulwazi oluthile oluyimfihlo.

ithebhu «kukhasi Lomqondisi» asetshenziswa ukuthola i-panel zokuphatha. On ke esebenzisa izifanekiso ekhethekile efuna ngokuzenzakalelayo uhlelo uloba abasebenzisi nelungelo. Kusukela kubo ungathola nje hashi of iphasiwedi. Kodwa anakho lamathuluzi zohlelo.

Ngemuva kokuthola yonke ubuthakathaka umjovo imibuzo ezidingekayo, ithuluzi kuzovumela iseva ukugcwalisa ifayela lakho noma, Ngakolunye uhlangothi, kusukela lapho.

SQLi Dumper v.7

Lolu hlelo - kulula ukuyisebenzisa thuluzi lokuthola futhi zisebenzise SQL ubungozi. Uveza UN isekelwe okuthiwa uDorka. uhlu yabo ingatholakala kuyi-Internet. Dorca ngoba SQL-umjovo - lawa izifanekiso olukhethekile semibuzo yakho yosesho. Ngosizo lwabo, ungathola indawo engase sengozini ngokusebenzisa iyiphi injini yokusesha.

Amathuluzi ukuqeqeshwa

Itsecgames.com esizeni kukhona isethi okhethekile amathuluzi evumela ukuthi isibonelo esibonisa indlela ukwenza SQL umjovo kanye usihlole. Ukuze sizuze, kubalulekile ukulanda futhi ifake. Ingobo yomlando iqukethe yamafayela, okuyinto isakhiwo isayithi. Ukuyifaka uzodinga ohlelweni akhona iqoqo Apache web server, MySQL kanye PHP.

Ukukhipha ingobo yomlando ifolda web server, une ukuya ikheli elifakiwe uma ufaka le software. Ikhasi nge yokubhalisa umsebenzisi. Lapha udinga ukufaka imininingwane yakho bese uchofoza «Dala». Ukuhambisa umsebenzisi isikrini esisha, uhlelo yenza ukuba ukhethe omunye okokuhlola. Phakathi kwabo kukhona kokubili kuchaza ngomjovo, kanye nezinye izinto eziningi test.

It kuyafaneleka ukucabangela isibonelo SQL-umjovo uhlobo GET / Search. Lapha udinga ukukhetha bese uchofoza «Hack». Ngaphambi umsebenzisi izovela, kanye-string belingisa isayithi movie. Ukuhlunga movie kungaba eside. Kodwa kukhona Ngokwesibonelo 10. kuphela, ungazama ukungena Iron Man. It zizobonisa ifilimu, bese isayithi usebenza, namatafula iqukethe. Manje kufanele uhlole ukuthi izinhlamvu ezikhethekile iskripthi izihlungi, e quote ethile. Ukuze wenze lokhu, engeza 'kwibha yekheli. " Ngaphezu kwalokho, kufanele lokhu kwenziwe ngemuva isihloko le filimu. Isayithi utawuphendvula Iphutha Iphutha: Une iphutha SQL yakho le-syntax; hlola imanuwali oluhambisana iseva inguqulo yakho MySQL ngoba syntax ilungelo lokusebenzisa eduze '%' 'elayinini 1, othi izinhlamvu namanje kungukuthi ukuphathwa ngokulungile. Ngakho ungazama bamelele isicelo sakho. Kodwa kumelwe siqale ukubala emikhakheni eminingana. Isetshenziselwa le oda, okuyinto yethulwa emva izingcaphuno: http://testsites.com/sqli_1.php?title=Iron+Man 'oda 2 - & isinyathelo = yokusesha.

Lo myalo ubonisa ulwazi mayelana ifilimu, ukuthi, inani imikhakha mkhulu kunezinhliziyo 2. ikhonco double ekutshela iseva ukuthi ezinye izicelo kufanele kulahliwe. Manje sinesizathu sokulungisa, ngokubeka ukubaluleka okwandisa nje iphutha akuphrinthiwe. Ekugcineni, kuvela ukuthi amasimu kuyoba 7.

Manje sekuyisikhathi sokuba uthole into elisizo base. Ingabe kancane ukuguqula isicelo kwibha yekheli, eyilethe ifomu: http://testsites.com/sqli_1.php?title=Iron+Man 'emunye ukhetha 1, egciniwe (), umsebenzisi (), 4, iphasiwedi, 6, 7 kwabanye abasebenzisi bethu - & isinyathelo = yokusesha. Ngenxa yalokho kokusebenza kwalo kungalimaza sibonise string ne hashes nephasiwedi, kungenziwa kalula ibe nezimpawu kuyaqondakala usebenzise eyodwa intanethi. A conjured kancane bese eyithola igama yasensimini ngemvume, ungathola ukufinyelela yekungena yomunye, ezifana admin isayithi.

Umkhiqizo has a isisindo zinhlobo umjovo izinhlobo, lapho abakuyo. Kufanele kukhunjulwe ukuthi isicelo lamakhono e inethiwekhi kumasayithi yangempela kungaba icala lobugebengu.

Umjovo kanye PHP

Njengomthetho, PHP-ikhodi futhi unesibopho ezidingekayo ukucubungula izicelo okuvela umsebenzisi. Ngakho-ke, kuleli zinga udinga ukwakha zizivikele SQL-umjovo e PHP.

Okokuqala, ake ukunikeza iziqondiso ezilula ezimbalwa, ngesisekelo okuyinto kubalulekile ukuba senze kanjalo.

• Idatha kumele njalo ukucubungulwa ngaphambi kokuba ibekwe zingene database. Lokhu kungenziwa noma ngokusebenzisa amazwi ekhona, noma ukuhlela imibuzo ngesandla. Nalapha futhi, kufanele inake ukuthi amanani ezinombolo kukhona eguquliwe nohlobo ukuthi kudingekani;
• Kugwenyiwe utshelwa izakhiwo ahlukahlukene control.

Manje okuncane mayelana nemithetho wokubhala imibuzo MySQL ukuze azivikele SQL-umjovo.

Ekubhaleni noma ikuphi ukuba ubuze kubalulekile ukuhlukanisa idatha kusuka angukhiye SQL.

• * KHETHA KUSUKELA ithebula LAPHO name = Zerg.

Kulesi ukumisa, uhlelo bangase bacabange ukuthi Zerg - igama noma iyiphi inkundla, ngakho udinga buyela kuyo izingcaphuno.

• KHETHA * KUSUKELA ithebula LAPHO name = 'Zerg'.

Nokho, zikhona izikhathi lapho ukubaluleka ngokwayo iqukethe izingcaphuno.

• KHETHA * KUSUKELA ithebula LAPHO name = 'Côte d'Ivoire.

Lapha kuphela ukuphatha ingxenye eCôte d, kanti bonke abanye kungenziwa waqonda njengoba iqembu, okuyinto Yiqiniso, cha. Ngakho-ke, kwenzeka iphutha. Khona-ke udinga lolu hlobo ledatha Ukuhlolwa. Ukuze wenze lokhu, sebenzisa udwi - \.

• KHETHA * KUSUKELA ithebula LAPHO name = 'cat-d \' Ivoire '.

Konke okungenhla libhekisela imigqa. Uma isenzo senzeka khona ngenombolo, khona-ke akudingi izingcaphuno noma amasileshi. Nokho, ukuthi kumele badingeke ukuqalisa eziholela oyifunayo uhlobo idatha.

Kukhona izincomo ukuthi igama wasensimini azungezwe backquotes. Lolu phawu kuyinto ohlangothini lwesobunxele kwekhibhodi, kanye tilde "~". Lokhu kwenzelwa ukuqinisekisa ukuthi MySQL kungaba ngokunembile ukuhlukanisa igama insimu elisemqoka yakho.

umsebenzi Dynamic ngedatha

Isikhathi esining impela, ukuze uthole noma iyiphi idatha kusuka database usebenzisa imibuzo, elakhiwe ngendlela enamandla. Ngokwesibonelo:

• KHETHA * KUSUKELA ithebula LAPHO 'inombolo $' inombolo =.

Lapha, inani $ variable sidlulile njengoba ekutholeni ukubaluleka emkhakheni. Kuzokwenzekani uma uthola 'Côte d'Ivoire? Iphutha.

Ukuze ugweme lokhu enkingeni Yiqiniso, ungafaka izilungiselelo "magic izingcaphuno". Kodwa manje idatha zizohlungwa lakufanele khona nalapho kuvumelana akudingekile. Ngaphezu kwalokho, uma isimiso kulotshiwe ngesandla, ungachitha isikhathi esincane nakakhulu ukuba amelana ngokuhlaziya uhlelo uqobo.

Ukuze kwalokho esizimele slash angasebenzisa mysql_real_escape_string.

$ Inombolo = mysql_real_escape_string (inombolo $);

$ Unyaka = mysql_real_escape_string ($ ngonyaka);

$ Umbuzo = "ufake etafuleni (inombolo, ngonyaka, ekilasini) IZIMO ( 'inombolo $', '$ ngonyaka', 11)".

Nakuba ikhodi anda ivolumu, kodwa engase kwakuphumelela kuphephe kakhulu.

izibambindawo

Izibambindawo - uhlobo izimpawu okuyiwona uhlelo ibona ukuthi lokhu endaweni udinga ithathe umsebenzi okhethekile. Ngokwesibonelo:

$ Sate = $ mysqli-> ukulungiselela ( "KHETHA District KUSUKELA Inombolo LAPHO Igama =?");

$ Sate-> bind_param ( "s", inombolo $);

$ Sate-> akhiphe ();

Le ngxenye ikhodi kuthatha ukuqeqeshwa isicelo isifanekiso bese sibopha inombolo variable, futhi ubulala ke. Le ndlela ivumela wena ekuhlukaniseni ukucutshungulwa nombuzo kanye nokuqaliswa kwalo. Ngakho, ungasindiswa kusukela ukusetshenziswa ikhodi enonya kukhona SQL-.

Yini ingase umhlaseli

UkuVikelwa KoHlelo - isemqoka kakhulu, engakwazi ukuba singasinaki. Yiqiniso, elula indawo ibhizinisi ikhadi kuyoba lula ukubuyisela. Futhi uma kuba enkulu portal, inkonzo, iforamu? Uyini umphumela kungaba, uma ukungacabangi zokuphepha?

Okokuqala, hacker kungaba ukwephula ubuqotho kokubili base bese uyalikhipha ngokuphelele. Futhi uma umlawuli indawo noma Hoster ayenzi isipele, uyoba nezikhathi ezinzima. Ngaphezu kwakho konke, nesigebengu, ngokuhlaziya kwisayithi elilodwa, ungaya nezinye ezithunyelwe iseva efanayo.

Okulandelayo lokweba ulwazi lomuntu siqu izivakashi. Indlela yokusebenzisa - konke kukhawulwe kuphela umcabango hacker. Kodwa noma kunjalo, imiphumela ngeke mnandi kakhulu. Ikakhulukazi uma siphethe imininingwane yezimali.

Futhi, umhlaseli angakwazi uhlangane semininingwane ngokwakho bese abanike imali yokubuyela yayo.

abasebenzisi ukudukisana egameni umlawuli indawo, umuntu abayi kokuba, kungaba futhi imiphumela yabo emibi ngangokunokwenzeka ukukhwabanisa amaqiniso.

isiphetho

Yonke imininingwane kulesi sihloko inikezelwe ngenhloso yolwazi kuphela. Sebenzisa kuphela kudingeka ukuhlola imiklamo yabo uma ithola ubuthakathaka ukubhekana nabo.

Ukuze uthole okwengeziwe ngo-Ukulifunda ngijule amasu indlela yokuqhuba SQL-umjovo, kubalulekile ukuqala langempela ucwaningo amakhono netimphawu ulimi SQL. Njengoba imibuzo ihlanganiswe, angukhiye, izinhlobo idatha, kanye nokusetshenziswa kwayo.

Futhi ngeke benze ngaphandle ukuqonda ukusebenza kwe PHP futhi izakhi-HTML imisebenzi. Ukusetshenziswa eyinhloko amaphuzu kusengcupheni ngenxa umjovo - ulayini ikheli kanye inkambu yokusesha ahlukahlukene. Ukufunda PHP imisebenzi, indlela yekusetjentiswa nezici ngeke ukuthola indlela yokugwema amaphutha.

Ukuba khona eziningi amathuluzi ngomumo eyenziwe isofthiwe uvumele ngo-ejulile analysis kusayithi eyaziwa ubungozi. Enye yemikhiqizo ethandwa kakhulu - cinta linux. Lesi sithombe se-operating system Linux-based, equkethe inqwaba amathuluzi kanye nezinhlelo ukuthi angafeza zihlolisisa wamandla indawo.

Yini odinga ukukwazi indlela Hack isayithi? Kulula kabi - kubalulekile ukuqaphela ubungozi ezingaba wephrojekthi yakho noma kuwebhusayithi. Ikakhulukazi uma kuyinto esitolo inthanethi nge lokukhokha online, lapho idatha yomsebenzisi yokukhokha kungenziwa ebucayini umhlaseli.

Ukuze ucwaningo lochwepheshe kwabasebenzi ezikhona ulwazi lwezokuphepha uzokwazi hlola isayithi ezahlukahlukene nokujula. Kusukela elula HTML-imijovo kakhulu nekhono lokushintsha izakhi bokweba imininingwane ebucayi nomphakathi futhi.