Yiyiphi injini ye-SQL?

Inani leendawo kunye namaphepha kwi web lukhula chu. Ithathwe sokuphuhlisa bonke abo banako. Kunye nabasunguli Web abo basandula kuqalisa badla usebenzisa ikhowudi ezingakhuselekanga ubudala. Kwaye kudala kakhulu eziziimpazamo ezikhoyo zaphuli kunye imigewu. Kunabo. Enye ukuba semngciphekweni kakhulu yakudala - SQL-inaliti.

A bit mbono

Abantu abaninzi bayazi ukuba uninzi kweesayithi kunye neenkonzo kumsebenzi womnatha basebenzisa yokugcina zesiseko sedata ze SQL. Le structured ulwimi umbuzo ukuba ikuvumela ukulawula nokulawula nokugcinwa kwedatha. Kukho iinguqulelo ezininzi ezahlukeneyo ulawulo ledatha ledatha lesistim - Oracle, I SQL yam, Postgre. Kungakhathaliseki igama kunye nohlobo, basebenzisa iinkcukacha zombuzo efanayo. Kulapha ubuxoki sengozini enokubakho. Ukuba umphuhlisi ayiphumelelanga ukuphatha kakuhle kwaye ukholosile ukucela, ohlaselayo Ungathatha ingqalelo yoku kwaye usebenzise amaqhinga ezizodwa bakwazi ukufikelela kwi-database, uze emva koko - lonke ulawulo site.

Ukuze siphephe iimeko ezinjalo, kufuneka isebenze ngendlela efanelekileyo ikhowudi kunye esweni ngokusondeleyo ngendlela apho isicelo iyenziwa.

Khangela ukuba SQL-ziphene

Ukumisela ubukho sesichengeni kwi inethiwekhi ezinobunzima iinkqubo zekhompyutha wayigqiba ezenzekelayo. Kodwa ke unako ukwenza itshekhi elula ngesandla. Ukuze wenze oku, yiya kwenye test sites kunye bar idilesi ukuzama kunokubangela imposiso ledatha. Ngokomzekelo, omnye umbhalo kwisiza akakwazi ukuphatha isicelo kwaye ukusika kuzo.

Umzekelo, kukho nekiy_sayt / index.php? Id = 25

Eyona ndlela ilula - ukubeka 25 emva kokuba sicatshulwa uze uthumele isicelo. Ukuba akukho Imposiso yenzekile, nokuba kwisiza kunye lokucoca zonke izicelo zisingathwa ngokuchanekileyo, okanye ikhubaziwe ngokwezicwangciso kwemveliso yawo. Ukuba Eliphepha ilayishwe kwakhona neengxaki, ngoko ke ukuba sesichengeni SQL-isitofu na.

Emva kokuba wafumanisa, unga zama ukuba ayibulale.

Ukuze kusetyenziswe le mfuneko semngciphekweni ukwazi kancinci malunga amaqela SQL-imibuzo. Omnye wabo - UNION. Izisa ndawonye iziphumo zombuzo eziliqela omnye. Ngoko ke sinako ukubala inani kwimihlaba kule theyibhile. UMZEKELO wokuqala umbuzo ngu:

• nekiy_sayt / index.php? id = 25 UNION KHETHA 1.

Kwiimeko ezininzi, le ngxelo kufuneka lungenisa impazamo. Oku kuthetha ukuba inani amasimi akalingani 1. Ngoko ke, ukukhetha iinketho-1 okanye ngaphezulu, unako ukuseka inani labo ngqo:

• nekiy_sayt / index.php? id = 25 UNION KHETHA 1,2,3,4,5,6.

Oko kukuthi, xa uya kuphinda kuvela isiphoso, oko kuthetha ukuba inani emasimini ndiyaqikelela.

Kukho kwakhona enye indlela yokusombulula le ngxaki. Ngokomzekelo, xa kukho inani elikhulu amasimi - 30, 60 okanye 100. Lo myalelo GROUP BY. Amaqela It iziphumo umbuzo na isizathu, umzekelo id:

• nekiy_sayt / index.php? id = 25 IQELA BY-5.

Ukuba impazamo azamkelwanga, ngoko amasimi ngaphezu 5. Ngenxa yoko, wokusebenzisa iinketho ukusuka kuluhlu ebanzi, unako ukubala ukuba zingaphi yayo.

Lo mzekelo SQL-ziphene - kwabasaqalayo abafuna ukuzama ngokwabo kuvandlakanyo site yayo. Kubalulekile ukukhumbula ukuba imvume yokungena kwelinye inqaku ekhoyo ye-Code Criminal.

Eyona eziphambili ze-ziphene

Ukusebenzisa ubuthathaka ngu SQL-ngenaliti xa embodiments eziliqela. Okulandelayo zezona ndlela kakhulu ethandwa:

• I UNION ngombuzo SQL isitofu. Umzekelo elula olu hlobo sele zihlolwa ngasentla. It is baqaphela ngenxa imposiso ekutshekisheni data engenayo, ezo ezingafanelekanga yahluzwa.

• Imposiso-based ziphene SQL. Nanjengoko igama layo lixela, olu hlobo usebenzisa imposiso, ekuthumeleni amabinzana yabhalwa syntactically ayilunganga. Ngoko kukho iimbalelwano impendulo headers, ukuhlaziya idatha leyo kwenziwa kamva SQL-inaliti.

• Elibhalwe Master SQL inaliti. Le ngozi ugqibe ngokwenza izicelo ezilandelelanayo. Lubonakala ngokufakelwa ekupheleni umqondiso ";". Le ndlela lidla iyaphunyezwa ukufikelela ukuphunyezwa ukufunda nokubhala data okanye inkqubo yokusebenza imisebenzi, ukuba amalungelo ukuvumela oko.

Software yokufuna SQL-semngciphekweni

Ingaba apho SQL-inaliti, inkqubo ngokuqhelekileyo kuba namacandelo amabini - isayithi ukuskena semngciphekweni kunokwenzeka kwaye uzisebenzise ukuzuza ukufikelela kwidatha. Kukho ezinye izixhobo amaqonga phantse zonke ezaziwayo. ukusebenza kwabo kube lula kakhulu ekuhloleni website ukuqhekeza lakho SQL-inaliti.

Sqlmap

isikeni enamandla kakhulu ukuba usebenza zolwazi ezininzi. Ixhasa iindlela ezahlukeneyo ukuphunyezwa SQL-inaliti. Kuye Ukukwazi ukuqaphela ngokuzenzekelayo uhlobo lokugqitha asa nokuqhekeka kunye isichazi-magama. Langoku functional ulayishe lwefayile kunye download kwiseva.

Ufakelo Linux kwenziwa ngokusebenzisa imithetho:

• git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev,
• cdsqlmap-dev /;
• --wizard ./sqlmap.py.

Kuba Windows luyafumaneka njengento ukhetho kunye kwilayini yomyalelo kwaye imbonakalo-mfanekiso yeprogram elungele umsebenzisi.

jSQL Inaliti

jSQL Inaliti - isixhobo cross-iqonga yokuvavanywa ukusetyenziswa semngciphekweni SQL. Okubhaliweyo kwiJava, ngoko ke le nkqubo kufuneka kufakelwe jre. Bakwazi ukusingatha GET izicelo, POST, okuphezulu okungaguqukiyo ephepheni, cookie. It has a ujongano elula lomzobo.

Ukufakelwa yale iphakheji software lumi ngolu hlobo lulandelayo:

wget https://github.com/`curl -s https: //github.com/ron190/jsql-injection/releases | grep-E kuyoze '/ron190/jsql-injection/releases/download/v[0-9]{1,2}.[0-9]{1,2}/jsql-injection-v[0-9] . {1,2} [0-9] {1,2} .jar '| intloko-n 1`

Usungulo kukuba ngokusebenzisa java umyalelo -jar ./jsql-injection-v*.jar

Ukuze uqalise isiza uvavanyo kwi SQL-sengozini, kufuneka ngenisa idilesi kwintsimi phezulu. Ngabo ahlukileyo e-GET ne POST. Ngenxa yoko entle, kuya kuvela uluhlu neetafile ezikhoyo kwi window ngasekhohlo. Uyakwazi ukujonga yaye bafunde ulwazi oluyimfihlo.

tab «page Admin» ingasetyenziswa ukufumana enqwelwaneni zolawulo. Kuyo ngokusebenzisa itemplates ezizodwa uphengulula ngokuzenzekelayo le nkqubo ubhala abasebenzisi nelungelo. Kubo ungafumana nje asa le password. Kodwa yena anayo kwebhokisi le program.

Emva yokufumana zonke semngciphekweni kunye isitofu imibuzo kuyimfuneko, esi sixhobo siza kuvumela umncedisi ukugcwalisa kwifayile yakho okanye, icala, ukulanda ukusuka apho.

SQLi Dumper v.7

Le program - lula ukusebenzisa isixhobo okufumana nokufezekisa semngciphekweni SQL. Ikhupha UN isekelwe phezu ekuthiwa-uDorkas. uluhlu lwabo ingafunyanwa kwi Internet. Dorca for SQL-ziphene - ezi itemplates akhethekileyo imibuzo uphendlo. Ngoncedo lwabo, unako ukufumana isiza isecicini ngokusebenzisa nayiphi na injini yokukhangela.

Izixhobo uqeqesho

Itsecgames.com kwindawo kukho iseti eyodwa izixhobo ovumela mzekelo ubonisa ukuba ukwenza njani isitofu SQL uze ulivavanye. Ukuze sizuze, kuyimfuneko ukukhuphela kwaye ufake. Le yomlando isethi iifayile, oko kukuthi isakhiwo wesiza. Ukuyifaka kuya kufuneka kwinkqubo okhoyo iseti server Apache web, I SQL yam and PHP.

Kuhlalutywe le archive kwifolda server web, kufuneka uye kule dilesi xa ufaka le software. A iphepha lokubhalisa yomsebenzisi. Apha kufuneka ukuba ufake iinkcukacha zakho uze ucofe «Dala». Ukuhambisa umsebenzisi ukuya screen entsha, le nkqubo umele ukhethe enye amatyala test. Phakathi kwazo kukho kokubili kuchaza ngenaliti, kunye nezinye izinto zovavanyo.

Iyafuna siqwalasela umzekelo uhlobo SQL-ziphene GET / Search. Apha kufuneka ukuba ukhethe uze ucofe «kugula». Phambi izakuvela umsebenzisi, kwaye search string bexelisa kwisiza movie. Ukuba ingasonjululwa bhanya kunokuba elide. Kodwa kukho 10. kuphela Umzekelo, unga zama ukufaka i-Iron Man. Iya kubonisa umboniso, ngoko ke siza kusebenza, neetafile iqulethe. Ngoku kufuneka ukukhangela ukuba abasebenzi abathile script okucoca, xa quote ethile. Ukuze wenze oku, dibanisa 'kwi bar idilesi. " Ngaphezu koko, oku kufuneka kwenziwe emva isihloko umboniso lowo. Le sayithi iya kunika Imposiso imposiso: Unayo impazamo yokuma kwezivakalsi yakho SQL; khangela manual olungqamana kuguqulelo umncedisi wakho SQL yam ukuba lwesivakalisi ilungelo ukuyisebenzisa kufutshane '%' 'kumgca 1, nto leyo ithi ukuba abalinganiswa basengabafundi awusingathwanga ngokuchanekileyo. Ngoko zama ukuba kufakwe endaweni isicelo sakho. Kodwa kuqala kufuneka abale inani emasimini. Isetyenziswa lalomyalelo, nto leyo ithe yaziswa emva kokuba uphindo: http://testsites.com/sqli_1.php?title=Iron+Man 'ukuze nge-2 - & inyathelo = search.

Lo myalelo ubonisa kuphela inkcazelo malunga umboniso, oko kukuthi, inani amasimi mkhulu kune 2. iqhagamshela kabini uxelela server ukuba ezinye izicelo kufuneka zilahlwe. Ngoku ke kufuneka ukuba lize kugxothela, ukubeka ukubaluleka ukwanda logama nje impazamo lingekho. Ekugqibeleni, oku kwenzeka ukuba imihlaba kuba 7.

Ngoku lixesha lokuba ukufumana into ibe luncedo wenqwelwana. Ngaba ukuguqula kancinane isicelo kwi bar kwidilesi, lwalizisa luhlobo: http://testsites.com/sqli_1.php?title=Iron+Man 'Union khetha 1, ledatha (), umsebenzisi (), 4, igama, 6, 7 evela kubasebenzisi - & inyathelo = uphendlo. Ngenxa yokuphunyezwa kwayo kuza kubonisa umtya kunye hashes password, nabanako lula zitshintshwe zibe imiqondiso uqondakale usebenzisa enye yeenkonzo online. A conjured kancinci wathatha igama entsimini login, unako ukufikelela yokungena yomnye umntu, ezifana admin wesiza.

Le mveliso uba iindidi inaliti iintlobo ubunzima, apho ukuziqhelanisa. Kufuneka kukhunjulwe ukuba isicelo kwezi zakhono kwi network kwiziza eyona ibe lityala lolwaphulo-mthetho.

Emigodini kunye PHP

Ngokuqhelekileyo, i-PHP-ikhowudi kwaye linoxanduva izicelo processing eyimfuneko evela kumsebenzisi. Ngenxa yoko, kweli nqanaba ufuna ukwakha kukuzikhusela SQL-ngenaliti in PHP.

Okokuqala, makhe ukunika izikhokelo ezimbalwa ezilula, ngokusekelwe apho kuyimfuneko ukwenza njalo.

• Data kufuneka uhlale phambili phambi kokuba zifakwe kwiziko ledatha. Oku kunokwenziwa mhlawumbi ngokusebenzisa amagama akhoyo, okanye ngokuququzelela imibuzo ngesandla. Apha kwakhona, kufuneka luthathele ingqalelo ukuba amaxabiso yamanani zitshintshele kudidi into efunekayo;
• Ayekwe zabangela izakhiwo zolawulo.

Ngoku kancinci malunga nemithetho wokuqulunqa imibuzo kwi SQL yam ukukhusela ngokuchasene SQL-inaliti.

Ekwenzeni naluphi na amazwi ukuze ubuze kubalulekile ukwahlula idata evela amagama SQL.

• * Khetha itheyibhile APHO igama = Zerg.

Kulo uqwalaselo, inkqubo basenokucinga ukuba Zerg - igama nayiphi intsimi, ngoko ke kufuneka ukuba Somrhaqa kuyo nkqo.

• KHETHA * kwitafile APHO igama = 'Zerg'.

Nangona kunjalo, kukho amaxesha xa ixabiso ngokwayo iqulethe kuchaphulo olu.

• KHETHA * kwitafile APHO igama = 'Côte d'Ivoire'.

Apha zijongane inxalenye Côte d, kwaye abanye ubonakala njengeqela, leyo, Kakade ke, hayi. Ngoko ke, i iphutha. Emva koko kufuneka olu hlobo lwe data zokuhlola. Ukuze wenze oku, sebenzisa umgca okekeleyo ngasemva - \.

• KHETHA * kwitafile APHO igama = 'cat-d \' Ivoire '.

Konke oku kungentla ubhekisela imiqolo. Ukuba intshukumo lwenzeka inombolo, ngoko akuyomfuneko naziphi luphindo okanye slashes. Noko ke, ukuba kufuneka ukuqalisa kukhokelela uhlobo data oyifunayo.

Kukho ingcebiso yokuba igama intsimi kufuneka abhijelwe backquotes. Olu phawu kwicala lasekhohlo keyboard, kunye tilde '~ ". Oku kukuqinisekisa ukuba SQL yam unako ngokuchanileyo ukwahlula igama yentsimi ukususela elingundoqo yakho.

umsebenzi Dynamic ne data

Amaxesha amaninzi, ukuze ukufumana naziphi data evela kuvimba kusetyenziswa imibuzo, eveliswa ngamandla. Umzekelo:

• KHETHA * kwitafile APHO 'inombolo $' inani =.

Apha, inombolo $ elitshintshayo ipasisiwe njengoko kumiselwa ixabiso yasendle. Kuza kwenzeka ntoni ukuba ufumana 'Côte d'Ivoire'? Imposiso.

Ukuze siphephe le nkathazo, Kakade, ungaquka "uphindo umlingo" Useto. Kodwa ngoku le datha iya kujongisiswa apho kuyimfuneko yaye akuyomfuneko. Ukongeza, ukuba ikhowudi ibhalwe ngesandla, umele uchithe ixesha elincinane kakhulu ukudala ukumelana ukuya ng inkqubo ngokwayo.

Kuba Ukongeza elizimeleyo isleshi Ungasebenzisa mysql_real_escape_string.

$ Inani = mysql_real_escape_string (Inombolo $);

$ Unyaka = mysql_real_escape_string ($ ngonyaka);

$ Query = "Faka IBE itafile (inombolo, unyaka, udidi) YOKUZIPHATHA ( 'inombolo $', '$ unyaka', 11)".

Nangona ikhowudi naqhama umthamo, kodwa ngokwenza oko kuya kusebenza ikhuseleke kakhulu.

placeholder

Placeholder - uhlobo yabamakishi apho inkqubo ibona ukuba le ndawo ufuna ukuba kufakwe endaweni umsebenzi okhethekileyo. Umzekelo:

$ Bavale = $ mysqli-> ukulungiselela ( "District Khetha Inani APHO Name =?");

$ Sate-> bind_param ( "s", $ inani);

$ Sate-> ozakuphunyezwa ();

Eli candelo le khowudi kuthatha uqeqesho isicelo template uze alibophe inani bume, nesebenza kuyo. Le ndlela ivumela ukuba ukwahlula processing umbuzo kunye nokuphunyezwa kwayo. Ngenxa yoko, oko ke onokusindiswa ukusetyenziswa ikhowudi ngolunya aba SQL-.

Yini umhlaseli

System Protection - yinto ebaluleke kakhulu, nto leyo ayikwazi bengahoywanga. Kakade ke, kuya kuba lula ukuba ukubuyisela indawo ikhadi soshishino esilula. Kwaye ukuba yinto enkulu portal, inkonzo, forum? Zintoni iziphumo ukuba ngaba ucinga ukhuseleko?

Okokuqala, hacker nawaphula ingqibelelo zombini isiseko kunye nokususa ngokupheleleyo. Ke ukuba umphathi isayithi okanye hoster akenzi yogcino, uya kuba ngamaxesha anzima. Ngaphezu kwako konke, bebe, ngokuhlaziya isayithi eyodwa, angaya omnye exhonyiweyo iseva enye.

Okulandelayo bubahlutha inkcazelo yobuqu yabatyeleli. kulinganiselwe kuphela ekuyileni hacker yonke into - Indlela yokusebenzisa. Kodwa nayiphi na imeko, iziphumo ayiyi kuba mnandi kakhulu. Ingakumbi xa eziqulathwe ulwazi zemali.

Kwakhona, umhlaseli luyakwazi ukudibanisa database wena uze abanike imali ukuze ukubuya.

abasebenzisi Ulwazi olungelulo egameni umlawuli site, umntu abayi kokuba, nako zisifake kangangoko iinyaniso ubuqhophololo.

isiphelo

Lonke ulwazi kweli nqaku kunikezelwe ngenjongo yolwazi kuphela. Sebenzisa kudingeka nje ukuba ukuvavanya iiprojekthi zabo xa sibona ukuba semngciphekweni kunye nazo.

Kuba kakhulu-olunzulu isifundo nobuchule ukuqhuba njani SQL-ngenaliti, kuyimfuneko ukuba uqale izakhono zophando ezikhoyo kunye neempawu ulwimi SQL. Njengoko imibuzo yenziwe, amagama, iindidi zedata, kwaye ukusetyenziswa kwazo zonke kuyo.

Kwakhona akakwazi ukwenza ngaphandle ekuqondeni ukusebenza PHP kunye nezinto HTML imisebenzi. Ukusetyenziswa ephambili amanqaku abasemngciphekweni ukuba isitofu - wokudibani- idilesi, kunye intsimi ezahlukeneyo search. Ukufunda imisebenzi PHP, indlela ukuphunyezwa kunye neempawu ziya bana phandle indlela yokuphepha iimpazamo.

Ubukho izixhobo ezininzi software esele zenziwe kuvumela olunzulu lihlaziya eyaziwa site semngciphekweni. Enye imveliso kakhulu ethandwa - kali linux. Lo mfanekiso kwenkqubo yokusebenza Linux-based, equlethe inani elikhulu izixhobo kunye neenkqubo linokuyiqhuba uhlalutyo olubanzi amandla site.

Yintoni ekufuneka uyazi ukuba zizame njani na isayithi? Yinto elula kakhulu - kuyimfuneko ukuba bazi ezinokuba semngciphekweni iprojekthi yakho okanye website ibe. Ingakumbi ukuba isitora online kwintlawulo online, apho idatha yomsebenzisi intlawulo sengozini ngenxa umhlaseli.

Zokufunda emsebenzini kwabasebenzi zokhuseleko iinkcukacha ezikhoyo uya kukwazi ukujonga ngaphandle isayithi ezahlukeneyo zokuhlola kunye nobunzulu. Iqala esuka elula HTML-iinaliti kunye nobunjineli ezentlalo yobuqhetseba.