SQLi
Chess@NISRA
Whoami
-
NISRA 107 年度核心幹部 -
108 年度行政院網路攻防演練攻擊手 -
AIS3 2018/2019/2020 學員
Chess Kuo
誰 我 敢 會 說 跟 這 他 是 決 軟 鬥 體
Agenda
-
What is SQL
-
Build Environment
-
Basic Syntax
-
What is SQLi
Agenda
-
What is SQL
-
Build Environment
-
Basic Syntax
-
What is SQLi
Structured
Query
Language
Database
Table
Column
-
Create -
Read -
Update -
Delete
How to use
SQL Engine
Agenda
-
What is SQL
-
Build Environment
-
Basic Syntax
-
What is SQLi
s.nisra.net/sqli_vm
需安裝 Extension Pack
nisra:nisra
ssh nisra@localhost
mysql -unisra -p -h127.0.0.1
http://localhost
Agenda
-
What is SQL
-
Build Environment
-
Basic Syntax
-
What is SQLi
-
SHOW DATABASES ;
- 列出所有 DB
-
CREATE DATABASE <db_name> ;
- 新增一個 DB
-
USE <db_name> ;
- 選擇使用該 DB
-
DROP DATABASE <db_name> ;
- 刪除一個 DB
Database
Lab01
新增一個叫做 "test" 的 DB
並且使用它
-
SHOW TABLES;
- 列出所有 Table
-
DROP TABLE <tb_name> ;
- 刪除一個 Table
Table
CREATE TABLE <tb_name> (
<col_name1> type,
<col_name2> type,
<col_name3> type,
...
)
Table
-
INT
-
TINYINT
-
SMALLINT
-
BIGINT
-
FLOAT
-
DOUBLE
Type
-
CHAR(n)
-
VARCHAR(n)
-
DATE
-
TIME
-
DATETIME
-
TIMESTAMP
Type
| CHAR(4) | VARCHAR(4) | |
|---|---|---|
| ' ' | ' ' | ' ' |
| 'ab' | 'ab ' | 'ab' |
| 'abcd' | 'abcd' | 'abcd' |
| 'abcdefg' | 'abcd' | 'abcd' |
Type
-
DATE
- '1970-01-01'
-
TIME
- '00:00:00'
-
DATETIME
- '1970-01-01 00:00:00'
-
TIMESTAMP
- 1597065553
Lab02
新增一張 table 叫做 people
且有下列 column
| col_name | type |
|---|---|
| id | INT |
| name | 長度 10 的字串 |
| birth | DATE |
Column
-
SHOW COLUMNS FROM <tb_name>;
- 列出該表中的欄位
Select
切換到 DB
employees
-
指定欄位 SELECT <col>[, <col> ...] FROM <tb> -
全選
SELECT * FROM <tb>
-
庫名、表名、欄位名可加重音符 (`)
-
字串會加上單引號 ( ' )
Lab03
將 employees 這個 table 印出來看看
where
查詢的條件 ( filter 的概念 )
SELECT * FROM <tb> WHERE <condition>
where
Ex. 在 1960 後出生的人
SELECT * FROM employees WHERE birth_date >= date('1960-01-01')
Lab04
將男性員工列出來
Lab04
將男性員工列出來
SELECT * FROM employees
WHERE gender='M'
where
多個條件
SELECT * FROM <tb> WHERE <condition> OR/AND <condition>
Lab05
1960 後出生的男員工
Lab05
1960 後出生的男員工
SELECT * FROM employees
WHERE birth_date >= DATE('1960-01-01')
AND gender = 'M'
ORDER BY
依照 XX 排序
SELECT * FROM <tb> ORDER BY <col>
ORDER BY
依照生日排序
SELECT * FROM <tb> ORDER BY birth_date
ORDER BY
-
正序 (default)
-
ASC
-
-
反序
-
DESC
-
ORDER BY
依照生日排序
SELECT * FROM <tb> ORDER BY birth_date DESC
LIMIT
限制輸出筆數
SELECT * FROM <tb> LIMIT from, n
LIMIT
從第 6 筆開始輸出 3 個
SELECT * FROM employees LIMIT 5, 3
LIMIT
從第 6 筆開始輸出 3 個
Insert
-
指定欄位
INSERT INTO <tb>(<col>)
VALUES (<val>)
-
全部欄位都要給值
INSERT INTO <tb>
VALUES (<val>, ...)
test
people
Lab06
把自己的資料寫進去 id 是 1
Lab06
把自己的資料寫進去 id 是 1
INSERT INTO people
VALUES (1, 'chess', DATE('1970-01-01'))
Lab06-2
再新增幾筆資料進去 id 不要重複
Delete
DELETE FROM <tb>
WHERE <condition>
不加 where 會將整個 table 內容清空 !!!!!!!!!!!!!!!!!!!!!!!!
Lab07
把 id 1 刪掉吧 只有 ID 1 喔
Lab07
把 id 1 刪掉吧
DELETE FROM people
WHERE id=1
Update
UPDATE <tb>
SET <col>=<val>, ...
WHERE <condition>
不加 where 會將 table 中該欄位直接毀滅 !!!!!!!!!!!!!!!!!!
Lab08
把 某個特定 id 的名字改成 QQ,
生日改成 2020/01/01
Lab08
把 某個特定 id 的名字改成 QQ,
生日改成 2020/01/01
UPDATE people
SET name='QQ', birth=DATE('2020-01-01')
WHERE id=2
Agenda
-
What is SQL
-
Build Environment
-
Basic Syntax
-
What is SQLi
SQLi in PHP
INSERT INTO `Students`(name)
VALUES('XXX')
Robert'); DROP TABLE Students;--
INSERT INTO `Students`(name) VALUES('Robert'); DROP TABLE Students;-- ')
INSERT INTO `Students`(name) VALUES('Robert'); DROP TABLE Students;-- ')
-
SQLi
-
有回顯
-
-
Blind SQLi
-
沒有回顯
-
-
通用
-
Stacked Queries
-
-
SQLi
-
Union Based
-
Error Based
-
-
Blind SQLi
-
Boolean Based
-
Time Based
-
' or 1=1#--
user=?
pass=?
SELECT *
FROM users
WHERE user='$user' AND pass='$pass'
user=xxx
pass=bbb
SELECT *
FROM users
WHERE user='xxx' AND pass='bbb'
user=xxx' or 1=1#--
pass=
SELECT *
FROM users
WHERE user='xxx' or 1=1#--' AND pass=''
SQLi 01
http://beef.nisra.net:8901
SQLi 02
hint : 多行註解
http://beef.nisra.net:8902
END
[20201201] NISRA - SQLi
By Chess Kuo
