Site has been hacked via SQL Injection
Question
Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.
Query:
=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
After the query was run it showed an integer result, something like "74545883".
Can you explain how the query works?
Answer
It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with (space), since it's url-encoded, yields:
=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
Breaking it down:
- the =-999.9 is just ending your current query
- 0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used NULL values to populate those columns.
- the real confusion is in the CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126
- -- is a mysql comment - it ignores the rest of your query after
Judging from this attack, I suspect that you are not wrapping input in mysql_real_escape_string(), which allowed the attacker to jump out of your query and execute their own.
See owasp.org for more information.
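As an added example (not part of the answer above and not the asker's code), the following Python walks through the quoted payload the way the answer does: it URL-decodes the fragment, renders each MySQL 0x.. literal as the string MySQL would produce for it, counts the columns the injected SELECT supplies (the number the UNION has to match), flags the pattern for log review, and contrasts it with a parameterized lookup. The items table and the lookup function are hypothetical, built in an in-memory SQLite database; they are not the asker's schema.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed input: the raw query-string fragment quoted in the question
RAW_PAYLOAD = (
    "=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),"
    "0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--"
)

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
UNION_SELECT = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)


def decode_payload(raw):
    """URL-decode the fragment and render each MySQL 0x.. literal as the string
    MySQL produces for it in a SELECT list: 0x7e is '~', 0x27 is a single quote,
    and the long literal is a run of digits used only to fill a column."""
    decoded = unquote(raw)
    literals = {}
    for m in HEX_LITERAL.finditer(decoded):
        digits = m.group(1)
        if len(digits) % 2:  # not a whole number of bytes; leave undecoded
            continue
        literals[m.group(0)] = bytes.fromhex(digits).decode("ascii", "replace")
    return decoded, literals


def union_column_count(decoded):
    """Count top-level items in the injected SELECT list; a UNION only succeeds
    when this equals the column count of the query it was appended to."""
    m = re.search(r"SELECT\s+(.*?)\s*--\s*$", decoded, re.I | re.S)
    if not m:
        return 0
    depth, count = 0, 1
    for ch in m.group(1):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:  # commas inside CONCAT(...) are skipped
            count += 1
    return count


def looks_like_union_injection(raw):
    """Cheap heuristic for a log review or WAF rule: UNION ... SELECT together
    with a hex literal inside a URL-decoded parameter value."""
    decoded = unquote(raw)
    return bool(UNION_SELECT.search(decoded)) and bool(HEX_LITERAL.search(decoded))


def build_demo_db():
    """Constructed in-memory table (hypothetical 'items', not the asker's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'widget')")
    return conn


def lookup_safely(conn, item_id):
    """Hardened lookup: the value is sent as a bound parameter, never spliced
    into SQL text, so an injected UNION is just a string that matches no id."""
    return conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()


if __name__ == "__main__":
    decoded, literals = decode_payload(RAW_PAYLOAD)
    print(decoded)
    print(literals)
    print("injected columns:", union_column_count(decoded))
    print("flagged:", looks_like_union_injection(RAW_PAYLOAD))
    conn = build_demo_db()
    print(lookup_safely(conn, 1), lookup_safely(conn, decoded))
```

The decoded literals show why the result the asker saw is wrapped in ~'...'~: the markers make the injected column easy to spot in whatever the page rendered. The same payload handed to lookup_safely returns an empty list because the driver compares it as a plain value; that is the fix the answer is pointing at, and it replaces escaping rather than supplementing it.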