Site has been hacked via SQL Injection


Question

Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.

Query:

=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

After the query was run it showed an integer result, something like "74545883".

Can you explain how the query works?

Answer

It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with a space, since it's URL-encoded, yields:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

Breakdown:

  1. The =-999.9 is just ending your current query.
  2. 0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used NULL values to populate those columns.
  3. The real confusion is in the CONCAT(). They are combining 126, 39, the database name as a hex value, 39, and 126.
  4. -- is a MySQL comment - it ignores the rest of your query after it.

Judging from this attack, I suspect that you are not wrapping input in mysql_real_escape_string(), which allowed the attacker to jump out of your query and execute their own.

See owasp.org for more information.
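The following is an added example, not code from the question or the answer above. It walks through the answer's decoding steps on a copy of the quoted payload (URL-decode, then decode each 0x... literal), reproduces what the CONCAT() column returns for an assumed database name so a responder can recognise and decode the ~'...'~ marker in captured responses, and contrasts the string-spliced query the answer warns about with a parameterised one. It assumes an in-memory sqlite3 table with four columns as a stand-in for the MySQL table; because SQLite does not accept MySQL's 0x... string literals, the probe used against the demo table is a constructed four-column UNION written with plain literals.

```python
import re
import sqlite3
from urllib.parse import unquote

# Copy of the injected string quoted in the question above.
PAYLOAD = (
    "=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),"
    "0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--"
)


def url_decode(payload: str) -> str:
    """Undo the URL encoding (%20 -> space), the first step the answer takes."""
    return unquote(payload)


def decode_hex_literal(literal: str) -> str:
    """Decode a MySQL 0x... literal into the ASCII text it stands for when it is
    used in a string context (0x7e is '~', 0x27 is a single quote)."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def decode_hex_literals(sql: str) -> dict:
    """Map every 0x... literal found in the decoded query to its ASCII value."""
    literals = sorted(set(re.findall(r"0x[0-9A-Fa-f]+", sql)))
    return {lit: decode_hex_literal(lit) for lit in literals}


def marker_output(db_name: str) -> str:
    """Reproduce what the CONCAT(...) column of the injected SELECT returns for an
    assumed database name: ~' + HEX(name) + '~ (MySQL's HEX() emits upper case)."""
    return "~'" + db_name.encode("ascii").hex().upper() + "'~"


def extract_db_name(page_text: str):
    """Incident-response helper: find the ~'...'~ marker in a captured response or
    log line and decode the hex inside it back to the leaked database name."""
    match = re.search(r"~'([0-9A-Fa-f]+)'~", page_text)
    if not match:
        return None
    return bytes.fromhex(match.group(1)).decode("ascii")


def _demo_db() -> sqlite3.Connection:
    """Constructed 4-column table, the situation the answer's column-count point describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER)")
    conn.execute("INSERT INTO products VALUES (1, 'widget', 9.99, 5)")
    return conn


def vulnerable_lookup(user_input: str) -> list:
    """The pattern the answer warns about: user input spliced straight into SQL text.
    Because the query has four columns, a four-column UNION passes straight through."""
    conn = _demo_db()
    sql = f"SELECT id, name, price, stock FROM products WHERE id={user_input}"
    return conn.execute(sql).fetchall()


def safe_lookup(user_input: str) -> list:
    """The fix: a parameterised query. The whole input is bound as one value, so
    'UNION ALL SELECT ...' is compared against id as data and never parsed as SQL."""
    conn = _demo_db()
    return conn.execute(
        "SELECT id, name, price, stock FROM products WHERE id=?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    decoded = url_decode(PAYLOAD)
    print(decoded)
    print(decode_hex_literals(decoded))
    print(marker_output("shop"), "->", extract_db_name(marker_output("shop")))
    probe = "-999.9 UNION ALL SELECT 'injected', 1, 2, 3--"   # constructed SQLite-syntax probe
    print("vulnerable:", vulnerable_lookup(probe))
    print("parameterised:", safe_lookup(probe))
```

Running the decoder shows that 0x31303235343830303536 is the hex spelling of the digit string 1025480056 rather than a NULL, which is why the question saw an integer-looking column in the output; the padding value only has to exist, its content is irrelevant to the column-count matching the answer describes. The parameterised version returns no rows for the probe because the driver binds the entire string as a single value compared against id.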
