What is SQL injection?
The number of sites and pages on the Internet is growing steadily. Everyone who can is taking up development, and novice web developers very often use unsafe or outdated code. This creates many loopholes for criminals and hackers. One of the most widely known vulnerabilities is SQL injection.
A little theory
Many people know that most sites and services on the network use SQL databases for storage. SQL is a structured query language that allows you to control and manage a data store. There are many different database management systems: Oracle, MySQL, PostgreSQL. Whatever the name and type, they all use data queries in the same way, and that is where the potential vulnerability lies. If the developer failed to process a request properly and securely, an attacker can use a special technique to get into the database and from there into the administration of the whole site.
To avoid such situations, the code must be properly optimized and the way each request is processed must be carefully monitored.
Checking for SQL injection
There is a mass of ready-made automated software systems for establishing whether a site has this vulnerability. But a simple check can also be performed manually. To do this, go to one of the test sites and try to provoke a database error from the address bar. For example, a script on the site may neither sanitize requests nor trim them.
For example, suppose there is nekiy_sayt/index.php?id=25 (nekiy_sayt standing for some site).
The simplest way is to put a quote after the 25 and send the request. If no error occurs, then either the site filters all requests correctly, or error output is disabled in its settings. If the page reloads with problems, then it is vulnerable to SQL injection.
Once it has been found, you can try to get rid of it.
Exploiting this vulnerability requires knowing a little about SQL query commands. One of them is UNION. It combines the results of several queries into one, which lets us count the number of fields in the table. An example of the first query:
- nekiy_sayt/index.php?id=25 UNION SELECT 1
In most cases this query should produce an error, meaning that the number of fields is not equal to 1. By trying values greater than 1, you can establish their exact number:
- nekiy_sayt/index.php?id=25 UNION SELECT 1,2,3,4,5,6
That is, once the error stops appearing, the number of fields has been guessed.
There is also an alternative solution to this problem, for example when the number of fields is large: 30, 60 or 100. That is the GROUP BY command. It groups the query results by some attribute, for example id:
- nekiy_sayt/index.php?id=25 GROUP BY 5
If no error is returned, then there are more than 5 fields. So by substituting values from a fairly wide range, you can work out how many there actually are.
This SQL injection example is for beginners who want to test their own site. Remember that unauthorized access to someone else's site falls under the Criminal Code.
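As a defender's counterpart to the manual check above, here is an added example (not from the article) that scans web server access-log lines for the probe shapes just described: a stray quote, UNION SELECT, ORDER BY or GROUP BY followed by a number, and a comment terminator. The log lines, the rule names and the log format are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in the common log format (not from any real server)
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=25 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=25' HTTP/1.1" 500 0
10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=25%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
10.0.0.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=25%20GROUP%20BY%205 HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /sqli_1.php?title=Iron+Man'+order+by+2+--&action=search HTTP/1.1" 200 2048
"""

# Client IP, timestamp, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Each rule is applied to the URL-decoded value of every query parameter;
# the patterns mirror the probes the article walks through
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order/group-by-probe", re.compile(r"\b(order|group)\s+by\s+\d+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("quote", re.compile(r"'")),
]

def decoded_params(target):
    # parse_qsl decodes %XX escapes and turns '+' into spaces, as the web server would
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def scan_line(line):
    # Return a finding for the line, or None if no parameter value matches a rule
    match = REQUEST_RE.match(line)
    if not match:
        return None
    ip, timestamp, target, status = match.groups()
    hits = set()
    for name, value in decoded_params(target):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.add(f"{name}:{rule}")
    if not hits:
        return None
    return {"ip": ip, "time": timestamp, "status": int(status), "hits": sorted(hits)}

def scan_log(text):
    return [finding for finding in map(scan_line, text.splitlines()) if finding]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 500 status next to a flagged parameter is the strongest signal, because it is the same database error the manual check looks for.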
The main types of injection
The SQL injection vulnerability is exploited in several variants. The following methods are popular:
UNION query SQL injection. A simple example of this type was already examined above. It works because of an error in checking incoming data, which is not filtered.
Error-based SQL injection. As the name suggests, this type also relies on an error: syntactically incorrect expressions are sent, the response headers are then intercepted, and their analysis makes it possible to carry out the SQL injection afterwards.
Stacked queries SQL injection. This vulnerability is determined by executing queries one after another. It is characterized by appending the ";" character at the end. This approach is often used to read and write data or to execute operating system functions if privileges allow.
Software for finding SQL vulnerabilities
Software for SQL injection usually has two components: scanning a site for possible vulnerabilities and exploiting them to gain access to data. Such tools exist for almost all known platforms. Their functionality greatly simplifies checking a site for SQL injection vulnerabilities.
Sqlmap
A very powerful scanner that works with most databases. It supports various methods of carrying out SQL injection. It can automatically recognize the type of a password hash and crack it with a dictionary. There is also functionality for uploading files to and downloading them from the server.
Installation on Linux is done with the commands:
- git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
- cd sqlmap-dev/
- ./sqlmap.py --wizard
For Windows there are both a command-line version and one with a graphical user interface.
jSQL Injection
jSQL Injection is a cross-platform tool for testing for SQL vulnerabilities. It is written in Java, so the JRE must be installed on the system. It can handle GET and POST requests, headers and cookies. It has a convenient graphical interface.
The installation of this software package looks like this:
wget https://github.com/`curl -s https://github.com/ron190/jsql-injection/releases | grep -E -o '/ron190/jsql-injection/releases/download/v[0-9]{1,2}.[0-9]{1,2}/jsql-injection-v[0-9]{1,2}.[0-9]{1,2}.jar' | head -n 1`
It is launched with the command java -jar ./jsql-injection-v*.jar
To start testing a site for SQL vulnerability, enter its address in the top field. There are separate fields for GET and POST. On a positive result, the list of available tables appears in the left window. You can look through them and find confidential information.
The «Admin page» tab is used to find administration panels. Using special templates, it automatically scans for records of privileged users. From those you get only a password hash, but a cracker for it is included in the program's toolkit.
After finding the vulnerabilities and injecting all the necessary requests, the tool lets you upload your file to the server or, conversely, download one from there.
SQLi Dumper v.7
This program is an easy-to-use tool for finding and exploiting SQL vulnerabilities. It uses so-called dorks, lists of which can be found on the Internet. Dorks for SQL injection are special templates of search queries. With their help you can find potentially vulnerable sites through any search engine.
Tools for training
The site itsecgames.com offers a special set of tools that shows by example how SQL injection is performed and how to test for it. To use it, you need to download and install it. The archive contains a set of files that make up the structure of the site. To install it you need an existing stack of Apache web server, MySQL and PHP.
After unpacking the archive into the web server folder, go to the address entered when this software was set up. A user registration page opens. Enter your details here and click «Create». After the user is taken to a new screen, the system prompts you to choose one of the test cases. Among them are all the injections described, and many other test items.
It is worth considering the SQL injection example of type GET/Search. Select it and click «Hack». A search bar and an imitation of a movie site appear. Listing the movies could take a long time, but there are only 10. For example, try entering Iron Man. The movie is shown, so the site works and has tables.
Now we need to check whether the script filters special characters, in particular the quote. To do this, add ' in the address bar, right after the movie title. The site returns the error: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1, which says that the characters are still not processed properly. So you can try to substitute your own query. But first you need to count the number of fields. This is done with order by, inserted after the quote: http://testsites.com/sqli_1.php?title=Iron+Man' order by 2 --&action=search
This command simply shows the movie information, meaning the number of fields is greater than 2. The double hyphen tells the server that the rest of the query should be discarded. Now we iterate, raising the value until an error is printed. In the end it turns out there are 7 fields.
Now it is time to pull something useful out of the database. Slightly modify the request in the address bar, bringing it to the form: http://testsites.com/sqli_1.php?title=Iron+Man' union select 1, database(), user(), 4, password, 6, 7 from users --&action=search. As a result, rows with password hashes are displayed, which can easily be turned into readable characters using online services. With a little more tinkering and by picking out the name of the login field, you can gain access to someone else's account, for example the site administrator's.
The product has a mass of injection varieties to practice on. Remember that using these skills on real sites on the network may be a criminal offense.
Injection and PHP
As a rule, it is PHP code that is responsible for the necessary processing of requests coming from the user. Therefore it is at this level that protection against SQL injection must be built in PHP.
First, a few simple recommendations on which this should be based.
- Data must be processed before it is placed in the database. This can be done either with existing expressions or by organizing the queries manually. Here it must also be taken into account that numeric values are converted to the required type;
- Do not output various control structures.
Now a little about the rules for composing queries in MySQL so as to protect against SQL injection.
When composing any query expression, it is important to separate the data from the SQL keywords.
- SELECT * FROM table WHERE name = Zerg
In this construction the system may think that Zerg is the name of some field, so it must be enclosed in quotes.
- SELECT * FROM table WHERE name = 'Zerg'
However, there are cases when the value itself contains quotes.
- SELECT * FROM table WHERE name = 'Côte d'Ivoire'
Here only the part Côte d is processed, and the rest may be taken for a command, which of course does not exist, so an error results. Data of this kind therefore needs to be escaped. To do this, use the backslash \.
- SELECT * FROM table WHERE name = 'Côte d\'Ivoire'
All of the above applies to strings. If the action involves a number, it needs neither quotes nor slashes. However, it should be forcibly cast to the required data type.
There is a recommendation that field names be enclosed in backticks. This character is at the left of the keyboard, on the same key as the tilde "~". This is so that MySQL can accurately distinguish the field name from its keywords.
Dynamic work with data
Very often, dynamic queries are used to get data from the database. For example:
- SELECT * FROM table WHERE number = '$number'
Here the variable $number is passed as the value of the field. What happens if it receives 'Côte d'Ivoire'? An error.
To avoid this trouble you can, of course, enable the "magic quotes" setting. But then data will be escaped where it is not needed. Besides, if the code is written by hand, you can spend a little more time creating a crack-resistant system yourself.
To add the slash yourself, you can use mysql_real_escape_string.
// Escape each value before it is pasted into the query text
// (the mysql_* functions were removed in PHP 7; mysqli_real_escape_string() is the equivalent there)
$number = mysql_real_escape_string($number);
$year = mysql_real_escape_string($year);
$query = "INSERT INTO table (number, year, class) VALUES ('$number', '$year', 11)";
Although the code has grown in size, it will potentially work more safely.
Placeholders
Placeholders are a kind of marker by which the system recognizes that a value must be substituted at this place by a special function. For example:
// Prepare the query template with a ? placeholder, bind a string value to it, then execute
$stmt = $mysqli->prepare("SELECT District FROM Number WHERE Name=?");
$stmt->bind_param("s", $number);
$stmt->execute();
This piece of code pre-processes the query template, then binds the number variable to it, and executes it. This approach separates query parsing from its execution, and thus protects against the use of malicious code in SQL.
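As an added example (not from the article), the following script puts the approaches discussed in this section and in the dynamic-data section above side by side: a value pasted into the query text, a numeric value cast to int before binding, and a placeholder query. sqlite3 stands in for MySQL so the block runs offline; the countries table, its rows and the function names are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the article's MySQL tables
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO countries VALUES (?, ?, ?)",
                     [(1, "Zerg", "s1"), (2, "Côte d'Ivoire", "s2")])
    return conn

def lookup_concat(conn, name):
    # Dynamic query as in the article: SELECT * FROM table WHERE name = '$name'
    # The value becomes part of the SQL text, so a quote inside it changes the statement.
    return conn.execute(f"SELECT id, name FROM countries WHERE name = '{name}'").fetchall()

def lookup_param(conn, name):
    # Placeholder query: the driver passes the value separately from the SQL text,
    # so a quote inside it stays data and needs no backslash escaping.
    return conn.execute("SELECT id, name FROM countries WHERE name = ?", (name,)).fetchall()

def lookup_by_id(conn, raw_id):
    # Numeric value: cast to the required type first (ValueError for anything else), then bind
    return conn.execute("SELECT id, name FROM countries WHERE id = ?", (int(raw_id),)).fetchall()

def run(fn, *args):
    # Return either the rows or the error text, so the outcomes can be compared
    try:
        return fn(*args)
    except (sqlite3.OperationalError, ValueError) as exc:
        return f"error: {exc}"

def demo():
    conn = make_db()
    apostrophe = "Côte d'Ivoire"
    # A union probe of the shape the article walks through, arriving where only a name is expected
    probe = "Zerg' UNION SELECT id, secret FROM countries --"
    return {
        "concat_apostrophe": run(lookup_concat, conn, apostrophe),  # syntax error
        "param_apostrophe": run(lookup_param, conn, apostrophe),    # the matching row
        "concat_probe": run(lookup_concat, conn, probe),            # leaks the secret column
        "param_probe": run(lookup_param, conn, probe),              # no such name: empty
        "id_ok": run(lookup_by_id, conn, "2"),
        "id_rejected": run(lookup_by_id, conn, "2 OR 1=1"),         # int() refuses it
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```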
What an attacker can do
System protection is another very important factor that must not be neglected. Of course, a simple business-card site is easy to restore. But what if it is a large portal, a service, a forum? What are the consequences of not thinking about security?
First, an attacker can break the integrity of the whole database or delete it entirely. And if the site administrator or the hosting provider does not make backups, you will have a hard time. Worse, an attacker who has hacked one site can move on to the others hosted on the same server.
Next comes the theft of visitors' personal data. How it is used is limited only by the attacker's imagination, but in any case the consequences are not pleasant, especially if it contains financial information.
The attacker can also dump the database for himself and then extort money for its return.
Impersonating users in the name of the site administrator, a person they are not, can also have negative consequences, since fraudulent actions become possible.
Conclusion
All the information in this article is provided for informational purposes only. It should only be used to test your own projects, in order to detect and fix vulnerabilities.
For a deeper study of SQL injection techniques, start with a thorough study of the capabilities and features of the SQL language itself: how queries, expressions, data types and functions are written.
You also cannot do without understanding PHP functions and HTML elements. The main points of application for injection are the address bar and the various search fields. By studying PHP functions, the ways of implementing things and their capabilities, you can understand how to avoid mistakes.
The availability of many ready-made software tools allows deep analysis of a site for known vulnerabilities. One of the most popular products is Kali Linux, an image of a Linux-based operating system that contains a large number of tools and programs for comprehensive security analysis of a site.
Do you want to know how to hack a site? It is simple: you need to know the vulnerabilities that could be exploited on your own site or web application, especially if it is an online store with online payments, where users' payment data can be compromised by an attacker.
A professional study by information security staff will let you check a site by various criteria and to various depths, starting from simple HTML injection and ending with social engineering and phishing.