
SQL select from other database with sql injection

I was attacked by SQL injection and they got my database "root" user name and password.

But they also showed me some data from another database, whose name this site definitely does not have in its code.

Is it possible with SQL injection to select from another database (by a user with full access)? Or is the only way for this to use a URL that has access to this database?

If this is possible, what SQL does it use? So I can find it in my logs.

If they have your database root password, they can do anything. SQL can most definitely select from other databases inside the same server, using the same mechanism as you do for referring to multiple tables:

select database1.table.field, database2.othertable.otherfield, etc...

Using 'root' to do your front-end facing stuff is NEVER a good idea. Especially if you're writing vulnerable code. Always create a dedicated user with JUST the privileges you need. A simple blog engine, for instance, does not need the rights to alter a table, drop a database, or change privileges.

Your logs would only show GET query parameters. If all the hacking was done with POST calls, the logs will not contain the actual data sent, so most likely you're SOL on that front. If you've got MySQL binary logging enabled, there'll be a log of every query executed.
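The question asks what SQL to look for in the logs. One caveat on the answer above: the MySQL binary log only records statements that change data, so a SELECT or SHOW run by an attacker will not be in it; the general query log (general_log) does record every statement. As an added example, not code from this thread, here is a small Python scanner over constructed lines written in the style of the general query log. It flags the kinds of statements the answers describe: SHOW DATABASES, reads of INFORMATION_SCHEMA, and table references qualified with a schema other than the application's own. The schema name `myblog`, the log lines and the connection ids are all assumptions made up for the example.

```python
from __future__ import annotations

import re
from typing import Iterable

# Assumed name of the application's own database; every other schema is "foreign".
APP_SCHEMA = "myblog"

# Constructed sample lines in the style of the MySQL general query log
# (timestamp, connection id, command, statement). Not real log data.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000001Z\t   12 Query\tSELECT id, title FROM posts WHERE id = 42
2024-05-01T10:00:02.000002Z\t   12 Query\tSELECT id, title FROM posts WHERE id = 42 UNION SELECT 1, table_schema FROM INFORMATION_SCHEMA.TABLES
2024-05-01T10:00:03.000003Z\t   12 Query\tSHOW DATABASES
2024-05-01T10:00:04.000004Z\t   12 Query\tSELECT * FROM `othersite`.`users`
2024-05-01T10:00:05.000005Z\t   13 Query\tSELECT p.title FROM myblog.posts p JOIN myblog.tags t ON t.post_id = p.id
2024-05-01T10:00:06.000006Z\t   13 Query\tSHOW TABLES IN `othersite`
"""

QUERY_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")
# schema.table right after a keyword that introduces a table reference; this
# deliberately ignores table.column pairs elsewhere in the statement.
QUALIFIED_RE = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?(\w+)`?\s*\.\s*`?(\w+)`?", re.IGNORECASE
)
SHOW_TABLES_RE = re.compile(r"\bSHOW\s+TABLES\s+(?:IN|FROM)\s+`?(\w+)`?", re.IGNORECASE)
SHOW_DBS_RE = re.compile(r"\bSHOW\s+(?:DATABASES|SCHEMAS)\b", re.IGNORECASE)


def classify(sql: str) -> list[str]:
    """Return the reasons one statement looks like cross-database probing (empty if none)."""
    reasons: list[str] = []
    if SHOW_DBS_RE.search(sql):
        reasons.append("enumerates databases (SHOW DATABASES)")
    if "information_schema" in sql.lower():
        reasons.append("reads INFORMATION_SCHEMA")
    for schema, _table in QUALIFIED_RE.findall(sql):
        # information_schema is already reported above; anything else that is
        # not the application's own schema is a cross-database reference.
        if schema.lower() not in (APP_SCHEMA, "information_schema"):
            reasons.append(f"references foreign schema {schema!r}")
    m = SHOW_TABLES_RE.search(sql)
    if m and m.group(1).lower() != APP_SCHEMA:
        reasons.append(f"lists tables in foreign schema {m.group(1)!r}")
    return reasons


def find_suspicious(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Scan general-log lines; return (connection id, statement, reasons) for each hit."""
    hits: list[tuple[str, str, list[str]]] = []
    for line in lines:
        m = QUERY_RE.match(line.rstrip("\n"))
        if not m:
            continue  # Connect/Quit lines and wrapped continuation lines are skipped
        reasons = classify(m.group("sql"))
        if reasons:
            hits.append((m.group("conn"), m.group("sql"), reasons))
    return hits


if __name__ == "__main__":
    for conn_id, sql, reasons in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"conn {conn_id}: {sql}\n    -> {'; '.join(reasons)}")
```

Run against the constructed sample, the two queries that only touch `myblog` are ignored and the other four are reported, each with the connection id so the whole session from that connection can be pulled out of the log. Matching only `schema.table` after FROM/JOIN/INTO/UPDATE is what keeps ordinary `table.column` references from producing false positives.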

Certainly a MySQL query can reference any database that lives in the same instance of MySQL.

SELECT * FROM `databasename`.`tablename` ...

And it's also easy to get the list of database names if the attacker can use SQL injection to execute arbitrary queries as root:

SHOW DATABASES;

Or:

SELECT DISTINCT table_schema FROM INFORMATION_SCHEMA.TABLES;

I encourage you to perform a thorough code review of all your code and be safer about writing dynamic SQL queries. You can use proper type coercion, string-escaping functions, and query parameters for most cases, but there are still more cases where you need to build dynamic SQL strings and those solutions don't help.

Review my presentation, SQL Injection Myths and Fallacies, or the chapter on SQL injection in my book SQL Antipatterns: Avoiding the Pitfalls of Database Programming, for ideas.
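To make the "query parameters for most cases, dynamic SQL strings for the rest" point concrete, here is an added Python example; it is not from the answer above or from the book it mentions. It uses sqlite3 as an in-memory stand-in so it runs offline; MySQL drivers such as mysql-connector-python and PyMySQL take parameters in the same `cursor.execute(sql, params)` shape, with `%s` rather than `?` as the placeholder. The `posts` table and its rows are constructed for the example. It shows the string-concatenated query beside the parameterised one, and then the one case parameters cannot cover, a column name chosen by the caller, handled with an allow-list instead.

```python
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [
            ("Hello world", "first post"),
            ("O'Brien's notes", "apostrophes are legal in data"),
            ("Draft", "not published"),
        ],
    )
    return conn


def find_post_vulnerable(conn: sqlite3.Connection, title: str) -> list[tuple]:
    # BAD: the input is spliced into the statement text, so a quote character
    # in it ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT id, title FROM posts WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def find_post_safe(conn: sqlite3.Connection, title: str) -> list[tuple]:
    # GOOD: the statement is fixed and the value is bound separately, so the
    # input is only ever compared against titles as data, quotes included.
    sql = "SELECT id, title FROM posts WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def vulnerable_query_breaks(conn: sqlite3.Connection, title: str) -> bool:
    """True if the concatenated query does not even parse for this input."""
    try:
        find_post_vulnerable(conn, title)
    except sqlite3.Error:
        return True
    return False


# Identifiers (table and column names) cannot be bound as parameters; this is
# the case the answer says parameters do not cover. Validate the caller's
# choice against an allow-list and only then splice the now-trusted name in.
ORDERABLE_COLUMNS = {"id", "title"}


def list_posts_ordered(conn: sqlite3.Connection, column: str) -> list[tuple]:
    if column not in ORDERABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, title FROM posts ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated:", find_post_vulnerable(db, probe))  # every row comes back
    print("parameterised:", find_post_safe(db, probe))  # [] - no title equals that string
    print("apostrophe in legit data, parameterised:", find_post_safe(db, "O'Brien's notes"))
    print("apostrophe in legit data, concatenated breaks:", vulnerable_query_breaks(db, "O'Brien's notes"))
    print("allow-listed ORDER BY:", list_posts_ordered(db, "title"))
```

The same input that turns the concatenated query into a tautology is, for the parameterised query, just a title that matches nothing; and the perfectly legitimate title containing an apostrophe, which the concatenated version cannot even parse, works as expected. For the ORDER BY case, the allow-list is the whole defence: once the name has been checked against a fixed set there is nothing left in it for an attacker to control.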

SHOW DATABASES;

This will give you a list of databases that you have access to. root has access to all of them (in most installations).

To see the tables:

SHOW TABLES IN `myDB`;

To see those tables' structures you can do multiple things:

SHOW CREATE TABLE `myDB`.`myTable`; /* This shows an executable query that can be used to recreate the table structure */

or

SHOW COLUMNS FROM `myTable` IN `myDB`; /* This shows a list of columns */
