Question

SQL is a programming language used to query or modify information stored within a database. A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application’s database by supplying malicious input inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped and can lead to authentication bypass, sensitive data leaks, tampering of the database, and RCE in some cases.

SQL 是一种编程语言，用于查询或修改数据库中存储的信息。SQL 注入是一种攻击，攻击者通过提供插入到 SQL 语句中的恶意输入，在应用程序数据库中执行任意 SQL 命令。当 SQL 查询中使用的输入未正确过滤或转义时，就会发生这种情况，这可能会导致绕过身份验证、敏感数据泄漏、篡改数据库以及在某些情况下引发 RCE 等问题。

SQL injections are on the decline, since most web frameworks now have built-in mechanisms that protect against them. But they are still common. If you can find one, they tend to be critical vulnerabilities that result in high payouts, so when you first start hunting for vulnerabilities on a target, looking out for them is still worthwhile. In this chapter, we will talk about how to find and exploit two types of SQL injections: classic SQL injections and blind SQL injections. We will also talk about injections in NoSQL databases, which are databases that do not use the SQL query language.

SQL 注入攻击正在减少，因为大多数 Web 框架现在都具有内置机制来保护它们。但仍然很普遍。如果您能发现一个，它们往往是关键漏洞，会导致高额赔款，因此当您首次开始在目标上寻找漏洞时，仍然值得寻找它们。在本章中，我们将讨论如何查找和利用两种类型的 SQL 注入：经典 SQL 注入和盲 SQL 注入。我们还将讨论 NoSQL 数据库中的注入，这些数据库不使用 SQL 查询语言。

Note that the examples used in this chapter are based on MySQL syntax. The code for injecting commands into other database types will be slightly different, but the overall principles remain the same.

请注意，本章中使用的示例基于 MySQL 语法。将命令注入到其他数据库类型的代码会略有不同，但总体原则仍然相同。