SQL injection là một phương pháp cho phép hacker lợi dụng lỗ hổng của việc kiểm tra dữ liệu đầu vào của Website và các thông báo lỗi của hệ quản trị cơ sở dữ liệu trả về để inject (tiêm vào) và thi hành các câu lệnh SQL bất hợp pháp. SQL injection giúp cho các Hacker thực hiện các lệnh như select, insert, update, delete v.v. ngay trên trình duyệt web, thậm chí là server mà ứng dụng đó đang chạy.

Mặc dù, đã trải qua rất nhiều năm kể từ khi lỗ hổng SQLi đầu tiên được phát hiện.SQLi vẫn là lỗ hổng rất phổ biến trong ứng dụng web. Hầu như các vụ đánh cắp thẻ tín dụng (CC) đều được khai thác từ lỗ hổng này. Trước đây các Shop bán hàng Online hầu như bị khai thác SQL injection để đánh cắp thông tin của người mua hàng. Bây giờ thì đỡ hơn nhiều rồi.

11 08 2018 04 35 54 - Thực hành khai thác lỗi SQL injection với Sqli-labs

Nhằm mục đích trau dồi kỹ năng phát hiện lỗ hổng SQLi. Thành viên DDos (của diễn đàn WhiiteHat) giới thiệu tới các bạn sqli-labs project. Project này bao gồm 65 bài lab khác nhau với độ khó tăng dần. Nội dung của sqli-labs bao gồm gần như tất cả các con đường có thể dẫn tới lỗi SQLi như: GET/POST request, User-Agent…

Thực hành khai thác lỗi SQL injection với Sqli-labs

Để cài đặt sqli-lab, các bạn cần:

  • PHP
  • MySQL
  • Apache server

Bạn có thể cài phần mềm Xamp (bản 5.6) hoặc Ampp để giả lập môi trường PHP, MySQL trên Windows. Hoặc thực hành ngay trên máy ảo Linux (Centos, Ubuntu, Kali Linux).

Bước 1: Tải Xamp (dùng bản 5.6)về và tiến hành cài đặt như bình thường.

Xóa tất cả các file trong thư mục: C:\xampp\htdocs

Bước 2: Mở Xampp Contorl Panel lên

Nhấn vào nút Start Apache, MySQL. (Nếu Start không được thì xem cách fix lỗi ở bài này)

11 08 2018 03 42 24 - Thực hành khai thác lỗi SQL injection với Sqli-labs

Bước 3: Bạn tải gói cài đặt Sqli-labs tại link bên dưới

Download SQLi-labs

Bước 4: Giải nén file vừa tải về, và copy vào thư mục C:\xampp\htdocs

Bước 5: Truy cập vào đường dẫn http://localhost trên trình duyệt Web.

Click vào Setup/reset Database for labs để bắt đầu cài đặt dữ liệu cho Sqli-labs

Nếu bạn thấy như hình bên dưới thì đã cài thành công.11 08 2018 04 22 19 - Thực hành khai thác lỗi SQL injection với Sqli-labs

Bước 6: Quay trở lại trang chủ localhost và click vào SQLi-LABS Page-1(Basic Challenges) để bắt đầu học từ bài 1.

Thực hành khai thác lỗi SQL injection với Sqli-labs
5 (100%) 4 votes

131 BÌNH LUẬN

  1. You are so interesting! I do not believe I’ve truly read a single thing like that before.
    So nice to discover someone with some original thoughts on this
    subject matter. Really.. many thanks for starting
    this up. This website is something that’s needed on the web, someone
    with a little originality!

  2. I’m impressed, I must say. Actually hardly ever do I encounter a weblog that’s both educative and entertaining, and let me inform you, you may have hit the nail on the head. Your concept is excellent; the problem is something that not enough persons are talking intelligently about. I am very completely satisfied that I stumbled across this in my search for one thing regarding this.

  3. Undeniably believe that which you said. Your favorite reason appeared to
    be on the internet the easiest thing to be aware of. I say to you,
    I definitely get annoyed while people think
    about worries that they plainly do not know about. You managed to hit the nail upon the
    top as well as defined out the whole thing without having side effect ,
    people can take a signal. Will probably be back to
    get more. Thanks

  4. Hiya! Quick question that’s entirely off topic. Do you know how
    to make your site mobile friendly? My website looks weird when browsing from my iphone.

    I’m trying to find a template or plugin that might be able to fix this problem.

    If you have any suggestions, please share. Thanks!

  5. Good day! This is my 1st comment here so I just wanted to give a quick shout out and tell you
    I genuinely enjoy reading through your articles.
    Can you recommend any other blogs/websites/forums that cover the same subjects?
    Appreciate it!

  6. Greetings! This is my first visit to your blog!
    We are a group of volunteers and starting a new project in a community in the same niche.
    Your blog provided us valuable information to work on. You have done a extraordinary job!

  7. I’ve been browsing online more than 2 hours today, yet I never found any interesting
    article like yours. It’s pretty worth enough for me. In my
    view, if all site owners and bloggers made good content
    as you did, the net will be much more useful than ever before.

  8. You’re so cool! I do not believe I’ve read through anything like that before.
    So wonderful to find another person with a few original
    thoughts on this topic. Seriously.. thank you for starting this up.
    This web site is one thing that’s needed on the web, someone with some originality!

  9. I’ve been surfing online more than three hours today, yet I never found any interesting article
    like yours. It’s pretty worth enough for me. Personally, if all web
    owners and bloggers made good content as you did, the internet will be a lot more useful than ever before.

  10. First of all I want to say terrific blog! I had a quick question which I’d like to ask if you don’t mind.
    I was curious to know how you center yourself and
    clear your head before writing. I’ve had difficulty clearing
    my mind in getting my thoughts out there. I do enjoy writing however it just seems like the first 10 to 15 minutes are lost simply just trying to figure out how to begin. Any suggestions or
    tips? Kudos!

  11. Hello there, I found your site by the use of Google whilst looking for a similar topic, your web site got here up,
    it appears to be like good. I’ve bookmarked it in my
    google bookmarks.
    Hello there, simply became alert to your weblog
    thru Google, and located that it is truly informative.
    I am going to be careful for brussels. I’ll be grateful for those who proceed this in future.
    Numerous folks might be benefited out of your writing.

    Cheers!

  12. hello there and thank you for your info – I’ve definitely picked up something new from right here.

    I did however expertise some technical issues using this
    web site, since I experienced to reload the web site a lot of times previous to I could get it to load properly.

    I had been wondering if your web hosting is OK?
    Not that I’m complaining, but slow loading instances times will sometimes affect your placement in google and can damage your quality score if advertising and marketing with Adwords.
    Well I’m adding this RSS to my email and can look out for
    much more of your respective fascinating content.

    Ensure that you update this again soon.

  13. Amazing blog! Do you have any tips for aspiring writers?
    I’m hoping to start my own site soon but I’m a little lost
    on everything. Would you recommend starting
    with a free platform like WordPress or go for a
    paid option? There are so many options out there that I’m
    totally confused .. Any recommendations? Thanks a lot!

  14. Howdy! This article couldn’t be written any better! Going through this post reminds me of my previous roommate! He always kept talking about this. I will forward this post to him. Pretty sure he’s going to have a very good read. Thanks for sharing!

BÌNH LUẬN

Please enter your comment!
Please enter your name here