Network security is a very popular topic today, for experts and ordinary people alike, and intrusions have become more common than ever. Everyone wants to be a master in this field. The most popular intrusion techniques at present are SQL injection and overflows, and here I will talk about SQL injection. In fact, SQL injection and overflows share the same wonderful quality: both reach their goal by using the target in a way that normal thinking does not anticipate. To put it simply, I do not believe any intruder can be comprehensive, and my own level is limited, but I want to take this opportunity to write down some of what I know and share it, in the hope that it helps a rookie become a master faster.

Put simply, SQL injection means constructing a special SQL statement and getting the database to execute it; the database can be any one. Injection vulnerabilities today are endless, and there seems to be no safe web system anywhere, at home or abroad, so there are similar articles everywhere. As a beginner I was amazed by their authors and wished I could publish a few vulnerabilities myself.

Finding a vulnerability is what everyone cares about most. You can only look for vulnerabilities in source code; for a system whose source you do not have, you can only guess, which is particularly painful. Many hosts on the Internet run finished products whose source code can be obtained from the Internet. Determining which system a host uses takes some accumulated experience and is hard to describe in words, so I will give a simple example. Take Mobile Network forum 6: if you see a forum with that familiar interface, 90% of the time it is a Mobile Network forum, and the version shown at the bottom of the page tells you it is version 6. You can then get Mobile Network 6 from Chinaz and read its ASP code.
Of course, vulnerabilities get published; here I only tell you how to determine which web system is used. How is a vulnerability discovered? There is actually not much to say: it mainly takes solid basic knowledge. If you do not understand the HTTP protocol and cannot capture packets, you will not find a vulnerability, and if you did you could not use it, so it is best to get the basics right first. With the basics in place, the rest is perseverance and patience. As for ability, many system vulnerabilities today are found by Zhang San and also by Li Si; it mainly comes down to who looks, and who digs deeper. Some vulnerabilities cannot be found at all without reading the source code. The process of finding a vulnerability is also the process of becoming familiar with the web system. First understand its database structure, which is the most basic step. Then read the source file by file, but not blindly: some pages check the session at the top, so a vulnerability further down cannot be reached. Finding a vulnerability is really a process of reading files. I will use the following as an example.

First grasp the system flow, that is, how the system executes. A typical system follows a beginning, middle, end pattern. The beginning generally outputs the HTML between the <head> tags and has no bearing on finding vulnerabilities. Files usually include many header files, which makes everyone dizzy, but in fact most of them are not used; the ones that matter are the database connection file, the global configuration file and the function library. These can be ignored at first and consulted when finding a vulnerability requires them; that is not too late. The function library that filters input strings, however, must be read. The end outputs the system copyright information; some of it uses SQL queries, but it is of little use here and a glance is enough. The middle part is where we focus our attention.

Secondly, focus on input variables, because these are what we control; a variable with no external input is not worth discussing. Everyone must have this concept: whether by GET, POST or cookie, only variables submitted by the user can be set by us, and that is all we can influence. How the system filters variables after receiving them is another matter. Concentrate on the input variables that take part in SQL execution; variables such as action or page only control the flow, are of no use and there is no need to change their values. Furthermore, we must understand the database deeply. Without a comprehensive grasp of the database we are likely to miss many injection points, which is the biggest difference between a master and a rookie. The common databases are Access, MySQL and SQL Server, and at least these must be understood deeply to find vulnerabilities. Those are the two key points; below are three categories of injection point, with examples from my own discoveries.

1. Injection points that are easy to discover and simple to use. Such vulnerabilities are now very few; only an author who simply does not care about the program's security leaves them.
The classic 'or'1=1 belongs to this type. The model looks like this:

    select * from tablename where user = 'request("user")'
    select * from tablename where id = request("id")

Some programs filter these variables, but incompletely, and they can still be counted in this class. I believe everyone can discover and use such a vulnerability, so there is no need to talk about prevention. This type is easy to find and rare; I have found a few of this kind in several systems.

Figure 1: an injection vulnerability in a Mobile Network change-password plug-in
Figure 2: an unfiltered FTPID variable in a PHP plug-in

2. Injection points that are easy to discover but relatively difficult to use. Exploiting this type requires high skill, and an author can basically never avoid it entirely. The typical model:

    select * from tablename where user = 'filterfunc(request("user"))'
    select * from tablename where id = filterfunc(request("id"))

The input variable is filtered, but not completely, so a line of life remains, especially where quotation marks are not filtered. This kind of exploitation really exists; do not think it is simple. Some programs filter only spaces, such as the earlier BBSXP system. And when user data arrives in cookies, authors are even more careless and apply only a simple filter. Let me first talk about prevention, with a PHP example:

    <?php
    // Run every GET and POST value through trim() and the program's own
    // filter() function, then expose it as a global variable named after
    // the request key. filter() is the program's filtering routine and is
    // not shown in this article.
    function getRequestVariables() {
        foreach ($_POST as $postKey => $postValue) {
            global $$postKey;
            $$postKey = filter(trim($postValue));
        }
        foreach ($_GET as $getKey => $getValue) {
            global $$getKey;
            $$getKey = filter(trim($getValue));
        }
    }
    ?>

The idea is to use this function to do a routine preliminary filtering of all input. Not every symbol is filtered at this stage, because the data each variable needs is different.
After this general filtering, you can do a second filtering in the specific page. The purpose is to prevent a filter that was forgotten earlier from doing harm; once the preliminary filter is in place, the loss is minimized. ASP can use a similar method. The EDTI.asp file of the Cloud download system from a few days ago belongs to this class. Since such injection points are easy to find, it is necessary to talk about how to use them.
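As an added example (not code from the article), the two query models above in Python against an in-memory SQLite table: the string-built lookups are open to the classic 'or'1=1 pattern, stripping quotes does not protect a numeric id column at all, and parameterized queries close both holes. The admin table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small admin table like the one the article guesses at.
    con = sqlite3.connect(":memory:")
    con.execute("create table admin (id integer primary key, username text, password text)")
    con.executemany("insert into admin (username, password) values (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def find_by_user_vulnerable(con, user):
    # Mirrors: select * from tablename where user = 'request("user")'
    sql = "select * from admin where username = '%s'" % user
    return con.execute(sql).fetchall()


def find_by_id_vulnerable(con, id_str, strip_quotes=True):
    # Mirrors: select * from tablename where id = filterfunc(request("id"))
    # The "filter" only strips quotes, but a numeric column needs no quote,
    # so the value is still spliced straight into the statement.
    if strip_quotes:
        id_str = id_str.replace("'", "")
    sql = "select * from admin where id = %s" % id_str
    return con.execute(sql).fetchall()


def find_by_user_safe(con, user):
    # Parameter binding: the value is never parsed as SQL.
    return con.execute("select * from admin where username = ?", (user,)).fetchall()


def find_by_id_safe(con, id_str):
    # Enforce the type first, then bind; anything that is not an integer is rejected.
    try:
        id_val = int(id_str)
    except ValueError:
        return []
    return con.execute("select * from admin where id = ?", (id_val,)).fetchall()
```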
Take the following as an example:

    select * from tablename where id = filterfunc(request("id"))

If the system filters only keywords and symbols such as exec, declare, //, - and ;, we can still guess the username and password; all of this depends on the system's database structure. To guess the length of the username:

    select * from tablename where id = 1 and (select count(*) from admin where id = 1 and len(username) = 1) = 1

Whether the id = 1 above exists depends on the specific situation. If injecting this returns true, the username of the admin whose id is 1 has length 1; if false, continue guessing. I think the length is basically never above 20 (if it is, that person is too absent-minded). The password uses the same method, and guessing the characters is similar. MySQL is a bit different, because MySQL does not support subqueries (I am not sure about 5.0). MySQL needs the following method (if the system supports union, and many do):

    select * from tablename where id = 111111 union select [field match] from admin where id = 1

The field match means the number of columns must be consistent with tablename; MySQL's column type check is lax, and null can be used to pad the match. This method makes the system expose sensitive information. For example:

    select a, b, c from tablename where id = 1111111 union select null, username, null from admin where id = 1

The notion of "returning true" above is vague. It may be a flag returned by the server, such as an HTTP 500 internal error, or it may have to be judged from the page; that takes experience.

3. Injection points that are very hidden. Finding this type requires deep skill and long-term effort. Such vulnerabilities are very few, but they have a wide effect once discovered. The Prime Network User-Agent injection vulnerability and the BBSXP 5.0 SQL vulnerability belong to this class.
I can only offer my own ideas in this area.

Author: Xiaohua (flowers), QQ: 56111981, http://xiaohuar.blogchina.com. Reproduction must indicate the source.