Author: Xiaohua QQ: 56111981 www.hackbase.com Reposted from the blog: http://xiaohuar.blogchina.com. The article was meant to be sent to a magazine, but I was too lazy to write it up again, so I just posted it on my BLOG.
Network security is a very popular topic; whether expert or ordinary person, everyone knows more or less about it. In this environment, intrusion has become more widespread than ever, and everyone wants to be a master in this field. The most popular intrusion methods today are SQL injection and overflows. Here I will talk about SQL injection. In fact, SQL injection and overflows work in the same wonderful way: both use input the target does not expect, against its normal way of thinking. To put it simply, this article does not try to be comprehensive; that is beyond the author's level, but I want to take the opportunity to share. Simply understood, SQL injection means constructing a special SQL statement and letting the database execute it; the database can be any one. Today's injection vulnerabilities are endless, and there seems to be no safe web system. At home and abroad there are many similar articles. As a rookie I am amazed by those authors, and my heart is full of admiration and envy. If only I could also publish a few vulnerabilities! So I will write down some of my own experience and share it, and I hope it helps you quickly turn from a rookie into an expert.
Finding vulnerabilities is what everyone cares about most. To find one you can only read the source code; for a system without source code you can only guess at the injection vulnerability, which is particularly troublesome. Many hosts on the Internet run finished products, and their source code can be obtained from the Internet. As for how to determine which system a host uses, that needs some accumulated experience; it is hard to describe in words, so I will give a simple example.
Take Dvbbs (动网) 6 as an example: if you see a forum whose interface looks cool, 90% of the time it is a Dvbbs forum, and looking at the version at the bottom tells you it is Dvbbs 6. At that point you can go to Chinaz, download Dvbbs 6 and read its ASP source. Of course the vulnerability is already published; I am just telling you how to determine which web system is used. How is a vulnerability discovered? There is actually not much to say; mainly it takes solid basic knowledge. If you don't understand the HTTP protocol, don't know how to capture packets, and can't exploit a vulnerability when you find one, then the basics come first. With the basics in place, the rest is perseverance and patience. As for ability: many system vulnerabilities today are found by Zhang San and also found by Li Si; it mainly comes down to who looks, and who looks deeper. Some vulnerabilities cannot be found by reading the source code alone. The process of finding a vulnerability is also a process of becoming familiar with the web system: first understand its database structure, which is the most basic step. Next, read the files one by one. Don't just dive in: some pages check a session at the top, so even if there is a vulnerability further down it cannot be reached. The process of finding a vulnerability is really a process of reading file after file. Take the following as an example.
First, grasp the system flow, that is, how the system executes. The general system follows a beginning - middle - end pattern. The beginning generally outputs the HTML <head> section, which has no impact on our search for vulnerabilities. Files generally include a lot of header files, which makes everyone dizzy, but in fact the header files are of little use. What matters is the database connection file, the global configuration file and the function library. We can largely ignore these and consult them when we actually find a vulnerability; it is not too late then. However, the function library that filters input strings must be looked at. The end outputs the system copyright information. Some of it uses SQL queries, but it is not very useful here, so we can just glance at it. The middle part is where we focus our attention.
Secondly, focus on input variables, because these are what we control; where there is no external input variable there is nothing to talk about. Everyone must have this concept: whether by GET, POST or cookie, only variables submitted by the user can be set by us, and we can set them to whatever we want. What filtering the system applies after receiving the variables is another matter. Focus on the input variables that can participate in SQL execution; variables such as action or page only control the flow, are of no use at all, and there is no need to change their values. Furthermore, we must understand the database deeply; without a comprehensive grasp of the database you will likely miss many injection points, which is also the biggest difference between a master and a rookie. Our common databases are Access, MySQL and SQL Server; you need at least a deep understanding of them to find vulnerabilities. Grasp these two points and three aspects and it is easy to find vulnerabilities and exploit them.
1 The injection point is easy to find and easy to exploit
Vulnerabilities of this kind are believed to be very rare now; only an author who pays no attention to program security would still have them. The earlier classic ' or '1'='1 belongs to this class.
Typical form (a model; similar below):
Select * from tablename where user = 'Request("user")'
Select * from tablename where id = Request("id")
Some programs filter these variables, but not fully, so they also count as this class.
I believe this kind of vulnerability is easy to discover and also easy to exploit, not to mention prevent. Because it is easy to find, there are now very few of them. The few vulnerabilities I have found were of this kind, in several systems.
Figure 1: a Dvbbs plug-in change-password injection vulnerability
Figure 2: a PHP plug-in whose FTPID variable is not filtered
2 The injection point is easy to find, but relatively hard to exploit
Exploiting this vulnerability requires real injection skill, and it is basically impossible for program authors to avoid it entirely.
Typical form:
Select * from tablename where user = 'filterfunc(Request("user"))'
Select * from tablename where id = filterfunc(Request("id"))
That is, the input variables are filtered, but not thoroughly, so there is still a way in, especially when quotes are not filtered. Exploitation of this kind does exist; don't think it is simple.
Some programs only filter spaces, such as earlier BBSXP versions. Especially when the user-submitted data comes through cookies, authors are even more careless and only do simple filtering.
First let's talk about prevention; I will give a PHP example.
function getRequestVariables()
{
    // filter() is the program's own string-filtering function, defined elsewhere
    foreach ($_POST as $postKey => $postValue)
    {
        // create a global variable named after the key, holding the filtered value
        global $$postKey;
        $$postKey = filter(trim($postValue));
    }
    foreach ($_GET as $getKey => $getValue)
    {
        global $$getKey;
        $$getKey = filter(trim($getValue));
    }
}
The idea is to pass all variables through this function for routine filtering. Not all symbols are filtered, since each variable is different; after this filtering, a second filtering can be done in the specific page. The purpose is to prevent the programmer from forgetting, and once a variable is filtered the loss is minimized.
ASP can use a similar method.
The EDTI.asp file in the cloud download system from a few days ago belongs to this class. Since injection points of this class are easy to find, we need to talk about how to exploit them.
Take Select * from tablename where id = filterfunc(Request("id")) as an example. If the system only filters keywords such as exec, declare, -- and ;, we can still guess the username and password; all of this is based on the system's database structure.
Guessing the username and password length:
Select * from tablename where id = 1 and (select count(*) from admin where id = 1 and len(username) = 1) = 1
The id = 1 above is what we specify and depends on the situation. If the injected content returns true, the username of the admin with id 1 has length 1; otherwise keep guessing upwards. It basically won't be longer than 20 (if it is, that person is too strange). The password uses the same method, and guessing the characters is similar.
MySQL is a bit different, because MySQL does not support subqueries (not sure about 5.0). MySQL has to use the following method (the system must support UNION; many systems do now):
Select * from tablename where id = 111111 union select [field match] from admin where id = 1
Field match above means the number of fields must be equal; MySQL's column type check is very lax, and NULL can be used to pad out the match. The method above lets the system expose sensitive information, for example:
Select a, b, c from tablename where id = 111111 union select null, username, null from admin where id = 1
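The two things this section describes, a filter that strips only a few keywords in front of an unquoted numeric id, and the length-guessing and UNION statements that survive such a filter, can be seen side by side with the real fix. This is an added example written for this article, not the article's or any system's own code; it uses a constructed in-memory SQLite database with assumed admin and news tables, and SQLite spells len() as length().

```python
import sqlite3

def make_db():
    """Constructed sample database standing in for a site's own tables (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'root', 'secret');
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'hello');
    """)
    return con

def filterfunc(value):
    """Stand-in for the article's filterfunc: strips a few keywords, nothing else."""
    for bad in ("exec", "declare", "--", ";"):
        value = value.replace(bad, "")
    return value

def lookup_vulnerable(con, raw_id):
    """Mirrors: Select * from tablename where id = filterfunc(Request("id")).
    The id is unquoted, so whatever survives the filter is executed as SQL."""
    return con.execute("SELECT * FROM news WHERE id = " + filterfunc(raw_id)).fetchall()

def lookup_safe(con, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The id can never be parsed as SQL, so the length and UNION inputs are rejected."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT * FROM news WHERE id = ?", (int(raw_id),)).fetchall()

# The article's two statement shapes, in SQLite syntax (length() instead of len()).
LENGTH_PROBE = "1 and (select count(*) from admin where id = 1 and length(username) = {n}) = 1"
UNION_PROBE = "111111 union select null, username from admin where id = 1"
```

Running lookup_vulnerable with LENGTH_PROBE shows the "returns true / returns false" difference the article relies on as one row versus no rows, while lookup_safe refuses both probes before the database ever sees them.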
As for the idea of "returns true", it is vague. It can be a flag the server returns, such as HTTP 500 for an internal error, or it can be judged from the page content; much of this has to come from experience.
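From the server side, the same true/false probing leaves a recognisable trace: one client sending the same page repeated requests whose id carries select/union/len() fragments, some of them answered with HTTP 500. The following is an added detection example, not part of the article; the log lines are constructed in Common Log Format, and the pattern list is limited to the statement shapes this article shows.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic); line 2-4 imitate the article's probes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:00:01 +0800] "GET /news.asp?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2005:10:00:02 +0800] "GET /news.asp?id=1+and+(select+count(*)+from+admin+where+id=1+and+len(username)=4)=1 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2005:10:00:03 +0800] "GET /news.asp?id=1+and+(select+count(*)+from+admin+where+id=1+and+len(username)=5)=1 HTTP/1.1" 500 312
10.0.0.9 - - [12/Mar/2005:10:00:04 +0800] "GET /news.asp?id=111111+union+select+null,username,null+from+admin+where+id=1 HTTP/1.1" 200 4870
10.0.0.7 - - [12/Mar/2005:10:00:05 +0800] "GET /news.asp?id=2 HTTP/1.1" 200 5200
"""

# client, request target and status code from a Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
# fragments the article's own injection forms leave in a query string
INJ_RE = re.compile(r"(?i)\b(?:select|union)\b|count\(\*\)|\blen(?:gth)?\s*\(")

def scan_log(text):
    """Per client: how many requests carried SQL fragments, and how many of those got a 500."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        query = unquote_plus(target.partition("?")[2])  # decode '+' and %xx before matching
        if INJ_RE.search(query):
            counts = hits.setdefault(ip, Counter())
            counts["suspicious"] += 1
            if status == "500":
                counts["errors"] += 1
    return hits
```

A client whose suspicious count climbs while its 500s stay mixed in is exactly the "judge from the response" loop the article describes, and is worth alerting on even when every individual request returned 200.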
3 The injection point is very concealed, but once you find it, you can exploit it
This kind of vulnerability requires deep skill and long-term accumulation. Such vulnerabilities are few, but they have a wide impact once discovered. The prime network User-agent injection vulnerability and the BBSXP 5.0 SQL vulnerability should belong to this class.
On this I can only throw out a brick in the hope of attracting jade.