Author: NB Alliance - Kotake (QQ: 48814)
Speech
With the development of B / S mode application development, programmers who use this model to write applications have become more and more. But due to the entry of this industry
The threshold is not high, the level of programmers is uneven, quite large part of the programmer does not enter the user when writing code.
The legality is judged to make the application have security hazards. Users can submit a database query code, obtain the result returned by the program, obtained
Some of the data he wants, this is the so-called SQL INJECTION, which is SQL injection.
SQL injection is accessed from normal WWW port, and the surface looks with the general web page access, so the current market
The firewall will not issue an alert to SQL injection. If the administrator does not view the habit of the IIS log, it may be found for a long time.
However, the technique of SQL injection is quite flexible, and there will be many unexpected situations when injected. Can you analyze according to specific circumstances
, Construct a smart SQL statement to successfully obtain the desired data, is the fundamental difference between the master and the "rookie".
According to national conditions, domestic websites use ASP Access or SQLServer to account for more than 70%, PHP MySQ accounts for L20%, and there are less than 10% of others. In this article
We started from the entry, advanced to advanced explanation of the method and techniques of ASP injection, and the article injected from the NB Alliance Zwell wrote Zwell
I hope to use the security workers and programmers. For friends who know the ASP injection, please don't skip the entry, because some people have the basic judgment of the injected
There is also a misunderstanding method. Are you ready? Let's go ...
Entry
If you haven't tried SQL injection before, then first step first put the IE menu => Tool => Internet option => Advanced => Show friendly HTTP
Error message out the hook in front. Otherwise, no matter what the server returns, IE is only displayed as HTTP 500 server error, and more
Tips.
Section 1, SQL injection principle
Here we start starting from a website www.19cn.com (Note: This article has been approved before the discipline of the station, most of which is real data).
On the home page of the website, there is a link called "IE can't open a new window", the address is:
Http://www.19cn.com/showdetail.asp?id=49, we add single quotes after this address, the server will return the following error
prompt:
Microsoft Jet Database Engine Error '80040e14'
String syntax errors in Query Expressions' ID = 49 ''.
/SHOWDETAIL.ASP, line 8
From this error prompt we can see the following:
1. The website is used by the Access database, connects the database via the JET engine, not through the ODBC.
2. The program does not determine whether the data submitted by the client meets the program requirements.
3. This SQL statement is inquired with a field of ID.
From the above example we can know that the principle of SQL injection is to submit special code from the client, resulting in collecting programs and servers.
Information to get the information you want to get. In the second section, it is determined whether SQL injection can be performed.
After reading the first quarter, some people will feel: I am also often the test can be injected. Is this not very simple?
In fact, this is not the best way, why?
First, it is not necessarily that IIS of each server returns a specific error prompt to the client. If the program is added, the program is added, the statement is added.
SQL injection is not successful, but the server will also report an error, the specific prompt information is wrong on the server when processing the URL. Please and system administrators
connection.
Second, some of the programmers in part of SQL injection, think that as long as the single quadrature is filtered out, this is not a small number, such as
If you use a single quotation, you can't measure the injection point.
So, what kind of test method is more accurate? The answer is as follows:
1 http://www.19cn.com/showdetail.asp?id=49
2 http://www.19cn.com/showdetail.asp?id=49 and 1 = 1
3 http://www.19cn.com/showdetail.asp?id=49 and 1 = 2
This is the classic 1 = 1, 1 = 2 test method, how to judge? See what the three URLs returned above:
Performance of can be injected:
1 Normal display (this is inevitable, otherwise it is wrong)
2 Normal display, content is basically the same as 1
3 prompts BOF or EOF (when the program does not do any judgment), or the record cannot be recorded (judges RS.eof), or the display is empty (the process
ON Error ResMe next)
It is easier to judge if it cannot be injected. 1 is also normal display, 2 and 3 generally have a program defined error message, or time to switch
Error.
Of course, this is just the incoming parameter is the judgment method used by the digital type. When the actual application, there will be characters and search type parameters, I will
The "SQL Injection General Steps" of the Intermediate Party will be analyzed.
In the third quarter, judgment the database type and injection method
Different database functions, the injection method is different, so before the injection, we must also judge the type of database. general
ASP's most common database is Access and SQL Server, and more than 99% of websites on the Internet are one of them.
How to let the program tell you what database it uses? come and see:
SQLServer has some system variables, if the server IIS prompt is not closed, and SQL Server returns an error prompt, then it can be directly
The error information is obtained, the method is as follows:
http://www.19cn.com/showdetail.asp?id=49 and user> 0
This sentence is very simple, but it contains the essence of SQLServer's unique injection method. I also found this effect in a unintentional test.
Legal guessing method. Let me see the meaning of it: First, the statement in front is normal, focus on and user> 0, we know,
User is a built-in variable of SQLServer, which is the user name currently connected, and the type is nVarchar. Take a nvarchar value with int
Number 0, the system will try to turn nVARCHAR's value to int type. Of course, the process will definitely errors, and SQLServer's error prompt is: syntax when the nVARCHAR value "ABC" conversion data type INT is syntax Error, huh, ABC is the value of the variable user, so
The force of scrap blowing got the username of the database. In the subsequent space, everyone will see a lot of statements with this method.
By the way, it is well known that SQLServer's user sa is a role of equivalent adminstrators, got SA privileges, almost will
I can get the Administrator of the host. The above method can be very convenient to test whether it is logged in with sa, pay attention to: if it is SA
Login, the prompt is a column that converts "DBO" into int to occur, not "SA".
If the server IIS is not allowed to return an error prompt, how do you determine the database type? We can get from Access and SQLServer and
Hands, Access and Sql Server have its own system table, such as the table that stores all objects in the database, Access is in the system table
[msysObjects], but read the table in the web environment will prompt "No Permissions", SQL Server is in the table [sysobjects], in the web environment
You can read it normally.
In the case where you can inject, use the following statement:
http://www.19cn.com/showdetail.asp?id=49 and (select count (*) from sysobjects> 0
http://www.19cn.com/showdetail.asp?id=49 and (Select Count (*) from MsysObjects> 0
If the database is SQL Server, then the page of the first URL with the original page http://www.19cn.com/showdetail.asp?id=49 is
The same; and the second URL, because the table MsysObjects can not be found, it will prompt an error, even if the program has fault tolerance, the page is also with the original page.
completely different.
If the database is access, then the situation is different, the page of the first URL is completely different from the original page; the second URL,
Depending on whether the database settings allow reading the system table, it is generally not allowed, so it is also completely different from the original URL. In most cases, use
The first URL can know the database type used by the system, and the second URL only uses the verification when IIS error prompts.
(Getting started) --------------------------------------------- --------------------------- Description: Using the NBSI-NB Alliance SQL Injection Analyzer can detect various SQL injection vulnerabilities and decoding, Improve the efficiency of guessment. Copyright: This article is my original serial article, starting from www.54nb.com, welcome to all the sites to reprint, please keep copyright information, the media magazine reprint
Contact me first.
