LCX
SQL injection is the technical term for submitting SQL code to an application in a way its developer never anticipated. A SQL injection attack works by getting the original web program (a forum, a guestbook and so on) to execute the attacker's SQL statement, thereby obtaining host privileges, user passwords and other information, and so achieving an intrusion over port 80. Because it relies on SQL statements, a SQL injection attack is unlike intrusions that target the host system or the web program itself, and the methods vary widely. Here I summarize one common SQL injection attack method that is simple and practical: the cross-table query of SQL injection with Access.
Let us look at an example first and summarize afterwards. The Dvbbs article system is an article management system developed and maintained by www.aspsky.net, and it is very widely used in China. Because its list.asp file does not filter the user input that it passes into a SQL query, a remote attacker can exploit this vulnerability to perform a SQL injection attack. Look at the relevant code in list.asp:
SQL = "Select aclass.class, anclass.nclass, article.title, article.classid, article.nclassid from article, aclass, anclass where article.classid = aclass.classid and article.nclassid = anclass.nclassid and article.ArticleID = " & request("id")
If you do not know ASP this may look intimidating, but it is nothing; I will walk through it. The database used by the Dvbbs article system is Article.mdb. Open it with Access 2000, see Figure 1. ACLASS, Admin, ANCLASS and ARTICLE in Figure 1 are the table names in Article.mdb. The Article table stores the collected articles, Figure 2. The admin table stores the administrator names and passwords of the article system, Figure 3. The other two tables, aclass and anclass, store the article categories. The list.asp code above selects the information you want to see from these tables. If ArticleID in Figure 2 is 102, that corresponds to id=102 in the list.asp code, and what we see is Figure 4: an article titled "Damware experience", belonging to the technical library, with ArticleID 102; the rest of its information can be found in Article.mdb. The programmer certainly did not intend to expose anything here. However, look at list.asp again: the author does not restrict the type of the ID parameter. That is, in http://192.168.1.3/wz/list.asp?id=102 from Figure 4 we can casually change 102 to something else, 56 or 33 or 47, and the page shows another article from the database. Now instead append a condition that is always true, such as 1=1 or 2=2, so that it lands inside the SQL statement: change the URL to http://192.168.1.3/wz/list.asp?id=102 and 11 = 11, Figure 5. An error page appears. Note that I tested many installations of the Dvbbs article system and the error takes different forms: some display the article normally with a 0x800A000D error at the bottom, some show only a single error line. Next append a condition that is false, so that its value also lands inside the SQL statement: change the URL to http://192.168.1.3/wz/list.asp?id=102 and 11 = 1 and see what is displayed, Figure 6. As you can see, the page says no related article was found.
Here we have found a rule: as long as the condition appended after id=102 is false, the page will say that no related article was found; if a 0x800A000D error or another response like Figure 5 appears, the condition appended after id=102 is true.
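The rule just stated follows directly from the way list.asp builds its query, and the fix is equally direct. The following is an added example, not code from the original page or from the aspsky.net system: it rebuilds a constructed, simplified Article.mdb in SQLite (the real list.asp joins three tables, and its true-condition response was an error page rather than the article; the point, two distinguishable responses, is the same), shows the concatenation that list.asp uses, and beside it a hardened version that validates the id as an integer and binds it as a parameter. The table names follow the page; the rows and the function names are invented for the example.

```python
import sqlite3

# Constructed stand-in for Article.mdb: same table names as the page,
# invented sample rows (the real admin row in Figure 3 has ID 11 and Password 123).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, flag INTEGER);
        INSERT INTO article VALUES (102, 'Damware experience');
        INSERT INTO article VALUES (56, 'Another article');
        INSERT INTO admin VALUES (11, 'admin', '123', 1);
        INSERT INTO admin VALUES (12, 'editor', 'abc', 2);
    """)
    return db

def list_asp_vulnerable(db, raw_id):
    """Mirrors list.asp: the id parameter is concatenated straight into the SQL.
    Whatever the caller appends after the number becomes part of the WHERE
    clause, so the result depends on the truth of the appended condition.
    Returns the title when a row matches, None when the page would say
    'no related article found'."""
    sql = "SELECT title FROM article WHERE articleid = " + raw_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def list_asp_hardened(db, raw_id):
    """Two independent defences: reject anything that is not a plain integer,
    and pass the value as a bound parameter so it can never alter the
    statement's structure even if the first check were bypassed."""
    if not raw_id.strip().isdigit():
        raise ValueError("id must be an integer")
    row = db.execute("SELECT title FROM article WHERE articleid = ?",
                     (int(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    for raw in ("102", "102 and 11 = 1", "102 and 11 = 11"):
        print(repr(raw), "->", list_asp_vulnerable(db, raw))
    try:
        list_asp_hardened(db, "102 and 11 = 11")
    except ValueError as exc:
        print("hardened version:", exc)
```

The vulnerable function reproduces the page's observation exactly: a false appended condition returns nothing, a true one returns the article, and a condition whose truth depends on a subquery against the admin table returns one or the other according to that table's contents. The hardened function never reaches the database for such input; where an application must accept the value anyway, the bound parameter alone is enough, since the driver sends it as data rather than SQL text.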
Now learn one SQL statement and one function with me; using just these we can obtain the password of the Dvbbs article system, very simply. Look at Figure 2: the table name is admin and the field names are ID, Username, Password and Flag. ID is an automatically numbered serial; UserName and Password are self-explanatory; Flag is the user level set by the programmer, where 1 means a super user, 2 an administrator and 3 a normal user, each with different permissions. Knowing the structure of the table, learn this SQL statement: select id from admin where flag = 1 means select the ID value from the admin table where Flag = 1. From Figure 3 we know that the ID whose Flag is 1 is 11, so the value of this statement is 11. The statement can of course be varied, for example select id from admin where password = 123 or select username from admin where password = 123, which select respectively the ID value and the username where Password = 123; once understood, it reads much like an English sentence. Next is the function left(). LEFT(LCX, 1) means select the first (leftmost) character of the field LCX, which is L; LEFT(LCX, 2) means select the leftmost two characters of the field LCX, which is LC.
Now we are ready, so let us start. First construct a SQL statement to determine the ID value of the first administrator in the article system's database (some installations of the article system have more than one administrator; Figure 3 has one). Submit http://192.168.1.3/wz/list.asp?id=102 and 1 = (select min(id) from admin where flag = 1). This uses one more function, min(), which means the smallest value. Looking at Figure 3, the smallest ID is 11, so select min(id) from admin where flag = 1 should be 11, and the statement becomes http://192.168.1.3/wz/list.asp?id=102 and 1 = 11. By the rule we found, the page should say no related article was found, as in Figure 7. We keep trying until we change the 1 in this statement to 11: http://192.168.1.3/wz/list.asp?id=102 and 11 = (select min(id) from admin where flag = 1), which amounts to http://192.168.1.3/wz/list.asp?id=102 and 11 = 11. The result, Figure 8, is an error. This shows that the ID value of the first administrator is 11. Having obtained the smallest ID value, we determine the password. Construct the following: http://192.168.1.3/wz/list.asp?id=102 and 11 = (select id from admin where left(password, 1) = 'x'). The 11 in the statement is the ID value of the first administrator that we just determined. select id from admin where left(password, 1) = 'x' selects the ID from the admin table whose password has x as its first character; in a SQL statement a non-numeric value must be enclosed in single quotes, and x is whatever value we choose. Let us set x to 2 and try. Obviously, since in Figure 3 the value of Password is 123, left(password, 1) should equal 1, so select id from admin where left(password, 1) = '2' naturally yields no ID value. So list.asp?id=102 is followed by a false condition, and the page says no related article was found, which shows that the first character of the password is not 2, Figure 9. Now try select id from admin where left(password, 1) = '1': there is an error, Figure 10. This shows that the condition after id=102 is true, and that the first character of the first administrator's password is 1. Having guessed the first character, guess the second: http://192.168.1.3/wz/list.asp?id=102 and 11 = (select id from admin where left(password, 2) = '1x'). Look at this statement carefully; we change the value of x to 2, Figure 11. There is an error, showing that the first two characters of the password are 12. Continuing in order, you soon obtain the password, 123.
You can also use the len(password) function: http://192.168.1.3/wz/list.asp?id=102 and 11 = (select id from admin where len(password) = 'num') determines the length of the password first. You can also learn the asc() and mid() functions and use them to narrow the character range of each password position quickly and obtain the password value sooner. In short, whatever SQL statement or function you construct, as long as the page says no related article was found, the password in that SQL statement is not the one that was set and the condition after the ID is false; if it displays anything else, you guessed the password and the condition after the ID is true. By the same reasoning, you can change password to username in the SQL statement to obtain an administrator's username. Now let us try the Throne Download System 1.0. First look at the show.asp source: SQL = "SELECT * from Download WHERE ID = " & Request("ID"). You understand this statement now: it finds the software with ID = * in the Download table. Again, show.asp does not filter the user input it passes into the SQL query, so a remote attacker can exploit this vulnerability to perform a SQL injection attack.
The Download table in its database stores the information of the software available for download, and the admin table stores the system administrator information. The admin table has four fields, ID, admin, pws and regsex, which store the administrator serial number, username, password and gender; RegSex = 0 means the administrator is male. We find the same rule here: if a false condition follows the id in show.asp, the page says the software was not found; anything else indicates that the condition following show.asp is true.
In the same way as for the article system, determine the ID value of the first administrator with the statement http://ip/down1.0/show.asp?id=2 and x = (select min(id) from admin where regsex = 0), where x is a value you choose. id=2 refers to a page that normally displays software information. This is the same as the article system described above: if the page says the software was not found, the x value you wrote is not the ID of the first administrator; if the software is displayed, you guessed the first administrator's ID. Suppose we have obtained the first administrator's ID as 1; now guess the password with http://ip/down1.0/show.asp?id=2 and 1 = (select id from admin where left(pws, x) = 'x'). Note that because the password field of this download system is pws, pws is what is written in the SQL statement. Here is the case of a wrong guess, tested on my own machine with the URL http://192.168.1.3/asp/d1/show.asp?id=2 and 1 = (select id from admin where left(pws, 1) = '1'), Figure 12: the software is not found, indicating that the first character of the password is not 1. And here is the case of a correct guess, with the URL http://192.168.1.3/asp/d1/show.asp?id=2 and 1 = (select id from admin where left(pws, 2) = 'AD'), Figure 13: the software information is displayed normally (not "software not found"), indicating that I guessed correctly and the first two characters are AD. Through these two SQL injection analyses you should have learned a common SQL injection attack method, the cross-table query of SQL injection with Access. Its workflow can be defined as follows: the target is an ASP + Access program, and the page that submits to SQL is an ASP page with a numeric parameter, like http://url/target.asp?id=num; the method is to download a copy of the same script as the web program you want to attack, analyze its ASP pages with numeric parameters to see whether the num parameter is passed into a SQL query without filtering the user input, open the database and become familiar with the structure of each table, then carefully construct cross-table SQL statements with conditions that are true or false, and judge from the difference in the returned information whether each one is correct.
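The workflow above also gives the defender a clear signature: every request in it carries, in a parameter that should only ever be an integer, an appended boolean condition and usually a subquery. The following is an added example, not code from the original page or from either system it discusses: a small scanner run over constructed, simplified IIS-style log lines (date, time, client IP, method, URI stem, URI query, status; the layout and the addresses are invented for the example, though the payload shapes are the ones shown on this page) that flags numeric-id pages whose id value is not a plain integer and classifies what was appended.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log: simplified IIS-style fields separated by spaces.
# Query strings are URL-encoded as a web server would record them.
SAMPLE_LOG = """\
2003-05-01 10:00:01 192.168.1.9 GET /wz/list.asp id=102 200
2003-05-01 10:00:05 192.168.1.9 GET /wz/list.asp id=102%20and%2011%3D11 500
2003-05-01 10:00:09 192.168.1.9 GET /wz/list.asp id=102+and+11%3D(select+min(id)+from+admin+where+flag%3D1) 500
2003-05-01 10:01:00 192.168.1.20 GET /wz/list.asp id=56 200
2003-05-01 10:02:00 192.168.1.9 GET /down1.0/show.asp id=2+and+1%3D(select+id+from+admin+where+left(pws,1)%3D'1') 200
"""

NUMERIC = re.compile(r"^\d+$")
# Shapes from the technique on this page: a boolean condition appended to a
# numeric id, optionally carrying a subquery against another table.
BOOLEAN_TAIL = re.compile(r"\b(and|or)\b.*(=|<|>)", re.IGNORECASE)
SUBQUERY = re.compile(r"\(\s*select\b", re.IGNORECASE)

def classify_query(query, param="id"):
    """Return None when the id parameter is a plain integer (or absent),
    otherwise a label describing what was appended to it.
    Parameter names are compared case-insensitively because ASP's
    Request() does not distinguish id from Id."""
    params = {k.lower(): v for k, v in
              parse_qs(query, keep_blank_values=True).items()}
    for value in params.get(param, []):
        value = value.strip()
        if NUMERIC.match(value):
            continue
        if SUBQUERY.search(value):
            return "subquery-in-numeric-id"
        if BOOLEAN_TAIL.search(value):
            return "boolean-condition-in-numeric-id"
        return "non-numeric-id"
    return None

def scan_log(text):
    """Parse each line into its seven fields and collect (client IP, URI stem,
    label, status) for every request whose id value is suspicious."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed line; skip rather than guess its fields
        _date, _time, ip, _method, stem, query, status = parts
        label = classify_query(query)
        if label:
            findings.append((ip, stem, label, status))
    return findings

def count_by_ip(findings):
    """Repeated true/false probes from one client are the tell-tale pattern,
    so summarise findings per source address."""
    counts = {}
    for ip, _stem, _label, _status in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(count_by_ip(hits))
```

Two points the sample shows: the HTTP status is not a reliable discriminator (the show.asp probe returned 200, exactly as the page describes for a true condition), so the classification rests on the parameter value itself; and a single flagged request matters less than a run of them from one client, which is what the per-IP count surfaces. The same integer check that drives the classifier is the one the application should have applied before building its query.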