Advanced SQL injection

1. avoid input filtering

Input filtering exists both externally and internally, externally belonging to the Web application firewall WAF, intrusion prevention system IPs, intrusion detection system IDs, internal code to filter the input

Filter select,insert and other SQL keywords and ' |, and other characters

(1) Case variant: Change the keyword to select * from UserINFO because the filter is for all uppercase or all lowercase, it is rarely filtered by the combination of casing and case. If a single filter will affect the user's normal input.

(2) Using SQL Comment: PHP uses stristr (' A ', ' B ') to determine the first occurrence and return of B in a, by

Determines whether the input contains keywords and is case insensitive and binary safe. are followed by a space to check

Use/**/instead of space to replace with like

(3) Using URL encoding: URL encoding is done through the browser, different browser encoding method. IE11 use gb2312,firefox3.2 use UTF-8, decoding is based on the encoding mode of the server decoding, so often the development process will appear in Chinese did not encode it will lead to garbled problems, that is, browser encoding and server decoding inconsistency problem. This also produces the difference between get and post, and get is automatically encoded by the browser. But post is determined by the charset in the request header ContentType encoding mode and tells the server how to decode it. Therefore, when using URL encoding to bypass SQL filtering and get injection to consider the browser encoding mode and server decoding mode, a random page can see the server decoding mode. JS Ajax technology is the same. Escape is the code for GB2312, Urlencordcompontent is for UTF-8.

Some for the Chinese query will be in the previous paragraph UTF-8 encoding and then UTF-8 (iso-8859-1), the server side reverse decoding. Dual URL encoding is required.

Original injection: C ' and if (current_user () = ' [email protected] ', 1,0) #ww

C '%2f%2a%2a%2fand%2f%2a%2a%2fif%28current_user%u0023%29%3d ' Root%40localhost '%2c1%2c0)%3B%23ww

(4) Working with Dynamic queries: SQL Server allows execution of statements with exec (")

EXEC (' select * from sysobjects ')

Misuse of character connections bypasses SQL filtering

EXEC (' s ' + ' e ' + ' l ' + ' e ' + ' + ' + ' + ' + ' + ' + ' + ' + ' + ' + '/**/*/**/f ' + ' r ' + ' O ' + ' m/**/s ' + ' y ' + ' s ' + ' o ' + ' B ' + ' j ' + ' e ' + '

Use char () to construct a single character without introducing any quotation marks.

Sqlsever can be directly used in the declaration of variables, assigned to 0x 16 binary

DECLARE @query varchar (100)

Set @query =0x73656c656374202a2066726f6d207379736f626a65637473

EXEC (@query)

(5) Use NULL characters: Many IDs or WAF are written by native code such as C + +. For null characters, truncation stops processing.

%00 ' UNION SELECT PASSWORD from tblusers WHERE username= ' ADMIN '--

Native code refers to code that can be executed directly on the CPU without the need for external application libraries such as virtual machine sandboxes.

(6) For stripping the string: The first time after stripping will not iterate the filter, so you can selselectect to inject

2. second-order SQL injection

(1) Cause: An attacker would need to store the target value or something useful in the database at the time of the first injection. The target value is then read out through the second query.

Application Example: Set the user name to ' +substring (@ @version, 1,50) + ' when adding a user

The database is inserted in the following statement: INSERT into userinfo values (' +substring (@ @version, 1,50) + ', ' wwww ');

This will insert the version information into the User name field, at random to see the user name to know the database version number and other information.

The key consideration is that the string connectors of different databases also close the quotation marks before and after, so that the injected statement can be executed and saved in the database.

The main consideration is the user name and other information in the process of the specific processing, filtering or stripping, or by encoding, capitalization and other methods of a

A try

During the insert process, such as user name, the user name is often set to XXX ' union SELECT COUNT (*), COUNT (*) from XXX and other information to carry out second-order injection, in the face of the case of input filtering to bypass.

(2) Looking for second-order injection points: Common tools can not be swept out, only by hand injection.

1. Find data items that can be manipulated and stored by the user

2. Detecting the feasibility of illegal character injection

3. Try the URL encoding, case conversion and other tricks to bypass input filtering

4. Collection of sensitive information pages that may be exposed by the program

5. Develop code to verify SQL injection, first explicit and then blind.

Defense: All operations provided to the database are parameterized and fixed on the query result set structure.

3. Other ideas

(1) Using hybrid attacks: Use cross-site and SQL injection hybrid attacks, if the ID is an easily injected parameter, the following statement

id=123 ' Union Select 1, ' <script>alert (1) </script> ', 1

(2) Use authenticated channel: Some SQL injection vulnerability is required to take advantage of the administrator login to access the point. So you can forge requests through cross-site first.

(3) using the Oracle Execute OS command, a table with a table name containing a malicious shell command was successfully created by double quotation marks containing the table name. Again by Sql*plus to execute the script will be stripped of quotes, will! resolves to a Unix command, and $ is windows,vms.

Advanced SQL injection