Script injection is very popular on the Internet, and the script injection vulnerability is a favourite among hackers. Whether you are an old bird or a newbie, you will be fascinated by its great power and flexible moves. Precisely because injection attacks are so widespread, injection tools are everywhere on the market. Well-known ones include Xiaozhu's NBSI, the instructors' HDSI and Ah D's injection tool, which make it easy for newbies to exploit an injection vulnerability. However, a tool is fixed while the injection method is alive: whether you can flexibly construct SQL injection statements to suit the actual situation and obtain the information you want is the fundamental difference between an expert and a newbie. You cannot improve your understanding of the principle by relying on tools alone, and when special circumstances arise, those who only use tools can only give up. Therefore, learning to construct your own SQL injection statements by hand is a required course for hackers.
Injection basics:
To learn manual injection, we first have to talk about database systems.
1. Introduction
A database system consists of the database and the database management system! The database is where the data is stored, and the database management system is the software that manages it! The way data is organized inside the database is called the data model. There are four common data models: hierarchical, network, relational and object-oriented. The relational model is the most important, and ACCESS, MSSQL and ORACLE are all relational database systems; among them ACCESS and MSSQL are the most common! This is all theory, but I hope you can understand it.
2. Basic Concepts
Table: A table is the basic component of a relational database! It arranges related information in rows and columns. A row is usually called a record and a column is called a field! Each record consists of several fields; each column has a field name, and the value stored in a field of a record is called the field value. Every row of the table, that is, every record, has the same structure. See Figure 1.
In Figure 1, the table has 14 rows, that is, 14 records, and four columns, that is, four fields. The four field names are job_id (the values 1, 2, 3 and so on under it are the values of this field; the three fields that follow are read the same way!), job_desc, min_lvl and max_lvl. Because this article is not devoted to database knowledge, we only cover the most important concepts here. If you are interested, look up database material on your own!
3. Injection Conditions
Only dynamic pages that call a database can have an injection vulnerability. Dynamic pages include asp, php, jsp and cgi; this article only covers ASP page injection. So what does a page that calls the database look like? For example:
A URL such as xxx.asp?id= or xxx.php?id= is a page that calls the database. The name after "?" (here id) is called the variable; note that the variable can be anything. The value after "=" is called the parameter, and it can be anything too! Everyone must keep a flexible mind, learn to take things apart and not be too rigid.
4. Analysis of injection vulnerability principles:
If the program does not effectively filter the variables submitted by the user and puts them straight into the query statement, then we can submit a statement that performs a query of its own, append it to the information the program submits, and judge what is in the database from the information the server returns! You may not understand this fully yet. It doesn't matter; let's look at the practice.
That covers the basics.
Practice
If you are new to injection, the first step is to right-click the IE icon on the desktop, choose Properties, click "Advanced", scroll down, find "Show friendly HTTP error messages", clear its check box and click "OK". This way you get more of the information the server returns.
Part 1: manual ACCESS database Injection
1. Determine whether the injection vulnerability exists:
I believe everyone already knows this one! Append and 1=1 and then and 1=2 to the URL of a page that calls the database. If the page returns normally with and 1=1 appended (that is, the same page as without it) and returns an error with and 1=2 appended (a page different from the one without it), the page has an injection vulnerability. For example:
Take the page http://www.xxx.com/a.asp?id=7. We append and 1=1 (two spaces: one before "and" and one between "and" and "1=1"!), so the URL becomes
http://www.xxx.com/a.asp?id=7 and 1=1. Opened in IE, it returns normally! Now append and 1=2 instead, so the URL becomes
http://www.xxx.com/a.asp?id=7 and 1=2. Opened in IE, it returns an error! This shows that http://www.xxx.com/a.asp?id=7 has an injection vulnerability and is an injection point. (A page with an injection vulnerability is called an injection point!) However, not every page can be judged this way. Some pages return an error page whether you append and 1=1 or and 1=2. Does that mean such pages have no injection vulnerability? Not necessarily! Take this page: http://www.xxxxxx.com/b.asp?id=ade7. Whether we append and 1=1 or and 1=2, it returns an error page! So we try another way of testing, which can be regarded as a variant of and 1=1 / and 1=2. The original URL is http://www.xxxxxx.com/b.asp?id=ade7; we change it to http://www.xxxxxx.com/b.asp?id=ade7' and '1'='1. Open it in IE and check whether the result is normal. If it is normal, use this address to test further whether the vulnerability exists (if the result is abnormal, the page most likely has no injection vulnerability!): http://www.xxxxxx.com/b.asp?id=ade7' and '1'='2. Open this URL in IE; if an error is returned, then the URL http://www.xxxxxx.com/b.asp?id=ade7 has an injection vulnerability!
A. Numeric parameter Injection Point Analysis
At this point some friends will surely ask: why couldn't we use and 1=1 / and 1=2 on the second site from the start? Don't worry. Let's first look at the difference between the two injection points.
(Don't tell me the second URL just has a few more characters than the first.) I believe you have noticed that the parameter at the end of the second URL is ade7, which is a character string, while the parameter at the end of the first URL is 7, which is a number! That is why the statements used to test the vulnerability differ. Anyone who has studied databases knows that in a query, a character-type value must be enclosed in single quotes. Suppose the query statement behind the first injection page is like this (every page that calls the database has one or several corresponding query statements that fetch content from the database!):
select * from tablename where id=7. This is the original query statement; it is correct and finds the record in the database. But if we append and 1=1 to the URL, the query becomes select * from tablename where id=7 and 1=1 (now we see what it means, from the analysis of the injection principle, that the variable is not filtered!). Here we need a little database knowledge. In this statement, "and" is a logical operator (that is all you need to remember); it means exactly what "and" means in everyday language. As you learned in high school mathematics, both clauses joined by "and" must be true, otherwise the whole statement is false. For example, "apples and elephants are both fruits" is false: an apple is a fruit, but an elephant is not. "Apples and pears are both fruits" is true. Knowing how "and" works, let's look at select * from tablename where id=7 and 1=1. The part select * from tablename where id=7 must be correct (why? if this query were wrong, the injection page itself would be broken; so the clause before "and" must be correct!). Then look at what follows "and": 1=1, which needs no explanation, it is true (is it hard to accept that one equals one?). By the rule for "and", the whole query select * from tablename where id=7 and 1=1 is therefore still correct, so it still fetches the information from the database correctly and returns it to us!
The statement select * from tablename where id=7 and 1=2, on the other hand, must be false: this query cannot fetch information from the database correctly, so we see an error page! That is the analysis for an injection point whose parameter is of int (integer) type.
B. Character-type parameter injection point analysis
As we did just now, let's look at the query statement behind the second injection page, for example select * from table where id='ade7' (why is it enclosed in quotes? See the previous section!). This is the original query statement. If we still test the vulnerability the way we did for the numeric parameter, the statements become select * from table where id='ade7 and 1=1' and
select * from table where id='ade7 and 1=2', because the program automatically queries for whatever is inside the quotes. If we submit these two statements, the program looks for records whose id value is the string ade7 and 1=1, or ade7 and 1=2, and of course finds nothing (don't tell me the database happens to contain exactly those two records!). Some may ask: why can't it look up id = 'ade7' and then treat and 1=1' as the condition? Even if it could find the record whose id is ade7, the statement would still be wrong: how can 1 equal 1'? Right? What's more, the program cannot even find ade7. More importantly, no field value in the database could be that string anyway, because it contains only one quotation mark; if a string like that were stored directly, the program would report an error. Got it? Now let's see how to test with and '1'='1 / and '1'='2! The same query statement is used:
select * from table where id='ade7'. If we append ' and '1'='1 to the URL, the query becomes
select * from table where id='ade7' and '1'='1' (the outermost quotes are added by the program automatically!). Is this statement correct? Let's analyse it. When we submit it, the program looks for the record whose id value is ade7, and that record exists (if it didn't, the page itself would be broken!). The part after "and", '1'='1', is true, so the whole statement is correct! If we replace ' and '1'='1 with ' and '1'='2, the statement becomes select * from table where id='ade7' and '1'='2', and we can see this statement is wrong: how can 1 equal 2? Right? All right, character-type parameter injection points
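As an added illustration of the numeric and character-type analysis above (and of the unfiltered-variable principle from section 4), here is a small Python script, not from the original article, that builds the two pages' query statements the vulnerable way (the parameter spliced straight into the SQL, giving select * from table where id=7 ... and select * from table where id='ade7' ...) and the hardened way (a type check plus a bound parameter), then runs both through the same true/false pairs. The tables, rows and values (jobs, items, ade7) are constructed for the example, and SQLite stands in for ACCESS.

```python
import sqlite3

# Constructed sample data (not from the article): a jobs table shaped like the
# one in Figure 1, keyed by a numeric job_id, and a small table keyed by a
# character-type id such as ade7.
JOBS = [(1, "Editor", 25, 100), (2, "Designer", 25, 100), (7, "Manager", 120, 160)]
ITEMS = [("ade7", "first item"), ("bf12", "second item")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (job_id INTEGER, job_desc TEXT, min_lvl INTEGER, max_lvl INTEGER)")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?, ?)", JOBS)
    conn.executemany("INSERT INTO items VALUES (?, ?)", ITEMS)
    return conn


def run(conn, sql, params=()):
    """Execute a statement and report what a page would show: rows, or an error."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The pattern the article analyses: the raw URL parameter is spliced into the SQL.

def vulnerable_numeric(conn, id_param):
    # select * from jobs where job_id = 7   (no quotes, no filtering)
    return run(conn, "SELECT * FROM jobs WHERE job_id = " + id_param)


def vulnerable_string(conn, id_param):
    # select * from items where id = 'ade7'   (the program adds the outer quotes)
    return run(conn, "SELECT * FROM items WHERE id = '" + id_param + "'")


# Hardened forms: check the type, then bind the value so it is only ever data.

def safe_numeric(conn, id_param):
    try:
        job_id = int(id_param)  # a numeric parameter must be an integer, nothing else
    except ValueError:
        return ("error", "id must be an integer")
    return run(conn, "SELECT * FROM jobs WHERE job_id = ?", (job_id,))


def safe_string(conn, id_param):
    # a bound parameter carries quotes as characters, never as SQL syntax
    return run(conn, "SELECT * FROM items WHERE id = ?", (id_param,))


def compare(conn):
    """Run the article's true/false pairs through both versions of each page."""
    return {
        # numeric page, spliced: the appended condition becomes part of the WHERE clause
        "vuln 7 and 1=1": vulnerable_numeric(conn, "7 and 1=1"),
        "vuln 7 and 1=2": vulnerable_numeric(conn, "7 and 1=2"),
        # string page, spliced: without a quote the whole value is one literal ...
        "vuln ade7 and 1=1": vulnerable_string(conn, "ade7 and 1=1"),
        # ... with a quote the literal is closed and the condition takes effect
        "vuln ade7' and '1'='1": vulnerable_string(conn, "ade7' and '1'='1"),
        "vuln ade7' and '1'='2": vulnerable_string(conn, "ade7' and '1'='2"),
        # hardened pages: the same inputs are rejected or simply match nothing
        "safe 7 and 1=1": safe_numeric(conn, "7 and 1=1"),
        "safe ade7' and '1'='1": safe_string(conn, "ade7' and '1'='1"),
        "safe 7": safe_numeric(conn, "7"),
        "safe ade7": safe_string(conn, "ade7"),
    }


if __name__ == "__main__":
    for label, result in compare(make_db()).items():
        print(f"{label:24} -> {result}")
```

In the spliced versions the and 1=2 and and '1'='2 halves return no rows, which is the empty result the article calls an error page, while the true halves return the normal record. The hardened versions either reject the input outright (a numeric parameter that is not an integer) or look for a record whose id is literally the submitted string and find nothing, so both halves behave identically and the true/false difference the test depends on disappears. The type check and the bound parameter are the "effective filtering" that section 4 says the vulnerable program lacks.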