Builder pain forever: Look at SQL injection practices

Source: Internet
Author: User

We have already talked about the principles and ideas of SQL injection before. For such a universal attack, it is difficult for the website builder to prevent it. At present, many automatic injection tools are available, but for those who are deeply studying the technology, better understanding of the essence of SQL injection will be more confident in the attack.
Of course, you can easily enter the background of your website with your intrusion experience and manual injection skills. You need to know that tool hackers and manual hackers are at two levels. All tools are used. However, many people cannot access manual tools.

In Web intrusion technology, SQL injection is the most eye-catching, but in SQL injection, another widely used technology is called "instant injection ", of course, this is a manual technique, that is, joint query of databases. "Instant injection", as its name implies, can get a password for instant injection, which is faster than a fully automated SQL injection tool in practice.
  
Vulnerability Detection

We have found an injection point (which is not difficult for the vast network) and added a single quotation mark to the URL to submit it. We found that the page has changed, and the exception indicated that we can leave it empty. It is preliminarily estimated that the management program of this database is not MS SQLServer, but another common-Access. Fortunately, transient injection can be used to kill these two data management systems.

Use and 1 = 1 and 1 = 2 to check whether the page is the same. Submit such http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 1, and it turns back to the original normal page. Next submit http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 2. An exception occurs again on the page. The injection vulnerability already exists.
  
Note that % 20 is the URL encoding format of spaces in the address bar. When the database management system is SQLServer, an error message of the program is displayed when a single quotation mark is added to the URL, while ACCESS usually has no content on the page.

Number of fields to be guessed

 

Database-Table segment-field content is our Penetration Process. The two adjacent links are one-to-multiple relationships from the front to the back. In the injection process, the database name is very unimportant. We do not need to consider the name of the table segment to be guessed before using "instant injection, instead, check whether there is a table in the database that contains the total number of fields we have guessed.

Assuming this table has 10 fields, submit: http://www.myxxxxx.org/showarticle.asp? Id = 2107 order by 10. The Order command is actually used for sorting in SQL statements. We can also use it to guess the number of fields. If an exception occurs on the page, the statement is incorrect.

In order to improve efficiency, the trade-off number of 10 is 5. Submit http://www.myxxxxx.org/showarticle.asp? Id = 2107 order by 5: The page is still abnormal and NO content is displayed. This indicates that the number of fields is too large. This kind of separation method is used to cut down step by step.
  
When the number of fields to be guessed is less than or equal to (<=) the actual total number of fields, the page remains normal. When the number of fields to be guessed is greater than the actual total number of fields in the (>) table, the page appears frequently. This is why the total number of fields to be guessed is reduced rather than the increase when an exception occurs on the page.

When submitting http://www.myxxxxx.org/showarticle.asp? When id = 2107 order by 3, the page is finally normal!

Through the above steps, we can finally determine that there must be such a table in the database, which has three fields.
  
Prediction table name

After obtaining the total number of fields, we still need the table name. Assuming that there is a table named "Users", submit URL: http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 2 union select 1, 2, 3 from users. spaces are automatically converted to % 20. After the submission, nothing is displayed on the page, indicating that the users table does not contain drops.

Again guess admin, these are common indications: http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 2 union select 1, 2, 3 from admin. The expected page is displayed.

After the "current location" of this page, the path information is no longer written, but it is changed to "1", while there is only one "2" in the body content ", fields 1 and 2 can be displayed on the page.

Field content


Why is instant injection faster than automated SQL Injection tools? Because it does not guess the password one by one, it is directly cracked, but like the above operation, it will fail! Didn't I submit a http://www.myxxxxx.org/showarticle.asp before? Id = 2107 and 1 = 2 union select 1, 2, 3 from admin, admin. Is "1" and "2" displayed on the following page? Here, "1" and "2" can be directly displayed on the page. If we change the numbers in the URL that can be displayed on the page to the field name, then the field content (including the user name and password) can be seen directly on the page.
  
Assume that if there are 23 fields, you need to write http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,20, 21,22, 23 from admin, the last number is the total number of fields.
  
Assume that the field name for storing the user name is user, and the field name for storing the password is pass. Submit http://www.myxxxxx.org/showarticle.asp? Id = 2107 and 1 = 2 union select user, pass, 3 from admin, of course there will also be errors, but know the MD5 class value, it indicates that the field content is exposed.
    
Background intrusion

Log on to the background and work out the original password on the MD5 cracking website. Then you can control the password at will. In fact, when we use the automatic injection tool for detection, we find that the admin table does have three fields id, username and password. Let's see if it's the same as what we see on the page? I only spent about three minutes on this website (of course, experience and luck are very important, and I have to accumulate common table names and field names), and I ran for seven minutes.

This intrusion idea can help us better understand the essence of SQL intrusion and improve the intrusion efficiency. However, luck is also very important.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.