2017-2018-1 20179215 "Linux kernel Fundamentals and analysis" 12th week assignment

Source: Internet
Author: User

1. Introduction to the basic principles of SQL injection

Grouping: experiment one was completed together with 20179205 Wang Yazhe.

1.1 What is SQL injection?

A SQL injection attack passes specially constructed input into a Web application. The input is mostly a fragment of SQL syntax, and the attacker's actions are carried out when the database executes the resulting SQL statement. SQL injection means that the Web application does not check the legality of user input, so an attacker can append additional SQL to the end of a query that the application has pre-defined, trick the database server into executing unauthorized arbitrary queries, and thereby obtain the corresponding data. The threat of SQL injection shows up in the following ways:
    • Bypassing authentication and obtaining privileges illegitimately
    • Guessing out all of the information in the back-end database
    • Using the database's stored procedures through the injection to escalate privileges and perform other operations
A typical approach to a SQL injection attack:
    • Determine whether the application has an injection vulnerability
    • Gather information and determine the database type
    • Reconstruct the original SQL statement from the type of the injected parameter
    • Guess table names and field names
    • Obtain account information, attack the Web site, or prepare for the next attack step
1.2 The three-tier architecture of a Web program. A three-tier architecture (3-tier architecture) divides a business application into:
    • Interface Layer (User Interface layer)
    • Business Logic Layer
    • Data access layer.
The point of separating layers is the idea of "high cohesion, low coupling". In software architecture design the layered structure is the most common and most important structure, and it is applied in many kinds of software development. A database-driven Web application that follows the three-tier idea is likewise divided into three tiers:
    • The presentation layer.
    • Business Logic layer (also called domain layer)
    • Data access layer (also known as storage layer)

      The topology looks like this:

When we visit a dynamic Web page, the Web server sends a SQL query request to the data access layer, and the SQL statement is executed if permission validation passes. SQL requests issued by the site itself are generally not dangerous, but in practice SQL statements often have to be constructed dynamically from the user's input data. If the data entered by the user is crafted as malicious SQL code and the Web application does not check the parameters used to build the dynamic SQL statement, an unexpected risk arises.

2. Experimental process

This experiment builds a SQL injection environment on LAMP. Two experiments introduce two knowledge points: using SQL injection to dump the database, and using SQL injection to bypass authentication.

1. SQL injection example one: guessing the database

(1) As shown, first download the file, unzip it and run it:

(2) Open the Firefox browser, enter the URL localhost/dvwasql, and click Create/Reset Database to create the database:

(3) Go to the login page; the default user name is admin and the password is password:

(4) Set the Security Level to low:

(5) Go to the SQL Injection page to start the injection:

(6) First enter 1 and check the echo (id=1 appears in the URL, which indicates that the PHP page passes its parameters via the GET method):

(7) Which SQL statement is actually executed in the background? Click View Source to see the original code:

As you can see, the SQL statement actually executed is:
SELECT first_name, last_name FROM users WHERE user_id = '1';
We get the information we want by controlling the value of the id parameter. If we do not follow the expected usage and instead enter, for example, 1' ORDER BY 1# in the input box, the SQL statement actually executed becomes:
SELECT first_name, last_name FROM users WHERE user_id = '1' ORDER BY 1#'; (by MySQL syntax everything after # is a comment, so this technique masks the trailing single quote and avoids a syntax error)
This statement queries the users table for the row with user_id 1 and sorts by the first field. (8) When 1' ORDER BY 1# and 1' ORDER BY 2# are entered the page returns normally, but when 1' ORDER BY 3# is entered an error is returned:



As a result, the users table has only two fields, so the data has two columns. Next we continue to obtain information with a UNION SELECT query. The UNION operator combines the result sets of two or more SELECT statements into a single result set, i.e. it executes a joint query. Note that a UNION query must have the same number of columns as the main query; we have already learned that the main query has 2 columns, so this is straightforward. Enter 1' UNION SELECT database(), user()# to query:
    • database() returns the name of the database used by the current Web site.
    • user() returns the user name under which the current query is executed.

The SQL statement actually executed is:

SELECT first_name, last_name FROM users WHERE user_id = '1' UNION SELECT database(), user()#';

From the returned information we successfully obtain:
    • The current Web site uses the database DVWA.
    • The user name executing the current query is [email protected].

Similarly, enter 1' UNION SELECT version(), @@version_compile_os# to query:
    • version() returns the current database version.
    • @@version_compile_os returns the current operating system.

The SQL statement actually executed is:

SELECT first_name, last_name FROM users WHERE user_id = '1' UNION SELECT version(), @@version_compile_os#';

(9) Next we try to get the table names in the DVWA database.

From experience we can boldly guess that the fields of the users table are user and password, so enter 1' UNION SELECT user, password FROM users# to query:

2. SQL injection example two: authentication bypass

(1) As shown, download the file, unzip it and run it:

(2) Open the Firefox browser and enter the URL localhost/sql2 to initialize the data:

(3) After the preparation is completed we go to the home page and find that it is an ordinary login page: entering the correct user name and password logs in successfully. We first try logging in with user name 123 and password 123, and an error message is shown. (4) Following the first experiment, we try entering 123' or 1=1 # as the user name and also 123' or 1=1 # as the password:


Why does the login succeed? Because the statement actually executed is:
select * from users where username='123' or 1=1 #' and password='123' or 1=1 #'
By MySQL syntax everything after # is ignored, so the statement above is equivalent to the following (in fact it makes no difference what is entered in the password box):
select * from users where username='123' or 1=1
Because the condition or 1=1 always holds, the result is of course true and the login succeeds. (5) Now try it without using # to mask the single quote, closing the quote manually instead: enter 123' or '1'='1 as the user name and 123' or '1'='1 as the password (do not leave out any single quote, otherwise there will be a syntax error):

The SQL statement actually executed is:
select * from users where username='123' or '1'='1' and password='123' or '1'='1'
The two OR conditions make the judgements on both sides of the AND always evaluate to true, so the login succeeds. Summary: generally speaking, SQL injection is found in ASP dynamic Web pages that take parameters, such as http://xxx.xxx.xxx/abc.asp?id=XX. Sometimes a dynamic page has only one parameter, sometimes n parameters; sometimes they are integer parameters, sometimes string parameters, so no single rule covers every case. In short, if a page is dynamic, takes parameters and accesses the database, SQL injection is possible. If the ASP programmer lacks security awareness and does not perform the necessary character filtering, SQL injection is very likely. For how to prevent SQL injection attacks, please refer to http://blog.csdn.net/testeralai/article/details/26478469
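The root cause in both experiments is the same: the user's input is pasted into the SQL text, so a quote in the input ends the string literal and whatever follows is parsed as SQL. The Python example below is added here and is not part of the original write-up or of DVWA. It rebuilds the users lookup from step (7) and the login check from experiment two against constructed sample rows in an in-memory SQLite database (MySQL's # comment is not a comment in SQLite, so the quote-closing input from step (5), ' or '1'='1, is used). lookup_user_vulnerable concatenates the parameter exactly as the DVWA query does; lookup_user_safe rejects anything that is not a decimal id and binds the value as a query parameter; login_safe binds the user name and verifies a salted PBKDF2 hash instead of comparing the password inside the SQL. The table layout, sample users and hashing parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not DVWA's real data):
# (user_id, first_name, last_name, username, password)
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Bob", "Smith", "bob", "letmein"),
]

PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database stores only the salt and this digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Create an in-memory users table and load the constructed rows with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, username TEXT UNIQUE, salt BLOB, pw_hash BLOB)"
    )
    for user_id, first, last, username, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
            (user_id, first, last, username, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirrors the DVWA query from step (7): the raw parameter is spliced into the SQL
    text, so a quote in the input terminates the literal and the rest becomes SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: check the expected type, then bind the value as a parameter.
    The driver sends the value separately from the SQL, so it cannot alter the statement."""
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("user_id must be a decimal integer")
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened login: the user name is a bound parameter and the password never enters
    the SQL at all; it is checked against the stored salted hash in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = setup_db()
    payload = "1' or '1'='1"  # the quote-closing input from step (5), applied to the id
    print("vulnerable lookup:", lookup_user_vulnerable(db, payload))  # every row comes back
    try:
        lookup_user_safe(db, payload)
    except ValueError as exc:
        print("safe lookup rejected the input:", exc)
    print("safe lookup, id 1:", lookup_user_safe(db, "1"))
    print("login with real credentials:", login_safe(db, "admin", "password"))
    print("login with bypass input:", login_safe(db, "123' or '1'='1", "123' or '1'='1"))
```

Parameter binding, not character filtering, is the primary control: with ? placeholders the value 123' or '1'='1 is looked up as a literal user name that does not exist, and the quote never reaches the SQL parser. The type check on the id is a second layer; it also produces a clean application error to log rather than a database error, which is exactly the signal that the ORDER BY probing in step (8) depends on.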
