2017-2018-2 20179204 "Network attack and Defense practice" 11th Week study summary SQL injection attack and practice

the 1th section studies the principle of buffer overflow, at least for two kinds of database differential study 1.1 principle

Inside the computer, the input data is usually stored in a temporary space, the temporary storage space is called a buffer, the length of the buffer has been pre-defined by the program or the operating system. Fill the buffer with data, if the length of the data is longer than the buffer itself capacity, then the data will overflow storage space, and these overflow data will be overwritten on the legitimate data, this is the truth of buffer and buffer overflow.

See this blog buffer overflow attack

1.2 Oracle Database

Research on buffer overflow attack for Oracle database

1.3 MySQL Database

MySQL is an open-source relational database system.

MySQL contains a mysql_real_connect () function that does not adequately check user-supplied parameter values, which can be exploited by local or remote attackers for buffer overflow attacks that may be used to corrupt the database or execute arbitrary instructions.

Attackers can take advantage of SQL injection attacks, or can upload malicious script to the server, by passing an extra long string as the Mysql_real_connect () function parameter, can trigger overflow, carefully build the submission data may execute arbitrary instructions on the system with database process privileges.

The

2nd section studies the discovery and injection techniques of SQL injection points for different data types

Depending on the type of variable parameter that is submitted, the SQL injection point has different classifications, different injection points, and the things to be aware of when injecting it are also different. The SQL injection point is divided into the following 3 types according to the type of submission parameter:

2.1 Digital Injection point

, such as "http://****?id=55", which is called "Digital injection point" because of the "number" of these injected parameters.

The SQL statement submitted by such an injection point is roughly the same: Select * from table name where field =55

When we submit the injection parameter as "http://****?id=55 and[query condition]" , the complete SQL statement submitted to the database is: Select * from table name where field =55 and [query condition]

2.2-character injection point

shape like "http://****? class= Date "This type of injected parameter is" character "and is therefore referred to as the" character type "injection point.

The SQL statement submitted by such an injection point is roughly the same: select * from table name where field = ' Date '

When we submit the injection parameter as "http://****class= date and[query bar The complete SQL statement submitted to the database is: select * from table name where field = ' Date ' and [query condition]

2.3 Search Injection Point

This is a special type of injection. This kind of injection is mainly refers to in the data search without filtering the search parameters, generally in the link address has "keyword= keyword", some do not display the link address, but directly through the search box form submission.

The SQL statement submitted by such an injection point is roughly the same: select * from table name where field like '% keyword% '

When we submit injection parameter "keyword= ' and[query condition] and '% ' = ', the finished SQL statement submitted to the database is:
select * from table name where field like '% ' and [query condition] and '% ' = '% '

The 3rd section studies buffer Overflow prevention methods, at least for two programming languages to differentiate research

Buffer overflow attacks have always been the primary means of hacking, depending largely on the many functions in a C or C + + program that have buffer overflow vulnerabilities. These vulnerabilities cause buffer overflows to be easily implemented in relation to other attack methods. Buffer overflow attack, the light can cause computer system chaos, restart or panic, more serious will allow the attacker to gain access to the host's super privilege, thereby controlling the host, perform some destructive behavior. Such as: Steal important information, view internal confidential information, tamper with important files, delete useful data and so on. However, because the attacker obtains the super privilege of the attacking host, he can delete the record in the host activity log, so that he can control the host for a long time and not be discovered by the machine owner.

3.1 C language

Analysis and solution of buffer Overflow Vulnerability in C language source program

Beware of buffer overflows (those unsafe library functions in C)

Preventing buffer overflow--c/c++ language security issues

3.2 C + + language

Buffer overflow attacks for C + + programs

The 4th section uses at least two kinds of database injection attack Tools 4.1 tnscmd10g

Allows us to inject commands into the Oracle database

4.2 Sqlsus

Sqlsus is an open source MySQL injection and Takeover tool, Sqlsus written in Perl, based on the command line interface. Sqlsus can get the database structure, inject your own SQL statements, download files from the server, crawl Web sites writable directories, upload and control backdoors, clone databases, and so on. The best two point is that the injection gets the data very fast, and the other biggest feature is the automatic search for writable directories.

  生成配置文件  编辑配置文件  修改 our $url_start = "":写入地址  启动并且测试`sqlsus test.conf`  获取数据库数据  查看全部数据库名字  sqlsus > get database

Kali Linux Database evaluation software Sqlsus Tutorial

4.3 sqlninja

In the field of SQL injection has always been sqlmap as magical, but Sqlninja also has its own characteristics. Sqlninja is a Perl-written one specifically for Microsoft SQL. Server's SQL Injection tool, which focuses on getting a shell.

The advantages of Sqlninja are as follows:

  1）一个专门针对Microsoft SQL.Server的sql注入工具  2）可找到远程SQL服务器的标志和特征（版本、用户执行的查询、用户特权、xp-cmdshell的可用性、身份验证模式等）  3）“sa”口令的强力攻击  4）如果找到口令后，就将特权提升为“sa”  5）如果原始的xp——cmdshell被禁用后，就创建一个定制的xp_shell  6）使用纯粹的ASCII GET/POST请求来上载netcat.exe程序（以及其他任何可执行的程序），因此并不需要FTP连接。  7）为了找到目标网络的防火墙所允许的端口，可以实施针对目标SQL服务器的TCP/UDP端口扫描。  8）逃避技术，这是为了使注入式代码“模糊”不清，并且混淆/绕过基于签名的IPS和应用层防火墙。  9）采用“盲目执行”攻击模式，在其他模式失效时，可以用于发布命令并执行诊断。  10）在sqlninja生成的SQL代码上，执行的是自动化的URL编码，这使得用户可以更精细地控制漏洞利用的字符串。  11）如果得到权限为sa，可以结合msf进一步对目标主机进行渗透。

Sqlninja have very few parameters

-m Specifies the attack mode with the following several

  1）t/test 测试连接是否是注入点  2）f/fingerprint 指纹识别，判断用户，数据库，xp_cmdshell是否能用等等  3）b/bruteforce 暴力破解sa密码，可以-w指定字典，也可以不适用字典，这样sqlninja就会自己穷举  4）e/escalation 提权用，必须用-p指定sa的password，成功就会把当前数据库用户加入到sa组里面  5）x/resurrectxp 尝试恢复xp_cmdshell  6）u/upload 使用get和post上传二进制文件，-p可以指定sa的password，-g表示只生成上传文件，但并不上传  7）s/dirshell 获取目标主机的shell  8）k/backscan 查看开放的目标端口  9）r/revshell 反弹会一个shell，和dirshell相反  10）d/dnstunnel 指定使用dns作为传输通道，可用-p可以指定sa的password，为什么有这个模式，因为可能服务器连接icmp都禁止。同样，想要使用这个模式得先用upload模式上传dnstun.exe  11）i/icmpshell 当dirshell和revshell都失败的情况下，可以用这个模式把shell藏在icmp里，但是先要上传icmpsh.exe  12）-f<file> 指定配置文件，sqlninja没有类似sqlmap的“-u”参数，注入网址是写在配置文件里的，默认是sqlninja.conf

4.4 Sqlmap

Sqlmap is an open-source penetration testing tool that is primarily used to automate the detection and implementation of SQL injection attacks and infiltrate database servers. Sqlmap is equipped with a powerful detection engine for advanced penetration test users, not only can obtain the fingerprint information of different database, HA can extract data from the database, but also can handle the potential file system and execute the system commands through the out-of-band data connection.

SQL injection--SQLMAP Automation injection tool

2017-2018-2 20179204 "Network attack and Defense practice" 11th Week study summary SQL injection attack and practice