A common SQL Injection Attack Method

LCX

SQL injection is a term used to describe how to pass SQL code to an application that is not intended by developers. SQL injection attacks are commonly described in terms of using hacker to carefully construct SQL statements and execute them in the original web programs (such as forums and message books) to obtain host permissions, user passwords, and other information, to achieve port 80 intrusion. SQL injection attacks vary depending on the statements used to construct SQL statements and the systems or web programs that are infiltrated into the host. However, I have summarized a general SQL injection attack method, which is simple and practical, that is, cross-Table subquery of SQL injection with access.

Let's take a look at the instance first and then summarize it. Dynamic net is a type of article by www. aspsky. net Development and Maintenance of open source code article management system, widely used in China; because of its list. the ASP file does not filter the Input submitted by the user for SQL query. As a result, remote attackers can exploit this vulnerability to launch SQL injection attacks.
Related code in list. asp:
SQL = "select Aclass. class, anclass. nclass, article. title, article. classid, article. nclassid from article, Aclass, anclass where article. classid = Aclass. classid and article. nclassid = anclass. nclassid and article. articleID = "& request (" ID ")

Cainiao who do not understand ASP seem to have a big head. It's okay. Let me analyze it. The database name used in the Internet article is article. MDB. After you open it with acess2000, You Can See figure 1.

In Figure 1, Aclass, admin, anclass, and article are the table names of article. MDB. The article table stores collected articles, as shown in figure 2.

The admin table stores the Administrator name and password of the dynamic network document, as shown in figure 3.

The other two tables named aclas and anclass are used to store the classification of articles. The list code above Selects all the information about the document you want to read from the table names. For example, if the ArticleID in Figure 2 has 102, that is, id = 102 in list. ASP code, then we can see this situation, as shown in figure 4.

. This is an article titled damware's experience. It belongs to the Technical Library and the ArticleID code is 102. You can find this information in article. MDB. However, the program writer will not expose the content of the Admin table here. However, according to the list. ASP source code, the author of the dynamic network does not limit the attributes of the ID, that is, in figure 4, http: // 192.168.1.3/WZ/list. asp? In id = 102, 102 can be changed to anything else. If it is changed to 56, 33, or 47, it shows another article in the database, however, we add a condition to the back of the equation like 1 = 1 or 2 = 2 and place the value in the SQL statement for query. The URL is changed to http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = 11, as shown in Figure 5.

The error page appears. Note that I have tested a lot of dynamic network Article systems, and the format of errors is different. Some of them are normal post display, and then the 0x800a000d error occurs at the end, while others only have one row of errors. Then we add a non-real equation like 1 = 2 or 1 = 3 to query the value in the SQL statement. The URL is changed to http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = 1. check what is displayed, as shown in figure 6.

See no. It shows the page where the relevant article is not found. Here we find a rule, as long as ID = 102 is followed by a condition that is not a true equation, there will certainly be a page in Figure 6 that does not find the relevant article. If the 0x800a000d error occurs or another representation is shown in figure 5, it means that the equation behind id = 102 is a condition come true.

Then I will learn an SQL statement and a function. Using one statement and one function, we can get the password of the dynamic net Article, which is very simple. See figure 2. The table name is admin, and the field names are ID, username, password, and flag. ID is the serial number of the automatic example. You can see the username and password at a glance that the flag is the user level set by the program writer. 1 indicates a Super User, 2 indicates an administrator, and 3 indicates a common user, with different permissions. After understanding the table structure, let's learn this SQL statement: Select ID from Admin where flag = 1 means to select the id value of flag = 1 from the admin table, figure 3 shows that the id value of flag is 1 is 11, that is, the value of this statement is 11. Of course, you can extend this statement, for example, select ID from Admin where passowrd = 123 or select username from Admin where passowrd = 123, it means to select the id value of passwrod = 123 and the username value of Password = 123, which is similar to the English statement. Another function is left. Like left (LCX, 1), it indicates selecting the first character on the left from the LCX field, which is L. Left (LCX, 2) indicates that the left two characters are selected from the LCX field, which is LC.

The preparation is complete. Let's get started. We first construct an SQL statement to judge the ID of the first administrator in the admin table of the dynamic network document database. (Because there are more than one system administrator for a dynamic network article, as shown in figure 3 ). Let's submit the following statement: http: // 192.168.1.3/WZ/list. asp? Id = 102 and 1 = (select Min (ID) from Admin where flag = 1 ). Ah, it seems that a function min () is missing here, which means the minimum value. As shown in figure 3, the minimum id value in the admin table is 11, so select Min (ID) from Admin where flag = 1 should be 11, so this statement becomes http: // 192.168.1.3/WZ/list. asp? Id = 102 and 1 = 11. According to the patterns we have found, the webpage shows that no relevant articles have been found, as shown in figure 7.

Let's try it one by one until we change the 1 of this statement to 11, and the statement is changed to http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = (select Min (ID) from Admin where flag = 1), the result is http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = 11. What is the result? Figure 8.

An error occurred. This indicates that the ID of the first administrator is 11. After obtaining the minimum id value, we can decrypt the password. The construction statement is as follows: http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = (select ID from Admin where left (password, 1) = 'X, statement 11 is the ID of the first administrator we have previously determined. Select ID from Admin where left (password, 1) = 'X' refers to finding the id value of the 1st-bit password X in the admin table. In the SQL statement, it is not the value of a number that must be enclosed in single quotes. The value of X is written by yourself. We can set the value of X to 2. Obviously, in Figure 3, we can see that the value of passowrd is 123, and left (password, 1) should be equal to 1, then select ID from Admin where left (password, 1) = '2' is naturally no such ID value. So list. asp? There is another condition behind id = 102 that is not a true equation, so no related articles are found, which indicates that the password 1st is not 2. Figure 9.

Let's use select ID from Admin where left (password, 1) = '1' to try it. Ha, an error is displayed, as shown in figure 10.

This indicates that Id = 102 is followed by a condition-come-true equation. The first password of the first administrator is 1. If you have guessed the 1st bits, Let's guess the 2nd bits, http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = (select ID from Admin where left (password, 2) = '1x ') read this statement carefully and change the value of X to 2, figure 11.

An error occurs again, indicating that the first two passwords are 12. We can calculate the password as soon as we get it is 123. You can change the left (password) function to the Len (passowrd) function, using http: // 192.168.1.3/WZ/list. asp? Id = 102 and 11 = (select ID from Admin where Len (password) = 'num') to determine the password length first. You can also learn ASC () by yourself () and the mid () function, which can quickly calculate the keyboard range of the password and quickly obtain the password value. In a word, no matter what SQL statements you construct or what functions you write, as long as the relevant articles are not found on the page, it means that the password in this SQL statement is not your set value, ID is followed by an inequality. If other values are displayed, you guess the password. ID is followed by an equation. Similarly, you can change the password in the SQL statement to username to calculate the Administrator's username.

Let's take a look at the show. ASP source code first:
SQL = "select * from download Where id =" & request ("ID "),
Now you understand this statement. Find the software with ID = * from the download table. Similarly, the show. asp file does not filter the Input submitted by the user for SQL query. As a result, remote attackers can exploit this vulnerability to launch SQL injection attacks.

The download table in its database stores the software information you want to download, while the admin table stores the system administrator information. The admin table has four fields: ID, admin, PWS, and regsex, which are respectively stored in the administrator serial number, user name, password value, and gender identification. Regsex = 0 indicates that the Administrator is a boy. We also found a rule, if you are in the show. if there is an inequality behind ASP, the page where the software cannot be found will appear. If there are other pages, it indicates show. ASP is followed by an equation that conditions come true.

In the same way as the dynamic network document, we can determine the id value of the 1st administrators. The statement is as follows: http: // ip/down1.0/show. asp? Id = 2 and x = (select Min (ID) from Admin where regsex = 0), where you can write the value of X at will. Id = 2 indicates the page where the software information is displayed normally. Compare it with the above text on the Internet. After testing, you will understand that if the software cannot be found, it means that the X value you write is not the id value of the first administrator, if others are displayed, you have guessed the ID of the first administrator. Assume that the ID of the first 1st administrators is 1. Let's guess the password. Http: // ip/down1.0/show. asp? Id = 2 and 1 = (select ID from Admin where left (PWS, x) = 'X') to guess the password. Note that the password field in the admin table of the system downloaded by the hacker is PWS, so PWS must be written in the SQL statement. Let's take a look at the case where I guess the wrong password. I tested it on the local machine. The URL used is http: // 192.168.1.3/asp/D1/show. asp? Id = 2 and 1 = (select ID from Admin where left (PWS, 1) = '1') Fig 12.

This software is not available, indicating that the password with 1st bits is not 1. Let's take a look at the password. The URL used is http: // 192.168.1.3/asp/D1/show. asp? Id = 2 and 1 = (select ID from Admin where left (PWS, 2) = 'ad') Figure 13,

If the software information is displayed normally (not the page without the software), it indicates that the password is correct, and the first two are ad.

Through the above two examples of SQL Injection Analysis, you should learn a common SQL injection attack method, that is, cross-Table subquery of SQL injection with access. The workflow can be defined as: the intrusion is like an ASP + acess program. Its submit SQL program page features an ASP page with digital parameters, such as http: // URL/tagret. asp? Id = num; the intrusion method is to first download a script that is the same as the web program you want to intrude, analyze whether the ASP page with numeric parameters has input to the SQL query submitted by the user for filtering the parameters (that is, num). Open the database and familiarize yourself with the structure of each table, then, the SQL statement for cross-Table query is carefully constructed, and the write condition after the ID is true or is not a true equation. The correct password is determined based on the returned information.

Some may say that the user name and password should not be exhausted one by one? If the password of the other party is 16 characters and different letters or ASCII characters are used, you may have to guess the sky is bright. Yes. At this time, programmers are required to write programs to implement SQL injection attacks. Therefore, to be a hacker, it will never work without learning programming, and learning only one language is not advisable. I have a script written by Wawa to attack the database of the dynamic network article and I modified the script based on this script to download the 1.0 script (2.0 I don't have the source code, no analysis ). The usage is very simple. First open a dynamic network article system and find a page where the article is normally displayed. Figure 4. Then run the dvtxt. pl Command in DOS. In this case, dvtxt. pl 127.0.0.1/TXT/list. asp 53 "no related articles found ". Note that because it is a Perl script, you need to install a Perl parser on your local machine. Let's take a look at the commands I run. Figure 14.

Wait for a while and the program line results will come out, as shown in Figure 15.

The intrusion script downloaded by thieves is similar to this one. You can download it and try it on your own. I put both my feet on my website at http://www.netsill.net/lcx/sql-acess.rar. Because the parameter specified in the Downloaded Program of the attacker is regsex = 0, my script can only deduce that the Administrator is a boy's password, my script of the girl administrator cannot be detected. :-). I believe that if you read this article and understand the principle of cross-Table subquery, you can also write an SQL injection with access cross-Table subquery attack program based on the Wawa script. Good luck!