Author: Emperor
Source: http://www.2chuizi.com/blog/read.php?355
Technology knows no borders, but please retain the source when reprinting.
At an SQL injection point we generally try to execute several SQL statements at once (stacked queries) to reach our goal.
As security awareness grows, parameter filtering becomes more and more thorough, and sometimes we are not allowed to finish an operation with stacked statements. For years ";" has been treated as the key marker of multi-statement execution. In fact, as we all know, the statement separator is not limited to it: a TAB, a space or a line break can also separate the statements in a batch. I have encountered many cases that filter "--". Sometimes, depending on the situation, we do not care that it is filtered, but sometimes its absence does stop us.
How an SQL injection vulnerability can be exploited is always decided by the script. We usually think only in terms of numeric-type and string-type injection points: to close the single quote we have to use "--" to comment out the characters that follow. In fact this is not entirely true; there are also many injection points where a comment marker is needed before stacked statements will run at all. Whether the point is numeric or string type, if the comment marker cannot be used the operation is not impossible, and it is still worth a try. Success cannot be guaranteed, but it gives a few more chances.
First, why do numeric injection points sometimes not need "--" to comment out what follows? The most common and most basic case is a numeric parameter, which the script usually writes as: "select * from news where id =" & id. The received parameter is not enclosed in anything, so our statements can be appended directly; we only have to make sure that the stacked statements we execute are correct. At a string-type injection point the statement is written as: "select * from news where name = '" & name & "'". After we append the statement we want to execute, a trailing single quote still remains, so a comment marker is added at the end of our statement to neutralise it.
If the comment marker is filtered, string-type injection points become hard to handle. We usually fall back to guessing table names through them, or simply look for a numeric point to use instead. Unfortunately, even numeric points are not always usable. If the script writes: "select * from news where classid =" & classid & " order by id desc", then after we append our own statements the remaining conditions and other clauses still break them. This is where the comment marker shows its value.
In fact, getting by without the comment marker is easy to think of once you see it; there is no clever trick, only some fiddly work. What do we do most at an injection point, whether or not errors are displayed? Generally we guess tables, fields and their contents. We can open the injection point and see what it displays from the current database: through the file name, the content category and the article body, or simply by brute-force guessing through the injection point, it is not difficult to work out which table the current point queries, or even exactly which field and which row of content.
With this knowledge we can make some attempts, and we need not worry about the restrictions and conditions in the script's SQL statement: at least we know which table it is. Suppose analysis of the injection point shows that the news table is used. Then we can play the crossword game with stacked statements:
Now we can see that the desired SQL statement has executed successfully without a comment marker. At the injection point you can write:
http://www.bkjia.com/xxx.asp?Id=1; the statement you want to execute; select top 1 * from news
The string-type case then follows in the same way; in actual operation you can write:
http://www.bkjia.com/xxx.asp?Name=admin'; the statement you want to execute; select top 1 * from news where '1' = '1
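The two script patterns above ("select * from news where id =" & id and "select * from news where name = '" & name & "'") fail for the same reason: the parameter is pasted into the statement text, so whatever the client sends after the value is parsed as SQL, and the trailing quote of the string case can be re-balanced by a statement of the attacker's choosing instead of a comment. The following is an added example, not code from the original post: it reproduces both concatenation patterns next to their parameterised replacements and runs payloads shaped like the two URLs above against each. It assumes SQLite (an in-memory stand-in for SQL Server, so "select top 1" becomes "limit 1"), a constructed news table, and a harmless marker insert in place of "the statement you want to execute".

```python
import sqlite3

# Constructed stand-in for the post's "news" table. SQLite is used in place of
# SQL Server (an assumption of this example); executescript() runs the whole
# text as a batch, which mirrors SQL Server executing stacked statements.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, name text)")
    conn.execute("insert into news values (1, 'admin')")
    conn.commit()
    return conn

def row_count(conn):
    return conn.execute("select count(*) from news").fetchone()[0]

# --- The two concatenation patterns the post describes -----------------------

def vulnerable_numeric_lookup(conn, news_id):
    """Mirrors `"select * from news where id =" & id`: nothing encloses the
    value, so anything appended after the number runs as further SQL."""
    conn.executescript("select * from news where id = " + news_id)

def vulnerable_string_lookup(conn, name):
    """Mirrors `"select * from news where name = '" & name & "'"`: the script
    supplies the closing quote, which is why the post's payload ends with
    `where '1' = '1`, a statement that re-balances the quotes without `--`."""
    conn.executescript("select * from news where name = '" + name + "'")

# --- The fix: bind the value instead of pasting it into the statement --------

def safe_numeric_lookup(conn, news_id):
    # The driver passes the parameter separately from the SQL text; no part of
    # it is ever parsed as a statement, so stacking and quote tricks do nothing.
    return conn.execute("select * from news where id = ?", (news_id,)).fetchall()

def safe_string_lookup(conn, name):
    return conn.execute("select * from news where name = ?", (name,)).fetchall()

def validated_numeric_lookup(conn, news_id):
    # Defence in depth for numeric points: reject anything that is not an
    # integer before it reaches the database (int() raises ValueError).
    return safe_numeric_lookup(conn, int(news_id))

# --- Payloads shaped like the two URLs in the post (constructed) -------------
# "the statement you want to execute" is replaced by a harmless marker insert
# so the effect of the stacked statement is observable in the row count.
NUMERIC_PAYLOAD = "1; insert into news values (99, 'marker'); select * from news limit 1"
STRING_PAYLOAD = "admin'; insert into news values (99, 'marker'); select * from news where '1' = '1"

def demo():
    """Run each payload through the vulnerable and the safe lookups and report
    how many rows the news table holds afterwards (1 = untouched)."""
    results = {}
    conn = make_db()
    vulnerable_numeric_lookup(conn, NUMERIC_PAYLOAD)
    results["vuln_numeric_rows"] = row_count(conn)      # 2: the stacked insert ran

    conn = make_db()
    vulnerable_string_lookup(conn, STRING_PAYLOAD)
    results["vuln_string_rows"] = row_count(conn)       # 2: quotes re-balanced, insert ran

    conn = make_db()
    results["safe_numeric_hits"] = safe_numeric_lookup(conn, NUMERIC_PAYLOAD)
    results["safe_numeric_rows"] = row_count(conn)      # 1: payload was just a value

    conn = make_db()
    results["safe_string_hits"] = safe_string_lookup(conn, STRING_PAYLOAD)
    results["safe_string_rows"] = row_count(conn)       # 1: no row has that literal name
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterised lookups are the actual fix; filtering ";" or "--" on the way in is not, because, as the post notes, the batch separator is not limited to ";" and the string case can close its quote with a statement instead of a comment. The integer check in validated_numeric_lookup is an extra layer for numeric points, not a replacement for binding.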
In short, this is only a variation that gives a few more chances. Situations vary and it cannot be applied to every case; it is better to analyse each one on the spot. Even when the conditions match, the outcome with multi-table join queries is unknown.