Continue SQL injection if the resource ID does not exist

By: zwell
It seems that SQL injection is a common practice. In fact, it is not the case. During the development of Pangolin, I have encountered too many special cases and continue to use in-depth injection methods. Here we will talk about the injection method when the resource ID does not exist.

What is "resource ID does not exist? For example, suppose the url is a http://www.bkjia.com/news.php? Id = 9999999, but the resource corresponding to 9999999 does not exist. In this case, the traditional SQL injection tool cannot determine the injection point (Pangolin can inject drops), let alone extract data. In many cases, a large number of such vulnerabilities on the Internet are missed by testers and developers.

Maybe you want to ask, should this situation basically not exist? Let me list several examples:

1. When crawling a webpage, you will find many links that are not noticed by humans, and the resources of the corresponding ID have been deleted for some reason, but are not deleted on the page;
2. The developer cleaned up the data and did not consider deleting the old script file;
3. The developer has left a form interface (for example, entering the id to query the corresponding resource). By default, there is no parameter. In this case, we do not know how the resource id is represented; this is the most common scenario.

In short, there are many such cases. I have seen it N times.

Back to the topic, why can't a general injection tool make a decision? Let's review the correct judgment process of the injection tool:

1. Based on the HTTP status?
2. Based on the page length (this is the first method proposed by Pangolin)
3. Based on keywords, it was previously manually input. Until Pangolin was the first to provide a super powerful and intelligent [automatic analysis keyword] technology (currently no tool can surpass this algorithm ).

Okay, let's take a look. In the case of an error resource id: the status code is 200, the page length returns are consistent, and keywords cannot be extracted (because there are indeed no keywords to be extracted ). At this time, the automation tools all stopped and thought there was no vulnerability. Is there a way to continue the injection?

Actually, it is okay. It can also extract data quickly. How can this problem be solved?

1. The error reporting mode is the most common in mssql, and mysql is also acceptable, but few people know it.
2. Construct a false correct resource ID.

One method is not explained here. I will try again later. Here we will talk about the second method: constructing a false correct resource ID. It's okay. Let's start with two examples.

Http://www.bkjia.com/news.php? Id = 9999999 is definitely not a resource, so http://www.bkjia.com/news.php? Id = 9999999 or 1 = 1 can I? Http://www.bkjia.com/news.php? Id = 9999999 or 1 = 1? Do you understand? The database returns the first record in the default sorting by or 1 = 1. In this case, http://www.bkjia.com/news.php? As a whole, id = 9999999 or 1 = 1 is a correct resource page.

It is estimated that many of my friends are ready to go here. Haha, it's not over yet. You can do it manually. automation tools are still not handled. In the end, you still cannot inject it quickly. Here I will introduce how Pangolin is implemented:

A) Obtain an impossible resource ID, such as 1111.1.
B) if the content returned by page a is the same as before, congratulations. You can determine that this is a non-existent resource page.
C) When B is met, request 9999999 or 1 = 1 and 9999999 or 1 = 1 respectively to determine the injection type.
D) The key is here. Now we need to regard the content of c as a correct page and extract forged keywords. This depends on the tool algorithm.

Are you finished? No, the last step is worse. In the error reporting mode, you can only guess one byte or one byte (I know some friends who know the technology change are stuck here ), the system will generate a large number of errors, so the union select mode will be ineffective. Last step: Add a plus sign '+' to the end of -- Comment. Hey, why? Think about it as a homework exercise .......