SQL Injection Vulnerability
Principle: When a developer writes database access code and concatenates an externally controllable parameter directly into the SQL statement, the string reaches the database engine without any filtering.
Attack modes:
(1) When the database account has high privileges, the attacker can write a webshell directly or execute system commands directly.
(2) When the privileges are low, injection can still be used to obtain administrator password data, or to modify database content for phishing and similar purposes.
Where it commonly occurs:
Login pages, HTTP headers read by the application (User-Agent, Client-IP, etc.), order processing, and so on. The Client-IP and X-Forwarded-For headers are frequent sources of vulnerabilities, and shopping-cart code is a frequent site of second-order injection.
1. Normal injection
A vulnerability in which a union query can be injected directly because the input receives no processing at all. When testing for normal injection in source code, look for keywords: database operation functions (select ... from, mysql_connect, mysql_query, mysql_fetch_row) and query statements (UPDATE, INSERT, DELETE, etc.).
2. Encoding injection
Before performing an operation, a program often transcodes its input. If the transcoding function is flawed, special characters that it handles incompatibly can turn otherwise harmless input into harmful output. Common encoding injections are caused by MySQL wide bytes and by the urldecode()/rawurldecode() functions.
(1) Wide-byte injection
When PHP connects to MySQL and sets SET CHARACTER_SET_CLIENT=GBK, the character-set conversion causes an injection problem, the familiar wide-byte injection. Where wide-byte injection exists, %df%27 can "eat" the backslash (%5c) that the program's filtering inserts. For example, if /1.php?id=1 is vulnerable to wide-byte injection, then in /1.php?id=-1' and 1=1%23 the single quote is escaped to \'; but when /1.php?id=-1%df' and 1=1%23 is submitted, %df and the backslash (%5c) combine into %df%5c, which is decoded as a single Chinese character. The single quote then survives, closes the string, and forms an injection vulnerability.
Cause: because the MySQL client character set is set to GBK (SET CHARACTER_SET_CLIENT=GBK), the statement is GBK-transcoded when it is executed, which is what the attack exploits. The usual way to set this is SET NAMES 'GBK', which is equivalent to:
SET
    character_set_connection = 'GBK',
    character_set_results = 'GBK',
    character_set_client = 'GBK'
This way of setting the encoding is itself vulnerable. The recommended alternative is the official mysql_set_charset() function: after issuing SET NAMES it also records the current character set, which mysql_real_escape_string() later uses when escaping characters. Used properly, mysql_real_escape_string() can therefore still protect against this vulnerability.
Defense methods:
① Before executing the query, run SET NAMES 'GBK' and then set character_set_client to binary (character_set_client=binary).
② Use mysql_set_charset('GBK') to set the character set, and then filter the parameters with the mysql_real_escape_string() function.
③ Use PDO; in PHP 5.3.6 and earlier, call setAttribute(PDO::ATTR_EMULATE_PREPARES, false) to disable emulated prepared statements.
Example of a wide-byte injection test:
Result with GBK-encoded input:
The wide-byte injection succeeds: %df' is filtered to %df\', which after encoding becomes %df%5c', and %df%5c is a Chinese character. The backslash is consumed, the quote survives, and the filter is bypassed to form an injection.
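As an added illustration of the two defenses above (not code from the original post), the block below models, without a MySQL server, why byte-level escaping such as addslashes() fails under a GBK client charset and why a charset-aware escaper (the mysql_set_charset() + mysql_real_escape_string() path) holds up. The escapers and the literal scanner are simplified models written for this example, and the payload is constructed from the %df%27 probe in the text.

```python
# Added example (not from the original post): a model, with no MySQL server,
# of why byte-level escaping (addslashes / mysql_escape_string) fails under a
# GBK client charset and why charset-aware escaping (the mysql_set_charset +
# mysql_real_escape_string path) holds. Escapers and scanner are simplified.

def is_gbk_pair(b: bytes, i: int) -> bool:
    """True if b[i:i+2] is a valid two-byte GBK character."""
    return (i + 1 < len(b) and 0x81 <= b[i] <= 0xFE
            and 0x40 <= b[i + 1] <= 0xFE and b[i + 1] != 0x7F)

def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping with no charset knowledge, like PHP addslashes()."""
    out = bytearray()
    for c in raw:
        if c in b"'\"\\\x00":
            out.append(0x5C)
        out.append(c)
    return bytes(out)

def escape_gbk_aware(raw: bytes) -> bytes:
    """Charset-aware model: a valid GBK pair is copied whole; a lone lead byte
    is escaped itself, so it cannot swallow the backslash added before a quote."""
    out, i = bytearray(), 0
    while i < len(raw):
        if is_gbk_pair(raw, i):
            out += raw[i:i + 2]
            i += 2
        else:
            if raw[i] in b"'\"\\\x00" or 0x81 <= raw[i] <= 0xFE:
                out.append(0x5C)
            out.append(raw[i])
            i += 1
    return bytes(out)

def literal_end(sql: bytes, start: int) -> int:
    """GBK-aware server model: scan the quoted literal opened at sql[start]
    (pairs skipped whole, backslash skips one byte); index of closing quote."""
    i = start + 1
    while i < len(sql):
        if is_gbk_pair(sql, i) or sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return i
        else:
            i += 1
    return -1

def sql_after_literal(escaper, user_input: bytes) -> bytes:
    """Escape-then-concatenate as in the post; return what the server parses
    after the id literal closes (user text leaking here means breakout)."""
    q = b"SELECT * FROM t WHERE id='" + escaper(user_input) + b"' AND 1=1"
    return q[literal_end(q, q.index(b"'")) + 1:]

PAYLOAD = b"-1\xdf' and 1=1#"  # constructed from the %df%27 probe in the text
```

With addslashes() the scanner closes the literal at the attacker's quote, so "and 1=1#" is parsed as SQL; with the charset-aware escaper the literal runs to the query's own closing quote.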
(2) Double urldecode injection
Most web applications now filter their parameters to prevent injection. But if a urldecode() or rawurldecode() call is used somewhere, the parameter is decoded twice, which can produce a single quote after the filtering and trigger an injection: the so-called double-decode injection.
Web applications typically use the addslashes(), mysql_real_escape_string() or mysql_escape_string() functions, or enable GPC (magic_quotes_gpc), to prevent injection; these prepend a backslash to single quotes ('), double quotes ("), backslashes (\) and NUL bytes.
Double-decode injection test code:
Execution result:
Principle: when we submit the id parameter to the web server, the server automatically decodes it once. Assuming the target program has GPC enabled and we submit id=1%2527, the first decoding turns %25 into %, so the parameter is id=1%27. The program then decodes the id parameter a second time with urldecode() or rawurldecode(), the result is id=1', and the single quote successfully triggers the injection.
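The order of operations just described, as an added runnable model that is not part of the original post: Python's urllib and an in-memory SQLite table stand in for the PHP/MySQL stack, and the table, rows and probe value are constructed for the demonstration.

```python
# Added example (not from the original post): a runnable model of the
# double-decode bug using Python's urllib and an in-memory SQLite table in
# place of the PHP/MySQL stack the post describes. Table, rows and the
# payload are constructed for the demonstration.
import sqlite3
from urllib.parse import unquote

def addslashes(s: str) -> str:
    """PHP addslashes() / magic_quotes_gpc: backslash before ' " \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in s)

def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id TEXT, item TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?)",
                    [("1", "book"), ("2", "pen"), ("3", "lamp")])
    return con

def vulnerable_lookup(raw_id: str) -> list:
    """Order of operations from the post: the web server decodes once, GPC
    escapes quotes (none present yet), then the app urldecodes AGAIN and
    concatenates the result into SQL."""
    once = unquote(raw_id)          # 1%2527 -> 1%27 : no quote for GPC to see
    escaped = addslashes(once)      # nothing to escape, value unchanged
    value = unquote(escaped)        # 1%27 -> 1'  : quote appears after filtering
    sql = f"SELECT item FROM orders WHERE id='{value}'"
    return fresh_db().execute(sql).fetchall()

def safe_lookup(raw_id: str) -> list:
    """Decode every layer first, then bind the final value as a parameter so
    the quote is data, never SQL. No escaping step is needed at all."""
    value = unquote(unquote(raw_id))
    return fresh_db().execute(
        "SELECT item FROM orders WHERE id = ?", (value,)).fetchall()

# constructed probe: after two decodings it becomes  1' OR '1'='1
PAYLOAD = "1%2527%20OR%20%25271%2527%3D%25271"
```

Of the three prevention methods listed later in the post, parameter binding is the one that still applies to current PHP: magic quotes were removed in PHP 5.4 and the mysql_* functions in PHP 7.0.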
3. SQL injection vulnerability prevention
Three defense methods are covered here: precompiled (prepared) statements, filter functions and classes, and magic quotes.
(1) Precompiled statements: in .NET use SqlParameter to parameterize database queries; in Java use PreparedStatement; in PHP use PDO prepare().
(2) Filter functions and classes: there are two common usage scenarios. One is uniform filtering at the application level, which is how most frameworks work; the other is filtering applied in the program just before the SQL statement runs. Functions commonly used in PHP are addslashes(), mysql_escape_string(), mysql_real_escape_string(), intval(), etc.
(3) Magic quotes: data usually enters the application in two ways: passively received parameters (GET, POST, etc.) and actively fetched data, such as the contents of a remote page or a file. In PHP's magic quotes configuration, magic_quotes_gpc is responsible for filtering GET, POST and cookie values, and magic_quotes_runtime filters data obtained from the database or from files.
Note: This article is the author's own original work; please indicate the source when reproducing it. If there are errors, please point them out and I will correct them. Thank you!
SQL injection: wide-byte injection + double-decode injection