SQL Injection Attacks and Defense, Second Edition: reading notes, part two (SQL injection testing)

Source: Internet
Author: User

Looking for SQL injection

The primary goal of this phase is to identify anomalies in the server response and determine whether they are produced by a SQL injection vulnerability, then to determine the type of SQL query that runs on the server side (SELECT, UPDATE, INSERT or DELETE) and where in the query the injected input lands (for example in the FROM, WHERE or ORDER BY clause).

The inputs to focus on are: GET, POST, Cookie, Host, Referer and User-Agent.

The main techniques for understanding and leveraging SQL injection vulnerabilities include reconstructing the code that the developers wrote in the web application and picturing the SQL code that runs remotely. If you can imagine the code the server is executing, you know exactly where to close a single quotation mark and where to open a new one.

Manipulating parameters

Change a parameter so that it supplies an unexpected value

Add a single quotation mark (')

Replace a string or number with an equivalent expression. For example, in MySQL bike and bi' 'ke are equivalent; in SQL Server bike and bi'+'ke are equivalent; a number can be replaced by a larger number minus a smaller one. If the result is the same, the parameter is injectable.

Change a string to a number, or vice versa

Confirm further with AND and OR
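The checks above, run against a string-concatenated query and a parameterized one, as an added example that is not from the book or the original notes. It assumes an in-memory SQLite database; the table, function names and probe values are constructed for illustration, and SQLite's || concatenation stands in for the MySQL and SQL Server forms.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products (name) VALUES (?)",
                   [("bike",), ("car",)])
    return db

def search_concatenated(db, name):
    # Vulnerable pattern: user input is pasted into the SQL text.
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

def search_parameterized(db, name):
    # Hardened pattern: input is bound as data and never parsed as SQL.
    return [r[0] for r in db.execute(
        "SELECT id FROM products WHERE name = ?", (name,))]

# Probe values modelled on the checks in the notes; SQLite concatenates
# strings with || (as Oracle and PostgreSQL do). All values are constructed.
PROBES = {
    "baseline": "bike",
    "single quote": "bike'",
    "string equivalent": "bi'||'ke",
    "AND true": "bike' AND '1'='1",
    "AND false": "bike' AND '1'='2",
}

def run_probes(search):
    db = make_db()
    return {label: search(db, value) for label, value in PROBES.items()}

def looks_injectable(results):
    # Signals from the notes: a lone quote breaks the query, an equivalent
    # expression behaves like the original value, and AND true/false differ.
    return (results["single quote"] != results["baseline"]
            and results["string equivalent"] == results["baseline"]
            and results["AND true"] != results["AND false"])

if __name__ == "__main__":
    for fn in (search_concatenated, search_parameterized):
        res = run_probes(fn)
        print(fn.__name__, res, "injectable:", looks_injectable(res))
```

With the parameterized query every probe is compared as a literal string, so only the baseline value matches a row and none of the signals line up.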

Database error

When a user request triggers a database error, the application can respond in several ways:

The SQL error is displayed on the page, where it is visible to the web browser user.

The SQL error is hidden in the web page source code for debugging.

The application jumps to another page when an error is detected.

The application returns HTTP error code 500 (Internal Server Error) or HTTP redirect code 302.

The application handles the error properly and displays no result; a generic error page may be shown.

Blind SQL injection

An attacker can manipulate a SQL statement, and the application returns different values for a true or a false condition, but the attacker cannot retrieve the query results.

Inline SQL injection

Substitute an equivalent number or string

Test with AND and OR

Terminating SQL injection

Comment characters

SQL Server, Oracle, PostgreSQL: -- (single-line comment), /* */ (multiline comment)

MySQL: -- (single-line comment, must be followed by a space), # (single-line comment), /* */ (multiline comment)

Execute multiple statements

All versions of SQL Server after 6.0 support multiple statements and allow statements such as the following to be executed:

SELECT foo FROM bar; SELECT foo2 FROM bar2;

This feature was also introduced in MySQL after 4.1, but MySQL does not support it by default.

Oracle does not support multiple statements.

Time delay

SQL Server: ; WAITFOR DELAY '0:0:5';--

MySQL: BENCHMARK(1000000, ENCODE('hello', 'Mom'))
