SQL Injection Tool Practice

Source: Internet
Author: User
Tags: base64 html header sql injection protection access database

Program Introduction

The Super SQL Injection tool (ssqlinjection) is an HTTP-based SQL injection tool that builds its own request packets. It supports SQL injection at any position in the HTTP request, supports several injection types, and supports injection over HTTPS.
It currently supports boolean blind injection, error-based injection and union injection, against Access, MySQL 5 and above, SQL Server, Oracle and other databases.
The tool is developed in C#. HTTP requests are sent over raw sockets at the bottom layer, which greatly improves sending efficiency: 2 to 5 times faster than C#'s HttpWebRequest.
In a blind injection environment the tool can retrieve data in any language, which solves the problem that common injection tools cannot retrieve Chinese and other multi-byte encoded data under blind injection.
Tool Features:

1. Supports any SQL injection appearing at any location.
2. Supports all language environments. Most injection tools cannot retrieve multi-byte encoded content such as Chinese under blind injection; this tool solves that completely.
3. Supports logging of the packets sent during injection, so you can see how the program injects, which helps you learn quickly and find injection problems.
4. Relies on keywords for blind injection, can judge by the HTTP response status code, and can also invert the keyword with the keyword inversion feature.

The program requires .NET Framework 4.0. It has been tested on Windows 7 and Windows 8; on other environments, please test it yourself.

1. Basic Information configuration

1.1. Address
When the program opens, fill in the domain name or IP address to be injected in the Address field of the basic configuration.

1.3. SSL
If the web page is served over HTTPS, select SSL; selecting SSL switches the port to 443. If the server uses a different port, change the port accordingly.

1.4. Timeout
The program sends requests over sockets. The timeout, in seconds, applies to each HTTP request; if a request exceeds this time, the program discards it.

1.5. Encoding
This is the decoding method used when the program reads the HTML page. The program automatically recognizes the page encoding; if recognition fails, it falls back to this encoding. The encoding can be found as "charset=xxx" in the Content-Type header of the HTTP response or in the HTML head.

1.6. Injection type
The program currently supports boolean blind injection, union injection and error-based injection, which basically cover all the ways of retrieving data by injection.
For time-based (delay) injection, choose boolean blind and select time as the judgment mode; delay injection currently supports only MySQL.

1.6.1. Bool Blind
Boolean blind injection uses an encoding function of the database, such as ASCII, Unicode or hex, to convert the target data into numbers, determines each number with an AND condition, and converts the numbers back into a string with the corresponding encoding once the judgment is complete.
Boolean blind injection currently supports Access, MySQL 5, SQL Server and Oracle, and all languages, such as Chinese, Japanese and Traditional Chinese. This fixes the problem that many injection tools cannot retrieve Chinese and other multi-byte encoded characters in a blind environment.

1.6.2. Union Injection
Union injection uses the database's UNION query to fetch data.
It currently supports Access, MySQL 5, SQL Server and Oracle.

1.6.3. Error display Injection
Error-based injection takes advantage of the error message the database returns when an operation fails: the injection makes the target data appear inside the error message. Because the text shown in an error is limited in length, it is slightly slower than union injection: a MySQL error message shows about 64 characters, an Oracle error about 256 characters, and a SQL Server error message about 2030 characters.
Error-based injection currently supports MySQL 5, SQL Server and Oracle; Access does not support it.

1.7. Database
Determine the database type and select the corresponding database.

1.8. Threads
Select the number of threads the program runs at the same time; the default is 10.

1.9. Retry
The number of times the program retries sending after an HTTP request fails.

1.10. Automatic identification
Fill in the packet, address and port, and the program can automatically identify the injection; automatic identification supports GET and POST parameters.

1.11. Export the configuration
Click Export Configuration and select the path to export to; the program writes the configuration to an XML file, which can later be loaded with Import Configuration in the menu.

2. Injection Center

2.1. Data packets
Method One:
Enter the URL http://127.0.0.1:8090/mysql.jsp?id=1 in the packet box, right-click in the packet margin and select "Generate packet based on URL"; the program builds the GET request packet and sets the IP address and port automatically.
Method Two:
Paste an HTTP packet captured with Fiddler, Burp Suite or another capture tool into the packet box, or configure the packet manually.
Note: For POST submissions, the Content-Length header must be present so that the program can recalculate the length automatically.

2.2. Injection settings
2.2.1. Turn on URL encoding
When URL encoding is turned on, the program URL-encodes the data inside the encoding tags. This is recommended: if the request parameters contain special characters, the results of the sent requests may otherwise be inconsistent.

2.2.2. 302 Tracking
When this option is turned on and the program encounters a 302 redirect, it requests the destination address of the redirect. If you can judge the injection by the response status instead, select the keyword configuration status = code below and inject based on it.

2.2.3. Injection Markers
Manual injection testing usually uses "xxxx.asp?id=1 and 1=1" to judge whether injection is possible. Select the "and 1=1" part and click Tag Injection; the program places an injection tag at that position and substitutes its own code for the tag to retrieve data. The core idea is to replace the "and 1=1" of the test statement with a tag.

Example:
The marker simply chooses the position where the payload is placed.
Digital type: 1 and 1=1, replace "and 1=1" with the marker.
Character type: 1' and 1=1 and '1'='1, replace "and 1=1" with the marker.
Character type: 1' and 1=1#, replace "and 1=1" with the marker.
Character type: 1' and 1=1--, replace "and 1=1" with the marker.
Search type: 1%' and 1=1 and '%'=', replace "and 1=1" with the marker.
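As an added example (not from the page or the tool), the three parameter contexts listed above can be reproduced with SQLite: a handler that concatenates the id value into its query answers the 1=1 and 1=2 probes differently, while a parameterized handler returns the same result for both, which removes exactly the signal the judgment above relies on. The table, rows and probe strings are constructed for the demo.

```python
import sqlite3


# Constructed table standing in for the target behind mysql.jsp?id=...
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    return con


def vulnerable_lookup(con, kind, value):
    """String concatenation for the digital, character and search contexts.
    Returns the matched ids, or None when the query errors (the 'page error' case)."""
    if kind == "digital":
        sql = "SELECT id FROM items WHERE id = " + value
    elif kind == "character":
        sql = "SELECT id FROM items WHERE id = '" + value + "'"
    else:  # search: the value is wrapped in LIKE wildcards
        sql = "SELECT id FROM items WHERE name LIKE '%" + value + "%'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return None


def safe_lookup(con, kind, value):
    """Same three contexts with the value bound as a parameter, never parsed as SQL."""
    if kind == "digital":
        try:
            num = int(value)        # a numeric context also validates the type
        except ValueError:
            return []
        rows = con.execute("SELECT id FROM items WHERE id = ?", (num,))
    elif kind == "character":
        rows = con.execute("SELECT id FROM items WHERE id = ?", (value,))
    else:
        # LIKE wildcards in the value are escaped so input cannot widen the match either
        esc = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        rows = con.execute("SELECT id FROM items WHERE name LIKE ? ESCAPE '\\'",
                           ("%" + esc + "%",))
    return [row[0] for row in rows]


# Constructed true/false probe pairs following the patterns listed on the page
# ("ir" instead of "1" in the search probe so the LIKE part can match a row).
PROBES = {
    "digital":   ("1 and 1=1", "1 and 1=2"),
    "character": ("1' and 1=1 and '1'='1", "1' and 1=2 and '1'='1"),
    "search":    ("ir%' and 1=1 and '%'='", "ir%' and 1=2 and '%'='"),
}


def injectable(lookup, kind):
    """The page's criterion: the handler is injectable if the true and false probes
    produce different results."""
    con = make_db()
    true_probe, false_probe = PROBES[kind]
    return lookup(con, kind, true_probe) != lookup(con, kind, false_probe)


if __name__ == "__main__":
    for kind in PROBES:
        print(kind, "vulnerable:", injectable(vulnerable_lookup, kind),
              "safe:", injectable(safe_lookup, kind))
```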

2.2.4. Encoding tags
Select the characters in the packet that need URL encoding and click Tag Encoding; the program inserts encoding tags and encodes the tagged content with the configured encoding method.

2.2.5. Injection-Fetch data configuration
Refer to the automatic mode and the "Getting data configuration" section in the chapter "How do I start injecting?".

3. Data center

3.1. Environment variables
3.1.1. Getting environment variables
Right-click to open the popup menu and click Get Environment Variables; the program retrieves basic information about the database. Access does not support this feature.

3.1.2. Copying variable values
Select the variable and right-click to copy its value.

3.2. Database Information
3.2.1. Getting a database
Click Get Database; the program retrieves the list of all databases. For Oracle it retrieves the list of all users; Access has no database list.
3.2.2. Getting a table
Click Get Tables; the program retrieves the tables of the selected database.
3.2.3. Getting columns
Click Get Columns; the program retrieves the columns of the selected table.
3.2.4. Getting data
Data retrieval starts at a start index, which defaults to 0, i.e. the first row. The number of rows to retrieve can be set, but cannot exceed the number of rows remaining after the start index. Double-click a column name to sort by it.

3.2.5. Encoding settings
This is the encoding setting for boolean blind data retrieval. If blind-injected data comes out garbled, try another encoding and check whether it is still garbled. The encoding here is mainly used to decode the output of the database's hex, AscW, Unicode and similar encoding functions.

3.2.6. Exporting data
Click Export Data, select the disk path for the export, and the program exports the data automatically.
3.2.7. Adding nodes
3.2.8. Deleting nodes
3.2.9. Modifying nodes

4. File operation

4.1. MySQL Load_file Read File
When the MySQL account has file read and write privileges (usually only the root account has them), the contents of a text file at the given path can be read under blind, error-based and union injection. Fill in the path, select "MySQL load_file read file" and click Start.

4.2. MySQL Union Write file
When the MySQL account has file read and write privileges (usually only the root account has them), a text file can be written to disk under union injection.
4.3. SQL Server FileSystemObject writing files
With SA privileges, FileSystemObject can be used to write files. The injected file content must not exceed 4000 bytes. Note that when the request is submitted with GET, a GET request generally cannot exceed 1024 bytes, so if the write does not succeed, check whether the submitted data is too long.
4.4. SQL Server sp_makewebtask writing files
With SA privileges, sp_makewebtask can be used to write files. The injected file content must not exceed 4000 bytes, and the same GET limit of about 1024 bytes applies, so if the write does not succeed, check whether the submitted data is too long. The success rate is lower than with FileSystemObject.
4.5. SQL Server writes files using a backup database
With SA privileges, the database backup method can be used to back up content into a file. A file written this way is a database backup file, so it also contains some other redundant data.
4.6. SQL Server FileSystemObject Read file
With SA privileges, FileSystemObject can be used to read files under blind, error-based and union injection. The file read cannot exceed 4000 bytes.

5. Command execution

Currently this feature only supports SQL Server. With SA privileges, xp_cmdshell can execute operating system commands, and you can choose whether to retrieve the command output. The output can be retrieved under blind, error-based and union injection. Stacked queries (multi-statement support) are required for this function.

6. Injection Bypass

6.1. Character substitution
Replaces characters inside the encoding tags. Note the system setting "process bypass characters before URL encoding": if it is not selected, the substitution operates on the URL-encoded characters, so to replace a space with /**/ you fill in "%20" as the character to replace and the URL-encoded form of /**/ as the replacement.
6.2. Include keywords
A simple bypass for MySQL: after testing it manually, choose to wrap keywords in /*! */ to bypass protection.
6.3. Random Capitalization
Randomly changes the case of the characters inside the encoding tags to bypass SQL injection protection.
6.4. Delay between packets
Pauses for a set time after sending each packet, bypassing some protections.
6.5. IP header
Adds a random IP value to an HTTP request header. The program lists the common client-IP headers used for spoofing; select the header to test and the program generates the IP randomly.

6.6. BASE64 encoding
Base64-encodes the parameters inside the encoding range.
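From the defender's side, each of the bypass options above is reversible before pattern matching. The following added example (not from the page or the tool) normalizes a parameter value by undoing URL encoding, base64 encoding, /*! */ and /**/ comments and random capitalization, then matches it against patterns taken from the probes (12.2.2) and functions (sections 4 and 5) the page itself describes; the churning_peers helper covers 6.5 by spotting a client whose client-IP header value keeps changing. The sample values and log tuples are constructed.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Evasions from section 6 that a detector must undo before matching.
INLINE_COMMENT = re.compile(r"/\*!\s*(.*?)\s*\*/", re.S)  # 6.2: MySQL /*! keyword */
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # 6.1: /**/ substituted for a space


def try_base64(value):
    """6.6: if the whole value is base64 that decodes to printable text, return that text."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", value):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return decoded if decoded.isprintable() else value


def normalize(value):
    """Canonical form of one parameter value: decoded, comment-free, single-spaced, lowercase."""
    text = value
    for _ in range(2):                        # 6.1 may substitute on already-encoded text
        text = unquote_plus(text)
    text = try_base64(text)
    text = INLINE_COMMENT.sub(r" \1 ", text)  # keep the keyword the comment was hiding
    text = BLOCK_COMMENT.sub(" ", text)       # a comment used as whitespace becomes a space
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()                       # 6.3: random capitalization


# Patterns built from the probes (12.2.2) and functions (sections 4, 5) the page describes.
SIGNATURES = [
    ("boolean probe", re.compile(r"\b(and|or)\s*\(?\s*1\s*=\s*[12]\b")),
    ("db fingerprint", re.compile(
        r"exists\s*\(\s*select\s+1\s+from\s+"
        r"(information_schema\.tables|sysobjects|msysaccessobjects|user_tables)")),
    ("file or command", re.compile(
        r"\b(load_file|xp_cmdshell|sp_makewebtask|filesystemobject)\b")),
]


def classify(raw_value):
    """Names of the signatures matched by the normalized value (empty list = nothing seen)."""
    norm = normalize(raw_value)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


def churning_peers(requests, limit=3):
    """6.5: peers whose client-IP header (X-Forwarded-For etc.) takes more than `limit`
    distinct values. `requests` is a list of (peer_ip, header_value) tuples from the log."""
    seen = defaultdict(set)
    for peer, header_value in requests:
        if header_value:
            seen[peer].add(header_value)
    return sorted(peer for peer, values in seen.items() if len(values) > limit)


if __name__ == "__main__":
    # Constructed sample values, one per evasion technique.
    for sample in ["1", "1 AnD 1=1", "MSBhbmQgMT0y", "1/**/and/**/1=2",
                   "1%20%2F%2A%21and%2A%2F%20exists(select%201%20from%20sysobjects)"]:
        print(repr(sample), "->", classify(sample))
    # Constructed log tuples: 10.0.0.5 rotates its X-Forwarded-For value on every request.
    log = [("10.0.0.5", "1.2.3.4"), ("10.0.0.5", "5.6.7.8"), ("10.0.0.5", "9.9.9.9"),
           ("10.0.0.5", "8.8.4.4"), ("10.0.0.9", "10.0.0.9"), ("10.0.0.9", "10.0.0.9")]
    print(churning_peers(log))
```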

7. Encoding Conversion

Fill in the characters to convert and select the corresponding encoding or decoding method.

8. Log Center

8.1. Packet history
The packet history records each HTTP request the program sends together with its response, which can be used for troubleshooting. To improve performance, you can turn off HTTP packet logging in System Settings in the menu.

8.2. Packet details
Select a record in the packet history and the program displays its details, where you can view the request and response data. In the response view, press Ctrl+Alt to open the keyword search panel.

9. Batch Scan Injection

Import domain names or links, then select Crawl or Detect Injection.

10. Stop Injection

10.1. Stop Now
Right-click in the current function view and click Stop Now; the program stops all running threads.

11. System settings

Enable MySQL multi-byte data retrieval: the program checks whether the retrieved data contains Chinese.
Enable automatic update detection: the program checks for updates automatically.
Enable bottom log: the program displays log information at the bottom of the window.
Enable packet log: the program logs each HTTP packet.
Process bypass characters before URL encoding: all bypass character processing is applied before URL encoding.
Auto-save configuration on exit: whether the configuration is saved automatically when the software closes.
Maximum number of columns: the highest column count tested when automatic identification tests for union injection.
Maximum crawls per domain: in batch scan injection with Crawl selected, the crawler stops once this number of links has been collected for a domain.
Maximum scans per domain: in batch scan injection, the maximum number of links per domain that are tested for injection.

12. How do I start injecting?

12.1. Auto mode
Automatic mode is suitable for web pages whose response content gives a fixed injection detection result. It only supports injection detection on GET or POST parameters and does not support injection into HTTP request attributes, such as Referer injection.
Before starting automatic identification for the first time, configure the basic information: address, port, timeout, encoding, threads and number of retries.

Next, configure the HTTP request packet: right-click in the packet text box to generate a GET or POST data template, then modify the request URL, the Host and the submitted data.
Sample packet configuration for injecting http://127.0.0.1:8090/mysql.jsp?id=1:
Method one
Enter the URL http://127.0.0.1:8090/mysql.jsp?id=1 in the packet box, right-click in the packet margin and select "Generate packet based on URL"; the program builds the GET request packet and sets the IP address and port automatically.
Method two
First generate the GET packet template, change the request URL to the path relative to the site root, "/mysql.jsp?id=1", and change the Host to "127.0.0.1:8090".

Finally, click Identify Injection to start automatic identification. If identification succeeds, the program sets the database type and injection type automatically and inserts the injection tags; then you only need to switch to the Data Center and select the function for the data you want to retrieve.

12.2. Manual mode
12.2.1. Basic Configuration
Manual mode is more complex to configure than automatic mode, but it can handle injection in any position and in all kinds of situations.
First complete the basic configuration; it is the same as the whole procedure for automatic mode.
Then you need to judge the injection manually, select the corresponding database and injection type, and place the tag. So how do you judge and tag?
First determine the injection type, such as digital, character or search, and then determine the corresponding database.
Once that is done, mark the injection position. How to judge and mark is explained below.
12.2.2. Determining injection Type
12.2.2.1. General-Purpose Digital
URL address:
http://127.0.0.1:8090/JavaSQLInjection/mysql.jsp?id=1
Judging the injection:
Test with the parameters id=1 and 1=1 and id=1 and 1=2. If the page with 1=1 looks the same as the original page, while the page with 1=2 shows an error or some of its data is missing, this is a digital injection.
Determining the database type:
Use EXISTS to query a system table specific to each database and judge by whether the page is normal which database it is.
MySQL: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1 and exists (select 1 from Information_schema.tables)
SQL Server: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1 and exists (select 1 from sysobjects)
Access: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1 and exists (select 1 from MSysAccessObjects)
Oracle: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1 and exists (select 1 from User_tables)
12.2.2.2. Universal Character Type
URL address:
http://127.0.0.1:8090/JavaSQLInjection/mysql.jsp?id=1
Judging the injection:
Test with the parameters id=1' and 1=1 and '1'='1 and id=1' and 1=1 and '1'='2, or use the comment symbols "#" or "--". Remember to URL-encode special characters: "#" is encoded as "%23" and "-- " as "--%20". Using a comment, the test parameters become id=1' and 1=1%23 and id=1' and 1=2%23. If the page with 1=1 looks the same as the original page, while the page with 1=2 shows an error or some of its data is missing, this is a character-type injection.
Determining the database type:
Use EXISTS to query a system table specific to each database and judge by whether the page is normal which database it is.
MySQL: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' and exists (select 1 from Information_schema.tables) and 'A'='a
SQL Server: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' and exists (select 1 from sysobjects) and 'a'='a
Access: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' and exists (select 1 from msysaccessobjects) and 'a'='a
Oracle: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' and exists (select 1 from User_tables) and 'a'='a
12.2.2.3. Universal Search Type
URL address:
http://127.0.0.1:8090/JavaSQLInjection/mysql.jsp?id=1
Judging the injection:
Test with the parameters id=1%' and 1=1 and '%'=' and id=1%' and 1=2 and '%'=', or use the comment symbols "#" or "--". Remember to URL-encode special characters: "#" is encoded as "%23" and "-- " as "--%20". Using a comment, the test parameters become id=1%' and 1=1%23 and id=1%' and 1=2%23. If the page with 1=1 looks the same as the original page, while the page with 1=2 shows an error or some of its data is missing, this is a search-type injection.
Determining the database type:
Use EXISTS to query a system table specific to each database and judge by whether the page is normal which database it is.
MySQL: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1%' and exists (select 1 from Information_schema.tables) and '%'='
SQL Server: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1%' and exists (select 1 from sysobjects) and '%'='
Access: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1%' and exists (select 1 from msysaccessobjects) and '%'='
Oracle: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1%' and exists (select 1 from user_tables) and '%'='
12.2.2.4. or type
URL address:
http://127.0.0.1:8090/JavaSQLInjection/login.jsp?username=1&pass=1
Judging the injection:
Test with the parameters username=1' or (1=1 and 1=1) and '1'='1 and username=1' or (1=1 and 1=2) and '1'='1, or use the comment symbols "#" or "--". Remember to URL-encode special characters: "#" is encoded as "%23" and "-- " as "--%20". Using a comment, the parameters become 1' or (1=1 and 1=1)%23 and 1' or (1=1 and 1=2)%23. If the page with 1=1 looks the same as the original page, while the page with 1=2 shows an error or some of its data is missing, this is a character-type injection.
Determining the database type:
Use EXISTS to query a system table specific to each database and judge by whether the page is normal which database it is.
MySQL: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?username=1' or (1=1 and exists (select 1 from Information_schema.tables)) and 'a'='a&password=1
SQL Server: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' or (1=1 and exists (select 1 from sysobjects) and 'a'='A
Access: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' or (1=1 and exists (select 1 from MSysAccessObjects) and 'A'='a
Oracle: http://127.0.0.1:8090/javasqlinjection/mysql.jsp?id=1' or (1=1 and exists (select 1 from User_tables) and 'a'='a
12.2.3. Injection Markers
This is very simple: first select the parameter values that need URL encoding and tag them for encoding, then select the "and 1=1" used in the injection type test above and click the Tag Injection button on the right; alternatively, delete "and 1=1" and insert the injection marker directly at that position.
12.2.4. Getting Data configuration
12.2.4.1. BOOL Blind Injection data configuration
12.2.4.1.1. Basic Configuration
The boolean blind configuration relies on keywords, status codes, response time and other factors to judge whether a condition is logically true or false.

Keyword judgment
A keyword is a string that appears on the page when the condition is logically true and does not appear when it is logically false: it appears with "and 1=1" and does not appear with "and 1=2".

Example:
Normal digital injection:

The blind keyword is a string that appears on the page with "and 1=1" and does not appear with "and 1=2", for example "SQL", "I Am SQL" or "SQL injection". The single principle is to make sure the keyword appears on the page when the condition is 1=1 and does not appear when it is 1=2.
Status code judgment
The principle of status code judgment is the same, except that the condition becomes: the status code returned for "and 1=1" is not returned for "and 1=2".
After selecting status code, the program's blind keyword is the status code: the HTTP status code returned for "and 1=1" (200, 403, 302, 500, etc.) is the keyword, and "and 1=2" returns a different status code.
Time judgment:
You need to determine the average response time of the web page manually and set a time threshold; when the page response time exceeds the threshold, the current judgment is treated as true, otherwise as false.

12.2.4.1.2. Keyword Inversion
When keyword inversion is selected, the program inverts the injection judgment: the keyword appears with "and 1=2" and does not appear with "and 1=1". With status code selected, the status code is returned for "and 1=2" and a different status code for "and 1=1".
12.2.4.1.3. Verifying that the keyword is correct
Click Verify Keyword to check that the keyword is configured correctly.
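Seen from the server side, the 1=1/1=2 tests of 12.2.2 and the status-code oracle described here leave a recognisable trace in the access log: the same client sends the same parameter base value with different appended conditions and receives responses that differ in status or size. The following added example (not from the page or the tool) groups constructed Apache combined-format log lines that way and reports the groups that behave like a true/false oracle.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines imitating the probe sequence the page describes:
# the original page, the 1=1/1=2 pair, then EXISTS fingerprints for two databases.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /mysql.jsp?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /mysql.jsp?id=1%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /mysql.jsp?id=1%20and%201%3D2 HTTP/1.1" 200 1810 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /mysql.jsp?id=1%20and%20exists(select%201%20from%20Information_schema.tables) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /mysql.jsp?id=1%20and%20exists(select%201%20from%20sysobjects) HTTP/1.1" 500 642 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /mysql.jsp?id=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:04 +0000] "GET /mysql.jsp?id=3 HTTP/1.1" 200 5101 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# An appended condition starts at the first AND/OR, optionally preceded by the closing
# quote or wildcard of the character and search types: 1' and ..., 1%' and ...
CONDITION_RE = re.compile(r"[%']*\s*\b(and|or)\b", re.I)


def parse_line(line):
    """Client, path, decoded query parameters, status and size of one log line, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, _method, target, status, size = match.groups()
    parts = urlsplit(target)
    return {"client": client, "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(status), "size": 0 if size == "-" else int(size)}


def base_value(value):
    """The parameter value with any appended condition removed: "1 and 1=2" -> "1"."""
    return CONDITION_RE.split(value, maxsplit=1)[0].strip()


def oracle_groups(lines, min_requests=2):
    """Group condition-carrying requests by (client, path, parameter, base value) and return
    the groups whose responses differ in status or size, i.e. a true/false oracle in use."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            base = base_value(value)
            if base != value:                     # only values that carry a condition
                groups[(rec["client"], rec["path"], name, base)].append(
                    (rec["status"], rec["size"]))
    flagged = {}
    for key, responses in groups.items():
        statuses = sorted({s for s, _ in responses})
        sizes = sorted({z for _, z in responses})
        if len(responses) >= min_requests and (len(statuses) > 1 or len(sizes) > 1):
            flagged[key] = {"requests": len(responses), "statuses": statuses, "sizes": sizes}
    return flagged


if __name__ == "__main__":
    for key, info in oracle_groups(SAMPLE_LOG.splitlines()).items():
        print(key, info)
```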
12.2.4.2. Error display mode fetch number configuration
No configuration is needed; the program retrieves the error message automatically. Note that the target application must display database error messages.
12.2.4.3. Union injection-Fetch data configuration
Because the number of columns before and after the UNION query must match, and the program can only show the injected data through a displayed column, union injection requires configuring the number of columns of the SQL statement and the columns that are displayed.
Note: Because the Access database has no system tables, its tables and columns can only be guessed blindly, so the blind data retrieval configuration is also required; configure it as described for the boolean blind data configuration.
12.2.5. Getting data
Switch to the Data Center and try to retrieve data. If retrieval fails, try switching the retrieval method, test manually whether protection rules are interfering, check that the web page encoding is normal, and review the HTTP packet log to analyze the reason for the failure, then adjust the configuration.
