Study the principle of buffer overflow, at least for the difference of two kinds of database
Buffer overflow principle
A buffer overflow is the amount of data that a computer program fills into a buffer that exceeds the capacity of the buffer itself. Overflow data is overwritten with legitimate data. Ideally, the program checks the length of the data and does not allow the input of strings that exceed the buffer length. However, most programs assume that the data length always matches the allocated storage space, which is a hidden danger for buffer overflow.
Principle
- For MySQL Database
Check_connection (sql_parse.cc):
/
Old clients send null-terminated string as password; New Clients Send
The size (1 byte) + string (not null-terminated). Hence in case of
Empty
Password both send '.
/
UINT passwd_len= thd->client_capabilities & client_secure_connection?
passwd++: strlen (passwd);
The 0x8000 is provided in the ' client capabilities ' tag, and the user can specify the value of the Passwd_len field. To exploit the vulnerability attack select 0x14 (20) as the value, as it equals the SHA hash length, which can be checked through the understanding process.
After several checks are used to ensure that the user is from the licensed host, the authentication process enters the following code:
/Check password:it should be empty or valid/
if (Passwd_len = = Acl_user_tmp->salt_len)
{
if (Acl_user_tmp->salt_len = = 0 | |
Acl_user_tmp->salt_len = = Scramble_length &&
Check_scramble (passwd, thd->scramble, acl_user_tmp->salt) = = 0 | |
check_scramble_323 (passwd, Thd->scramble,
(ULONG) acl_user_tmp->salt) = = 0)
{
Acl_user= acl_user_tmp;
res= 0;
}
}
The Check_scramble function returns an authentication failure, but looking at the check_scramble_323 function we can see:
My_bool
check_scramble_323 (const charscrambled, const charMessage
ULongHash_pass)
{
struct Rand_struct rand_st;
ULONG Hash_message[2];
Char buff[16],To,extra; /* Big enough for check/
const CHARPos
Hash_password (hash_message, message, scramble_length_323);
Randominit (&rand_st,hash_pass[0] ^ hash_message[0],
HASH_PASS[1] ^ hash_message[1]);
To=buff;
for (pos=scrambled;Pos; pos++)
to++= (char) (Floor (My_rnd (&rand_st)31) +64);
Extra= (char) (Floor (My_rnd (&rand_st)31));
To=buff;
while (scrambled)
{
if (scrambled++ = (char) (to++ ^ extra))
return 1; /Wrong password */
}
return 0;
}
Here, a 0-length scrambled string can be used to bypass validation, and in the last comparison of the function if the scrambled string has no characters, the function returns ' 0 ', allowing the user to bypass the validation with a 0-length string.
Another stack-based buffer buff can be overrun by an extra-long scrambled string, and the buffer is overrun with characters that are output from the My_rnd () function, and the character range is 0x40. 0x5f may lead to arbitrary code execution under some platforms.
Oracle database server logon long user name buffer Overflow Vulnerability
The Oracle Database service program does not have sufficient bounds checking to copy the user name external data to the local memory buffer, and a remote attacker can exploit the vulnerability to buffer overflow attacks against the database, possibly executing arbitrary instructions on the system with the Oracle process privileges.
The code in the Oracle database service that handles the validation request section has a remote, available buffer overflow that can trigger a stack-based overflow by passing an extended username to the service program, and a well-constructed user name data may execute arbitrary instructions on the system with Oralce process privileges, in linux/ "Oracle" Permissions on UNIX systems, and Local system permissions under Windows systems.
Most Oracle client applications truncate the long user name and provide it to the database, so an attacker would need to write their own authentication client to exploit the vulnerability. However, NGSSoftware found that there is a client tool LOADPSP can allow the long user name input, the user can be used for testing, the tool in the Oracle installation directory under the "Bin" directory.
Research on the discovery and injection technology of SQL injection point for different data types
The
- Digital injection point
, such as "http://****?id=55", is called "Digital injection point" because of the "number" of such injected parameters. The SQL statement that is submitted by this type of injection point is roughly the same: Select * from table name where field =55
When we submit the injection parameter as "http://****?id=55 and[query condition]", the complete SQL statement submitted to the database is:
Select * FROM table name where field =55 and [query condition]
- character injection point
like "http://****?" class= Date "This type of injected parameter is" character "and is therefore referred to as the" character type "injection point.
The SQL statement submitted by such an injection point is roughly the same:
Select * from table name where field = ' Date '
when we submit an injection parameter of "http://****class= date and[query Condition", the complete The SQL statement is ":
Select * from table name where field = ' Date ' and [query condition]
-
Search Injection Point
This is a special kind of injection. This kind of injection is mainly refers to in the data search without filtering the search parameters, generally in the link address has "keyword= keyword", some do not display the link address, but directly through the search box form submission.
The SQL statement submitted by such an injection point is roughly the same:
Select * from table name where field like '% keyword% '
When we submit an injection parameter of "keyword= ' and[query condition] and '% ' = ', then commit to the database After the SQL statement is:
SELECT * from table name where field like '% ' and [query condition] and '% ' = '% '
study buffer Overflow prevention method, at least for two programming languages to differentiate research according to the steps of buffer overflow attack, you can use common The buffer overflow attack detection technique is divided into the following 3 types: Detection method based on input string, detection method based on return address in protection stack and detection method based on monitoring system call
The
- detects the input string based on the detection method of the input string
, determines that it is an overflow attack string to take a blocking action, so that the attacker cannot inject the attack code. In general, the following 3 methods are used to construct the overflow attack string
1 overflow attack string is suitable for cases where the buffer is greater than shellcode length; the 2 overflow attack string is typically for buffers less than shellcode The length of the case; the 3 method is to put shellcode in environment variables, which is the most common method at present.
-
Detection method based on return address in protection stack
Buffer overflow attacks the most critical step is to change the process of the program by modifying the function return address, so that a buffer overflow attack can be judged by checking whether the return address is modified before the function call returns.
Buffer Overflow attacks account for the overwhelming majority of remote network attacks, which can give an anonymous Internet user the opportunity to gain some or all of the control of a single host. If a buffer overflow vulnerability can be effectively eliminated, a large percentage of security threats can be mitigated. There are currently three basic methods to protect the buffer against buffer overflow attacks and effects: 1, through the operating system so that the buffer is not executable, thereby preventing the attacker to implant the attack code, 2, the method of forcing the correct code, 3, the use of compiler boundary check to achieve buffer protection, so that buffer overflow can not occur, This completely eliminates the threat of buffer overflow.
Database injection tool
- sqlmap
- sqlmap.py-u "http://www. Xxx.com/index.asp?id=1 "
to determine if the ID parameter is injected: The result contains an" id "is vulnerable field indicates an injection exists, the following steps can execute successfully ~
- sqlmap.py- U "http://www. Xxx.com/index.asp?id=1 "--dbs
enumerates all database names that can be listed
- sqlmap.py-u" http://www. Xxx.com/index.asp?id=1 "--CURRENT-DB
lists the database names that are currently in use, assuming that the Sqltest database
- sqlmap.py-u http://www is listed. Xxx.com/index.asp?id=1 "--IS-DBA
Determines whether the injection point has administrator rights: Returns true to indicate that it is an administrator
- sqlmap.py-u" http://www. Xxx.com/index.asp?id=1 "-D" sqltest "--tables
gets all the tables in sqltest, assuming the" admin "Table
- sqlmap.py-u" http://www. Xxx.com/index.asp?id=1 "-D" sqltest "-t" admin "--columns
Enumerates the fields (column names) of the table admin, assuming there is a" username "," password "field
- Sqlmap.py-u "http://www. Xxx.com/index.asp?id=1 "-D" sqltest "-T" admin "-C" Username,password "--dump
Download field Username,password value, if asked whether to crack MD5 encryption , select No to
now, for a simple injection point (get method), we have already obtained the data we want
"*" injected after the demo will be filled with
- Super SQL injection
The Super SQL Injection tool (ssqlinjection) is an HTTP protocol-based self-package SQL injection tool that supports SQL injection anywhere in the HTTP protocol, supports various types of SQL injection, and supports HTTPS mode injection.
The Super SQL Injection tool (ssqlinjection) is a SQL injection tool based on the HTTP protocol self-set package.
The Super SQL Injection tool supports automatic identification of SQL injection and automatic configuration, such as the program does not automatically recognize, but also manual intervention to identify injection, and mark the injection location.
The Super SQL Injection tool supports SQL injection anywhere in the HTTP protocol, supports various types of SQL injection, and supports HTTPS mode injection.
The Super SQL Injection tool supports BOOL type blind, error display injection, union injection, and other methods to obtain data.
The Super SQL injection tool supports databases such as access, MySQL5, SQL Server, Oracle, and more.
The Super SQL Injection tool supports manual and flexible SQL injection bypass, customizable character substitution and other bypass injection protection.
Super SQL Injection tool supports batch scan SQL injection vulnerability, can import domain name crawl once link scan, using similarity algorithm, vulnerability, false alarm rate is less than 1%.
SQL Injection Attack Practice
