Introduction
With the development of B/s pattern application development, more and more programmers use this pattern to write applications. But because the entry threshold of the industry is not high, the level of programmers and experience is uneven, a large number of programmers in the code, not the user input data to judge the legality, so that the application has security problems. Users can submit a database query code, based on the results returned by the program to obtain some of the data he wants to know, this is called the SQL injection, that is, SQL injection.
SQL injection is accessed from the normal WWW port, and the surface looks no different from the general Web page access, so the current firewall does not alarm SQL injection, if the administrator does not see the IIS log habits, may be invaded for a long time will not find.
However, SQL injection is quite flexible and can be a lot of surprises when injected. Can be based on the specific situation analysis, the construction of clever SQL statements, so that the successful acquisition of data, is the master and "rookie" the fundamental difference.
According to national conditions, the domestic web site with asp+access or SQL Server accounted for more than 70%, php+mysq accounted for l20%, the other less than 10%. In this article, we from the introduction, advanced to high-level explanation of ASP injection methods and skills, PHP injection of the article by the NB Alliance, another friend Zwell writing, hope for security workers and programmers are useful. Understand the ASP injection of friends also please do not skip the introductory article, because some people to inject the basic method of judgment there are still misunderstanding. Are you ready, everyone? Let ' s go ...
Introductory articles
If you have not tried SQL injection before, then the first step is to remove the check in front of the => tool =>internet option => advanced => display friendly HTTP error message. Otherwise, no matter what error the server returns, IE only displays as an HTTP 500 server error and cannot get more information.
The first section, the principle of SQL injection
The following we start from a website www.mytest.com (note: This article was published prior to the station webmaster consent, most of the real data).
On the homepage of the website, it is known as "IE can not open a new window of a variety of solutions" link, Address: http://www.mytest.com/showdetail.asp?id=49, we add single quotes after this address, the server will return the following error message:
Microsoft JET Database Engine error ' 80040e14 '
The syntax error of the string is in the query expression ' id=49 '.
/showdetail.asp, line 8
From this error we can see the following points:
1. The Web site uses an Access database that connects to the database through the jet engine, rather than through ODBC.
2. The procedure does not determine whether the data submitted by the client meets the procedural requirements.
3. The SQL statement queries the table for a field that is an ID.
From the example above, we can see that the principle of SQL injection is to submit special code from the client to collect the information of the program and server, so as to obtain the information you think of.
Section II, to determine whether SQL injection
After reading the first section, some people will feel: I also often this test can inject, this is not very simple?
In fact, this is not the best way, why?
First of all, not necessarily every server's IIS return specific error prompts to the client, if the program added CInt (parameters), such as statements, SQL injection will not be successful, but the server will also complain, the specific message to deal with the URL when the server error. Please contact your system administrator.
Second, some programmers who have some knowledge of SQL injection think that it is safe to filter out single quotes, which is not a small number if you use single quotes to test the injection point.
So, what kind of test method is more accurate? The answer is as follows:
①http://www.mytest.com/showdetail.asp?id=49
②http://www.mytest.com/showdetail.asp?id=49 and 1=1
③http://www.mytest.com/showdetail.asp?id=49 and 1=2
This is the classic 1=1, 1=2 test method, how to judge? Check out the results of the three URLs above:
The performance that can be injected:
① Normal display (this is inevitable, otherwise it is the error of the program)
② normal display, the content is basically the same as ①
③ prompts BOF or EOF (the program does not make any judgments), or prompts cannot find the record (when the rs.eof is judged), or the display content is empty (the program added on Error Resume Next)
Not to inject is easier to judge, ① also normal display, ② and ③ generally have program-defined error prompts, or prompt type conversion error.
Of course, this is only the incoming parameter is a digital time to use the method of judgment, the actual application will have character and search parameters, I will be in the middle of the "SQL injection general steps" to do the analysis.
Section III, Judgment of database types and injection methods
There are differences in the functions and injection methods of different databases, so we have to judge the type of database before we inject it. The most commonly used database for ASP is access and SQL Server, with over 99% Web sites on the web being one of them.
How do you let the program tell you what database it uses? To see:
SQL Server has some system variables that can be retrieved directly from the error message if the servers IIS prompts are not turned off and SQL Server returns an error:
Http://www.mytest.com/showdetail.asp?id=49 and User>0
This statement is simple, but it contains the essence of SQL Server-specific injection methods, and I myself found this highly efficient method of guessing in an unintentional test. Let me see what it means: first, the preceding statement is normal, with emphasis on and user>0, and we know that user is a built-in variable of SQL Server whose value is the current connected username and the type is nvarchar. With a nvarchar value of 0 compared to the number of int, the system will first attempt to convert the value of nvarchar to an int, of course, the process will certainly be wrong, SQL Server error prompt is: The nvarchar value "ABC" Conversion data type int A syntax error occurred in the column, hehe, ABC is the value of the variable user, so, do not waste Chuihuizhili get the database username. In a future space, you will see a lot of statements in this way.
Incidentally, as we all know, SQL Server's user SA is a role equivalent to adminstrators permissions, and with SA privileges, it is almost certain that the host's administrator can be obtained. The above method can easily test whether to log on with an SA, and note that if the SA is logged in, the hint is that the column that converts "dbo" to int has an error instead of "sa".
If server IIS does not allow you to return error prompts, how do you determine the database type? We can start with access and SQL Server and the differences, access and SQL Server have their own system tables, such as tables that hold all the objects in the database, access is in the system table [msysobjects], but reading the table in the Web environment prompts the No permissions ", SQL Server is in table [sysobjects] and is readable in the web environment.
With the confirmation that you can inject it, use the following statement:
http://www.mytest.com/showdetail.asp?id=49 and (select COUNT (*) from sysobjects) >0
http://www.mytest.com/showdetail.asp?id=49 and (select COUNT (*) from msysobjects) >0
If the database is SQL Server, then the first URL page is roughly the same as the original page http://www.mytest.com/showdetail.asp?id= 49, and the second URL, because the table msysobjects cannot be found, prompts for an error, Even if the program has fault-tolerant processing, the page is completely different from the original page.
If the database is using access, then the situation is different, the first URL of the page and the original page is completely distinct; the second URL, depending on whether the database settings are allowed to read the system table, is generally not allowed, so and the original URL is completely different. In most cases, you can use the first URL to know the type of database used by the system, and the second URL will only be validated when the IIS error prompts are turned on.