Full contact of-asp injection of the Bible in SQL injection

Source: Internet
Author: User
Tags filter count iis query sql injection table name variable access database
SQL injected into the Bible-asp Injection Vulnerability Full Contact select from Digituser Blog
With the development of B/s pattern application development, more and more programmers use this pattern to write applications. But because the entry threshold of the industry is not high, the level of programmers and experience is uneven, a large number of programmers in the code, not the user input data to judge the legality, so that the application has security problems. Users can submit a database query code, based on the results returned by the program to obtain some of the data he wants to know, this is called the SQL injection, that is, SQL injection.

SQL injection is accessed from the normal WWW port, and the surface looks no different from the general Web page access, so the current firewall does not alarm SQL injection, if the administrator does not see the IIS log habits, may be invaded for a long time will not find.

However, SQL injection is quite flexible and can be a lot of surprises when injected. Can be based on the specific situation analysis, the construction of clever SQL statements, so that the successful acquisition of data, is the master and "rookie" the fundamental difference.

According to national conditions, the domestic web site with asp+access or SQL Server accounted for more than 70%, php+mysq accounted for l20%, the other less than 10%. In this article, we from the introduction, advanced to high-level explanation of ASP injection methods and skills, PHP injection of the article by the NB Alliance, another friend Zwell writing, hope for security workers and programmers are useful. Understand the ASP injection of friends also please do not skip the introductory article, because some people to inject the basic method of judgment there are still misunderstanding. Are you ready, everyone? Let ' s go ...

Introductory articles

If you have not tried SQL injection before, then the first step is to remove the check in front of the => tool =>internet option => advanced => display friendly HTTP error message. Otherwise, no matter what error the server returns, IE only displays as an HTTP 500 server error and cannot get more information.

The first section, the principle of SQL injection

The following we start from a website www.19cn.com (note: This article was published prior to the station webmaster consent, most of the real data).

On the homepage of the website, it is known as "IE can not open a new window of a variety of solutions" link, Address: http://www.19cn.com/showdetail.asp?id=49, we add single quotes after this address, the server will return the following error message:

Microsoft JET Database Engine error ' 80040e14 '

The syntax error of the string is in the query expression ' id=49 '.

/showdetail.asp, line 8

From this error we can see the following points:

1. The Web site uses an Access database that connects to the database through the jet engine, rather than through ODBC.

2. The procedure does not determine whether the data submitted by the client meets the procedural requirements.

3. The SQL statement queries the table for a field that is an ID.

From the example above, we can see that the principle of SQL injection is to submit special code from the client to collect the information of the program and server, so as to obtain the information you think of.

Section II, to determine whether SQL injection

After reading the first section, some people will feel: I also often this test can inject, this is not very simple?

In fact, this is not the best way, why?

First of all, not necessarily every server's IIS return specific error prompts to the client, if the program added CInt (parameters), such as statements, SQL injection will not be successful, but the server will also complain, the specific message to deal with the URL when the server error. Please contact your system administrator.

Second, some programmers who have some knowledge of SQL injection think that it is safe to filter out single quotes, which is not a small number if you use single quotes to test the injection point.

So, what kind of test method is more accurate? The answer is as follows:
①http://www.19cn.com/showdetail.asp?id=49

②http://www.19cn.com/showdetail.asp?id=49 and 1=1

③http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test method, how to judge? Check out the results of the three URLs above:

The performance that can be injected:

① Normal display (this is inevitable, otherwise it is the error of the program)

② normal display, the content is basically the same as ①

③ prompts BOF or EOF (the program does not make any judgments), or prompts cannot find the record (when the rs.eof is judged), or the display content is empty (the program added on Error Resume Next)

Not to inject is easier to judge, ① also normal display, ② and ③ generally have program-defined error prompts, or prompt type conversion error.

Of course, this is only the incoming parameter is a digital time to use the method of judgment, the actual application will have character and search parameters, I will be in the middle of the "SQL injection general steps" to do the analysis.

Section III, Judgment of database types and injection methods

There are differences in the functions and injection methods of different databases, so we have to judge the type of database before we inject it. The most commonly used database for ASP is access and SQL Server, with over 99% Web sites on the web being one of them.

How do you let the program tell you what database it uses? To see:

SQL Server has some system variables that can be retrieved directly from the error message if the servers IIS prompts are not turned off and SQL Server returns an error:

Http://www.19cn.com/showdetail.asp?id=49 and User>0

This statement is simple, but it contains the essence of SQL Server-specific injection methods, and I myself found this highly efficient method of guessing in an unintentional test. Let me see what it means: first, the preceding statement is normal, with emphasis on and user>0, and we know that user is a built-in variable of SQL Server whose value is the current connected username and the type is nvarchar. With a nvarchar value of 0 compared to the number of int, the system will first attempt to convert the value of nvarchar to an int, of course, the process will certainly be wrong, SQL Server error prompt is: The nvarchar value "ABC" Conversion data type int A syntax error occurred in the column, hehe, ABC is the value of the variable user, so, do not waste Chuihuizhili get the database username. In a future space, you will see a lot of statements in this way.

Incidentally, as we all know, SQL Server's user SA is a role equivalent to adminstrators permissions, and with SA privileges, it is almost certain that the host's administrator can be obtained. The above method can easily test whether to log on with an SA, and note that if the SA is logged in, the hint is that the column that converts "dbo" to int has an error instead of "sa".

If server IIS does not allow you to return error prompts, how do you determine the database type? We can start with access and SQL Server and the differences, access and SQL Server have their own system tables, such as tables that hold all the objects in the database, access is in the system table [msysobjects], but reading the table in the Web environment prompts the No permissions ", SQL Server is in table [sysobjects] and is readable in the web environment.

With the confirmation that you can inject it, use the following statement:

http://www.19cn.com/showdetail.asp?id=49 and (select COUNT (*) from sysobjects) >0

http://www.19cn.com/showdetail.asp?id=49 and (select COUNT (*) from msysobjects) >0

If the database is SQL Server, then the first URL page is roughly the same as the original page http://www.19cn.com/showdetail.asp?id=49, and the second URL, because the table msysobjects cannot be found, prompts for an error, Even if the program has fault-tolerant processing, the page is completely different from the original page.

If the database is using access, then the situation is different, the first URL of the page and the original page is completely distinct; the second URL, depending on whether the database settings are allowed to read the system table, is generally not allowed, so and the original URL is completely different. In most cases, you can use the first URL to know the type of database used by the system, and the second URL will only be validated when the IIS error prompts are turned on.

Advanced Chapter

In the introductory section, we learned how to judge SQL injection, but it is far from enough to really get the confidential content of the website. Next, we'll continue to learn how to get what we want from the database, first of all, let's look at the general steps of SQL injection:

The first section, the general steps of SQL injection

First of all, judge the environment, look for the injection point, and judge the database type, which is already mentioned in the introductory article.

Secondly, according to the type of injection parameter, the original of the SQL statement is reconstructed in the mind, according to the type of parameter, it is divided into the following three kinds:

(A) The parameters of id=49 such injections are numeric, and the SQL statements are as follows:
Select * from table name where field =49
The injected parameter is id=49 and [query condition], that is, the build statement:
Select * from table name where field =49 and [query criteria]

(B) class= series The parameters of such injections are character types, and the original SQL statements are roughly as follows:
Select * from table name where field = ' Soap series '
The injected parameters are the class= series ' and [query conditions] and ' = ', that is, the generated statement:
Select * from table name where field = ' serials ' and [query conditions] and ' = '

(C) When the search does not filter the parameters, such as the keyword= keyword, the original SQL statement is roughly as follows:
Select * from table name where field like '% keyword% '
The injected parameter is keyword= ' and [query condition] and '%25 ' =, that is, the build statement:
Select * from table name where field like '% ' and [query condition] and '% ' = '% '

Next, replace the query condition with the SQL statement, guessing the table name, for example:

Id=49 and (Select Count (*) from Admin) >=0

If the page is the same as the id=49, the attached condition is set, that is, the table admin exists, otherwise, that is not present (please bear in mind this



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.