In-depth SQL Injection

Tags: simple sql injection, sql injection attack, sql server injection

Following the simple SQL injection attack methods covered last time, today we continue with some further issues.

In the previous section we used the information returned by the server to determine whether SQL injection is possible. However, not every server's IIS returns a specific error message to the client. If the program wraps the parameter in cint(), the injection fails, but the server still reports an error; the only prompt is "An error occurred on the server when processing the URL. Please contact the system administrator."
Second, some programmers with a little knowledge of SQL injection believe that filtering out single quotes makes them safe, and this is not a rare case. If you test with single quotes, such injection points cannot be found.
So which test method is more accurate? The answer is as follows:

① http://host/showdetail.asp?id=49

② http://host/showdetail.asp?id=49;and 1=1

③ http://host/showdetail.asp?id=49;and 1=2

This is the classic 1=1, 1=2 test method. How is the result judged? Look at the results returned by the three URLs above:

When injection is possible:

① Displays normally (this is inevitable; otherwise the program itself is broken)

② Displays normally, with content essentially the same as ①

③ Prompts BOF or EOF (when the program performs no check), or prompts that the record cannot be found (when the program checks rs.eof), or displays empty content (when the program uses on error resume next)

When injection is not possible, judgment is easier: ① displays normally, while ② and ③ generally show a program-defined error prompt or a type-conversion error.

Of course, this is only the judgment method for numeric input parameters. In practice there are also character-type and search-type parameters; we analyse them below.

But first a question:
Different databases have different functions, and the injection methods differ accordingly, so before injecting we need to determine the database type. Generally, Access and SQL Server are the most common databases behind ASP; more than 99% of the websites on the Internet use one of the two.

How can a program tell you which database it uses? Let's take a look:

SQL Server has some system variables. If IIS on the server has not been configured to suppress error messages, and SQL Server returns an error message, the error text can be obtained directly with:

http://host/showdetail.asp?id=49;and user>0

This statement is very simple but contains the essence of the SQL Server injection method; I found this efficient method by chance during a test. Let's look at what it means: the preceding part of the statement is normal, and the emphasis is on "and user>0". We know that user is a built-in SQL Server variable whose value is the username of the current connection and whose type is nvarchar. Comparing an nvarchar value with the int value 0, the system first tries to convert the nvarchar value to int, and the conversion inevitably fails. The SQL Server error prompt is: a syntax error occurred when converting the nvarchar value "abc" to a column of data type int. The "abc" is the value of the variable user. In this way the database user name is obtained with no effort at all. Later we will see many statements that use this method.

By the way, as everyone knows, the SQL Server user sa is a role equivalent to Administrators permission. With sa permission you can almost certainly obtain Administrator on the host. The method above can easily test whether the connection logs on as sa. Note that if it does log on as sa, the error says that "dbo" is being converted to an int column, rather than "sa".

If IIS on the server does not allow error messages to be returned, how do we determine the database type? We can start from the differences between Access and SQL Server. Both have their own system tables, for example a table that stores all objects in the database. In Access it is the system table [msysobjects], but when read in a Web environment the system prompts "no permission". In SQL Server it is the table [sysobjects], which can be read normally in a Web environment.

Given that injection has been confirmed possible, use the following statements:

http://host/showdetail.asp?id=49;and (select count(*) from sysobjects)>0

http://host/showdetail.asp?id=49;and (select count(*) from msysobjects)>0

If the database is SQL Server, the page for the first URL is roughly the same as the original page http://host/showdetail.asp?id=49, while the second URL prompts an error because the table msysobjects cannot be found. Even if the program is fault tolerant, the page is completely different from the original.

If the database is Access, the situation is different. The page for the first URL is completely different from the original page. The second URL depends on whether the database allows reading the system table; generally it does not, so that page is also completely different from the original. In most cases the database type can be determined from the first URL alone; the second URL is only for verification when IIS error prompts are enabled.


We have now learned how to identify SQL injection, but that is far from enough to obtain a website's confidential content. Next, we continue with how to obtain the desired content from the database. First, let's look at the general steps of SQL injection:


Section 1: General steps of SQL Injection

First, judge the environment, find the injection point and determine the database type. This was already discussed in the Getting Started article.

Second, according to the type of the injected parameter, reconstruct in your mind the original form of the SQL statement. There are three types of parameters:

(A) ID=49. Such injection parameters are numeric, and the SQL statement is roughly:
Select * from table name where field=49
The injected parameter is ID=49 And [query condition], producing the statement:
Select * from table name where field=49 And [query condition]


(B) Class=series. Such injection parameters are character (string) type, and the SQL statement is roughly:
Select * from table name where field='series'
The injected parameter is Class=series' and [query condition] and ''=', producing the statement:
Select * from table name where field='series' and [query condition] and ''=''

(C) If the parameter of a search is not filtered, such as keyword=keyword, the original SQL statement is roughly:
Select * from table name where field like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=' (where %25 is the URL-encoded % sign), producing the statement:
Select * from table name where field like '%' and [query condition] and '%'='%'
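As an added example (not code from the article): the three statement shapes (A), (B) and (C) rebuilt in Python over an in-memory SQLite table, with the concatenating form beside a hardened form that enforces the numeric type (the cint() idea from above) and binds every value. The table, column names and rows are constructed for the demonstration, and the %25 of shape (C) is taken as already URL-decoded to %.

```python
import sqlite3

# Constructed stand-in for the page's "table name"/"field" (not from the article).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE article (id INTEGER, class TEXT, title TEXT)")
conn.executemany("INSERT INTO article VALUES (?, ?, ?)",
                 [(49, "series", "Episode 49"), (50, "movie", "Feature 50")])

def build_vulnerable(kind, value):
    """Concatenate the raw parameter exactly as the three ASP statement shapes do."""
    if kind == "numeric":                       # (A) id=49
        return f"SELECT * FROM article WHERE id = {value}"
    if kind == "string":                        # (B) class=series
        return f"SELECT * FROM article WHERE class = '{value}'"
    return f"SELECT * FROM article WHERE title LIKE '%{value}%'"  # (C) keyword=...

def run_vulnerable(kind, value):
    """Rows the vulnerable page would render; 1=1 vs 1=2 shows up as the row count."""
    return conn.execute(build_vulnerable(kind, value)).fetchall()

def run_safe(kind, value):
    """Hardened form: type-enforce numeric input (the cint() idea) and bind every value.
    Returns None when the numeric check rejects the input, i.e. the page shows an error."""
    if kind == "numeric":
        try:
            value = int(value)      # "49 and 1=1" is not an integer: rejected before any SQL
        except ValueError:
            return None
        return conn.execute("SELECT * FROM article WHERE id = ?", (value,)).fetchall()
    if kind == "string":
        return conn.execute("SELECT * FROM article WHERE class = ?", (value,)).fetchall()
    # Wildcards are added by the program, never by the user; quotes in value are just data.
    return conn.execute("SELECT * FROM article WHERE title LIKE ?",
                        ("%" + value + "%",)).fetchall()

if __name__ == "__main__":
    for kind, value in [("numeric", "49 and 1=1"), ("numeric", "49 and 1=2"),
                        ("string", "series' and ''='"), ("like", "' and 1=2 and '%'='")]:
        print(build_vulnerable(kind, value))
        print("  vulnerable rows:", len(run_vulnerable(kind, value)),
              "| safe result:", run_safe(kind, value))
```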

 

Then replace the query condition with an SQL statement that guesses the table name, for example:

ID=49 And (Select Count(*) from Admin)>=0

If the page is the same as for ID=49, the additional condition is true, i.e. the table Admin exists; otherwise it does not (please remember this method). This loop continues until the table name is guessed.

After the table name is guessed, replace Count(*) with Count(field name) and guess the field name by the same principle.

Some people may say: there is an element of luck here. If the table name is complex and irregular, this will not be enough. That's right. There is no hacking technique in this world that succeeds 100% of the time. Even the most skilled and advanced hackers succeed only because other people's programs are not written rigorously or because users lack security awareness.

I am a little confused. In any case, for SQL Server there is still a way to make the program tell us the table and field names; we will introduce it in the advanced article.

Finally, after the table and column names are guessed, use SQL statements to obtain the field values. The most common method is described below: ASCII character-by-character decoding. Although slow, it is certainly a feasible method.

For example, we know the Admin table has a username field. First take the first record and test its length:

http://www.19cn.com/showdetail.asp?id=49;and (select top 1 len(username) from Admin)>0

First the principle: if the length of the username in the top 1 row is greater than 0, the condition is true; then test >1, >2, >3 and so on until the condition becomes false. For example, if >7 is true and >8 is false, then len(username)=8.

Of course, nobody would be so foolish as to test 0, 1, 2, 3 one by one; we will see how to speed this up. After obtaining the length of username, use mid(username,N,1) to take the Nth character, then asc(mid(username,N,1)) to obtain its ASCII code, for example:

id=49 and (select top 1 asc(mid(username,1,1)) from Admin)>0

The ASCII code of the first character is likewise obtained by gradually narrowing the range. Note that the ASCII codes of English letters and digits fall within a known range, so the bisection ("half-fold") method can speed up the search; if you write a program to do the testing, efficiency improves greatly.
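As an added example, not part of the original article: the probes described above (the 1=1/1=2 tests, "and user>0", the sysobjects/msysobjects checks, Count(*) table guessing and asc(mid()) character extraction) are exactly the strings a defender should look for in IIS logs. The scanner below normalises cs-uri-query, tags each probe type and flags a client repeating character-extraction probes against one page; the log excerpt, field layout and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Signatures for the probes the article walks through: 1=1/1=2 tests, "and user>0",
# sysobjects/msysobjects, Count(*) table guessing, asc(mid())/unicode(substring()).
PROBES = {
    "boolean_test": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "user_conversion": re.compile(r"\band\s+user\s*>\s*0"),
    "system_table": re.compile(r"\bfrom\s+m?sysobjects\b"),
    "table_guess": re.compile(r"select\s+count\s*\(\s*\*\s*\)\s+from\s+\w+\s*\)\s*>=?\s*0"),
    "char_extract": re.compile(r"\b(asc|unicode)\s*\(\s*(mid|substring)\s*\("),
}

def normalise(query):
    """Undo the +/%xx encoding IIS logs use (so %25 becomes %), lower-case, squeeze blanks."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def classify(query):
    """Sorted names of the probe patterns present in one cs-uri-query value."""
    q = normalise(query)
    return sorted(name for name, rx in PROBES.items() if rx.search(q))

def scan(lines):
    """(client ip, page, probe names) for every suspicious line of the W3C log."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blanks and the #Fields header
        _date, _time, c_ip, _method, stem, query, _status = line.split()
        names = classify(query)
        if names:
            hits.append((c_ip, stem, tuple(names)))
    return hits

def extraction_bursts(hits, threshold=3):
    """Clients repeating char_extract probes against one page: a blind dump in progress."""
    runs = Counter((ip, stem) for ip, stem, names in hits if "char_extract" in names)
    return {key: n for key, n in runs.items() if n >= threshold}

# Constructed IIS-style excerpt with a reduced field set, not a real capture.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 10.0.0.7 GET /showdetail.asp id=49 200
2003-05-01 10:00:03 10.0.0.7 GET /showdetail.asp id=49;and+1=2 500
2003-05-01 10:00:04 10.0.0.7 GET /showdetail.asp id=49;and+user>0 500
2003-05-01 10:00:05 10.0.0.7 GET /showdetail.asp id=49;and+(select+count(*)+from+sysobjects)>0 200
2003-05-01 10:00:06 10.0.0.7 GET /showdetail.asp id=49+and+(select+count(*)+from+Admin)>=0 200
2003-05-01 10:00:07 10.0.0.7 GET /showdetail.asp id=49;and+(select+top+1+asc(mid(username,1,1))+from+Admin)>64 200
2003-05-01 10:00:08 10.0.0.7 GET /showdetail.asp id=49;and+(select+top+1+asc(mid(username,1,1))+from+Admin)>96 200
2003-05-01 10:00:09 10.0.0.7 GET /showdetail.asp id=49;and+(select+top+1+asc(mid(username,1,1))+from+Admin)>112 500""".splitlines()
```

Run scan(SAMPLE_LOG) and extraction_bursts() on the result; the three near-identical asc(mid()) requests from one client are the signature of the bisection search described above.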

 

Section 2: Common functions for SQL Injection

Those with a foundation in SQL have a much higher success rate than those unfamiliar with it. We need to raise our SQL level, especially with some common functions and commands.

Access: asc(character)    SQL Server: unicode(character)

Purpose: returns the ASCII code of a character.

Access: chr(number)    SQL Server: nchar(number)

Purpose: the opposite of asc; returns the character for an ASCII code.

Access: mid(string, N, L)    SQL Server: substring(string, N, L)

Purpose: returns the substring of L characters starting at position N of the string.

Access: abs(number)    SQL Server: abs(number)

Purpose: returns the absolute value of a number (used when guessing Chinese characters).

Access: A between B And C    SQL Server: A between B And C

Purpose: determines whether A lies between B and C.

Section 3: Chinese Processing Methods

It is common to encounter Chinese characters during injection, and some people may want to give up at that point. In fact, with some knowledge of Chinese encoding, "Chinese phobia" can be overcome quickly.

First, some common sense:

In Access, the ASCII code of a Chinese character may be negative. After obtaining this negative number, use abs() to take the absolute value; the Chinese character itself is unchanged.

In SQLServer, Chinese ASCII is positive,
