Introduction
This article continues the discussion of SQL injection. The general technique was introduced in my previous article: you submit different values for a parameter, watch how the server responds, and then inject into the database query by wrapping the input in suitable prefixes and suffixes. Here we go one step further and look at blind SQL injection. If you have no background in the subject, start with the Wikipedia entry on SQL injection. Before proceeding, note that if you want to follow the steps in this article you will need to register an account in the NOWASP Mutillidae environment.
SQL Injection Preface
This article demonstrates injecting SQL commands through the web interface, without ever connecting directly to the database. Instead, we try to get the backend database to execute the text we supply as part of its own SQL queries. The article first covers some basic injection and then moves on to blind injection.
Show Time
Here I log in with the username "jonnybravo" and password "momma", then open the User Info page, located at OWASP 2013 > A1 SQL Injection > Extract data > User Info. To view a user's information, the page asks for that user's username and password; on success it shows the details of the matching account.
As mentioned in my previous article, this page contains an SQL injection vulnerability, so I will try several injection methods to manipulate the database, using the prefix and suffix approach described earlier. Here I use the following injection string:
Username: jonnybravo' or 1=1;-- 
The injection works as follows. The backend query looks up the user jonnybravo; our single quote closes the string literal that holds the username, so the application's own query text ends there. Because the WHERE clause is effectively an if-condition, the appended OR 1=1 makes the condition true for every row, so every record in the table is returned instead of one. The trailing -- (followed by a space) starts an SQL comment, which tells the database that nothing after this point, including whatever the application appends to our input, is part of the statement.
Figure 1: viewing user information normally
After the payload is injected, the server returns every user record in the table, as shown in Figure 2:
Figure 2: the injected payload leaks all user data from the database
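To make concrete why the tautology above returns every row, here is an added example (not code from the original article or from Mutillidae) with a constructed accounts table in SQLite, which stands in for MySQL so the example runs offline. The vulnerable function builds the WHERE clause by string concatenation, as user-info.php does; the hardened function uses a parameterised query. Table and column names, and the sample accounts, are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for Mutillidae's accounts table.
# SQLite is used instead of MySQL so the example runs offline.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("jonnybravo", "momma"),
    ("john", "monkey"),
]

# The payload from the article: close the quote, add a tautology,
# and comment out whatever the application appends afterwards.
PAYLOAD = "jonnybravo' or 1=1;-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def user_info_vulnerable(conn, username, password):
    """Builds the query by string concatenation (deliberately vulnerable,
    mirroring the page). The attacker's input becomes part of the SQL:
    WHERE username='jonnybravo' or 1=1;-- ' AND password='...'
    """
    sql = ("SELECT username, password FROM accounts "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchall()


def user_info_safe(conn, username, password):
    """Parameterised version: the driver sends the values separately from
    the query text, so a quote in the input can never end the literal."""
    sql = ("SELECT username, password FROM accounts "
           "WHERE username=? AND password=?")
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Returns the row counts for a normal login, the injected login
    against the vulnerable query, and the same payload against the
    parameterised query."""
    conn = make_db()
    normal = user_info_vulnerable(conn, "jonnybravo", "momma")
    leaked = user_info_vulnerable(conn, PAYLOAD, "anything")
    safe = user_info_safe(conn, PAYLOAD, "anything")
    return {"normal": len(normal), "leaked": len(leaked), "safe": len(safe)}


if __name__ == "__main__":
    print(demo())
```

With the vulnerable query the payload returns all three sample rows even though the password is wrong; the parameterised query treats the whole payload as a literal username and returns nothing.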
So far we have demonstrated a basic SQL injection. Next I will use the SQLmap tool, which is included in penetration-testing distributions such as BackTrack and Samurai. To start SQLmap, open a terminal, type sqlmap and press Enter, as shown below:
If this is your first time using SQLmap, nothing further is needed. If you have used it before, pass the --purge-output option to delete the output files from earlier runs, as shown below:
Figure 3: deleting the previous output files from the SQLmap output directory
This article takes a slightly different route from the usual workflow. Normally users pass a URL directly to SQLmap. Here I also let the tool analyse the request, but I first capture the request in Burp and save it to a text file, then have SQLmap read that file for scanning. The captured request looks like this:
GET /chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; username=jonnybravo; uid=19; PHPSESSID=f01sonmub2j9aushull1bvh8b5
Connection: keep-alive
Save the request to a text file and copy it to the Kali Linux machine. Then run the following command to feed the saved request to SQLmap:
sqlmap -r /root/Desktop/header.txt
Self-Critical Evaluation
In this command, the -r option tells SQLmap to read the request from a file, and /root/Desktop/header.txt is the location of that file. If you run Kali in a virtual machine (for example under VMware) on a Windows host, the command may produce the following error:
The Host header in the saved request says localhost, which from inside the Kali VM refers to the VM itself rather than to the Windows XP machine running Mutillidae. Replace it with the IP address of the XP machine in the request header so that Kali can reach the target, as shown below:
The command then runs normally, with the result shown below:
The tool parses the request, extracts its parameters and tests them to work out which database is running behind the server. SQLmap takes the parameters from the request line and tests them in turn, starting with the first:
GET /chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1
SQLmap can detect many database management systems, including MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Below is the list of database systems SQLmap displays while testing the specified request:
It first determines whether the given parameter is injectable. For this demonstration the security level of OWASP Mutillidae has been set to 0, so the parameter is injectable, and SQLmap also detects that the backend DBMS is probably MySQL.
As shown below, once the tool identifies the backend as probably MySQL, it asks whether you want to skip the tests for other types of database.
"Because we have known that the database to be detected is MYSQL before this demonstration, we will skip the detection of other types of databases here ."
It then asks whether to include all MySQL-specific payload tests. Here, select "yes":
After running some payloads, the tool finds that the GET parameter is vulnerable to both error-based injection and Boolean-based blind injection.
It then reports that the GET parameter username is also injectable with a MySQL UNION-based query. The remaining tests are skipped at this point so that we can explore the vulnerabilities already found.
At this point the tool has identified the injection points that deserve deeper exploration:
Next I hand the username parameter to SQLmap for further exploitation. Of all the injection points and payloads above, we will use Boolean-based blind SQL injection against the username parameter, selected with SQLmap's --technique option. The letters in the following list select the different techniques:
B: Boolean-based blind
Q: Inline queries
T: Time-based blind
U: UNION query-based
E: Error-based
S: Stacked queries
The parameter to attack in this example is "username", so the final command is:
sqlmap -r /root/Desktop/header.txt --technique B -p username --current-user
Here the -p option names the parameter to inject, and --current-user makes SQLmap retrieve and display the account the application uses to log in to the MySQL database server. The command output is shown below:
The tool also identifies the server's operating system, the programming language the web application is written in and the web server software it runs on.
"" What we do now is to send requests to the server and receive responses from the server, similar to client-server interaction. We did not directly interact with the Database Management System DBMS, but SQLmap can still identify the background information.
"At the same time, this differs from the SQL injection shown earlier. In the earlier demonstration we used prefixes and suffixes; that method is not used here. Earlier we typed content into the input box and waited for the response to come back to the client, and used that information as our starting point. Here we enter a true condition in the input box and use the application's response to it as the information the program returns to us."
Result Analysis
We now have the current database user, which is root on the local machine. Let us look at what happens in the background. As mentioned above, the backend check behaves like an if-condition. SQLmap first confirms that the condition "username is jonnybravo AND 7333=7333" produces the normal page, then replaces the 7333=7333 part with other conditions and sends requests such as:
page=user-info.php&username='jonnybravo' AND 'a'='a' ...  FALSE
page=user-info.php&username='jonnybravo' AND 'l'='l' ...  TRUE
page=user-info.php&username='jonnybravo' AND 's'='s' ...  TRUE
page=user-info.php&username='jonnybravo' AND 'b'='b' ...  FALSE
Written schematically as above, the first and last conditions come back false and the middle two true: the current user is root@localhost, which contains the letters l and s, so the queries asking about those letters return the normal page while the others do not. Each request therefore yields one bit of information, true or false, and the answer is read from the page the application returns rather than from any data it prints. (SQLmap's actual Boolean payloads test one character position at a time with comparisons such as ORD(MID(...)) > N and narrow the value down by binary search, but the principle is the same.)
"This is the SQL server user name used for verification with the web server. This situation should not occur in any attacks against the client, but we let it happen ."
The "-current-user" option is removed, and the "-U" and "-password" options are used instead. -U is used to specify the user name to be queried.-password indicates that SQLmap can obtain the password corresponding to the specified user name. The final command is as follows:
sqlmap -r /root/Desktop/header.txt --technique B -p username -U root@localhost --passwords
The command output is shown below:
Self-Critical Evaluation
Sometimes no password is recovered and the output is only NULL, because the system administrator may not have set authentication credentials for the specified user. In a local test installation the user root@localhost has no password by default, so you must set one yourself. You can open the user table in the mysql database, double-click the password field and enter a value, or update the password of the specified user directly with the following command:
Here the password was set to "sysadmin", so SQLmap can retrieve it. If no password had been set, the result would be NULL.
In this way, without communicating directly with the database server, we have obtained the administrator's database login credentials through SQL injection.
Summary
The injection method described in this article is blind SQL injection, which in many cases is more involved and harder to detect and exploit than the classic form. Readers should now understand the difference between the two. In the classic approach from my previous article, we submit a parameter, see whether the application responds in a revealing way, and then inject with a good deal of trial and error. In the blind approach demonstrated here, the application leaks nothing directly; we submit true and false conditions and infer the information from how the application's response changes, which is a completely different way of working.
References
1. http://en.wikipedia.org/wiki/SQL_injection
2. http://www.SQLmap.org/
3. https://github.com/SQLmapproject/SQLmap/wiki/usage
4. http://dev.mysql.com/doc/refman/5.6/en/examples.html
[Via infosecinstitute]