"Notes" NetEase micro-professional-web security Engineer -04.web Safe Combat -7.sql Echo Injection

We mentioned before that when you forget the password of a website, you can try the Universal password: Username input Admin '--this is actually exploited SQL injection vulnerability.

SQL injection (SQL injection): An attacker who destroys the structure of a SQL query statement by injecting a malicious SQL command to achieve the purpose of executing a malicious SQL statement.

DVWA Combat:

1. Open Phpstudy or XAMPP, run Apach and MySQL;

2. The browser enters Dvwa main interface, in the left column Select Dvwa security level is low, then enter SQL injection;

Prompt us to enter a user ID, we enter 1, the page returns the user's information.

So we suspect that the SQL statements in the background should look like this:

SELECT  from WHERE user_id = ' $id ';

So we can try to use the universal password to see if we can get the background to execute malicious statements, we try to enter

1 or 1024=1024 (numeric type)

1 ' or ' 1024 ' = ' 1024 (character type)

Get all the user information, here's ' 1024 ' = ' 1024 plus background ' just so that the where statement is always true.

There is a SQL injection vulnerability, is it possible to further exploit, to obtain more information?

We're going to see if we can figure out the number of fields in the user table, and try entering:

1 ' or ' 1024x768 ' = ' 1024x768 ' ORDER by 1 #

When the execution succeeds, the order is ordered by the first field, and if it succeeds, it means that the first field exists (as if it were nonsense O (╯-╰) o). But we can use the same method, order by 2,3,4,...... Until the n error, which indicates a total of N-1 fields, we found that when trying to the 3 times the wrong, stating that the SELECT statement has only 2 fields.

Just that? Next we'll move on to the Union usage, enter:

1 ' Union Select #

We found that the second item was written in the first name and surname. What's the use of that? We enter:

1 ' Union SELECT @ @version, @ @datadir #

Find out how to get the SQL version and directory! Similarly, more information can be obtained (user and database name):

1 ' Union Select User (), database () #

With the database name, we can use it to query all the tables in the database:

1 ' Union select 1,table_name from Information_schema.tables where table_schema= ' Dvwa ' #

Description Database Dvwa A total of two tables, guestbook and users.

Next we look at what fields are in the Users table? Worrying about too many fields, we use Group_concat to stitch these fields together:

1 ' Union Select 1,GROUP_CONCAT (column_name) from Information_schema.columns where table_name= ' users ' #

We get the 8 field names of the users table, can we get the password for each user next? Try:

1 ' union select User,password from Users #

So we have all the user's username and password, although it is encrypted, but as long as the www.cmd5.com can be cracked out, such as "5f4dcc3b5aa765d61d8327deb882cf99", the decryption result is: "Password"!

So, with a simple SQL vulnerability, we get all the user's password, the harm is really too big. In addition, we can also use the Load_file function to get the server various files, as well as write Webshell, is in is too scary.

Union SELECT ' <?php @eval ($_get[' cmd ');?) > ', Webshell into outfile ' d:/.... '

We summarize the following common methods of SQL injection:

1. Determine if there is an injection, whether the injection is a character type or a digital type
2. To guess the number of fields in a SQL query statement
3. Determining the order of fields displayed
4. Get current Database
5. Getting tables in a database
6. Get the name of a field in a table
7. Download data

3. Next we turn the security level to medium and find that the input box becomes a drop-down box.

But how can a little drop-down frame stop us? We have used Tamperdata or zap many times before to modify the request message, so this is not a problem, specifically not detailed, you can refer to the previous article. However, in addition to the dropdown box restrictions, the background also uses the Mysql_real_escape_string function to escape the special symbol \x00,\n,\r,\, ', ', \x1a:

= mysql_real_escape_string ($id);

But if it is a digital injection vulnerability, this filter is not very useful, then what if you need to input table_schema= ' Dvwa ' as before? You can simply use the encoding function in the Hackbar plug-in to hex code, the DVWA encoded as 0x64767761, you can do without the quoted number.

4. Next we look at the high level of SQL injection and find that we have to click on the link after the new window to enter the ID to modify. This is mainly to prevent the general Sqlmap injection, because sqlmap in the injection process, can not get the results of query Submission page, no feedback, there is no way to inject further.

But this does not prevent us from using the Union select Injection, using the same method as before, and there is no problem. View background source code, found a limit of more than 1 limits, I want to output only one result, but this can be directly bypassed with the comment symbol.

$query  = "Select fromWHEREuser_id='$id  '1; ';

5. Finally, we look at the impossible Code, found that the background has a lot of control, including the input must be a number, using pre-compiled binding variables, code and data separation, and only the number of query results returned is 1 o'clock, will be successful output, effectively prevent SQL injection.

    //was a Numberentered? if(Is_numeric ($id)) {// CheckTheDatabase$data=$db -Prepare('SELECT first_name, last_name from users WHERE user_id = (: id) LIMIT 1;' ); $data -Bindparam (': ID', $id, PDO::P aram_int); $data -Execute(); $row=$data -Fetch(); //Make sure only 1Result isreturnedif($data -RowCount()== 1) {

6. Although SQL injection is very powerful, but the process is a little cumbersome, need to try again and again, is there any tool to save our labor? Of course, it is a bit, that is artifact Sqlmap, just a few commands, you can complete all of our operations. However, for us to understand the principle behind the tool is more important, we are interested to download Sqlmap installation and trial, about Sqlmap after the time to write a special article introduction.

Practical experience:

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. The main protection methods are as follows:

1. Never trust the user's input. The user's input can be verified by regular expressions, or by limiting the length, by converting the single quotation mark and the double "-".
2. Never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.
3. Never use a database connection with administrator rights, and use a separate limited database connection for each app.
4. Do not store confidential information directly, encrypt or hash out passwords and sensitive information.
5. The exception information applied should give as few hints as possible, preferably using a custom error message to wrap the original error message.

"Notes" NetEase micro-professional-web security Engineer -04.web Safe Combat -7.sql Echo Injection