Principles of SQL Injection

With the development of B/S application development, more and more programmers are writing applications using this mode. However, due to the low entry threshold in this industry, the programmer's level and experience are also uneven. A considerable number of programmers did not judge the legitimacy of user input data when writing code, application security risks. You can submit a Section DatabaseQuery the code and obtain the desired data based on the results returned by the program. This is called SQLInjection, that is, SQL injection.

SQL injection is accessed from the normal WWW port, and it seems to be no different from the general web page access, so the current Municipal firewall does not alert SQL injection, if the Administrator does not check IIS logs, it may be invisible for a long time.

However, the SQL injection method is quite flexible, and many unexpected situations may occur during the injection process. It is the fundamental difference between a master and a cainiao to analyze the specific situation and construct clever SQL statements to obtain the desired data.

According to national conditions, ASP + access or sqlserver accounts for more than 70% of Chinese websites, and PHP + mysq accounts for L20 %,OthersLess than 10%. In this article, we will explain ASP injection methods and techniques from entry-level, advanced to advanced, and PHP InjectionArticleWritten by Zwell, another Nb-Alliance friendWorkAnd programmers. Do not skip this article if you are familiar with ASP injection, because some people still have misunderstandings about the basic injection judgment methods. Are you ready? Let's go...

　　Entry

If you have never tried SQL injection before, remove the check box before ie menu> Tools> Internet Options> advanced => show friendly HTTP Error messages. Otherwise, no matter what error is returned by the server, ie Only displays as an HTTP 500 server error and cannot receive more prompts.

　　Section 1. Principles of SQL Injection

We will start from a website http://www.19cn.com/( Note: most of the data is real data that has been approved by the webmaster before this article is published ).

On the home page of the website, named "ie cannot open new window of a variety of solutions" link, address: http://www.19cn.com/showdetail.asp? Id = 49. we add a single quotation mark (') after this address. The server will return the following error message:

Microsoft Jet Database Engine error '80040e14'

The syntax error of the string is in the query expression 'id = 49.

/Showdetail. asp, row 8

We can see the following points from the error prompt:

1. The website uses an Access database and connects to the database through the jet engine, instead of using ODBC.

2. The program does not determine whether the data submitted by the client meets the program requirements.

3. The table queried by this SQL statement has a field named ID.

From the above example, we can know that the principle of SQL injection is to submit special code from the client to collect information about programs and servers and obtain the information you think.

　　Section 2: Determine whether SQL injection can be performed

After reading the first section, some people may think that I often do the same.TestCan it be injected? Isn't that easy? In fact, this is not the best method. Why?

First of all, not necessarily the IIS of each server returns a specific error message to the client. If statements such as CINT (parameter) are added to the program, SQL injection will not succeed, but the server also reports an error. The specific prompt is that an error occurs on the server when processing the URL. Contact the system administrator.

Second, some programmers who have a little knowledge about SQL Injection think that it is safe to filter out single quotes. This is not a minority case. If you use single quotes for testing, the injection points cannot be tested.

So what test method is more accurate? The answer is as follows:

① Http://www.19cn.com/showdetail.asp? Id = 49

② Http://www.19cn.com/showdetail.asp? Id = 49and 1 = 1

3 http://www.19cn.com/showdetail.asp? Id = 49and 1 = 2

This is the classic 1 = 1, 1 = 2 test method. How can this problem be determined? You can see the results returned from the above three urls:

Injection performance:

① Normal display (this is inevitable, or the program is wrong)

② Normally displayed, the content is basically the same as ①

③ Prompt BOF or EOF (when the program does not make any judgment), or prompt that the record cannot be found (RS is determined. EOF), or the display content is null (the program adds on error resume next)

If it cannot be injected, it is easier to judge. ① It is displayed normally. ② and ③ There are generally Program-defined error prompts or error prompts during type conversion.

Of course, this is only the judgment method used when the input parameters are numeric. in actual application, there will be between numeric and search parameters, I will analyze the SQL Injection general steps in the intermediate section.

　　Section 3. Database types and injection methods

Different database functions and injection methods are different. Therefore, before injection, we need to determine the database type. Generally, access and sqlserver are the most commonly used databases in ASP. More than 99% of websites on the Internet are among them.

How can a program tell you what database it uses? Let's take a look:

Sqlserver has some system variables. If IIS on the server prompts that it is not closed and SQL server returns an error message, you can directly obtain the error information as follows:

Http://www.19cn.com/showdetail.asp? Id = 49and user> 0

This statement is very simple, but contains the essence of the SQL Server injection method. I also found this efficient method in an unintentional test. Let me take a look at its meaning: first, the preceding statement is normal, with emphasis on and user> 0. We know that user is a built-in variable of sqlserver, the value is the username of the current connection and the type is nvarchar. Compare the nvarchar value with the int value 0. The system will first try to convert the nvarchar value to the int type. Of course, the conversion process will definitely fail. The sqlserver error prompt is: A syntax error occurs when converting the nvarchar value "ABC" to an int column. The value of ABC is the value of the variable user. In this way, the user name of the database is obtained without any effort. In the future, we will see many statements using this method.

By the way, as we all know, the sqlserver user SA is a role equivalent to the adminstrators permission. With the SA permission, you can almost certainly get the administrator of the host. The above method can be used to easily test whether to log on with SA. Note that, if it is a log on with SA, an error occurs when "DBO" is converted to an int column, instead of "sa ".

If IIS on the server does not allow an error message to be returned, how can we determine the database type? We can start with the difference between access and sqlserver. Access and sqlserver both have their own system tables, such as tables that store all objects in the database. Access is in the system table [msysobjects, however, when reading the table in the web environment, the system prompts "no permission". sqlserver is in the table [sysobjects] and can be read normally in the Web environment.

Use the following statement to confirm that the injection can be performed:

Http://www.19cn.com/showdetail.asp? Id = 49and (select count (*) from sysobjects)> 0

Http://www.19cn.com/showdetail.asp? Id = 49and (select count (*) from msysobjects)> 0

If the database is sqlserver, then the first web site page with the original page http://www.19cn.com/showdetail.asp? Id = 49 is roughly the same. However, because the second website cannot find the table msysobjects, an error is prompted. Even if the program is fault tolerant, the page is completely different from the original page.

If the database uses access, the situation is different. The page of the first website is completely different from the original page. The second website is determined by whether the database allows reading the system table, generally, this is not allowed, so it is completely different from the original website. In most cases, the database type used by the system can be known through the first web site. The second web site is used only for verification when the IIS error prompt is enabled.

(After the entry)

(The use of NBSI-NB Union SQL injection analyzer can detect a variety of SQL Injection Vulnerabilities and decoding to improve the efficiency of guessing.

From: http://www.51testing.com/html/08/n-131108.html