"SQL injection attack and practice"

Source: Internet
Author: User
Tags: DB2, IBM DB2, Microsoft SQL Server, MySQL injection, SQL injection, SQL injection attack

1. Study the principle of buffer overflow, and compare at least two kinds of database

A buffer overflow occurs when a program writes more data into a buffer than the buffer was allocated to hold, so the excess spills into adjacent memory and overwrites whatever legitimate data lives there. Ideally the program checks the length of incoming data and refuses input longer than the buffer; in practice most programs assume the data will always fit the space allocated for it, and that assumption is the root of the problem. The most dangerous case is a buffer that lives on the stack: besides local variables, the stack holds saved registers and the return addresses of the functions currently executing, so an overflow there overwrites control data, not just other variables.

1.1. Principle :

Writing more content into a program's buffer than it can hold makes the buffer overflow, corrupting the program's stack (including the saved return address) and diverting execution to instructions of the attacker's choosing. The root cause is that the program does not check the length of user-supplied input carefully. For example, the following program:

    #include <string.h>

    /* Deliberately vulnerable: nothing bounds how much strcpy() writes into buffer. */
    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);   /* copies until the NUL terminator, whatever the length of str */
    }

The strcpy() above copies the contents of str straight into buffer without checking its length. Any input of 16 or more characters (16 bytes plus the terminating NUL no longer fit in the 16-byte buffer) overflows buffer and corrupts the adjacent stack contents, so the program misbehaves or crashes. Other standard functions with the same problem include strcat(), sprintf(), vsprintf(), gets(), and scanf() with an unbounded %s conversion.

Of course, simply overfilling a buffer usually only produces a segmentation fault, which crashes the program but does not achieve anything for the attacker. The most common technique is to use the overflow to make the program start a shell, and then run further commands through that shell. If the vulnerable program is setuid root, the attacker obtains a root-privileged shell and can perform arbitrary operations on the system.

Buffer overflow attacks are a common means of attack because buffer overflow vulnerabilities are widespread and easy to exploit. They are also the primary means of remote attack, because a buffer overflow gives the attacker everything he wants: a way to implant attack code and a way to get it executed. The injected code runs with whatever privileges the vulnerable program has, and so hands the attacker control of the attacked host.

Of the 5 remote attacks that Lincoln Lab used to evaluate intrusion detection systems in 1998, 2 were buffer overflows. Of the 13 CERT advisories issued in 1998, 9 concerned buffer overruns, and in 1999 at least half of the advisories did. In a Bugtraq survey, 2/3 of respondents considered buffer overflow vulnerabilities to be a serious security problem.

1.2. MySQL

MySQL is the most popular open source SQL database management system, developed, distributed, and supported by MySQL AB. MySQL AB is a commercial company founded by the MySQL developers, a second-generation open source company that combines open source values and methodology with a successful business model. MySQL is a registered trademark of MySQL AB.

MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. The MySQL server supports mission-critical, heavy-load production use, and it can also be embedded into mass-deployed software.

Compared to other database management systems, MySQL has the following advantages:

(1) MySQL is a relational database management system.

(2) MySQL is open source.

(3) MySQL server is a fast, reliable and easy-to-use database server.

(4) The MySQL server works in client/server or embedded configurations.

(5) A large amount of software is available that works with MySQL.

1.3. Oracle

When databases come up, the first company that comes to mind is Oracle. Founded in 1977, it began as a company specializing in database development and has been a leader in the database industry ever since. In 1984 it was the first to bring a relational database to the desktop computer. Oracle 5 then pioneered distributed databases, the client/server architecture and other new concepts; Oracle 6 introduced row-level locking and support for symmetric multiprocessing machines; and Oracle 8 (the latest release at the time of writing) added object technology, making it an object-relational database system. Oracle is now one of the most widely used relational database systems in the world, covering dozens of models of large, medium and small machines.

Oracle database products have the following excellent features.

(1) Compatibility

Oracle products implement standard SQL and have been tested by the U.S. National Institute of Standards and Technology (NIST). They are compatible with IBM SQL/DS, DB2, INGRES, IDMS/R, and more.

(2) Portability

Oracle's products run on a wide range of hardware and operating system platforms. They can be installed on more than 70 different large, medium and small machines and work under VMS, DOS, UNIX, Windows and other operating systems.

(3) Connectivity

Oracle can connect to a variety of communication networks, supporting a variety of protocols (TCP/IP, DECnet, LU6.2, etc.).

(4) High productivity

Oracle products provide a variety of development tools that can greatly facilitate further development of the user.

(5) Openness

Oracle's compatibility, portability, connectivity, and high productivity together make the Oracle RDBMS a highly open system.

2. Discovery of SQL injection points and injection techniques for different data types

2.1. SQL Injection Principle

SQL injection exploits web applications (websites, forums, guest books, article publishing systems and the like) that build SQL statements from user input without proper checking. The attacker crafts input so that the SQL fragment it carries is spliced into the statement the application actually sends to the database and is executed along with it. In this way the attacker can read user names, passwords and other sensitive information, and ultimately gain control of the host running the database. A SQL injection vulnerability sits at the boundary between the application tier and the database tier: the application concatenates SQL text with unvalidated input, the poorly designed program never inspects the result, and the database server cannot tell the injected fragment from the intended query, so it runs the whole thing as a normal SQL command and the system is corrupted or intruded upon.

2.2. SQL Injection classification

Classification according to injection point type

  • Numeric injection point

    On the web side the URL looks like http://xxx.com/news.php?id=1; the injected parameter id is a number, hence the name numeric injection point. The underlying SQL statement is roughly select * from table_name where id=1 (the value is substituted without quotes).

  • Character Injection Point

    On the web side the URL looks like http://xxx.com/news.php?name=admin; the injected parameter name is a string, hence the name character injection point. The underlying SQL statement is roughly select * from table_name where name='admin'. Note the quotes around the value: an injected payload has to close them.

  • Search injection point

    This is a special kind of injection point: the search parameter is not filtered before it is used. Usually the link address contains keyword=..., but sometimes the keyword does not appear in the link at all and is submitted directly through a search form. The SQL statement submitted through such an injection point is roughly: select * from table_name where column like '%keyword%'.
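The three injection points above (and the principle in 2.1) executed against a real query engine, as an added example that is not part of the original page: it uses Python's built-in sqlite3 module with a constructed in-memory database (a news table and a users table standing in for the page's table_name), builds each prototype statement by string concatenation the way a vulnerable application does, and shows the same queries with bound parameters. The table and column names, the rows and the payloads are all assumptions made for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (assumed, not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO news  VALUES (1, 'Public notice', 1), (2, 'Unpublished draft', 0);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return conn


# The three query prototypes from the text, assembled by string concatenation
# exactly the way a vulnerable application would do it.
VULNERABLE = {
    "numeric":   lambda v: f"SELECT id, title FROM news WHERE id={v} AND published=1",
    "character": lambda v: f"SELECT id, name FROM users WHERE name='{v}'",
    "search":    lambda v: f"SELECT id, title FROM news WHERE title LIKE '%{v}%' AND published=1",
}


def query_vulnerable(conn: sqlite3.Connection, point: str, value: str) -> List[Tuple]:
    """Run the concatenated query: attacker-controlled `value` becomes part of the SQL text,
    so a payload can close the quote, add OR 1=1, comment out the rest, or UNION in
    another table. Results are sorted so they compare deterministically."""
    return sorted(conn.execute(VULNERABLE[point](value)).fetchall())


def query_safe(conn: sqlite3.Connection, point: str, value: str) -> List[Tuple]:
    """Hardened versions: the SQL text is fixed and the value travels as a bound parameter."""
    if point == "numeric":
        # int() rejects anything that is not a plain integer, e.g. "1 OR 1=1 --" raises ValueError
        sql, params = "SELECT id, title FROM news WHERE id=? AND published=1", (int(value),)
    elif point == "character":
        sql, params = "SELECT id, name FROM users WHERE name=?", (value,)
    elif point == "search":
        # Binding fixes the statement's structure; % and _ inside value are still LIKE
        # wildcards and only widen the match, they cannot change what the query does.
        sql, params = "SELECT id, title FROM news WHERE title LIKE ? AND published=1", (f"%{value}%",)
    else:
        raise ValueError(f"unknown injection point type: {point}")
    return sorted(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = make_db()
    payloads = [
        ("numeric", "1 OR 1=1 --"),                                 # comments out AND published=1
        ("character", "x' OR '1'='1"),                              # closes the quote, always true
        ("search", "%' UNION SELECT id, password FROM users --"),   # pulls passwords via UNION
    ]
    for point, payload in payloads:
        print(point, "vulnerable:", query_vulnerable(db, point, payload))
        try:
            print(point, "safe:      ", query_safe(db, point, payload))
        except ValueError as err:
            print(point, "safe:       rejected:", err)
```

Running the file prints each vulnerable query's result next to the parameterized one: the numeric payload returns the unpublished row, the character payload returns every user, and the search payload returns the users' passwords mixed into the news results, while the bound versions return nothing or reject the input. If wildcard characters in a search term also need to be neutralised, escape them and add an ESCAPE clause to the LIKE; binding alone only protects the structure of the statement.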

3. Research buffer overflow prevention methods, distinguishing at least two programming languages

3.1. Prevention methods

There are currently four basic ways to protect buffers from buffer overflow attacks and effects:

1. Forcing the code to be written correctly
Writing correct code is very worthwhile but time-consuming, especially in C, whose error-prone conventions (such as the terminating NUL of a string) come from a tradition that favoured performance over correctness. Even after years of teaching people how to write secure programs, programs with security holes keep appearing, so tools and techniques have been developed to help inexperienced programmers write secure, correct code. These tools help programmers produce safer programs, but because of the nature of the C language they cannot identify every buffer overflow; such analysis and debugging can only reduce the likelihood of an overflow and never eliminates it. Unless the programmer can guarantee that the program is flawless, the methods in the following sections should also be used to make the program reliable.

2. Making the buffer non-executable through the operating system, so the attacker cannot implant and run attack code
This method stops many buffer overflow attacks, but an attacker does not necessarily need to implant code to exploit an overflow (the overwritten return address can point at code that already exists in the process), so the method still leaves significant weaknesses.

3. Using compiler bounds checking to protect buffers
This method makes buffer overflows impossible and so eliminates the threat entirely, but it is comparatively expensive at run time.

4. Checking the integrity of program pointers before they are used
This method does not make every buffer overflow harmless, but it stops the overwhelming majority of buffer overflow attacks, and an attack that escapes this kind of protection is hard to construct.

The most common form of buffer overflow attack overwrites the activation record (the saved return address) and plants code on the stack; many such attacks were recorded in 1996. A non-executable stack combined with stack protection defends against it effectively: the non-executable stack blocks every attack that puts code on the stack, and stack protection blocks every change to the activation record. The two methods are compatible and together defend against several kinds of attack at once.
The remaining attacks can mostly be defended with pointer protection, although in some special situations pointers must be protected manually. Fully automatic pointer protection adds extra bytes to every variable, which makes pointer bounds checking the better choice in some cases.

Most interestingly, the buffer overflow technique used by the Morris worm is not defended effectively by any of today's methods, but it is rarely used because of its complexity.

This section has described and analysed the principle of buffer overflow in detail and briefly introduced several defence methods. Since this is such a common attack method, the research is both meaningful and useful.

3.2. Following the steps of a buffer overflow attack, the commonly used detection techniques fall into the following 3 types:

(1) Detection method based on input string

(2) Detection method based on return address in the protection stack

(3) Detection method based on monitoring system call.

Detection method based on the input string

The input string is inspected; if it is judged to be an overflow attack string, it is blocked so that the attacker cannot inject the attack code. Overflow attack strings are generally built in one of 3 ways:
The 1st kind is used when the buffer is larger than the shellcode (the shellcode, usually preceded by a NOP sled, fits inside the buffer and the overwritten return address points back into it); the 2nd kind is used when the buffer is smaller than the shellcode (the shellcode is placed after the overwritten return address); the 3rd kind puts the shellcode in an environment variable, so the input only has to overwrite the return address, and this is currently the most common method.
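A small input-string detector for the three attack-string shapes just described, written in Python as an added example (it is not from the original page). It flags an over-long field, an x86 NOP sled, a 4- or 8-byte value repeated back to back (the sprayed return address), and an unusual share of non-printable bytes, and reports which of the three shapes the order of those features matches. The thresholds, the guessed stack address and the three sample strings are constructed for the demonstration; the "shellcode" in them is a placeholder run of INT3 bytes, not working shellcode.

```python
import re
from typing import Dict, List, Optional

NOP_SLED_MIN = 16          # assumed: this many consecutive x86 NOPs (0x90) counts as a sled
POINTER_REPEATS = 4        # assumed: the same 4- or 8-byte value this many times in a row
NONPRINTABLE_RATIO = 0.25  # assumed: a text field with more non-printable bytes than this is odd

_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)
# one pattern per pointer width: a group of `w` bytes followed by itself at least 3 more times
_PTR_RES = [re.compile(rb"(?s)(.{%d})\1{%d,}" % (w, POINTER_REPEATS - 1)) for w in (4, 8)]


def find_repeated_pointer(data: bytes) -> Optional["re.Match"]:
    """Find a 4- or 8-byte value repeated back to back: an address sprayed so the overwritten
    return address is hit even if the exact offset is unknown. Runs of a single byte
    (padding, NOP sleds) are not pointers and are skipped."""
    for pattern in _PTR_RES:
        for m in pattern.finditer(data):
            if len(set(m.group(1))) > 1:
                return m
    return None


def analyze_input(data: bytes, max_expected_len: int = 32) -> Dict[str, object]:
    """Return the findings for one input field and, if it looks like an overflow string,
    which of the three shapes it has."""
    findings: List[str] = []
    if len(data) > max_expected_len:
        findings.append(f"length {len(data)} exceeds expected maximum {max_expected_len}")

    sled = _SLED_RE.search(data)
    if sled:
        findings.append(f"NOP sled of {sled.end() - sled.start()} bytes at offset {sled.start()}")

    ptr = find_repeated_pointer(data)
    if ptr:
        value = int.from_bytes(ptr.group(1), "little")
        reps = (ptr.end() - ptr.start()) // len(ptr.group(1))
        findings.append(f"value 0x{value:x} repeated {reps} times at offset {ptr.start()}")

    nonprintable = sum(1 for b in data if b not in b"\t\r\n" and not 32 <= b < 127)
    if data and nonprintable / len(data) > NONPRINTABLE_RATIO:
        findings.append(f"{nonprintable}/{len(data)} bytes are non-printable")

    shape = None
    if ptr and sled:   # shellcode inside the buffer before the address, or after the address
        shape = "sled-before-pointer" if sled.start() < ptr.start() else "pointer-before-sled"
    elif ptr:          # only a return address: the shellcode lives elsewhere (e.g. environment)
        shape = "pointer-only"

    return {"suspicious": bool(findings), "findings": findings, "shape": shape}


# Constructed sample inputs (assumed, not captured from a real attack).
RET_ADDR_32 = (0xBFFFF6A0).to_bytes(4, "little")   # an assumed guessed stack address
PLACEHOLDER_SHELLCODE = b"\xcc" * 8                  # INT3 bytes standing in for shellcode

SAMPLES = {
    "benign": b"alice",
    # 1st kind: buffer larger than shellcode -> NOP sled, shellcode, then the address repeated
    "sled_first": b"\x90" * 32 + PLACEHOLDER_SHELLCODE + RET_ADDR_32 * 6,
    # 2nd kind: buffer smaller than shellcode -> padding, address, then sled and shellcode after it
    "address_first": b"A" * 40 + RET_ADDR_32 * 4 + b"\x90" * 24 + PLACEHOLDER_SHELLCODE,
    # 3rd kind: shellcode in an environment variable -> padding and the address only
    "env_style": b"A" * 40 + RET_ADDR_32 * 8,
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        result = analyze_input(sample)
        print(f"{name:14} suspicious={result['suspicious']!s:5} shape={result['shape']}")
        for finding in result["findings"]:
            print("    -", finding)
```

The repeated-pointer check is the most useful of the four signals, because every one of the three shapes has to contain the overwritten return address, usually several times; the sled and the non-printable ratio only tell the two in-buffer shapes apart, and the third kind (shellcode in the environment) would pass a detector that looked for shellcode bytes alone.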

Detection method based on protecting the return address on the stack

The most critical step in a buffer overflow attack is altering the program's control flow by modifying a function's return address, so an attack can be detected by checking whether the return address has been modified before the function returns. This can be implemented by inserting constraint and check modules into the source code, and then monitoring the variables and stack regions while the compiled program runs to detect whether an attack occurs. StackGuard and StackShield are tools of this kind: both are extensions to the GCC compiler that check that the return address of each call is still intact.


Detection method based on monitoring system calls

A buffer overflow attack can be detected by detecting whether shellcode is running. An attacker wants the shellcode to start an interactive shell with the acquired privileges so that as much as possible can be done with it, and wants the shellcode as short as possible to stay hidden, so the vast majority of shellcode calls system functions directly. Because monitoring every system call consumes a lot of system resources, only the calls commonly used by shellcode are monitored, and certain characteristics of a monitored call decide whether it is an illegitimate call, revealing that the protected system has been compromised by a buffer overflow.
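Detection logic of this kind run over sample trace lines, as an added Python example that is not from the original page. It parses strace-style lines of the form "pid call(args) = ret" (constructed here, not captured from a real system) and raises an alert on an execve that shows shellcode characteristics: the program executed is a shell, the uid was set to 0 beforehand, or a network socket was dup2'ed onto stdin/stdout first (a bind or reverse shell). The list of shell paths and the three rules are assumptions to be tuned for the protected service.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed watch lists; a real deployment would tune these to the protected service.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
SOCKET_CALLS = {"socket", "accept", "accept4"}
PRIV_CALLS = {"setuid", "setreuid", "setresuid"}

# strace-style line: "<pid> <call>(<args>) = <ret>"
_LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)")


def parse_line(line: str) -> Optional[Tuple[str, str, List[str], str]]:
    """Split one trace line into (pid, syscall, argument list, return value)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return m["pid"], m["call"], args, m["ret"]


def _fresh() -> Dict[str, object]:
    return {"net_fds": set(), "stdio_wired": False, "root_set": False}


def detect(trace_lines: List[str]) -> List[Dict[str, object]]:
    """Replay a trace and report execve calls that match shellcode behaviour."""
    alerts: List[Dict[str, object]] = []
    state: Dict[str, Dict[str, object]] = {}
    for lineno, line in enumerate(trace_lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, call, args, ret = parsed
        st = state.setdefault(pid, _fresh())
        if call in SOCKET_CALLS and ret.isdigit():
            st["net_fds"].add(int(ret))                      # remember network descriptors
        elif call in ("dup2", "dup3") and len(args) >= 2 and args[0].isdigit() and args[1].isdigit():
            if int(args[0]) in st["net_fds"] and int(args[1]) in (0, 1, 2):
                st["stdio_wired"] = True                     # socket now backs stdin/stdout/stderr
        elif call in PRIV_CALLS and args and all(a == "0" for a in args):
            st["root_set"] = True                            # setuid(0) / setreuid(0, 0) / setresuid(0, 0, 0)
        elif call == "execve" and args:
            path = args[0].strip('"')
            reasons = []
            if path in SHELLS:
                reasons.append(f"exec of shell {path}")
            if st["root_set"]:
                reasons.append("uid set to 0 before exec")
            if st["stdio_wired"]:
                reasons.append("network socket attached to stdio before exec")
            if reasons:
                alerts.append({"pid": pid, "line": lineno, "reasons": reasons})
            state[pid] = _fresh()                            # new program image, start over
    return alerts


# Constructed sample traces (assumed, not captured from a real system): pid 1234 is a
# network service that was overflowed and ran a bind shell; pid 5678 is a normal process.
SAMPLE_TRACE = """\
5678 read(0, "GET / HTTP/1.0\\r\\n", 4096) = 16
1234 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
1234 accept(3, {sa_family=AF_INET, sin_port=htons(40100)}, [16]) = 4
1234 read(4, "\\220\\220\\220\\220\\220"..., 1024) = 1024
1234 dup2(4, 0) = 0
1234 dup2(4, 1) = 1
1234 setuid(0) = 0
5678 write(1, "HTTP/1.0 200 OK\\r\\n", 17) = 17
1234 execve("/bin/sh", ["/bin/sh", "-i"], 0x7ffc1d7a0b20 /* 0 vars */) = 0
5678 exit_group(0) = ?
""".splitlines()

BENIGN_TRACE = """\
5678 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
5678 execve("/usr/bin/ls", ["ls", "-l"], 0x7ffd00aa1c40 /* 12 vars */) = 0
5678 exit_group(0) = ?
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(f"pid {alert['pid']} line {alert['line']}: " + "; ".join(alert["reasons"]))
    print("benign trace alerts:", detect(BENIGN_TRACE))
```

The three rules are deliberately independent: a setuid daemon that legitimately runs shell scripts would trip only the first, and would need an allow-list, while a process that wires a network socket to its stdio and then executes anything is suspicious regardless of the program name. That separation is what the text means by deciding from "certain characteristics" rather than from the bare presence of a system call.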

4. Use at least two types of database injection attack tools

Sqlmap

sqlmap is an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It has a powerful detection engine and many features for the penetration tester, from database fingerprinting and data extraction to accessing the underlying file system and executing commands on the operating system over an out-of-band connection.

Databases supported by sqlmap:

MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, and SAP MaxDB

Detection injection

Basic format

sqlmap -u "http://www.vuln.cn/post.php?id=1"

By default sqlmap runs at level 1 and tests for all supported database types

sqlmap -u "http://www.vuln.cn/post.php?id=1" --dbms mysql --level 3

Specifies MySQL as the database type and sets the level to 3 (there are 5 levels in total; the higher the level, the more thorough the tests)

Following 302 redirects

When the injected request triggers an error page that redirects somewhere else, sqlmap has to follow the 302 to see it.
When the error is returned first and the redirect only happens afterwards, following the 302 is not needed.
The goal is to reach the response that carries the error message.

Cookie Injection

When the application protects against GET injection, you can inject through a cookie instead:
sqlmap -u "http://www.baidu.com/shownews.asp" --cookie "Id=11" --level 2 (cookies are only tested at level 2 or higher)

Injecting from the post packet

Capture the POST request with a tool such as Burp Suite or Tamper Data, save it to a file, and hand the file to sqlmap:

sqlmap -r "C:\tools\request.txt" -p "username" --dbms mysql    (-p restricts testing to the username parameter)

Commonly used sqlmap options:
    • --is-dba            whether the current user has DBA (root) privileges
    • --dbs               list all databases
    • --current-db        the database the web site is currently using
    • --current-user      the current database user
    • --users             list all database users
    • --passwords         dump database user password hashes
    • --random-agent      use a random User-Agent header
    • --proxy http://local:8080 --threads 10    send requests through a proxy; --threads sets the number of concurrent requests (speeds up enumeration)
    • --time-sec=TIMESEC  seconds to wait for a delayed DBMS response in time-based tests (default 5)
Sqlsus

Sqlsus is a MySQL injection and takeover tool written in Perl. It can retrieve the database structure, run injected queries, download files from the server, crawl for writable directories and write a backdoor into them, clone the database, and more. It offers both in-band and blind injection modes for obtaining database access. To use it, first generate a configuration file with the tool, set the injection URL and the injected parameter in that file, and then load the file to carry out the penetration test.
