"Penetration Defense Web" SQL injection attack advanced

Source: Internet
Author: User
Tags: sql injection, sql injection attack, sql injection defense

Objective

The previous articles covered how to find, confirm, and exploit SQL injection vulnerabilities. This article covers some more advanced techniques for evading input filters and circumventing defenses, and then, since defenses do exist, looks at SQL injection defensive techniques.

Directory


Section 5. Summary of filter bypass methods

    • 5.1. Case variants
    • 5.2. URL encoding
    • 5.3. SQL comments
    • 5.4. Null bytes
    • 5.5. Second-order SQL injection

Section 6. SQL injection defense techniques

    • 6.1. Input validation
    • 6.2. Output encoding

Body

    • Section 5. Summary of filter bypass methods


To defend against attacks such as SQL injection, web applications often use input filters, implemented either in the application code itself or externally, for example in a web application firewall or an intrusion prevention system. There are many ways to evade such filters; this section summarises some common techniques that can be tried when the filter rules are not known.


5.1. Case variants

This technique works when a keyword-blocking filter is naive: the database handles SQL keywords case-insensitively, so changing the case of characters in a keyword lets the input pass a filter that compares case-sensitively.
For example, the following code is a simple keyword-blocking filter (PHP):

    // Simple keyword-blocking filter. strstr() is case-sensitive, so only the
    // exact lowercase 'union' is caught; 'UNION' or 'UnIoN' passes straight through,
    // and the database treats all three the same.
    function waf($id1) {
        if (strstr($id1, 'union')) {
            echo 'Error: Illegal input';
            return;
        }
        return $id1;
    }

5.2. URL encoding

URL encoding is widely used and can be used to bypass several kinds of input filters. The filter below blocks a single quote and the /**/ comment sequence:

    // Blocks a literal quote and the inline-comment sequence. The check runs on
    // the raw request value, so a percent-encoded form of either is not matched.
    function waf($id1) {
        if (strstr($id1, "'") || strstr($id1, '/**/')) {
            echo 'Error: Illegal input';
            return;
        }
        return $id1;
    }

Double URL encoding sometimes works when the web application decodes the input more than once and applies its input filter before the final decoding.

With double URL encoding, the first decoding produces %2f%2a, and that is the value that enters the input filter, so the check matches nothing and is bypassed. Of course, this only works if another URL decoding takes place after the filter.

5.3. SQL comments

Many developers believe that restricting input to a single word (no whitespace) limits SQL injection attacks, so they tend simply to block the various whitespace characters:

    // Blocks the space character only. Because an inline comment can stand in
    // for a space, this does not restrict the SQL that can be expressed.
    function waf($id1) {
        if (strstr($id1, ' ')) {
            echo 'Error: Illegal input';
            return;
        }
        return $id1;
    }

However, inline comments (/**/) can be used to construct arbitrarily complex SQL statements without using a single space.

5.4. Null bytes

Input filters are often implemented outside the application code, for example in an intrusion detection system (IDS). Such systems are usually written in native languages such as C/C++. Null bytes matter because in native languages the length of a string is determined by scanning from its start to the first null byte, so a null byte effectively terminates the string: a filter written this way stops inspecting at the null byte, while the application that receives the value may process everything after it.

It is enough to place a URL-encoded null byte in front of the string the filter would block, for example:

%xx'  Union select Username,password from users where username='admin'  --


5.5. Second-order SQL injection

The timing of an ordinary (first-order) SQL injection attack is usually as follows:

(1) The attacker submits some crafted input in an HTTP request.

(2) The application processes the input, causing the SQL query injected by the attacker to be executed.

(3) If applicable, the query result is returned to the attacker in the application's response to that request.

A different kind of attack is "second-order" SQL injection, whose timing is usually as follows:

(1) The attacker submits some crafted input in an HTTP request.

(2) The application stores the input (typically in the database) for later use and responds to the request.

(3) The attacker submits a second, different request.

(4) While processing the second request, the application retrieves the stored input and processes it, causing the SQL query injected by the attacker to be executed.

(5) If applicable, the query result is returned to the attacker in the application's response to the second request.


Second-order SQL injection is hard for beginners to grasp from the description alone, so here is a classic example.

Consider a personal-information application in which we can update our user name and can also view our personal information.

In the second step, viewing our personal information, the SQL statement is:

    SELECT ... FROM ... WHERE ... = '$name'

The variable $name used by this query is our user name, read back from the database. So we can first plant the statement in the database using the "update user name" feature; the injected SQL is then executed when we view our personal information.

For example, we set the user name to:

    zusheng' or '1'='1

The statement executed at the back end then becomes:

    SELECT ... FROM ... WHERE ... = 'zusheng' or '1'='1'
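To make the two steps concrete, here is an added example (not the article's own code) in Python with an in-memory SQLite database; the table, column names and the view_profile functions are assumptions, and the stored name is the payload shown above. The vulnerable view splices the stored name into a new query, while the fixed version binds it as a parameter, treating data read back from the database as untrusted input.

```python
import sqlite3

# Constructed in-memory database standing in for the profile application
# described above (the table and column names are assumptions).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"),
                    ("bob", "bob@example.com"),
                    ("zusheng", "zusheng@example.com")])
    return db

def update_username(db, user_id, new_name):
    # Step 1: the "update user name" feature stores the input. This statement
    # is parameterised and not injectable itself; the danger is the later reuse.
    db.execute("UPDATE users SET username = ? WHERE id = ?", (new_name, user_id))

def view_profile_vulnerable(db, user_id):
    # Step 2: the stored name is read back and spliced into a new query as if it
    # were trusted text. This is the second-order injection point.
    name = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return db.execute(f"SELECT username, email FROM users WHERE username = '{name}'").fetchall()

def view_profile_fixed(db, user_id):
    # Same logic, but the stored value is bound as a parameter, so it can only
    # ever be compared as a literal string.
    name = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return db.execute("SELECT username, email FROM users WHERE username = ?", (name,)).fetchall()

def demo():
    db = make_db()
    update_username(db, 3, "zusheng' or '1'='1")  # the page's example user name
    leaked = view_profile_vulnerable(db, 3)        # tautology: every row comes back
    own = view_profile_fixed(db, 3)                # only the user's own row
    return len(leaked), len(own)

if __name__ == "__main__":
    print(demo())  # (3, 1)
```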



    • Section 6. SQL injection defense techniques


6.1. Input validation

Input validation means verifying that every input the application receives is legitimate.

There are two different approaches to input validation: whitelist validation and blacklist validation.

Whitelist validation: define what is allowed. For example, if the value is an ID, check that it is a number and reject anything else.

Blacklist validation: use regular expressions to disallow certain characters and strings.

Whitelists should be used wherever possible; a blacklist is only a fallback for the few places where a whitelist cannot be applied, and it should be confined to those places.


6.2. Output encoding

In addition to validating the input the application receives, we encode data before it is output. This not only helps against SQL injection attacks but also prevents other problems, such as XSS.
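The following added example (not from the article) in Python contrasts the blacklist approach of section 5 with whitelist validation and output encoding from this section. The function names, regular expressions and probe strings are assumptions (the probes reuse the bypass forms already shown on the page), and the canonicalize step goes beyond the text: it decodes and case-folds the value before the blacklist check, which is the decoding-order point of section 5.2.

```python
import html
import re
from urllib.parse import unquote

# Blacklist filter modelled on the keyword-blocking waf() of section 5.1:
# a case-sensitive substring check, which is exactly what case variants defeat.
BLOCKED_KEYWORDS = ("union", "select", "--", "/*")

def blacklist_ok(value: str) -> bool:
    return not any(kw in value for kw in BLOCKED_KEYWORDS)

def canonicalize(value: str) -> str:
    # Decode until the value stops changing, then case-fold, so the filter sees
    # what the database will see (the decoding-order caveat of section 5.2).
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower()

# Whitelist validators: state what IS allowed and reject everything else.
ID_RE = re.compile(r"[0-9]{1,10}")
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_id(value: str):
    """Return the id as a positive int, or None for anything else."""
    if not ID_RE.fullmatch(value):
        return None
    n = int(value)
    return n if n > 0 else None

def validate_username(value: str):
    """Return the name unchanged if it is alphanumeric/underscore only, else None."""
    return value if USERNAME_RE.fullmatch(value) else None

def render_profile(username: str, email: str) -> str:
    # Output encoding (section 6.2): escape before the value lands in HTML.
    return f"<p>{html.escape(username)} &lt;{html.escape(email)}&gt;</p>"

def demo():
    # Constructed probes: the page's own bypass forms plus two legitimate values.
    probes = ["UnIoN SeLeCt", "UnIoN%2520SeLeCt", "zusheng' or '1'='1", "42", "zusheng"]
    return {p: (blacklist_ok(p), blacklist_ok(canonicalize(p)),
                validate_id(p), validate_username(p)) for p in probes}

if __name__ == "__main__":
    for probe, verdicts in demo().items():
        print(repr(probe), verdicts)
```

Note that even the canonicalized blacklist lets the tautology through because it contains no blocked keyword, while both whitelist validators reject it.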






Concluding remarks

Because my technical skill is limited, my understanding of defensive techniques is not deep. I hope friends with better defensive skills will share their experience; I will add the techniques I receive to this article so that more people can refer to them. Thank you.


Series articles preview and navigation

"Penetration Defense Web" SQL injection attack, primary (status: updated)

    • Section 1. Injection attack principles and writing your own injection point
    • Section 2. Finding and confirming SQL injection

"Penetration Defense Web" SQL injection attack, intermediate (status: updated)

    • Section 3. Exploiting SQL injection
    • Section 4. Exploiting blind SQL injection

Original article link: http://bbs.ichunqiu.com/thread-10093-1-1.html

Thank you for reading; if you learned something, please like this post (typing it all up was not easy)!

Friends from the Garden are welcome to contribute!
