Javaphile
SQL blind injection attack technology Overview
Coolswallow of Javaphile (coolswallow@shaolin.org.cn)
Blind SQL Injection Techniques: A Survey
Abstract: This paper gives a survey of current blind SQL injection techniques. It first introduces the definition of SQL injection and its risks, and reviews several solutions proposed to solve the problem together with their respective disadvantages. Then the paper discusses, for the case where detailed error messages are suppressed, how to identify SQL injection based on the minimal reaction of the server, how to identify parameters that are vulnerable to SQL injection, how to generate valid injection syntax and how to build the required exploit. Finally, injection of UNION SELECT statements is described in detail, including how to count the columns and how to identify the column types. Although the examples in the paper refer to Microsoft SQL Server and Oracle only, the same techniques can be applied to other databases as well. With this paper we hope to make it clear that application-level vulnerabilities must be handled by application-level solutions, and that relying on suppressed error messages for protection from SQL injection is ultimately useless.
Key words: SQL Injection; Blind Injection; Database Attack; Web Application Security
1 Overview
1.1 General SQL Injection Technology Overview
At present there is no standard definition of SQL injection. Microsoft's China technology center describes it in two aspects [1]:
(1) script injection attacks;
(2) malicious user input used to affect the SQL that is executed.
According to Chris Anley's definition [2], SQL injection occurs when an attacker is able to insert a series of SQL statements into a query by manipulating the data written into an application. Stephen Kost [3] gives another characterization of this form of attack: it is used to gain unauthorized access to a database or to retrieve information directly from it. In essence, SQL injection attacks exploit SQL syntax together with flaws in the code written by application developers. Whenever an attacker can manipulate the data and insert SQL statements into the application, SQL injection is possible; in fact it is a common vulnerability in multi-tier applications. The attacker appends additional SQL elements to the end of a predefined query statement in order to trick the database server into executing arbitrary unauthorized queries. The application is generally a web application: it allows users to enter query conditions, embeds those conditions into an SQL request statement, and
sends that statement to the database server associated with the application for execution. By constructing malformed input, an attacker can alter such a request statement and obtain results the application never intended to return.
In terms of risk, SQL injection ranks at the very top, essentially alongside buffer overflows and similar vulnerabilities. For most attacks the attacker must first get past the site's firewall; for an SQL injection attack this is unnecessary, because the web application must by design accept inbound connections from the Internet to the web server. Once a web application has an injection vulnerability, the attacker can therefore access the database directly and may even gain access to the server on which the database runs. In some situations the risk posed by SQL injection is consequently higher than that of any other vulnerability.
Because SQL injection attacks exploit SQL syntax itself, they are very broad in scope. In theory they are effective against every standard database product that supports SQL, including SQL Server, Oracle, MySQL, DB2 and Informix, and against every web application technology connected to them, including Active/Java Server Pages, ColdFusion, PHP, Perl and so on. Naturally each product has its own characteristics, so the actual attack code may differ. The principle of SQL injection is relatively simple, database-backed applications of every kind are in wide use, and a large number of publications describing injection vulnerabilities and how to exploit them have appeared; as a result SQL injection attacks have increased year by year, and there is a trend toward abuse.
For a detailed introduction to common SQL injection techniques against MS SQL Server, see Chris Anley's "Advanced SQL Injection in SQL Server Applications" [2] and its sequel "(more) Advanced SQL Injection" [4], Cesar Cerrudo's "Manipulating Microsoft SQL Server Using SQL Injection" [5], and the white paper "SQL Injection: Are Your Web Applications Vulnerable?" [6]. For a general introduction to SQL injection against Oracle, see Stephen Kost's "An Introduction to SQL Injection Attacks for Oracle Developers" [3].
1.2 Defenses against SQL injection attacks
As more and more attacks have taken advantage of SQL injection, a number of solutions have been proposed to address injection vulnerabilities. They include:
(1) checking the validity of submitted data before the server processes it;
(2) encapsulating the information submitted by the client;
(3) replacing or deleting sensitive characters and strings;
(4) suppressing error messages.
Solution (1) is recognized as the most fundamental: the server refuses to perform any critical processing until it has confirmed that the client's input is valid. It requires, however, that developers know how to build web applications securely. Although documentation on secure database access is available, many developers still lack sufficient security awareness, so the products they develop still contain injection vulnerabilities. Solution (2) requires support from the RDBMS, and at present only Oracle provides it. Solution (3) is incomplete: for example, if the client's input is "...Ccmdmcmdd..." and the sensitive string "cmd" is replaced or deleted in a single pass, what remains is exactly "...Cmd...". Solution (4) is currently the most widely used. Many security documents hold that SQL injection attacks must rely on error messages to gather information, and some even claim that certain tasks cannot be completed without detailed error messages, which has led many security professionals to the belief that injection attacks cannot be carried out without detailed errors.
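The following added example (written for this page in Python; it is not code from the original paper) reproduces the bypass of solution (3) described above and contrasts it with the kind of positive validation that solution (1) calls for. The blocklist, the `is_valid_id` rule and the surrounding strings are constructed for illustration; only the sensitive string "cmd" and the input "...Ccmdmcmdd..." come from the text.

```python
import re

# Constructed blocklist standing in for a typical "sensitive string" filter.
SENSITIVE = ["cmd", "exec", "--"]


def strip_once(s: str, words=SENSITIVE) -> str:
    """Solution (3) as it is usually implemented: a single pass in which each
    blocked word is removed wherever it occurs (case-insensitively)."""
    for w in words:
        s = re.sub(re.escape(w), "", s, flags=re.IGNORECASE)
    return s


def strip_until_stable(s: str, words=SENSITIVE) -> str:
    """Repeat the pass until nothing changes, so that fragments left over
    from one removal cannot re-form a blocked word."""
    while True:
        t = strip_once(s, words)
        if t == s:
            return t
        s = t


def is_valid_id(value: str) -> bool:
    """Solution (1): positive validation. A numeric ID must consist of digits
    only; anything else is rejected before any SQL is built from it."""
    return re.fullmatch(r"[0-9]+", value) is not None


if __name__ == "__main__":
    payload = "...Ccmdmcmdd..."          # the paper's example input
    print(strip_once(payload))           # the blocked word survives the pass
    print(strip_until_stable(payload))   # gone only after iterating
    print(is_valid_id("42"), is_valid_id("42 AND 1=1"))
```

Iterating to a fixed point closes this particular hole, but the filter is still a blocklist: it removes only the strings its author thought of, and an attacker needs just one that was missed. The positive check in `is_valid_id` rejects everything that does not have the expected shape, which is why the paper treats (1) as the fundamental solution.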
In fact, suppressing error messages is a remedy applied only after the server has finished processing the request: the attack has already taken place, and suppression merely tries to keep the attacker from seeing its result. This paper introduces blind SQL injection, a newer technique used by some attackers with which, even when error messages are suppressed, the attacker can still obtain the information needed and carry on with the injection attack.
1.3 Structure of this article
To understand blind injection attacks, we first introduce the minimal server response needed to determine that an SQL injection vulnerability exists. Second, we construct a syntactically valid SQL request into which any valid SQL request can be substituted. Finally, we discuss how to inject a UNION SELECT statement when no detailed error messages are available. The blind injection attack discussed in this paper assumes that, before the attack, the target web application's database type, table structure and other such information are completely unknown; this information must be obtained by probing during the injection process.
2 Determining the injection vulnerability
To launch an SQL injection attack, the attacker must first confirm that the target web application has an injection vulnerability, and therefore must first be able to detect some kind of hint that a server error has occurred. Although the error messages themselves are suppressed, the web application still behaves differently for valid requests than for erroneous ones. The attacker only needs to learn to recognize these hints, find the related errors, and check whether they are SQL-related.
2.1 Identifying errors
A web application mainly produces two types of error. The first is a code exception raised by the web server, typically "500: Internal Server Error"; if an injected SQL statement contains a syntax error, for example an unclosed quotation mark, the server throws this type of exception. To suppress such errors the default error message is usually replaced with a pre-built custom HTML page, but as long as this kind of response can be observed, one can confirm that a server error has occurred. In other cases, to hide the exception further, some servers simply redirect to the home page or the previous page, or display a brief error message without any details.
The second type of error is generated by the application code itself, which indicates that its developers have good programming habits: the application generates its own error message for these conditions. When such an error occurs the request is usually still valid (200 OK), but the page still redirects to the home page or hides the information in some other way, much like an "Internal Server Error".
To distinguish these two kinds of error, consider an example. Two e-commerce applications, A and B, both use a page called proddetails.asp, which expects a parameter named ProdID, retrieves the record for that product from the database and processes the returned result. Both applications call proddetails.asp only from links on the product list page, which guarantees that ProdID is always present and valid. Application A assumes this can cause no problems and therefore performs no additional checks on the parameter. If an attacker modifies ProdID and inserts an ID that does not exist in the table, the database returns an empty record set. Because application A did not expect an empty result, an exception may be raised when it tries to process the data, resulting in "500: Internal Server Error". Application B, on the other hand, checks the size of the result set before processing it; if it is not greater than zero, B displays the error message "This product does not exist", or redirects to the product list page to hide the error.
Therefore, in blind SQL injection the attacker first submits invalid requests and observes how the application handles these errors, and then observes what happens when an SQL error occurs.
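The following added example (Python with an in-memory SQLite database; it is not code from the paper, which targets SQL Server and Oracle) models applications A and B above plus a hardened variant C, and runs the probe sequence this section describes: learn the application's reaction to a missing record and to a broken query, then check whether a true and a false condition appended to ProdID reproduce those reactions. The catalogue rows, the page strings, the redirect target prodlist.asp and the `probe` decision rule are constructed for illustration.

```python
import sqlite3

# Constructed product catalogue standing in for the e-commerce database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE products (ProdID INTEGER, Name TEXT, Price REAL)")
DB.executemany("INSERT INTO products VALUES (?, ?, ?)",
               [(1, "Widget", 9.99), (2, "Gadget", 19.99)])

QUERY = "SELECT Name, Price FROM products WHERE ProdID = "


def render(row):
    return 200, "<h1>%s</h1> $%.2f" % (row[0], row[1])


def app_a(prod_id: str):
    """Application A: ProdID is concatenated into the query and the result is
    used without any check, so every failure surfaces as a 500."""
    try:
        row = DB.execute(QUERY + prod_id).fetchone()
        return render(row)        # row is None for a missing record -> exception
    except Exception:
        return 500, "<html>Something went wrong</html>"   # custom error page


def app_b(prod_id: str):
    """Application B: same concatenation, but an empty result is handled and
    SQL errors are hidden behind a redirect to the product list."""
    try:
        row = DB.execute(QUERY + prod_id).fetchone()
    except Exception:
        return 302, "Location: prodlist.asp"
    if row is None:
        return 200, "This product does not exist"
    return render(row)


def app_c(prod_id: str):
    """Hardened variant: ProdID is bound as a parameter, so whatever it
    contains is compared as a value and never parsed as SQL."""
    row = DB.execute("SELECT Name, Price FROM products WHERE ProdID = ?",
                     (prod_id,)).fetchone()
    if row is None:
        return 200, "This product does not exist"
    return render(row)


def probe(app, valid_id: str = "1"):
    """Blind probe. Returns (injectable, reactions). The parameter is judged
    injectable when a tautology leaves the page unchanged, a contradiction
    reproduces the 'missing record' reaction, and an unclosed quote yields
    something other than the normal page."""
    reactions = {
        "baseline":  app(valid_id),
        "missing":   app("9999"),            # well-formed SQL, no such record
        "malformed": app(valid_id + "'"),    # unclosed quotation mark
    }
    true_cond = app(valid_id + " AND 1=1")
    false_cond = app(valid_id + " AND 1=2")
    injectable = (true_cond == reactions["baseline"]
                  and false_cond == reactions["missing"]
                  and reactions["malformed"] != reactions["baseline"])
    return injectable, reactions


if __name__ == "__main__":
    for name, app in (("A", app_a), ("B", app_b), ("C", app_c)):
        flag, seen = probe(app)
        print("application %s injectable=%s" % (name, flag))
        for kind, reaction in seen.items():
            print("  %-9s -> %s" % (kind, reaction))
```

A and B react differently (A answers both a missing record and a syntax error with a 500, B with a "not found" page and a redirect respectively), but in both the difference between the `1=1` and `1=2` probes is decided by the SQL, which is all the attacker needs; the suppressed error text plays no part. For C the tautology is treated as a product ID that does not exist, so the SQL-driven difference disappears.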