SQL Injection Analysis (2): Executing the Injection

Source: Internet
Author: User

Previous: http://www.bkjia.com/Article/201209/153277.html
Checking whether the program has a SQL injection vulnerability:

Using string data:

1. Submit a single quotation mark and check whether an error occurs.

2. Submit two single quotes. The database treats two consecutive single quotes as an escaped single quote and processes them as one quote character. If an error message is returned, the program may have a SQL injection vulnerability.

3. Submit benign data built with the database's string concatenation operator: key'||'word in Oracle, key'+'word in MS SQL, and key' 'word in MySQL. All three inputs are equivalent to the string keyword; choose the form for the database type and check whether the result for the concatenated input is the same as for the plain input.

Using numeric data:

1. Suppose the original URL is http://www.bkjia.com/select.jsp?id=4

Change 4 to (1+3) and check whether the output is the same. If it is, a SQL injection vulnerability may exist.

2. If the output in the previous check is the same, a more complex SQL expression can be used for further verification. The ASCII function returns the ASCII code of the specified character; for example, ASCII('A') evaluates to 65, because the ASCII code of A is 65. The 4 above can therefore be replaced with (ASCII('A')-61).

3. If single quotation marks are filtered, the URL above no longer works, but a number can be used instead. For example, the ASCII code of the digit 1 is 49, so the value can be written as (ASCII(1)-45).

PS: If a payload is attached directly to a URL, the characters above must be URL-encoded: & as %26 and = as %3d. Spaces are not allowed in the query string, so a space must be encoded as + or %20. Because a space is encoded as +, a literal + must itself be encoded as %2b, and a semicolon as %3b. For example, 1+1 is encoded as 1%2b1. Online encoding and decoding tools: http://www.baidu.com/baidu?word=url%B1%E0%C2%EB&sg=123
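As an added example (not part of the original article), here is a defender-side check that flags the probes described above in request logs: it URL-decodes each query parameter the way the PS describes, so it sees what the back-end query would see, and reports values that are not plain integers where an integer is expected or that carry quotes, parentheses or SQL keywords elsewhere. The list of integer parameters and the sample request lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Assumption: these query parameters must be plain integers (like id=4 above).
INTEGER_PARAMS = {"id"}
INT_RE = re.compile(r"^-?\d+$")
# Quote, parentheses, comment marker, statement separator, or the keywords
# the probes above rely on; checked in every non-integer parameter.
SUSPICIOUS = re.compile(r"'|\(|\)|--|;|\b(ascii|union|select)\b", re.IGNORECASE)

def suspicious_params(url):
    """Return [(name, decoded_value, reason)] for parameters that look tampered with.

    parse_qsl undoes the encoding the PS describes (%2b -> +, %27 -> ', + -> space),
    so the regexes run against the decoded value, not the raw query string."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in INTEGER_PARAMS:
            if not INT_RE.match(value):
                findings.append((name, value, "non-integer value in integer parameter"))
        elif SUSPICIOUS.search(value):
            findings.append((name, value, "SQL metacharacters or keywords"))
    return findings

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /select.jsp?id=4",
    "GET /select.jsp?id=(1%2b3)",
    "GET /select.jsp?id=%28ASCII%28%27A%27%29-61%29",
    "GET /select.jsp?id=(ASCII(1)-45)",
    "GET /search.jsp?name=youthflies%27%20union%20select%20NULL--",
    "GET /search.jsp?name=youthflies",
]

def scan(lines):
    """Map each request line to its findings; clean lines are left out."""
    report = {}
    for line in lines:
        path = line.split(" ", 1)[1]  # drop the HTTP method
        found = suspicious_params("http://example.invalid" + path)
        if found:
            report[line] = found
    return report

if __name__ == "__main__":
    for line, found in scan(SAMPLE_REQUESTS).items():
        print(line, "->", found)
```

A check like this only detects probing after the fact; it does not replace parameterized queries in the application itself.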


Injecting into different kinds of statements:

1. select is the most common statement encountered. The login bypass in the previous article targets a select statement: the injection lands in its where clause and a comment marker discards the rest of the statement.

2. insert statements can also be targets of SQL injection. Suppose the statement a web application runs to register a user is insert into user (username, password, Id, privs) values ('youthflies', 'passwd', 1234, 2). If a SQL injection vulnerability exists, we can specify our own Id and privs, provided the statement we construct has no syntax errors, that is, the number and type of the remaining fields must be correct. Register a user with the username youthflies', 'passwd', 11111, 1)--, and we have registered a user whose Id is 11111 and whose privilege level is 1. If we cannot know the number and type of the other fields, we can try in turn: for the username enter youthflies', 1)--; youthflies', 1, 1)--; and so on, adding one field at a time. If 1 doesn't work, try 2000 instead: many databases implicitly convert numbers to strings, and implicitly convert 2000 to the data type of the column.

3. update statement. The update statement is similar to the insert statement, except that a where clause determines which rows are affected. Take a change-password feature whose back-end SQL is update users set password = 'newpasswd' where username = 'youthflies' and password = 'passwd': to change the password, the old password must first be verified. Entering admin'-- as the username bypasses the password check and changes the admin password, or, more destructively, entering admin' or 1=1-- changes every user's password; once this happens it causes serious damage.
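As an added example (not from the original article), the registration and change-password statements above are written with string concatenation beside the parameterized form that prevents the injection; the same fix applies to the select statements in items 1 and 5. It uses sqlite3 with a constructed user table matching the article's columns and assumes that privs 1 means administrator.

```python
import sqlite3

PAYLOAD_NAME = "youthflies', 'passwd', 11111, 1)--"  # registration payload from the article

def fresh_db():
    """Constructed sample schema: user(username, password, Id, privs)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT, Id INTEGER, privs INTEGER)")
    db.execute("INSERT INTO user VALUES ('admin', 'secret', 1, 1)")  # privs 1 = admin (assumption)
    return db

def register_concat(db, username, password):
    # VULNERABLE: the quote in `username` closes the string literal, so the
    # attacker supplies Id and privs and comments out the application's values.
    db.execute("INSERT INTO user (username, password, Id, privs) "
               f"VALUES ('{username}', '{password}', 1234, 2)")

def register_param(db, username, password):
    # FIXED: placeholders send the values separately from the statement text,
    # so the whole payload is stored as an odd-looking username with privs 2.
    db.execute("INSERT INTO user (username, password, Id, privs) VALUES (?, ?, 1234, 2)",
               (username, password))

def change_password_concat(db, username, old, new):
    # VULNERABLE: admin'-- removes the password comparison from the where clause.
    cur = db.execute(f"UPDATE user SET password = '{new}' "
                     f"WHERE username = '{username}' AND password = '{old}'")
    return cur.rowcount

def change_password_param(db, username, old, new):
    # FIXED: the where clause compares against the literal string admin'--, which matches nobody.
    cur = db.execute("UPDATE user SET password = ? WHERE username = ? AND password = ?",
                     (new, username, old))
    return cur.rowcount

def lookup(db, username):
    return db.execute("SELECT Id, privs FROM user WHERE username = ?", (username,)).fetchone()

def demo():
    """Run both forms and return what each one did."""
    vuln, fixed = fresh_db(), fresh_db()
    register_concat(vuln, PAYLOAD_NAME, "passwd")
    register_param(fixed, PAYLOAD_NAME, "passwd")
    return {
        "concat_registered": lookup(vuln, "youthflies"),   # (11111, 1): attacker-chosen Id/privs
        "param_registered": lookup(fixed, PAYLOAD_NAME),  # (1234, 2): literal name, normal privs
        "concat_pw_rows": change_password_concat(vuln, "admin'--", "wrong", "pwned"),  # 1
        "param_pw_rows": change_password_param(fixed, "admin'--", "wrong", "pwned"),   # 0
    }
```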

4. delete statement. It is similar to the update statement.

5. union operator. SQL uses the union operator to combine the results of two or more queries into one result set. If a select statement in a web program is injectable, we can use union to run a second, independent query and have its results merged into the first query's results. For example, given the statement select username, age, email from user where username = 'youthflies', we enter youthflies' union select username, age, password from user where username = 'youthflies'--, so that the final SQL becomes select username, age, email from user where username = 'youthflies' union select username, age, password from user where username = 'youthflies'--'. In this way we have constructed a query by hand that returns the user's password.

Such an injection, however, requires two conditions: 1. the results of the two queries must combine correctly, so the number and types of the columns must be compatible; 2. we must know the table name and the relevant column names. If these two conditions are not met, the union statement we construct produces an error, and if the back end handles the error gracefully nothing further can be obtained. However, the database converts numbers to strings by default, and NULL can be converted to any data type, which can be used: if you do not know the data type of a column, select NULL.

We can use NULL to test the number of columns in the result: enter youthflies' union select NULL--; youthflies' union select NULL, NULL--; youthflies' union select NULL, NULL, NULL--; and so on. When the statement executes normally, the number of columns is correct. The order by clause can also be used to determine the number of columns: enter youthflies' order by 1--; youthflies' order by 2--; youthflies' order by 3-- (order by 3 sorts by the third column). When an error occurs, the number of columns has been found.

Once the number of columns is determined, the next step is to determine their types. For example, with 3 columns, enter youthflies' union select 'A', NULL, NULL--; youthflies' union select NULL, 'A', NULL--; youthflies' union select NULL, NULL, 'A'--. Whichever executes correctly shows that the column in that position is a string. PS: Oracle requires every select statement to have a from clause, so select from the DUAL table: youthflies' union select NULL from DUAL--. DUAL is a special table that exists in every Oracle database.

After determining the number and types of the columns, we can extract data from the database, although we must know the column names in the table. The database version can also be extracted, to attack based on known vulnerabilities in that version. MS SQL: youthflies' union select @@version, NULL, NULL--; Oracle: youthflies' union select banner, NULL, NULL--.
