Objective:
Script-based network intrusion is very popular now, and script injection vulnerabilities are a hot topic in the hacker community. Veterans and beginners alike are fascinated by their power and flexibility.
Precisely because injection attacks are so prevalent, injection tools keep appearing on the market. The best known are NBSI by "Bamboo", HDSI by "Guru", the D injection tool and so on. They make it very convenient for beginners to exploit injection holes. But a tool is fixed while injection technique is alive: being able to construct SQL injection statements flexibly according to the actual situation and obtain the information you want is the fundamental difference between an expert and a beginner. You cannot improve by using tools without understanding the principles behind them, and when special circumstances arise, those who can only use tools have to give up. So learn manual injection yourself. Constructing SQL injection statements is a basic lesson for hackers. I hope this article gives a little inspiration to friends who have not yet tried manual injection, and helps everyone leave the tools behind early and join the ranks of the experts.
Cramming the basics:
To learn manual injection, one term must be mentioned first: the database system.
1. Brief introduction
A database system consists of a database and a database management system (DBMS). The database is where the data is stored; the DBMS is the software that manages it. The structure used to store data in a database is called the data model. There are four common data models: hierarchical, network, relational and object-oriented. The relational model is the dominant one; Access, MSSQL and Oracle are all relational database systems, and Access and MSSQL are the most common. This is theory, but I hope you understand it.
2. Basic concepts
Table: A table is the basic building block of a relational database. It organizes related information in rows and columns. Rows are usually called records and columns are called fields. Each record is made up of several fields. The name of a field is the field name, and the value a field holds in a given record is the field value. Every row in a table has the same structure.
3. Conditions of injection
Only dynamic pages that query a database can have an injection vulnerability. Dynamic pages include ASP, PHP, JSP, CGI and so on; this article covers only injection into ASP pages. So what does a page that queries the database look like? For example: asp?id= or php?id=. The name after the "?" (here id) is the variable name; note that this name can be anything. The value after the "=" is called the parameter, and it can also change. Keep your thinking flexible, learn to extrapolate, and don't be too rigid.
4. The principle analysis of injection vulnerability:
The program does not effectively filter the variable submitted by the user and places it directly into the query statement. So we can append a statement with a query function to the information the program submits, and then judge the contents of the database from the information the server returns. If you don't fully understand this yet, it doesn't matter; read on.
That covers the basics; the practical part begins below.
Actual part
If you are a beginner who has only just started, the first step is to right-click the IE icon on the desktop, choose Properties, then the Advanced tab, scroll down to "Show friendly HTTP error messages", remove the check mark in front of it and click OK. This makes IE show us the full error information the server returns.
The first part: Access database manual Injection
1. To determine if an injection vulnerability exists:
I believe everyone knows this: append and 1=1 and and 1=2 to the URL of a page that queries the database. If the page with and 1=1 returns normally (exactly as it looked without and 1=1) and the page with and 1=2 returns an error (different from the page without and 1=2), the page has an injection vulnerability. For example:
http://www.xxx.com/a.asp?id=7. We append and 1=1 to the end (two spaces: one before and, one between and and 1=1), so the URL becomes
http://www.xxx.com/a.asp?id=7 and 1=1. Open this page with IE; it returns normally. Then try appending and 1=2 instead, so the URL becomes
http://www.xxx.com/a.asp?id=7 and 1=2. Open this page with IE as well; it returns an error. This means the page http://www.xxx.com/a.asp?id=7 has an injection vulnerability, that is, it is an injection point. (A page with an injection vulnerability is called an injection point.)
However, not every page can be judged this way. Some pages return an error page whether you append and 1=1 or and 1=2. Does that mean such a page has no injection vulnerability? Not necessarily. Take this page: http://www.xxxxxx.com/b.asp?id=ade7. It returns an error page whether we append and 1=1 or and 1=2. In this case we try another way of testing the vulnerability, which can be considered a variant of and 1=1 / and 1=2. The original URL is http://www.xxxxxx.com/b.asp?id=ade7; we change it to http://www.xxxxxx.com/b.asp?id=ade7' and '1'='1 and open it with IE to see whether it returns normally. If it does, continue testing for the vulnerability with this address (if it does not return normally, the page most likely has no injection vulnerability): http://www.xxxxxx.com/b.asp?id=ade7' and '1'='2. Open this URL with IE; if it returns an error, this page has an injection vulnerability.
A. Analysis of numeric parameter injection points.
Someone will surely ask: why not use and 1=1 / and 1=2 from the start? Don't rush; first look at what is different about the two vulnerable pages.
(Don't tell me the second URL just has a few more x's than the first.) I believe you have noticed: the parameter at the end of the second URL is ade7, a character string, while the parameter at the end of the first URL is 7, a number. This is what makes the statements that test the vulnerability differ. Anyone who has studied databases knows that in a query, character values are wrapped in single quotes: 'character data'. Suppose the query statement behind the first injection page is as follows (a page that calls the database usually has one or more corresponding query statements used to read the database contents):
select * from table name where id=7. This is the original query; it is correct and retrieves the matching content from the database. If we append and 1=1 to the URL, the query becomes select * from table name where id=7 and 1=1 (this is what "the variable is not filtered" in the principle analysis means). Here some database knowledge is needed: in this statement, and is a logical operator, meaning "and" in Chinese. In high-school mathematics, two propositions joined by "and" must both be true, otherwise the whole sentence is false. For example: "Apples and elephants are fruits" is false, because apples are fruit but elephants are not. "Apples and pears are fruits" is true. Knowing how and works, look again at select * from table name where id=7 and 1=1. The part before and, select * from table name where id=7, is certainly correct (if the query were wrong, the page itself would be broken), so the sentence before and must be true. The part after and, 1=1, is obviously true as well. By the rule for and, the whole query select * from table name where id=7 and 1=1 is still correct, so it still retrieves the information from the database and returns it to us.
By extension, select * from table name where id=7 and 1=2 is certainly false, so this query cannot retrieve the information from the database and we see an error page. That is the analysis for an injection point whose parameter is int (integer).
B. Analysis of character parameter injection points
Now look at the query behind the second, character-type injection page, for example select * from table where id='ade7' (why the quotes? see above). That is the original query. If we test it the same way as a numeric parameter, the statement becomes select * from table where id='ade7 and 1=1' and
select * from table where id='ade7 and 1=2'. Because the program queries whatever is inside the quotes, these two statements make it look for records whose id is literally ade7 and 1=1 or ade7 and 1=2, which is not what we want (don't tell me the database happens to hold exactly those two records). Someone may ask: why not have it query the id 'ade7 and then and 1='1? Even if a record with id 'ade7 could be found, the statement is still wrong: how can 1 equal '1? Moreover, the program cannot query 'ade7, or more precisely the database cannot hold a field value of 'ade7, because that string is missing a quote; storing it directly would make the program error. Got it?
Now the principle of testing with ' and '1'='1 and ' and '1'='2. Again the query statement is:
select * from table where id='ade7'. If we append ' and '1'='1 to the URL, the query becomes
select * from table where id='ade7' and '1'='1' (the outermost quotes are added automatically by the program). Is this statement correct? Let's analyze it. When we submit it, the program queries the record with id ade7. That record exists (if it didn't, the page itself would have a problem), and the following '1'='1' is true, so the statement is correct. If we change ' and '1'='1 to ' and '1'='2, the statement becomes select * from table where id='ade7' and '1'='2', and we can see it is wrong: how can '1' equal '2'? That concludes the principle of character-type parameter injection points.
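The two query shapes above (bare numeric parameter, quoted character parameter) and their parameterized counterpart, as an added example that is not part of the original article. It uses an in-memory SQLite database with constructed rows standing in for a.asp and b.asp, and models the article's "normal page / error page" as "rows found / no rows".

```python
import sqlite3

# Constructed sample data standing in for the article's two pages
# (a.asp with a numeric id column, b.asp with a character id column).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table a (id integer, title text)")
    db.execute("insert into a values (7, 'article seven')")
    db.execute("create table b (id text, title text)")
    db.execute("insert into b values ('ade7', 'article ade7')")
    return db

def vulnerable_query(db, table, quoted, param):
    """Builds the statement by string concatenation, as the vulnerable ASP
    page does. quoted=True mirrors a character parameter the program wraps
    in single quotes; a numeric parameter is pasted in bare."""
    value = f"'{param}'" if quoted else param
    sql = f"select * from {table} where id={value}"
    return sql, db.execute(sql).fetchall()

def safe_query(db, table, param):
    """Parameterized form: the user value is bound, never parsed as SQL."""
    return db.execute(f"select * from {table} where id=?", (param,)).fetchall()

def page_result(rows):
    # The article's pages show the record when one is found and an error
    # page when the recordset is empty; model that as two states.
    return "normal" if rows else "error"

def demo():
    db = make_db()
    results = {}
    # Numeric injection point (a.asp?id=7): probes land directly in the WHERE clause
    for probe in ("7", "7 and 1=1", "7 and 1=2"):
        sql, rows = vulnerable_query(db, "a", False, probe)
        results[sql] = page_result(rows)
    # Character injection point (b.asp?id=ade7): the naive probe is swallowed by
    # the quotes, the quote-closing probe is not
    for probe in ("ade7", "ade7 and 1=1", "ade7' and '1'='1", "ade7' and '1'='2"):
        sql, rows = vulnerable_query(db, "b", True, probe)
        results[sql] = page_result(rows)
    # Against a bound parameter the same probes are just non-matching values
    results["bound 7"] = page_result(safe_query(db, "a", "7"))
    results["bound 7 and 1=1"] = page_result(safe_query(db, "a", "7 and 1=1"))
    results["bound ade7' and '1'='1"] = page_result(safe_query(db, "b", "ade7' and '1'='1"))
    return results

if __name__ == "__main__":
    for sql, state in demo().items():
        print(f"{state:6}  {sql}")
```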
2. Determining the database type
After confirming that an address is an injection point, we first need to determine which type of database the injection point connects to. Here are some simple methods; if one gives no answer, try another.
A. Append a single quote directly after the injection point. Sometimes the server's error message tells us which database is in use. From the error message we can see that the database behind this injection point is Access. Why? Look carefully: it says Microsoft JET Database Engine error '80040e14', meaning the database is connected through the JET engine, not ODBC. A connection through JET means an Access database; if it is ODBC, the database is MSSQL. That is all you need to remember. There is also a more detailed error message that states the database type directly, but I have not found such an injection point, so I have no screenshot; you will recognize it when you see it.
B. After the injection point (note: first confirm that it is an injection point; appending to a non-injection point is useless) append ;-- (a semicolon and two hyphens). For example, this URL
http://www.xxxxxxxx.com/Article/as.asp?id=875, which we have already confirmed is an injection point. We append ;-- so it becomes
http://www.xxxxxxxx.com/Article/as.asp?id=875;-- Submit this URL; if the page returns normally, the database is MSSQL, because in MSSQL both ";" and "--" exist: ";" separates two statements, and "--" is the comment marker, after which nothing is executed. Access has neither. So with an Access database, when ;-- is added to the address the program treats ;-- as part of the parameter and the query fails. If it fails, the database is almost certainly Access (since these two databases account for most web sites).
C. If none of the above methods gives an answer, use this trick: exploit the differences between Access and MSSQL. Two query statements are used. Again, if the injection point is http://www.xxxxxxxx.com/Article/as.asp?id=875, we append and exists (select count(*) from sysobjects). The address becomes
http://www.xxxxxxxx.com/Article/as.asp?id=875 and exists (select count(*) from sysobjects). If the page returns normally, the database is MSSQL. To explain the statement: it asks whether the number of records in the sysobjects table is greater than 0 (a bit awkward). A normal return means it is greater than 0, and therefore that the sysobjects table exists; since only MSSQL has this table, the database must be MSSQL. If it returns an error, it is not MSSQL. So how do we use a query to determine whether the database is Access? Don't worry, read on. Append and exists (select count(*) from msysobjects) after the injection point, giving
http://www.xxxxxxxx.com/Article/as.asp?id=875 and exists (select count(*) from msysobjects). The statement is understood just like the MSSQL one. Note that submitting it will not return the normal page, even on an Access database, because by default we have no permission to query this table. Instead the page reports something like "Record cannot be read; no read permission on 'MSysObjects'". If this error message is returned, the database is Access. In short, two query statements:
and exists (select count(*) from sysobjects)
and exists (select count(*) from msysobjects)
If the first returns normally, the database is MSSQL; if neither returns normally, it is Access (only MSSQL and Access are discussed here).
Note: all of the above detection methods assume an int parameter. If the parameter is a character type, first add a single quote after the parameter, then append ;-- at the end of the query statement.
3. Guessing table and field names, detecting the record count, detecting field length.
I will follow the same process the injection tools use.
A. Guessing the table.
Statement used: and exists (select count(*) from the table name you want to guess). Append it after the injection point; if the page returns normally, the table you guessed exists. For example
http://www.xxxxxxxx.com/Article/as.asp?id=875 and exists (select count(*) from admin). If it returns normally, the admin table exists; if it returns an error, it does not. Other tables are guessed the same way.
B. Guessing the columns.
Statement used: and (select count(column name) from the guessed table name) >0. Append it after the injection point; if the page returns normally, the column you guessed exists. For example
http://www.xxxxxxxx.com/Article/as.asp?id=875 and (select count(username) from admin) >0. If it returns normally, the username column exists. But first make sure the table name after from exists, otherwise your conclusion is wrong.
C. Detecting the number of records
Statement used: and (select count(*) from the guessed table name) >x (x is a number). Append it after the injection point and keep changing x until you have found the exact number of records. For example, http://www.xxxxxxxx.com/Article/as.asp?id=875 and (select count(*) from admin) >2 tests how many records the admin table has, that is, how many administrators there are (each administrator is one record). If it returns normally, the admin table has more than 2 records. Then change 2 to a larger number, say 5. If that returns an error, the number of administrators is between 2 and 5; the integers between 2 and 5 are 3 and 4, so change the statement to http://www.xxxxxxxx.com/Article/as.asp?id=875 and (select count(*) from admin) =3 or =4, and whichever returns normally is the number of administrators. If >5 also returns normally, take a larger number and repeat the process until you have guessed the record count.
D. Detecting field length
Statement used: and (select top 1 len(column) from table) >x (x works as before). To explain: select top 1 means query the first row of data (a web environment does not support multi-row echo; a single query cannot return more than one row). len is a function in MSSQL; len() takes a string, an expression or a column name and returns its length. With that understood, the statement should be clear. x is varied the same way as above.
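From the defender's side, the probes described in sections 2 and 3 leave a recognizable trail in the web server log. The following is an added example, not part of the original article: it decodes the query string of constructed IIS-style log lines (a simplified layout of date, time, client IP, method, URI stem, query and status, not real traffic), matches each technique the article walks through, and flags a client that sent both a true (1=1) and a false (1=2) probe to the same page, which is the signature of blind boolean injection rather than a one-off scanner hit.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log lines (date time c-ip method uri-stem uri-query status); not real traffic.
LOG = """\
2006-03-01 10:00:05 203.0.113.5 GET /Article/as.asp id=875%20and%201=1 200
2006-03-01 10:00:09 203.0.113.5 GET /Article/as.asp id=875%20and%201=2 500
2006-03-01 10:00:20 203.0.113.5 GET /Article/as.asp id=875;-- 200
2006-03-01 10:00:31 203.0.113.5 GET /Article/as.asp id=875+and+exists(select+count(*)+from+sysobjects) 200
2006-03-01 10:00:44 203.0.113.5 GET /Article/as.asp id=875+and+(select+count(*)+from+admin)>2 200
2006-03-01 10:00:59 203.0.113.5 GET /Article/as.asp id=875+and+(select+top+1+len(username)+from+admin)>5 500
2006-03-01 10:01:03 198.51.100.7 GET /b.asp id=ade7'%20and%20'1'='1 200
2006-03-01 10:01:07 198.51.100.7 GET /b.asp id=ade7'%20and%20'1'='2 500
2006-03-01 10:02:00 192.0.2.9 GET /a.asp id=7 200
"""

# One rule per technique from the article, applied to the decoded query string.
RULES = [
    ("boolean-int", re.compile(r"\band\s+(\d+)\s*=\s*(\d+)")),
    ("boolean-str", re.compile(r"'\s*and\s*'([^']*)'\s*=\s*'([^']*)")),
    ("stack-comment", re.compile(r";\s*--")),
    ("db-fingerprint", re.compile(r"\b(m?sysobjects)\b")),
    ("table-probe", re.compile(r"exists\s*\(\s*select\s+count\s*\(")),
    ("count-probe", re.compile(r"select\s+count\s*\([^)]*\)\s*from\s+\w+\s*\)\s*[>=<]")),
    ("length-probe", re.compile(r"select\s+top\s+1\s+len\s*\(")),
]

def decode(query):
    # Decode %20 and '+', fold case and whitespace so encoding does not hide the probe
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def scan(log):
    hits, truth = [], defaultdict(set)
    for line in log.splitlines():
        _date, _time, ip, _method, stem, query, status = line.split()
        q = decode(query)
        names = [name for name, rx in RULES if rx.search(q)]
        if names:
            hits.append((ip, stem, status, names))
        # Record whether each boolean probe was true (1=1) or false (1=2) per client and page
        for _name, rx in RULES[:2]:
            m = rx.search(q)
            if m:
                truth[(ip, stem)].add(m.group(1) == m.group(2))
    # Both a true and a false probe from one client to one page: blind boolean injection
    pairs = sorted(k for k, v in truth.items() if v == {True, False})
    return hits, pairs

if __name__ == "__main__":
    hits, pairs = scan(LOG)
    for ip, stem, status, names in hits:
        print(ip, stem, status, ",".join(names))
    print("boolean probing pairs:", pairs)
```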