Throwing away tools and learning to inject them manually

Script intrusion is very popular on the Internet, and the Script Injection Vulnerability is popular among hackers. Whether it's an old bird or a new dish, it will be fascinated by its great power and flexible moves!

It is precisely because of the prevalence of injection attacks that the injection tools on the market are endless! Well-known nbsi of Xiaozhu, HDSI of the instructors, and ah d injection tools! This makes it easy for the dishes to master the injection vulnerability! However, the tool is dead, but the injection method is active. Can I flexibly construct SQL Injection statements based on the actual situation to get the desired information, it is the fundamental difference between a [blocked undesirable keyword] High Shou and a small dish! It is impossible to improve the principle of using only tools. Of course, in some special circumstances, those who only use tools can only give up! Therefore, learning to manually inject your own SQL Injection statements is a must for hackers! I hope this article will inspire those who will not be manually injected! This helps you get rid of tools and step into the [blocked undesirable keywords] High Shou!

Anti-spoofing basics:

To learn how to inject manually, there is a term that must be mentioned, that is, the database system!

1. Introduction

Database systems are divided into databases and database management systems! Databases are the places where data is stored, and database management systems are the software for database management! The storage section of data in the database is called the data model! There are four common data models: hierarchical model, mesh model, relational model, and object-oriented model. The relational data model is the most important data model, and access, MSSQL, and Oracle are all relational model database systems. Among them, access and MSSQL database systems are the most common! These are all theoretical knowledge and I hope you can understand them!

2. Basic Concepts

Table: A table is a basic component of a relational database! It is arranged by combination of rows and columns into relevant information. A row is usually called a record and a column is called a field. Each field is called a field! Each record consists of multiple fields. Each field is called a field name, and the value of each field is called an estimate field value. Each row in the table, that is, each record has the same structure!

3. Injection Conditions

Only dynamic pages that call databases can have the injection vulnerability. dynamic pages include asp php jsp cgi. This article only describes ASP page injection. So what is the page for calling the database? For example, asp? Id = PHP? Id = is used to call the database page. "? "The ID added after is called a variable. Note that this variable can be changed at will. The value after" = "is called a parameter! This parameter can also be changed! You must be flexible in thinking. Do not be too rigid!

4. Analysis of injection vulnerability principles:

If the program does not effectively filter the variables submitted by the user, it is directly included in the query statement. In this way, we can submit statements with the data query function, add it to the information to be submitted by the program, and then judge the content in the database based on the information returned by the server! In this case, you may not understand it very well. It doesn't matter. Let's take a look.

The basics have been completed!

Practice

If you are new to injection, the first step is to right-click the IE icon on the desktop, click Properties, click "advanced", and then pull down the scroll bar, find "show Friends", remove the preceding check box, and click "OK" to get more information from the server!

Part 1: manual access database Injection

1. Determine whether the injection vulnerability exists:

I believe everyone should know this! Add and 1 = 1 and 1 = 2 to the URL of a database call, if and 1 = 1 is added, the returned result is normal (that is, the page is the same as when and 1 = 1 is not added ), the addition of and 1 = 2 returns an error (different from the page when and 1 = 2 was not added), which proves that the page has an injection vulnerability. For example:
Http://www.xxx.com/a.asp? Id = 7. For this webpage, we add and 1 = 1 (two spaces, one before and, one between and 1 = 1 !), The URL becomes
Http://www.xxx.com/a.asp? Id = 7 and 1 = 1. Open this webpage with IE and return to normal! Add and 1 = 2 to the end, and the URL becomes
Http://www.xxx.com/a.asp? Id = 7 and 1 = 2. Use IE to open the webpage and return an error! This shows the Web http://www.xxx.com/a.asp? Id = 7 injection vulnerability, which is an injection point! (Web pages with the injection vulnerability are called injection points !)
However, not all pages can be judged in this way. Some pages, whether you add and 1 = 1 or and 1 = 2, return error pages, is there no injection vulnerability on such pages? Not necessarily! Such as this page: http://www.xxxxxx.com/ B .asp? Id = ade7. No matter whether we are and 1 = 1 or and 1 = 2, it returns an error page! At this time, we will try to use another method to test the vulnerability. This method can be said to be a variant of and 1 = 1 and 1 = 2. The original web site is like this: http://www.xxxxxx.com/ B .asp? Id = ade7, now we turn it into this: http://www.xxxxxx.com/ B .asp? Id = ade7 'and '1' = '1. Open it with IE and check whether the returned result is normal! If it is normal, you can use this address to further test whether the vulnerability exists. (If the response is abnormal, the page is likely to have no injection vulnerability !) : Http://www.xxxxxx.com/ B .asp? Id = ade7 'and '1' = '2, open this URL with IE, if an error is returned, then this URL http://www.xxxxxx.com/ B .asp? The injection vulnerability exists when id = 1!
A. Analysis of numeric parameter injection points!

At this moment, some friends must ask, why is it impossible to use and 1 = 1 and 1 = 2 at the beginning! Don't worry. Let's first look at the differences between the two injection vulnerabilities?

(Do not tell me that the second website has a few more characters than the first one.) I believe you have seen that the parameter followed by the second website is ade7, which is a character! The parameter followed by the first URL is 7, which is a number! This is why the statements used to test the vulnerability are different! Those who have learned the database should know that in the query, the value of the character type should be enclosed in single quotation marks, which is like 'character Data '. Suppose that the query statement corresponding to the first injection page is like this (every page that calls the database will have one or several corresponding query statements, used to query the content in the database !)

: Select * from table name where id = 7. This is the original query statement. This statement is correct and can be found in the database! However, if we add and 1 = 1 after the URL, then this query statement will be changed to select * from table name where id = 7 and 1 = 1 (now we know that the variables mentioned in the analysis of injection vulnerability principles are not filtered !), Here we need to talk about some knowledge about the database. In this statement, and is a logical operator! (This is all you need to remember.) It means "and" in Chinese! As mentioned in high school mathematics, the two sentences connected with "and" must be true, or the entire sentence is not true! For example, Apple and elephants are both fruits. This sentence is wrong. Apple is a fruit, but an elephant is not! Now we can understand that the two sentences connected with "and" must be true, or the entire sentence is not true. If Apple and pear are both fruits, this sentence is correct. After knowing the usefulness of and, let's look at the sentence "select * from table name where id = 7 and 1 = 1, and the select * from table name where id = 7 must be correct. (why? If this query statement is incorrect, this injection page is problematic! So the sentence before and must be correct !). Let's look at "and". 1 = 1. You don't have to say it. That's right. (isn't it difficult to say that it's not equal to one ?) Based on the and usage, we can now determine that the query statement select * from table name where id = 7 and 1 = 1 is still correct! So it can still correctly query information from the database and return it to us!

The sentence: Select * from table name where id = 7 and 1 = 2, it must be wrong, this query statement cannot be used to query information from the database correctly, so we will see an error page! The above is the analysis when the injection point parameter is int (integer type!

B. Injection Points Analysis of parameter types

Just as before, let's take a look at the query statement on the second injection page, for example, the Select * from table where id = 'ade7 '(why quotation marks? See the previous section !). The original query statement looks like this. If we still use the numeric parameter to test the vulnerability, the statement will become like this: select * from table where id = 'ade7 and 1 = 1' and
Select * from table where id = 'ade7 and 1 = 2', because the program will automatically query the content in the quotation marks. If we submit the statement in the preceding two statements, the program queries the records whose ID values are ade7 and 1 = 1 and ade7 and 1 = 2, in this case, the result is not found (you do not want to tell me that there are exactly two records in the database: ade7 and 1 = 1 and 1 = 2 ). Some may ask, why not the query ID is 'ade7, and then and 1 = '1? Well, I will answer you now. Even if you can query records whose ID value is 'ade7, this sentence is also wrong. How can 1 be equal to '1? Right? What's more, the program cannot query 'ade7. More importantly, it is prepared that the value of a field in the database cannot be 'ade7, because this string contains only one quotation mark, if you directly store this string into the database, the program will report an error! How is it? Do you understand?

Now let's talk about the principle of testing with 'and' 1' = '1 and 'and' 1' = '2! This query statement is also used:
Select * from table where id = 'ade7 '. If we add 'and'1' = '1 after the URL, the query statement will become
Select * from table where id = 'ade7 'and '1' = '1' (the outermost quotation mark is automatically added by the Program! Is this statement correct? Let's analyze it. If we submit a statement, the program will automatically query records whose ID value is ade7! Because this record exists (if it does not exist, it is a problem with this webpage !), However, and followed by '1' = '1' is correct, so this statement is correct! If we replace 'and'1' = '1 with 'and '1' = '2, then the statement becomes the select * from table where id = 'ade7 'and '1' = '2'. We can see that this statement is correct after reading it! How Can '1' be equal to '2? Right? Okay. Here is the principle of injection points for parameter types!

2. Database Type judgment

After determining that an address is an injection point, we must first determine the type of the database connected to this injection point! Here are several simple methods. If one method cannot be determined, another method will be used!

A. Add single quotation marks directly after the injection point. Sometimes we can determine the database it uses based on the server error message. Through this error message, we can see that the type of database connected to this injection point is access. Why? Take a closer look! It refers to Microsoft Jet Database Engine connector 80040e14, indicating that the database is connected through the jet engine, rather than ODBC! If the connection is using the jet method, it indicates that the ACCESS database is used. If the connection is ODBC, it indicates that the database is MSSQL! Remember this. In fact, there is a detailed error message, which tells you the type of the database directly! Because I have not found such an injection point, I cannot cut the figure here. You can see it at a glance!
B. Add the injection point (Note: You have determined that it is an injection point and then added it. It is useless if it is not an injection point !) :; -- (A semicolon, two dashes !) For example, this URL
Http://www.xxxxxxxx.com/article/as.asp? Id = 875, we have already determined that it is an injection point, so that we can add it later; -- let it become
Http://www.xxxxxxxx.com/article/as.asp? Id = 875; -- submit this URL. If the page returns normal, the database is MSSQL. Because in the MSSQL database, both; and -- exist, ";" is used to separate two statements, and "--" is the annotator, and the statements following it are not executed! But not in the ACCESS database! So if it is an Access database, When you inject the address
When "; --" is added, the program regards "; --" as a part of the parameter, so that an error occurs in the query! If an error occurs, it is basically "access" (because the websites that use these two databases on the Internet are the most !)
C. If none of the above methods can be determined, you can use this trick! Use the differences between access and MSSQL databases to determine! Two query statements are required! Similarly, if the injection point is http://www.xxxxxxxx.com/article/as.asp? Id = 875, then we add and exists (select count (*) from sysobjects), then the address becomes
Http://www.xxxxxxxx.com/article/as.asp? Id = 875 and exists (select count (*) from sysobjects ). If the page returns normally, it can prove that the database is MSSQL. Let me explain this statement: This sentence means that the number of records in the sysobjects table is greater than 0! (Awkward !) If the returned result is normal, the value is greater than 0, indicating that the table sysobjects exists. Because this table is only available in the MSSQL database, you can determine the database's MSSQL! If an error is returned, no! How can we use a query statement to determine whether the database is accessible! Don't worry. Let's look down! We add and exists (select count (*) from msysobjects) after the injection point ). It becomes
Http://www.xxxxxxxx.com/article/as.asp? Id = 875 and exists (select count (*) from msysobjects), understand this statement according to the method of understanding the MSSQL database just now! Note that submitting this statement will not return to the normal page! Even the ACCESS database does not return a normal page! By default, we do not have the permission to query the data in this table! However, the Web will prompt "records cannot be read; 'msysobjects' has no read permission "! If this error message is returned, it indicates that it is an Access database !! In simple terms, there are two query statements:
And exists (select count (*) from sysobjects)
And exists (select count (*) from msysobjects)

If the first return is normal, it is the MSSQL database. If both are abnormal, It is the ACCESS database (Here we only discuss MSSQL and access)

Note: The above is all about the detection method when the parameter is int. If the parameter is character type, you must add single quotation marks after the parameter, and then add "at the end of the query statement "; --"

3. The length of the table, field name, detection record count, and detection field.
I will introduce the tool injection process to you!

A. Guess the table!
The statement used: And exists (select count (*) from the name of the table you want to guess ). Add this sentence after the injection point. If the returned result is normal, the table you guessed exists! For example
Http://www.xxxxxxxx.com/article/as.asp? Id = 875 and exists (select count (*) from Admin). If the returned result is normal, the admin table exists! If an error is returned, it indicates that the error does not exist !. The same is true for other tables!

B. Guess column!

Statement used: and (select count (column name) from the table name guessed)> 0. Add this sentence after the injection point. If the returned result is normal, the column you guessed exists! For example
Http://www.xxxxxxxx.com/article/as.asp? Id = 875 and (select count (username) from Admin)> 0. If the returned result is normal, the username Column exists! First, make sure that the table name following from exists! Otherwise, how do you guess it is all wrong!

C. Detection records

The statement used: and (select count (*) from the table name guessed)> X (X is a number ). Add this sentence after the injection point, and constantly change the number x until you can guess the exact number of records! Like http://www.xxxxxxxx.com/article/as.asp? Id = 875 and (select count (*) from Admin)> 2, which indicates the number of records in the admin table, that is, there are several administrators (because an administrator corresponds to a record !). If the returned result is normal, the number of records in the admin table is greater than 2. At this time, we will change 2 to a larger number! For example 5, if an error is returned, it indicates that the number of administrators is between 2 and 5, the integer between 2 and 5 is 3 and 4, at this time we transform the statement to the http://www.xxxxxxxx.com/article/as.asp? Id = 875 and (select count (*) from Admin) = 3 or = 4, which is the number of the administrator who returns normally. If more than 5 requests are submitted and an error is returned, a larger number is obtained. Repeat the previous action to guess the number of records!

D. Check Field Length

Statement used: and (select top 1 Len (column) from Table)> X (X is the same as just now !). In this sentence, select top 1 refers to the first data query! (Multi-row ECHO is not supported in the Web environment! Only one row of data can be queried at a time !), Len is a function in MSSQL. It can be a string, an expression, or a column name in Len! You can understand this! The transformation method of the next X is the same as above!