Summary of some scattered knowledge points of sql injection

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

In this issue, the editor brings you a summary of some scattered knowledge points about SQL injection. The article is rich in content and analyzes the topic from a professional point of view; I hope you gain something from reading it.

0. Knowledge points covered in this article

The specific process by which sqlmap writes a one-line webshell (--os-shell)

Stacked injection

Union injection

Common WAF bypass techniques

Precompilation (prepared statements) and common bypass techniques

1. How sqlmap writes a webshell (--os-shell)

1.1 Brief description of the process

First, sqlmap writes a file uploader named "tmpujhum.php".

Then, through that uploader, it uploads the shell "tmpbcluy.php".

The file that actually executes commands is "tmpbcluy.php".

The specific process can be found at: https://xz.aliyun.com/t/7942

1.2 A small question

A file can be written directly through a command, so why write an uploader first and then upload the shell through it?

**Answer:**

That is simply how sqlmap's authors wrote the code, and the flow follows from it (just kidding ~~).

The main reason is that most WAFs monitor direct file-writing commands more strictly than file uploads.

In other words, this seemingly "superfluous" step improves the probability that the shell is uploaded successfully.

2. Stacked injection

2.1 What is stacked injection

In SQL, the semicolon (;) marks the end of a statement.

Imagine that after finishing one SQL statement we append the next one: will both be executed together?

This idea leads to stacked injection (stacked queries).

2.2 How to determine whether stacked injection exists?

~ "id=1" returns normally

~ try "id=1a"; if an error is reported, the parameter is not being cast to an integer

~ try "id=1;"; if there is no error, ";" is not being substituted into the query as data but is treated as the terminator of the SQL statement

~ at this point, there is a high probability that stacked injection exists at this position

2.3 Limitations

The limitation of stacked injection is that it cannot be executed in every environment.

It may be restricted because the API or the database engine does not support it.

Of course, a lack of permissions can also explain why an attacker cannot modify data or call certain procedures.

3. Union injection

3.1 Principle

The vast majority of SQL injections use this technique.

I will not repeat the details; refer directly to the previous article.

3.2 Difference from stacked injection

The difference is that the statements executed via union or union all are limited in type: they can only be query statements.

Stacked injection can execute arbitrary statements.

**For example, in the following case the stacked version executes successfully, but union injection cannot:**

User input: 1; DELETE FROM products

The SQL statement generated on the server side is:

Select * from products where productid=1;DELETE FROM products

When this is executed, the first statement returns the query results and the second deletes the entire table.
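The products example above, as an added demonstration that is not part of the original article: a Python sqlite3 script of my own construction, with a constructed in-memory products table, showing three outcomes for the same input "1;DELETE FROM products". A driver that executes every statement it is handed reproduces the stacked case; a driver that accepts only one statement per call illustrates the API limitation mentioned in 2.3; and a parameterized query binds the input as a value, so it is never parsed as SQL. The function names and the sample rows are assumptions of this example.

```python
import sqlite3

def fresh_db():
    """Constructed sample database with the products table used in the article's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.commit()
    return conn

def remaining_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]

def build_query(user_input):
    # The vulnerable construction from the article: the input is concatenated straight into SQL.
    return "SELECT * FROM products WHERE productid=" + user_input

def run_with_multi_statement_driver(user_input):
    """A driver that executes every statement it is handed (stacked queries possible).
    Returns the number of rows left in products afterwards."""
    conn = fresh_db()
    conn.executescript(build_query(user_input))  # executescript runs all statements in the string
    return remaining_rows(conn)

def run_with_single_statement_driver(user_input):
    """A driver that refuses more than one statement per call (the 'API limitation' of 2.3).
    Returns ("ok", rows_returned, rows_left) or ("rejected", 0, rows_left)."""
    conn = fresh_db()
    try:
        rows = conn.execute(build_query(user_input)).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3 raises because the string contains a second statement;
        # older Python versions raise Warning, newer ones ProgrammingError
        return ("rejected", 0, remaining_rows(conn))
    return ("ok", len(rows), remaining_rows(conn))

def run_parameterized(user_input):
    """The proper fix: the value is bound as data and never parsed as SQL.
    Returns (rows_returned, rows_left)."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM products WHERE productid=?", (user_input,)).fetchall()
    return (len(rows), remaining_rows(conn))

if __name__ == "__main__":
    payload = "1;DELETE FROM products"
    print("multi-statement driver, rows left:", run_with_multi_statement_driver(payload))
    print("single-statement driver:", run_with_single_statement_driver(payload))
    print("parameterized query:", run_parameterized(payload))
```

Note that the single-statement driver only blocks the stacked form; the concatenated query is still injectable through union and the other techniques in this article, which is why the parameterized version is the one to ship.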

4. Common SQL injection bypass techniques

4.1 WAF characteristics:

Most WAFs filter/intercept requests through regex matching.

Generally a WAF runs N rules at the same time; when these rules are all active, hitting just one of them is enough for the request to be blocked.

4.2 Core idea of bypassing a WAF:

Evade the WAF's regex matching rules while keeping the injected SQL statement parseable and executable by the database.

4.3 Common ideas

On the data:

Case variation (uppercase/lowercase); very old WAFs can be bypassed this way

Encryption and decryption, encoding and decoding

Equivalent functions/keywords, e.g. union select == union all select

Special symbols

Deserialization

Mixing in comments, a MySQL feature:

database/**/() == database()

Inline comments such as /*!<version number> <sql to execute>*/; not expanded on here

Method:

Change the submission method; some WAFs only inspect GET by default (useless if the backend does not read POST parameters)

Variation

Other:

FUZZ, i.e. fuzz testing: use scripts/tools to generate a large number of payloads, throw them all at the WAF, and see which statements get through

Database characteristics, e.g. MySQL:

union%23a%0Aselect 1,2,3#

== union#a<newline>select 1,2,3#

== union select 1,2,3

Another MySQL feature:

/*!select * from users*/ is executed normally

Junk data overflow

HTTP parameter pollution

When a parameter appears multiple times, the last occurrence is usually taken by default.

?id=1/**&id=-1%20union%20select%201,2,3%23*/

That is, the WAF sees the value as "1/**&id=-1 union select 1,2,3#*/", with the union select sitting inside a comment.

In MySQL, the content of "/* ... */" is not executed, so the WAF regards it as safe.

But because of how Apache handles repeated parameters,

the parameter finally received is: "-1 union select 1,2,3#*/"

Static resources, i.e. the original .php?id=1 is changed to .php/a.txt?id=1 (or b.js, etc.)

The result is not affected, but some old WAFs can be passed.

Using comments combined with parameter pollution to bypass a WAF has a relatively high success rate.
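To make the point of 4.1 to 4.3 concrete from the defender's side (a regex WAF matches bytes, the database parses tokens), here is an added Python example, constructed for this page and not code from the article or from any WAF product. It runs a naive rule `union\s+select` against constructed variants of one payload built from the case, inline-comment, `#`-plus-newline and `/*! ... */` tricks listed above, then runs the same rule after normalising the value roughly the way MySQL reads it (URL-decode, drop `/* */` bodies, keep `/*! */` bodies, strip `#` and `-- ` comments, collapse whitespace, case-fold). The decoding depth, the comment grammar and the sample strings are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for one parameter: the plain payload, variants built
# from the tricks the article lists, and a benign value for comparison.
SAMPLES = {
    "plain": "1 union select 1,2,3",
    "case": "1 UnIoN SeLeCt 1,2,3",
    "inline_comment": "1 union/**/select 1,2,3",
    "hash_newline": "1 union%23a%0Aselect 1,2,3%23",
    "versioned_comment": "1 union /*!select*/ 1,2,3",
    "benign": "1",
}

# A typical naive rule: literal keywords separated by whitespace, case-sensitive,
# applied to the raw parameter value.
NAIVE_RULE = re.compile(r"union\s+select")

def naive_waf_blocks(value):
    """Match the rule against the raw value, as a simplistic WAF would."""
    return bool(NAIVE_RULE.search(value))

def normalize(value):
    """Canonicalise the value roughly the way MySQL will read it before matching.
    Assumptions of this example: at most three rounds of URL-decoding, MySQL-style
    comment grammar, and that whitespace differences never change the SQL."""
    v = value
    for _ in range(3):                      # bounded so nested encoding cannot loop forever
        decoded = unquote_plus(v)
        if decoded == v:
            break
        v = decoded
    v = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", v, flags=re.S)   # /*!NNNNN body */: body is executed
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)             # /* body */ is ignored by MySQL
    v = re.sub(r"(#|--\s).*?(\n|$)", " ", v)                # '#' and '-- ' comments run to end of line
    v = re.sub(r"\s+", " ", v)                               # any whitespace run is one separator
    return v.casefold().strip()

def normalized_waf_blocks(value):
    """The same rule, applied after normalisation."""
    return bool(NAIVE_RULE.search(normalize(value)))

def compare_rules():
    """Return {sample name: (naive verdict, normalised verdict)} for every sample."""
    return {name: (naive_waf_blocks(v), normalized_waf_blocks(v)) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, normalized) in compare_rules().items():
        print(f"{name:18} naive={naive!s:5} normalized={normalized}")
```

Every non-benign sample normalises to the same string, `1 union select 1,2,3`, which is the property a rule should be matched against; the raw-byte rule catches only the plain form. A production WAF still has to bound the decoding work and handle dialect differences, which this example does not attempt.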

Notes on using sqlmap

~ sqlmap comes with its own User-Agent; the parameter can be changed, for example to the UA of a search engine such as Baidu.

~ tamper scripts for bypassing WAFs can be set to improve the success rate, and writing such scripts is easy.

~ when testing yourself, proxy sqlmap's traffic to Burp with the relevant parameters, then compare it with your normal browser traffic to see the difference.

~ when necessary, connect a proxy pool directly and brute-force it together.

5. SQL injection precompilation (prepared statements) and common bypass techniques

5.1 Overview

Precompilation (prepared statements) is generally used in Java frameworks; it can intercept a lot of injections while improving the efficiency of SQL statements.

But it can still be bypassed.

5.2 Specific methods

5.2.1 ASC/DESC

Application scenario:

When an application displays multiple records, the user can usually choose ascending or descending order, and ASC/DESC is used.

ASC/DESC is a keyword that affects the semantics of the SQL statement and cannot be enclosed in single quotation marks.

Assume ASC/DESC is received from the front end; then there is a risk of injection.

How to handle it:

The safer way is a whitelist: there are only two sort directions, so a simple conditional statement suffices.
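An added Python sqlite3 example for the ASC/DESC case, not from the article: the first function shows why binding the direction as a parameter does not work, since `ORDER BY ?` sorts by the bound string literal and the requested direction is silently ignored (this is the practical meaning of "cannot be enclosed in single quotation marks"), and the second implements the whitelist the section recommends. The table, the sample rows and the function names are constructed for this example.

```python
import sqlite3

# The only two values the application should ever splice into ORDER BY.
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def sample_db():
    """Constructed sample data: three products whose price order differs from their id order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productid INTEGER PRIMARY KEY, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, 30), (2, 10), (3, 20)])
    return conn

def ids_with_bound_direction(direction):
    """The tempting but wrong approach: bind the direction like any other value.
    A bound parameter is a string literal, so ORDER BY ? sorts by the constant
    'ASC' or 'DESC' and the requested direction is ignored; ORDER BY price ?
    would not even parse. This is why the keyword cannot be quoted."""
    conn = sample_db()
    rows = conn.execute("SELECT productid FROM products ORDER BY ?", (direction,))
    return [r[0] for r in rows]

def direction_is_accepted(direction):
    """Whitelist check: only the two known keywords pass, after trimming and case-folding."""
    return direction.strip().lower() in ALLOWED_DIRECTIONS

def ids_with_whitelisted_direction(direction):
    """The safe approach the article recommends: map the input onto one of two fixed
    keywords and splice the canonical keyword, never the raw input, into the SQL."""
    if not direction_is_accepted(direction):
        raise ValueError("sort direction must be ASC or DESC")
    keyword = ALLOWED_DIRECTIONS[direction.strip().lower()]
    conn = sample_db()
    rows = conn.execute(f"SELECT productid FROM products ORDER BY price {keyword}")
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("bound 'ASC' :", ids_with_bound_direction("ASC"))
    print("bound 'DESC':", ids_with_bound_direction("DESC"))
    print("whitelist asc :", ids_with_whitelisted_direction("asc"))
    print("whitelist desc:", ids_with_whitelisted_direction("desc"))
    print("accepted 'desc,(select 1)':", direction_is_accepted("desc,(select 1)"))
```

The same pattern applies to any other SQL fragment that is structural rather than a value (column names, table names, LIMIT clauses in some dialects): map the user's choice onto a fixed set of server-side constants instead of trying to bind or escape it.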
