2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the principle behind Base64 injection attacks in web security. The explanation is simple and clear, and easy to learn and understand. Follow along with the editor to study the principle of Base64 injection attacks step by step.
Base64 injection attack
Base64 attack test address: 127.0.0.1/sqli/base64.php?id=MQ%3d%3d.
As the URL shows, the id parameter is Base64 encoded (%3d is the URL encoding of =). Decoding it gives an id of 1. Next, append a single quotation mark and Base64 encode the two together, as shown in Figure 59.
Figure 59 Base64 encoding 1'
When the URL with the encoded id=1' is accessed (127.0.0.1/sqli/base64.php?id=MSc%3d), the page returns an error. The Base64 encodings of 1 and 1=1 and of 1 and 1=2 are MSBhbmQgMT0x and MSBhbmQgMT0y respectively. Visit id=MSBhbmQgMT0x and id=MSBhbmQgMT0y in turn. The returned results are shown in Figure 60 and Figure 61.
Figure 60 Results of visiting id=MSBhbmQgMT0x
Figure 61 Results of visiting id=MSBhbmQgMT0y
The returned results show that when visiting id=1 and 1=1, the page returns the same result as id=1, while when visiting id=1 and 1=2, the page returns a different result from id=1, so this page has an SQL injection vulnerability.
From there, order by is used to determine the number of fields in the query, and the union method is used to complete the injection.
Base64 injection code analysis
In the Base64 injection page, the program obtains the GET parameter id, uses base64_decode() to Base64 decode it, and then concatenates the decoded $id directly into the select statement for the query. The query results are output to the page through a while loop, as shown below.
An SQL injection vulnerability exists because the code does not filter the decoded $id and concatenates it directly into the SQL statement. When id=1 union select 1,2,3--+ is accessed (the value is Base64 encoded before the request is sent), the SQL statement executed is:
select * from users where `id`=1 union select 1,2,3--+
At this point the SQL statement can be split into two parts: select * from users where `id`=1 and union select 1,2,3. The second part (the union query) can be used to obtain data from the database.
This attack method has other exploitation scenarios. For example, if a WAF is present, it inspects the id parameter in transit, but because the id in transit is Base64 encoded, the WAF is very likely not to detect the dangerous code, so WAF detection is bypassed.
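The flaw described above and one way to close it, as an added example that is not code from the original article. It uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL page; the table columns, sample row and function names are assumptions.

```python
import base64
import sqlite3

def encode_id(value):
    """Base64-encode a value the way the page's id parameter is encoded."""
    return base64.b64encode(value.encode()).decode()

def make_db():
    # Constructed sample data; three columns to match the page's "union select 1,2,3".
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, password text)")
    db.execute("insert into users values (1, 'alice', 'constructed-secret')")
    return db

def lookup_vulnerable(db, id_param):
    # The flaw described above: decode, then concatenate into the SQL text.
    decoded = base64.b64decode(id_param).decode()
    return db.execute("select * from users where `id`=" + decoded).fetchall()

def lookup_hardened(db, id_param):
    # 1. Strict decode: reject input that is not well-formed Base64 ASCII.
    try:
        decoded = base64.b64decode(id_param, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        raise ValueError("id is not valid Base64") from None
    # 2. Validate the decoded value, not the encoded form seen in transit.
    if not decoded.isdigit() or len(decoded) > 10:
        raise ValueError("id must be a short decimal integer")
    # 3. Bind the value as a parameter so it can never become SQL syntax.
    return db.execute("select * from users where id = ?", (int(decoded),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = encode_id("1 union select 1,2,3--+")  # query string from the page
    print(lookup_vulnerable(db, payload))   # includes the injected row
    print(lookup_hardened(db, "MQ=="))      # id=1 from the page's test URL
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the check runs after decoding, it does not depend on a WAF recognising the encoded parameter in transit.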
Thank you for reading. That concludes this explanation of the principle behind Base64 injection attacks. After studying this article, you should have a deeper understanding of the principle; how it applies in specific situations still needs to be verified through practice. The editor will continue to publish more articles on related topics.