2025-02-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/02 Report
This article presents a "sample analysis of the principle of wide-byte injection attacks in Web", which is easy to follow and well organized. I hope it helps resolve your doubts; let me walk you through the article "sample analysis of the principle of wide-byte injection attacks in Web".
Wide byte injection attack
The test address for the wide-byte injection attack is http://127.0.0.1/sqli/kuanzijie.php?id=1.
The result returned when visiting the page with id=1' is shown in figure 46. Instead of reporting an error, the program adds an escape character (a backslash).
Figure 46 single quotation marks escaped
As the returned results show, the parameter id=1 is surrounded by single quotation marks when the database is queried. When id=1' is passed, the single quotation mark is escaped with a backslash, so the value of id cannot break out of the enclosing quotation marks, and in general there is no SQL injection vulnerability here. There is one special case: when the database connection encoding is GBK, wide-byte injection can be used. The wide-byte form appends %df to the value and then the single quotation mark. The backslash is encoded as %5c, and in GBK encoding %df%5c forms a single two-byte character (a traditional Chinese character), so the backslash is swallowed, the single quotation mark escapes its enclosure, and MySQL reports a database error, as shown in figure 47.
Figure 47 using wide bytes to break out of the enclosing single quotation marks
Because the input parameter id=1' leaves the SQL statement with an extra single quotation mark, you need to use a comment to comment out the program's own closing single quotation mark. The result returned when visiting the page with id=1%df'--+ is shown in figure 48; the SQL statement now conforms to the syntax.
Figure 48 annotate single quotation marks with comments
To confirm the injection further, use and 1=1 and and 1=2: visit id=1%df' and 1=1--+ and id=1%df' and 1=2--+; the returned results are shown in figures 49 and 50.
Figure 49 result of visiting the page with id=1%df' and 1=1--+
Figure 50 result of visiting the page with id=1%df' and 1=2--+
With and 1=1 the program returns normally, and with and 1=2 it returns an error, so the parameter id is confirmed to have a SQL injection vulnerability. Next, order by is used to find the number of fields in the database table, which turns out to be 3, as shown in figure 51.
Figure 51 gets the number of fields in the database table
Because the page displays the contents of the database directly, Union injection can be used. As in ordinary Union injection, the Union statement at this point is union select 1,2,3. For the page to return the result of the Union query, the value of id must be changed to a negative number, as shown in figure 52.
Figure 52 combined with Union injection
Then try to query the name of the current database (database()) in position 2 on the page with the following statement:
id=-1%df' union select 1,database(),3--+
The result returned is shown in figure 53.
Figure 53 get database ()
When querying the table names of a database, the following statement is usually used:
id=-1%df' union select 1,(select table_name from information_schema.tables where table_schema='sql' limit 0,1),3--+
But here the single quotation marks around 'sql' are escaped as well, so extra backslashes appear automatically and the SQL statement becomes invalid. Another method is needed: a nested query, that is, a query statement placed inside another query statement. The modified statement for querying the table names is:
id=-1%df' union select 1,(select table_name from information_schema.tables where table_schema=(select database()) limit 0,1),3--+
As you can see, the original table_schema='sql' becomes table_schema=(select database()), because the result of select database() is 'sql'; this is the nested query, as shown in figure 54.
Figure 54 get the table name of the database
The returned result shows that the first table name in the database is emails. To query the following table names, modify the number after limit; this is not repeated here. The following statement is used to try to query the fields of the emails table:
id=-1%df' union select 1,(select column_name from information_schema.columns where table_schema=(select database()) and table_name=(select table_name from information_schema.tables where table_schema=(select database()) limit 0,1) limit 0,1),3--+
Three layers of nesting are used here: the first layer is table_schema, which nests the database name, and the nesting of table_name supplies the second and third layers. There are two limit clauses in the statement; the first controls which table name is selected, so if the table to be queried is users rather than emails, the value of that limit must be changed, as shown in figure 55. The remaining steps are the same as in Union injection and are not repeated here.
Figure 55 get the database field name
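As an added example that is not part of the original article, the following script shows a defender-side check for the request shape used throughout the walkthrough above: a URL-decoded parameter in which a GBK lead byte (0x81 to 0xFE) is immediately followed by a quotation mark instead of a valid trail byte, which is exactly the byte pattern that becomes a single wide character once addslashes() inserts the backslash. The access-log lines are constructed for the example, and the function names and the request regex are assumptions, not anything from the article. Well-formed two-byte GBK values (such as Chinese text in a search parameter) are skipped, so they do not trigger the check.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample access-log lines (not from any real server). Line 2 carries
# %df directly before a quote; line 3 carries a legitimate GBK-encoded value;
# line 4 carries a plain quote, which is a different signal and is not flagged here.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2025:10:00:01 +0000] "GET /sqli/kuanzijie.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [14/Feb/2025:10:00:02 +0000] "GET /sqli/kuanzijie.php?id=1%df%27%20and%201=1--+ HTTP/1.1" 200 512
10.0.0.9 - - [14/Feb/2025:10:00:03 +0000] "GET /search.php?name=%d6%d0%b9%fa HTTP/1.1" 200 1024
10.0.0.9 - - [14/Feb/2025:10:00:04 +0000] "GET /sqli/kuanzijie.php?id=1%27 HTTP/1.1" 500 128
"""

# Hypothetical log format: only the request target is extracted.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
QUOTES = (0x27, 0x22)  # ' and "


def dangling_lead_before_quote(value: bytes):
    """Return the offset of a GBK lead byte (0x81-0xFE) whose next byte is a
    quote, or None. Quotes are below 0x40 and can never be GBK trail bytes, so
    such a lead byte is incomplete; a backslash inserted by addslashes() would
    complete it and swallow the escape. Well-formed two-byte characters
    (trail byte 0x40-0xFE except 0x7F) are skipped as a unit."""
    i = 0
    while i < len(value):
        b = value[i]
        if 0x81 <= b <= 0xFE and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in QUOTES:
                return i
            if 0x40 <= nxt <= 0xFE and nxt != 0x7F:
                i += 2  # skip the trail byte of a well-formed character
                continue
        i += 1
    return None


def suspicious_params(target: str):
    """Decode each query parameter to raw bytes and report (name, offset)
    for every value containing a dangling lead byte before a quote."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        offset = dangling_lead_before_quote(unquote_to_bytes(raw))
        if offset is not None:
            hits.append((name, offset))
    return hits


def scan_log(text: str):
    """Return (line_number, parameter, byte_offset) for each flagged request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, offset in suspicious_params(m.group(1)):
            findings.append((n, name, offset))
    return findings


if __name__ == "__main__":
    for n, name, offset in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {name!r} has a GBK lead byte before a quote at offset {offset}")
```

The check is deliberately narrow: it looks for the encoding property the attack depends on rather than for SQL keywords, so it also catches variants that use other lead bytes than %df, and it stays quiet on genuine GBK text.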
Analysis of wide byte injection code
In the wide-byte injection page, the program takes the GET parameter id, escapes it with addslashes(), and splices it into the SQL statement that is then executed. The code is as follows.
When accessing id=1', the SQL statement executed is:
Select * from users where id='1\'
You can see that the single quotation mark is escaped by the escape character "\", so in general it cannot be injected. There is nevertheless a wide-byte injection vulnerability here, because SET NAMES 'GBK' is executed before the database query, setting the connection encoding to the wide-byte GBK character set.
In PHP, a wide-character injection vulnerability may also exist when transcoding with iconv().
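The following Python script is an added example, not the article's PHP code. It models at the byte level why the addslashes() plus SET NAMES 'GBK' combination analysed in this section (and first described in the figure 47 discussion above) fails, and contrasts it with a charset-aware escape that decodes the input in the connection charset before escaping, which is the property a charset-aware escaper such as mysqli_real_escape_string() has once mysqli_set_charset() has been called. The function names are assumptions made for the example; the query shape is the one quoted in the section above.

```python
# Added example: byte-level model of addslashes() under a GBK connection.
# Not the article's PHP code; function names are hypothetical.

def addslashes(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): put a backslash in front of every
    ' " and \\ byte without any knowledge of the character set (PHP's NUL
    handling is left out of this model)."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)  # the backslash byte
        out.append(b)
    return bytes(out)


def build_query(escaped_id: bytes) -> bytes:
    """Splice the escaped bytes into the page's query shape."""
    return b"select * from users where id='" + escaped_id + b"'"


def count_string_delimiters(sql: str) -> int:
    """Count single quotes that act as string delimiters in the decoded
    statement. A backslash consumes the following character, so \\' is an
    escaped quote inside the literal. An odd count means a quote broke out."""
    n = i = 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2
            continue
        if sql[i] == "'":
            n += 1
        i += 1
    return n


def delimiters_seen_by_server(user_input: bytes, charset: str) -> int:
    """addslashes() the raw bytes, build the query, then decode it the way a
    server whose connection charset is `charset` would before parsing it."""
    sql = build_query(addslashes(user_input))
    return count_string_delimiters(sql.decode(charset, errors="replace"))


def escape_in_charset(user_input: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode first, rejecting byte sequences that are
    not valid characters in the connection charset, escape at the character
    level, then re-encode. A lone lead byte followed by a quote never survives
    this step. Prepared statements avoid the issue altogether."""
    try:
        text = user_input.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc.reason}") from None
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    payload = b"1\xdf'"  # the article's id=1%df' after URL decoding
    for cs in ("latin-1", "gbk"):
        q = build_query(addslashes(payload)).decode(cs, errors="replace")
        print(f"{cs:8} {q!r}  delimiters={count_string_delimiters(q)}")
    try:
        escape_in_charset(payload, "gbk")
    except ValueError as err:
        print("charset-aware escape rejected it:", err)
    print(escape_in_charset("1中'".encode("gbk"), "gbk"))
```

Under a single-byte charset the query keeps two delimiters and the quote stays inside the literal; under GBK the same bytes yield three delimiters because %df and the inserted backslash have merged into one character. The charset-aware path either rejects the malformed input or keeps the backslash attached to the quote after re-encoding.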
The above is the full content of the article "sample analysis of the principle of wide-byte injection attacks in Web". Thank you for reading! I hope the content shared here has been helpful.