2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shows "how to solve the security problem of SQL injection" together with the related file upload, command injection and CSRF issues met in the same practice labs. The content is simple and clear, and I hope it helps resolve your doubts. Let me lead you through it.
1. Blacklist filtering technology
1. Filter SQL key fields
Commonly filtered keywords: and, or, union, select, quotation marks, spaces, etc.
A related technique does not reject the request at all but escapes the input or strips the illegal keywords out of it before the value reaches the query.
Bypass methods:
1. Case variation, for a case-sensitive filter: id=-1 UniOn sEleCt 1,2,3
2. Encoding: hex encoding of string literals (0x64767761 instead of 'dvwa'), URL encoding, or double URL encoding where the filter runs before a second decode
3. Inline comments in place of the filtered space: union/**/select
4. Equivalent replacement: and -> &&, or -> || (MySQL syntax)
5. Truncation: commenting out the remainder of the original query with -- or #
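As an added illustration (not code from the original article), the following Python script models the case-sensitive substring blacklist described above, shows a payload that passes it with mixed case and inline comments, and contrasts the concatenated query with a parameterized one. The schema, table names and the secret value are constructed for the example, and SQLite stands in for MySQL, so the and/or to &&/|| substitution is not shown (SQLite has no &&).

```python
import sqlite3

# Case-sensitive substring blacklist of the kind described above (constructed for this example).
BLACKLIST = ["and", "or", "union select", "'", " "]


def naive_blacklist_allows(value: str) -> bool:
    """Return True if the filter would let the value through."""
    return not any(bad in value for bad in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the users table the query targets and a secrets table it must never expose."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT)")
    con.executemany("INSERT INTO users VALUES(?, ?)", [(1, "alice"), (2, "bob")])
    con.execute("CREATE TABLE secrets(id INTEGER, token TEXT)")
    con.execute("INSERT INTO secrets VALUES(1, 'constructed-secret')")
    return con


def vulnerable_lookup(con: sqlite3.Connection, id_value: str) -> list:
    """Blacklist followed by string concatenation: the attacker still controls the SQL."""
    if not naive_blacklist_allows(id_value):
        return []
    return con.execute(f"SELECT id, username FROM users WHERE id={id_value}").fetchall()


def safe_lookup(con: sqlite3.Connection, id_value: str) -> list:
    """Parameterized query: the value is bound as data and never parsed as SQL, no blacklist needed."""
    return con.execute("SELECT id, username FROM users WHERE id=?", (id_value,)).fetchall()


# Bypass payload: mixed case defeats the case-sensitive match, /**/ replaces the blocked
# space, and a numeric parameter needs no quote at all.
BYPASS = "-1/**/UniOn/**/SeLeCt/**/id,token/**/FROM/**/secrets"
# The same attack written plainly is caught by the blacklist.
BLOCKED = "-1 union select id,token from secrets"

if __name__ == "__main__":
    con = make_db()
    print(naive_blacklist_allows(BLOCKED), naive_blacklist_allows(BYPASS))  # False True
    print(vulnerable_lookup(con, BYPASS))   # [(1, 'constructed-secret')]
    print(safe_lookup(con, BYPASS))         # []
    print(safe_lookup(con, "1"))            # [(1, 'alice')]
```

The parameterized version is the actual fix: the payload is compared as a (non-numeric) text value against the id column and matches nothing, whereas the blacklist only raises the cost of writing the payload.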
2. File upload vulnerabilities
When we surf the Internet we often use the file upload function: uploading a profile picture, a document, a video, and so on. We all know this is a normal function, but have you ever thought about how the server handles or parses these files after they are uploaded? If the server is not careful when handling uploaded files, it leads to security incidents, for example a web script uploaded for the server to execute, or:
(1) uploading Trojan (malware) files to induce users or administrators to download them
(2) uploading phishing files
(3) uploading fraudulent documents
File upload vulnerability core
For a file upload attack to succeed, two conditions generally have to hold:
(1) the file containing the webshell can be uploaded to the server successfully;
(2) the file is parsed (executed) by the server, and we can reach the uploaded file by its URL.
Implementation core: upload bypass technology
Generally speaking, the checks encountered during file upload are:
(1) client-side JavaScript check (usually of the file extension)
(2) server-side MIME type check (of the Content-Type header)
(3) server-side directory path check (of path-related parameters)
(4) server-side file extension check
(5) server-side file content check (whether the content is legal or contains malicious code)
Client-side check bypass (JavaScript check)
This kind of check is JavaScript on the upload page, most commonly testing whether the extension is legal. Because it runs in the attacker's own browser it is trivially bypassed.
Practice: create the webshell file (e.g. shell.php) -> rename it to a legal extension (shell.png) -> intercept the request in Burp and change the filename back to shell.php -> upload
Server-side check bypass (MIME type check)
This check runs on the server and compares the Content-Type of the uploaded part against a whitelist or blacklist. Since that header is supplied by the client, it is just as easy to bypass.
Practice: create the webshell (e.g. shell.php, which the browser sends as Content-Type: text/plain) -> intercept in Burp and change it to Content-Type: image/gif -> upload
Server-side check bypass (directory path check)
This check runs on the server and generally tests whether the path is legal, but it often has no defense against slightly unusual names. For example shell.php[\0].png, or URL-encoded shell.php%00.png: 0x00 is the string terminator in C, so when the server (PHP before 5.3.4, or any C-backed file API) writes the file it stops at the null byte and saves shell.php, which then executes as PHP. The same applies when the name or save path is submitted in the POST body.
Note: the idea behind the bypass is to end the name with the extension the check wants to see, and then truncate the name so that the real extension is what gets written.
Server-side check bypass (file extension check)
As the name implies, this checks the file extension. A whitelist is the proper defense, but blacklists are still common.
1. Blacklist, e.g. the extension must not be html, php, php3, php4, asp, exe, bat, jsp
+ file name case: a case-sensitive blacklist is bypassed with names such as AsP, pHp (on Windows, or wherever the handler mapping is case-insensitive)
(1) list bypass: use an extension that is not in the blacklist but is still executed, for example asa or cer on IIS, or another extension the PHP handler is mapped to
(2) special file names: change the file name in the HTTP request to test.asp. or test.asp_ (the underscore standing for a trailing space). Such names cannot be created in Windows, so they are set in Burp; after the check passes, Windows removes the trailing dot or space and saves test.asp. Note that Unix/Linux does not do this.
(3) .htaccess attack: on Apache, if .htaccess is not blacklisted, upload a custom .htaccess (with an AddType or SetHandler line) and you can define which extensions are parsed as PHP, bypassing all kinds of checks
(4) parsing vulnerabilities: combine a web-server or application parsing bug with the upload of a non-blacklisted file that contains injected code, then get the file executed through the parsing bug
2. Whitelist: safer than a blacklist, but not necessarily absolutely safe.
(1) 0x00 truncation bypass
Use a name such as test.asp%00.jpg: the whitelisted extension .jpg satisfies the check, and the null byte truncates the name to test.asp when the file is written, exploiting a logic hole in the server code. At present, I have only encountered such vulnerabilities in ASP programs.
+ parsing vulnerabilities: upload a whitelisted file with injected code, then get it executed through a web-server parsing vulnerability.
(2) .htaccess file attack
The PHP manual's move_uploaded_file section carries the warning "If the destination file already exists, it will be overwritten." If PHP is not configured securely, move_uploaded_file can be used to overwrite the server's .htaccess, after which you can define the parsing list at will.
Server-side check bypass (file content check)
If the file content check is strict, the upload attack becomes very difficult; it can be regarded as the last barrier at the code layer. If it is breached, then even with no other vulnerability in the code it opens the way to exploiting a parsing vulnerability at the application layer.
(1) File magic number check
This checks the magic number at the start of the file content. To bypass it, prepend the expected bytes: JPEG = FF D8 FF E0 00 10 4A 46 49 46 (the JFIF header), GIF = 47 49 46 38 39 61 ("GIF89a"), PNG = 89 50 4E 47.
(2) File information check
Image information is commonly checked with PHP's getimagesize(); to pass it, it is enough to forge the header part of the file, i.e. add some image metadata behind the magic number, giving a structure like:
GIF89a (... some binary data for the image ...) (... rest of the file ...)
(3) File loading check
This is the hardest check: the server calls an API or library to actually load the file, usually rendering it as an image, and in its strictest form re-renders it and stores the re-encoded output (secondary rendering). Against plain rendering the attack is still code injection into a part of the file the decoder tolerates; against secondary rendering the attack shifts to the loader itself, i.e. vulnerabilities in the image library.
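Added example, not code from the original article: a Python model of the upload checks listed above. weak_check chains a case-sensitive extension blacklist, a client-supplied Content-Type test and an "any image magic number" test in the way the text describes, and strict_check is the hardened version a reviewer would ask for: reject NUL bytes, normalise trailing dots and spaces, whitelist exactly one extension, require the magic number that matches that extension, and store under a server-chosen random name. The blacklist contents, magic numbers and sample file names come from the text; the script marker scan is a crude stand-in for the re-encoding (secondary rendering) step, which an image library should perform in production.

```python
import os
import secrets

# Magic numbers quoted in the text, keyed by the extension they belong to
MAGIC = {
    "jpg": bytes.fromhex("FFD8FF"),
    "gif": b"GIF89a",
    "png": bytes.fromhex("89504E470D0A1A0A"),
}
# Extension blacklist of the kind quoted above: lowercase only, no .phtml, no .htaccess
BLACKLIST = {"html", "php", "php3", "php4", "asp", "exe", "bat", "jsp"}
WHITELIST = {"png", "gif", "jpg"}


def weak_check(filename: str, content_type: str, data: bytes):
    """The three server-side checks chained the careless way; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1]                        # raw and case-sensitive
    if ext in BLACKLIST:
        return False, "blacklisted extension"
    if not content_type.startswith("image/"):                # trusts the client's header
        return False, "content type not an image"
    if not any(data.startswith(m) for m in MAGIC.values()):  # any image magic is fine
        return False, "no image magic number"
    return True, "stored as " + filename                     # keeps the client's name


def strict_check(filename: str, content_type: str, data: bytes):
    """Whitelist validation that closes the bypasses above; Content-Type is ignored on purpose
    because the client controls it. Returns (accepted, reason_or_new_name)."""
    if "\x00" in filename:
        return False, "NUL byte in filename"
    base = os.path.basename(filename).lower().rstrip(". ")   # Windows drops trailing dots/spaces
    if "." not in base or base.startswith("."):              # also blocks .htaccess
        return False, "no usable extension"
    stem, ext = base.rsplit(".", 1)
    if ext == "jpeg":
        ext = "jpg"
    if ext not in WHITELIST:
        return False, "extension not whitelisted"
    if "." in stem:                                          # shell.php.png and friends
        return False, "double extension"
    if not data.startswith(MAGIC[ext]):                      # magic must match the extension
        return False, "magic number does not match extension"
    if b"<?" in data or b"<script" in data.lower():          # crude polyglot scan; re-encode in production
        return False, "script marker in image body"
    return True, secrets.token_hex(16) + "." + ext           # server-chosen name, never the client's


if __name__ == "__main__":
    polyglot = b"GIF89a<?php system($_GET['c']); ?>"         # constructed GIF/PHP polyglot
    print(weak_check("shell.pHp", "image/gif", polyglot))    # (True, 'stored as shell.pHp')
    print(strict_check("shell.pHp", "image/gif", polyglot))  # (False, 'extension not whitelisted')
    print(weak_check("shell.php\x00.png", "image/png", MAGIC["png"]))   # (True, ...)
    print(strict_check("shell.php\x00.png", "image/png", MAGIC["png"])) # (False, 'NUL byte in filename')
    print(strict_check("photo.PNG", "image/png", MAGIC["png"] + b"constructed-pixels")[0])  # True
```

Even strict_check is only a gate: the file should also be written outside the web root or served with a handler that never executes it, which is the second of the two attack conditions named above.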
3. Practical examples
1. DVWA SQL injection
(1) copy the corresponding URL into the URL tool, click Load URL, then click Execute
(2) construct the closing quote, get the database name (dvwa), and then provoke a system error as in the earlier routine. The error is that
the system automatically adds a \ before the quote (escaping), so the constructed statement breaks. To avoid this, give the system nothing to escape: encode the string dvwa in hexadecimal (0x64767761) so that no single quotation marks appear in the statement; the system then adds no special characters, and the constructed query goes through.
(3) similarly, dump the data with the SQL statements used before.
2. Take Less-25 as an example
(1)
http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select ()--+   // close the quote according to the echo and expose database()
(2)
http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select 1 column name from infoorrmation_schema.columns where table_name = table_name aAndnd table_schema = database()--+   // reveals the table name table_name and column name column_name; the doubled spellings infoorrmation_schema and aAndnd are deliberate and become information_schema and and once the filter strips one "or" / "and"
(3)
http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select 3jin2 dint id from emails--+   // reveals the data
Summary: first we keep constructing the closing input and observe the echo, and find that the system strips the strings "and" and "or" (the "+" in the URL stands for a space, which is why --+ works as a comment).
Then we try: mixed-case and/or (if the strip is case-sensitive); doubling the keyword (aAndnd, oorr) so that after one occurrence is stripped the other remains; replacing and with && and or with ||; or hex encoding and URL encoding. The same applies to "or" wherever it appears inside another word (such as information), which must be protected in the same way. The key is to get past the system's filter and still achieve the goal.
3. Take Less-26 as an example
The and/or handling is the same as Less-25. The space is filtered as well, so replace it with other whitespace that MySQL accepts between keywords: the URL-encoded TAB (%09) or newline (%0a) instead of %20.
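Added example, not from sqli-labs or the article, modelling the filter behaviour the Less-25 and Less-26 notes describe: a single-pass, case-insensitive strip of or and and, and a strip of the space character. It shows why the doubled spellings infoorrmation_schema and aAndnd survive, why a strip that loops until nothing changes closes that particular hole, and, using SQLite as a stand-in for MySQL, that TAB and newline separate keywords just as well as a space. The regexes are my model of the filter, not the lesson's PHP source.

```python
import re
import sqlite3


def less25_style_filter(value: str) -> str:
    """Single-pass, case-insensitive removal of 'or' and then 'and' (my model of the lesson's filter)."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value


def strip_until_stable(value: str) -> str:
    """Same strip, repeated until a pass removes nothing: the double-write trick no longer works."""
    while True:
        stripped = less25_style_filter(value)
        if stripped == value:
            return value
        value = stripped


def less26_style_filter(value: str) -> str:
    """Less-26 style: and/or removal plus removal of the space character, but not other whitespace."""
    return less25_style_filter(value).replace(" ", "")


def run_sql(sql: str) -> list:
    """Execute one statement against an empty in-memory SQLite database and return the rows."""
    return sqlite3.connect(":memory:").execute(sql).fetchall()


if __name__ == "__main__":
    print(less25_style_filter("infoorrmation_schema"))   # information_schema
    print(less25_style_filter("aAndnd"))                 # and
    print(less25_style_filter("order by 3"))             # der by 3  (legitimate words break too)
    print(strip_until_stable("aAndnd"))                  # '' (looping strip eats both copies)
    # %09 in the URL is a tab: no space for the filter to remove, still valid SQL whitespace
    payload = "1\tunion\tselect\t2"
    print(less26_style_filter(payload) == payload)       # True
    print(run_sql("select " + less26_style_filter(payload)))  # [(1,), (2,)]
    print(less26_style_filter("1 union select 2"))       # 1unionselect2 (broken SQL)
```

The loop closes the double-write bypass but leaves every other bypass (case, encoding, && and ||, alternative whitespace) open, and it still mangles legitimate input such as order by; the lasting fix is a parameterized query rather than a better strip.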
4. Take http://192.168.122.130/DVWA-1.9/vulnerabilities/exec/ as an example. The interface is a ping form.
This interface has a command injection hole: the input is spliced into a shell command, so a shell connector lets you run other commands alongside the ping. Entering 127.0.0.1 || pwd in the input field gives the following result:
the current working directory appears in the output, and from there the vulnerability can be used to fetch whatever data we want.
The "one sentence Trojan horse" (one-line webshell) comes in here: it is written to a file with echo, e.g.
echo '...' > 123.php
[sometimes, so that the victim does not notice, the one-liner is written in other forms:
echo '...' > 1234.php]
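As an added example (mine, not DVWA's PHP source), the following Python shows the two halves of the ping problem above: the string that a vulnerable page effectively hands to the shell, and a replacement that validates the target as an IP address or plain hostname and then runs ping as an argv list with no shell at all, so the || in 127.0.0.1 || pwd can never become a second command. The -c 1 flag assumes a Linux/macOS ping as in the DVWA lab.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname label: letters, digits and hyphens, no leading or trailing hyphen.
# Requiring a leading alphanumeric also stops argument injection such as a target of "-f".
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def vulnerable_command(target: str) -> str:
    """What the vulnerable page effectively runs: the field is spliced into a shell command line,
    so shell connectors in the input (|| ; & |) become part of the command."""
    return "ping -c 1 " + target


def validated_target(target: str) -> str:
    """Return the target if it is an IP address or a plain hostname; raise ValueError otherwise."""
    try:
        return str(ipaddress.ip_address(target))      # accepts IPv4 and IPv6 literals only
    except ValueError:
        pass
    if len(target) <= 253 and HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError("refusing to ping %r" % target)


def is_valid_target(target: str) -> bool:
    try:
        validated_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list:
    """argv for subprocess.run(..., shell=False): no shell is involved, so even a value that
    slipped past validation could only ever be one argument to ping, never a second command."""
    return ["ping", "-c", "1", validated_target(target)]


def run_ping(target: str) -> int:
    """Run the validated ping without a shell and return its exit status."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1 || pwd"))   # ping -c 1 127.0.0.1 || pwd  -> the shell runs pwd
    print(safe_ping_argv("127.0.0.1"))              # ['ping', '-c', '1', '127.0.0.1']
    print(is_valid_target("127.0.0.1 || pwd"))      # False
```

Validation and shell=False are two independent layers: the allow-list stops the payload at the door, and the argv call guarantees that whatever does get through is data for ping rather than syntax for sh.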
Fourth, combine File Inclusion and File Upload to realize the attack.
(1) Select DVWA security Low under http://192.168.122.130/DVWA-1.9/security.php
Then in File Upload upload a .php file containing the one-line webshell; with the upload directory known, add the URL and password to China Chopper (中国菜刀) to list all directories. At this point you can tamper with, delete and upload files. (Sometimes a check is bypassed by naming the file 123.php%00.png, where %00 is the null byte that ends the name when it is written, so the stored file is 123.php.)
In China Chopper, add the entry as shown below for the file written by echo '...' > 123.php
The directory listing can then be obtained from China Chopper as follows:
(2) Select DVWA security Medium under http://192.168.122.130/DVWA-1.9/security.php
Uploading a .php file now returns an error and is refused, because the server checks the Content-Type of the upload, so we give the webshell a format the upload accepts; here the one-line webshell is sent as a png.
Set the browser proxy manually.
Start Burp, intercept the request and rename the file back to .php in the request.
Then Action -> Send to Repeater, click Go in Repeater and observe the right-hand window: the file has been uploaded. Open China Chopper and connect as before.
(3) Select DVWA security High under http://192.168.122.130/DVWA-1.9/security.php
First, if the picture is accepted at all, then the uploaded picture itself must carry the payload: open the image in a hex editor such as WinHex, append the one-line webshell to the image data and save the result as a new file.
Alternatively use the cmd command: copy 1.png /b + 123.php /a TCP.png. Here 1.png is a normal picture and 123.php is the one-line webshell; the binary copy joins them into TCP.png, which uploads successfully.
After the image is uploaded it cannot be renamed as at Medium level; the server now checks the extension and the image header, so the file is stored as a .png.
Therefore it has to be triggered: the image is not executed on its own, it must be included through the File Inclusion page so that PHP parses the embedded code (or you wait for the administrator of the attacked system to trigger it). After that, open China Chopper in the same way and obtain the directory listing.
Fifth, how to deal with some unusual levels:
Compare the requests before and after the upload, observe what changes and what stays the same (by diffing them), and then make targeted changes to the uploaded data to achieve the goal.
Some other methods of attack:
1. Take http://192.168.122.130/DVWA-1.9/vulnerabilities/upload/ as an example: write a trigger instruction into a picture, so that when the administrator runs a command that loads the picture, the code embedded in it is executed; that is, pre-embed a commonly used trigger instruction!
2. Find where the target system stores temporary upload files by default, and modify the contents there (for example add an executable file containing a Trojan) to achieve the desired effect.
3. For systems that automatically rename uploaded files, so that what we upload can never be executed, use a race condition: because the server needs a certain time to process each file, upload the same file at high frequency, so that the back end does not manage to rename one or two of them before we request them; if we can reach such a file in that window it executes and the attack succeeds!
6. CSRF: Cross-Site Request Forgery (exploits the victim's cookie)
Construct a URL and induce the victim to click the link, so that the victim's cookie is used to change the password without his or her knowledge.
http://192.168.122.130/DVWA-1.9/vulnerabilities/csrf/?password_new=1234&password_conf=1234&Change=Change#
For example: a hacker logs in to a website with his own account, goes to the password change page and records the URL that changes the password. When he wants to attack, he induces a victim who is logged in to the site (so the browser holds the session cookie) to open the constructed URL; the browser attaches the cookie, and the password is changed without the victim's knowledge to the value the hacker chose. If the attack succeeds, the hacker logs in as the victim with that password and carries out a series of operations!
Some of the current defenses:
1. Use a CAPTCHA on the sensitive action
2. Require the original password in order to change the password
3. Check the Referer (or Origin) header: following a link from one site to another creates a new HTTP request, and the Referer field in that request names the source page, so a change-password request whose Referer is not our own site can be refused.
Note that the browser's Referrer-Policy decides whether Referer is sent at all: with no-referrer-when-downgrade it is withheld when going from an https page to an http one, so the check must reject a missing Referer rather than treat it as harmless.
4. Anti-forgery token: unlike the cookie, which the browser attaches automatically, the token is embedded in the form and must be sent back explicitly; every user has a token others cannot guess, and a password change only succeeds with the user's own token. This blocks most CSRF attacks. The token must be unpredictable (generated from a cryptographic random source) and, if it is kept client-side, signed or encrypted. Setting the session cookie's SameSite attribute is a further layer modern browsers support.
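Added example, my code rather than DVWA's: a minimal server-side decision routine combining defenses 3 and 4 above. It issues a per-session random token that the password form must echo back, compares it in constant time, and requires an Origin or Referer from our own host, rejecting a missing header for the Referrer-Policy reason just given. The in-memory session store, the attacker host attacker.example and the session ids are constructed for the example; the DVWA host 192.168.122.130 comes from the URLs in the text.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side session store (constructed for the example): session id -> CSRF token
SESSION_TOKENS = {}

# Host of the DVWA instance used in the article
OWN_HOST = "192.168.122.130"


def issue_token(session_id: str) -> str:
    """Generate an unguessable per-session token, remember it server-side and return it so the
    form can embed it as a hidden field. It is deliberately not the session cookie: cookies are
    attached by the browser to the forged request automatically, hidden fields are not."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def source_is_own_site(referer, origin) -> bool:
    """Origin/Referer check. A missing header is rejected: Referrer-Policy values such as
    no-referrer-when-downgrade let a browser legitimately withhold Referer, and an attacker can
    arrange for it to be absent, so 'absent' must never count as 'trusted'."""
    source = origin or referer
    if not source:
        return False
    return urlsplit(source).hostname == OWN_HOST


def password_change_allowed(session_id: str, submitted_token, referer=None, origin=None) -> bool:
    """Decide whether a change-password request may proceed for this session."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not submitted_token:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte via timing
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return False
    return source_is_own_site(referer, origin)


if __name__ == "__main__":
    token = issue_token("victim-session")
    form_page = "http://192.168.122.130/DVWA-1.9/vulnerabilities/csrf/"
    lure_page = "http://attacker.example/lure.html"   # constructed attacker host
    # Legitimate submission from the real form
    print(password_change_allowed("victim-session", token, referer=form_page))   # True
    # The lure URL from the text carries the cookie but no token
    print(password_change_allowed("victim-session", None, referer=lure_page))    # False
    # Token guessed or leaked, but the request still comes from elsewhere
    print(password_change_allowed("victim-session", token, referer=lure_page))   # False
```

The token alone already defeats the link-click attack described above, because the attacker's page cannot read a hidden field from our domain; the Origin/Referer check is a second, independent layer that also covers forms the token was accidentally left out of.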
The above is the whole content of "how to solve the security problem of SQL injection". Thank you for reading! I believe everyone now has a certain understanding, and I hope the content shared helps you; if you want to learn more, welcome to follow the industry information channel!