How to find out sql injection vulnerabilities

2025-01-18 Update. From: SLTechnology News&Howtos, shulou. Section: Database

Shulou(Shulou.com)06/01 Report--

Today the editor shares how to identify SQL injection vulnerabilities. Most people do not understand this well, so to help you understand it better, the editor has summarized the following content. Without further ado, let's read on.

Personal summary:

1. Injection into string data

Steps:

a. Submit a single quotation mark as the data for the target parameter and check whether it causes an error, or whether the result differs from the original result.

b. If you find an error or other abnormal behavior, submit two single quotes together and see what happens. The database uses two consecutive single quotes as an escape sequence representing one literal single quotation mark, so the sequence is interpreted as data inside the string rather than as the terminator that ends the string. If the single input causes an error or abnormal behavior while the doubled input does not, the application may be vulnerable to SQL injection.

c. To further verify the vulnerability, use the SQL string concatenation operator to build a string equivalent to a "benign" input. If the application handles the specially constructed input in the same way as the corresponding "benign" input, it is probably vulnerable to attack.

The concatenation syntax differs between databases, for example:

- Oracle: 'FO'||'O' (the || operator)

- MS-SQL: 'FO'+'O' (the + operator)

- MySQL: 'FO' 'O' (two quoted strings separated by a space)

2. Injection into numeric data:

If the SQL query incorporates numeric data submitted by the user, the application may still enclose it in single quotation marks and treat it as string data, in which case it can be tested with the string steps above. Sometimes, however, numeric data is passed directly to the database without single quotation marks; the method above cannot detect vulnerabilities there, so follow the test steps below instead.

Steps:

a. Try entering a simple mathematical expression whose result equals the original numeric value. For example, if the original value is 2, try submitting 1+1 or 3-1. If the response is the same as for the original value, the parameter is probably vulnerable.

b. This test is most reliable when it has been established that changing the data has a visible effect on the application. If any input can be placed in the numeric parameter without the program's behavior changing, the previous check cannot find vulnerabilities.

c. If the first test succeeds, further evidence of the vulnerability can be obtained with more complex expressions that use specific SQL keywords and syntax. The ASCII function is a typical example: it returns the numeric ASCII code of the submitted character. For example, the ASCII value of A is 65, so in SQL the following expression equals 2:

67-ASCII('A')

d. If single quotation marks are filtered out, the previous test method is useless. However, you can take advantage of the fact that the database implicitly converts numeric data to string data when necessary. For example, because the ASCII value of the character 1 is 49, in a SQL statement the following expression equals 2:

51-ASCII(1)
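The string and numeric checks above are easiest to understand against code you control. The following added example (it is not code from the original article) builds a tiny SQLite database with constructed sample rows and runs each probe against two data-access layers: one that splices input into the SQL text, and one that binds parameters and converts numeric input first. The probe only reports whether the crafted input errors, matches the benign input's rows, or differs; the hardened layer never returns "same". SQLite has no ASCII() function, so its equivalent unicode() stands in for the article's ASCII('A'); the table, column and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the article)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, publisher TEXT)")
    con.executemany(
        "INSERT INTO books (id, title, publisher) VALUES (?, ?, ?)",
        [(1, "Alpha", "FOO"), (2, "Beta", "FOO"), (3, "Gamma", "BAR")],
    )
    return con


# --- Vulnerable data layer: user input is spliced into the SQL text. ---
# This is the pattern the single-quote and concatenation tests detect.
def by_publisher_vulnerable(con, publisher: str):
    sql = "SELECT id, title FROM books WHERE publisher = '" + publisher + "'"
    return con.execute(sql).fetchall()


def by_id_vulnerable(con, book_id: str):
    # Numeric data passed without quotes: 3-1 or 67-unicode('A') evaluates to 2.
    sql = "SELECT id, title FROM books WHERE id = " + book_id
    return con.execute(sql).fetchall()


# --- Hardened data layer: bound parameters, numeric input converted first. ---
def by_publisher_safe(con, publisher: str):
    return con.execute(
        "SELECT id, title FROM books WHERE publisher = ?", (publisher,)
    ).fetchall()


def by_id_safe(con, book_id: str):
    # int() rejects "3-1" outright, so arithmetic never reaches the database.
    return con.execute(
        "SELECT id, title FROM books WHERE id = ?", (int(book_id),)
    ).fetchall()


def probe(query, con, benign: str, crafted: str) -> str:
    """Classify how a query function treats a crafted input relative to a benign one.

    Returns "error" if the crafted input raises, "same" if it yields exactly the
    rows the benign input yields (the article's injection indicator), and
    "different" otherwise.
    """
    baseline = query(con, benign)
    try:
        result = query(con, crafted)
    except (sqlite3.Error, ValueError):
        return "error"
    return "same" if result == baseline else "different"


if __name__ == "__main__":
    db = make_db()
    for fn in (by_publisher_vulnerable, by_publisher_safe):
        print(fn.__name__, "quote:", probe(fn, db, "FOO", "'"),
              "concat:", probe(fn, db, "FOO", "F'||'OO"))
    for fn in (by_id_vulnerable, by_id_safe):
        print(fn.__name__, "3-1:", probe(fn, db, "2", "3-1"),
              "unicode:", probe(fn, db, "2", "67-unicode('A')"))
```

Run as a script it prints "error"/"same" for the vulnerable functions and "different"/"error" for the hardened ones: binding the value as a parameter makes the database compare against the literal string F'||'OO, so the concatenation test loses its signal, and converting to int before binding turns every arithmetic probe into a plain validation error.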

Pay special attention to:

When looking for SQL injection flaws in an application, a common mistake is to forget that certain characters have special meanings in an HTTP request. If you want to place these characters in a payload, you must URL-encode them carefully so that the application interprets them as intended, especially the following characters:

- & and = are used to join name/value pairs when building query strings and POST data blocks. They must be encoded as %26 and %3D respectively.

- Spaces are not allowed in the query string; if a space is submitted there, the string is terminated at that point. A space must be encoded as + or %20.

- Because + is used to encode a space, a literal + in a string must be encoded as %2b. Therefore, in the numeric example above, 1+1 should be submitted as 1%2b1.

- Semicolons are used to separate cookie fields and must be encoded as %3b.

Whether you edit parameter values directly in the browser, through an intercepting proxy, or by some other method, you must apply these encodings. If the relevant characters are not encoded, the whole request may be invalid, or unexpected data may be submitted.
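To make the encoding rules concrete, here is an added example (not from the original article) using Python's standard urllib.parse. It encodes a parameter value the way the list above requires and then decodes the query string the way a typical web framework would, so you can see that an unencoded 1+1 arrives as "1 1" while 1%2B1 arrives as "1+1", and that an unencoded & or = splits one value into two parameters. The helper names are assumptions.

```python
from urllib.parse import parse_qs, quote


def encode_param_value(value: str) -> str:
    """Percent-encode a value for a query string or form body.

    safe="" leaves only unreserved characters alone, so '&', '=', '+', ';'
    and the space all become %XX sequences, as the article's list requires.
    """
    return quote(value, safe="")


def build_query(params: dict) -> str:
    """Join name/value pairs with & and =, encoding both sides."""
    return "&".join(f"{quote(k, safe='')}={encode_param_value(v)}" for k, v in params.items())


def server_side_view(raw_query: str) -> dict:
    """Mimic what the application sees after the framework decodes the request.

    parse_qs splits on & and =, then unquotes each piece, turning + into a space.
    """
    return {k: v[0] for k, v in parse_qs(raw_query, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Unencoded + is decoded as a space, so the arithmetic probe never reaches the database as 1+1.
    print(server_side_view("id=1+1"))                                 # {'id': '1 1'}
    print(server_side_view("id=" + encode_param_value("1+1")))         # {'id': '1+1'}
    # Unencoded & and = create a second parameter instead of one value.
    print(server_side_view("name=a&b=c"))                              # {'name': 'a', 'b': 'c'}
    print(server_side_view(build_query({"name": "a&b=c"})))            # {'name': 'a&b=c'}
```

The same rule applies when a value is placed in a form body: the body of a form POST uses the same name=value&name=value grammar as the query string and is decoded the same way, so the same encoding is required there.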

3. Injection into the query structure:

If user-submitted data is inserted into the structure of the SQL query rather than into a data item within it, performing SQL injection simply requires supplying valid SQL syntax directly, without any "escaping".

The most common injection point in the query structure is the ORDER BY clause.

Steps:

a. Note any parameters that may control the order of the results returned by the application, or the types of fields they contain.

b. Submit a series of requests placing numeric values in the parameter, starting with the number 1 and incrementing by one with each request.

- If changing the number in the input affects the order of the results, the input is probably being inserted into the ORDER BY clause.

- If submitting the input 1 produces a result set in which one column contains a 1 in every row, the input is probably being inserted into the list of column names returned by the query, as in:

SELECT 1,title,year from books where publisher='wilery'

Notes:

Exploiting SQL injection in the ORDER BY clause is very different from other injection scenarios, because the UNION, WHERE, OR and AND keywords cannot be used at that point in the query. Exploitation usually requires the attacker to specify a nested query in place of the parameter, such as (SELECT 1 WHERE or 1and0), instead of the column name.
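Because an ORDER BY column cannot be supplied as a bound parameter, the usual fix is an allow-list that maps the user's sort key to a known column name. The following added example (not from the original article) runs the numeric test from step b above against a constructed SQLite table: a function that pastes the parameter into ORDER BY shows the changing-order signal, a function that pastes it into the column list shows the "1 in every row" signal, and the allow-listed version shows neither. Table, column and function names are assumptions.

```python
import sqlite3

# Constructed sample rows, deliberately out of order so that sorting is visible.
SAMPLE_ROWS = [(1, "Gamma", 2003), (2, "Alpha", 2001), (3, "Beta", 2002)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (id INTEGER, title TEXT, year INTEGER)")
    con.executemany("INSERT INTO books VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


# --- Vulnerable: the parameter becomes part of the query structure. ---
def list_books_vulnerable(con, sort: str):
    # ORDER BY 1 / 2 / 3 sorts by the first, second and third selected column.
    return con.execute("SELECT id, title, year FROM books ORDER BY " + sort).fetchall()


def select_column_vulnerable(con, column: str):
    # The parameter names the first selected column; "1" yields the literal 1 in every row.
    return con.execute("SELECT " + column + ", title, year FROM books").fetchall()


# --- Hardened: the sort key is translated through an allow-list. ---
ALLOWED_SORT = {"id": "id", "title": "title", "year": "year"}


def list_books_safe(con, sort: str):
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort!r}")
    # Only a string from ALLOWED_SORT's values ever reaches the SQL text.
    return con.execute(f"SELECT id, title, year FROM books ORDER BY {column}").fetchall()


def order_changes_with_number(list_fn, con, max_n: int = 3) -> bool:
    """Step b: submit 1, 2, 3 ... and report whether the row order ever changes.

    An error on any value is treated as "no signal" for that function.
    """
    seen = set()
    for n in range(1, max_n + 1):
        try:
            seen.add(tuple(row[0] for row in list_fn(con, str(n))))
        except (sqlite3.Error, ValueError):
            return False
    return len(seen) > 1


def column_is_constant_one(select_fn, con) -> bool:
    """Step b, second signal: does input 1 put the value 1 in every row of a column?"""
    try:
        rows = select_fn(con, "1")
    except sqlite3.Error:
        return False
    return bool(rows) and all(row[0] == 1 for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable order changes:", order_changes_with_number(list_books_vulnerable, db))
    print("safe order changes:     ", order_changes_with_number(list_books_safe, db))
    print("column constant 1:      ", column_is_constant_one(select_column_vulnerable, db))
    print("safe sort by title:     ", list_books_safe(db, "title"))
```

The allow-list approach keeps the application's control over which columns can be sorted on, and any value outside the mapping is rejected before query text is built, which is why the numeric probe produces no order change against list_books_safe.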

After reading the above, do you have a general idea of how to identify SQL injection vulnerabilities? If you want to know more, welcome to follow the industry information channel, and thank you for reading!
