How Web Apps Work
MVC Architecture
Three tiers: presentation layer (the browser), logic layer (server-side code in a programming language), storage layer (the database)
Understanding SQL Injection
SQL injection is an attack that inserts or appends SQL code to an application's input parameters, which are then passed to a back-end SQL server for parsing and execution.
The direct (first-order) method of SQL injection is to insert malicious code into parameters that are placed into SQL commands and executed immediately;
the indirect (second-order) method is to insert malicious code into strings that are then saved in the database, in data tables or as metadata. When those stored strings are later placed into dynamic SQL commands, the malicious code is executed.
Example:
Target: http://www.victim.com/products.php?val=100
Payload: http://www.victim.com/products.php?val=100 'OR'1'='1
Purpose: view all products in the database. If the application builds something like WHERE val = '<input>', the injected quote closes the string and the appended OR '1'='1' condition is true for every row.
How SQL injection arises
Constructing dynamic strings
- Improper handling of escape characters: the SQL parser treats the single quote (') as the boundary between code and data. Content outside the quotes is code to be run; content inside the quotes is data. Characters that commonly need escaping or that change how the query is parsed:
escape character itself (backslash in MySQL)
single quote
space
double vertical bar (||, string concatenation in Oracle and PostgreSQL)
comma
dot
Entering a single quote in a URL parameter or web form field is the classic probe for whether a site is vulnerable to SQL injection: if the lone quote breaks the query and produces a database error, user input is reaching the SQL text unescaped.
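The `'OR'1'='1` payload from the products.php example and the single-quote probe, run against a throwaway SQLite database. This is an added example, not code from the original page; the schema, sample rows and function names are constructed here, since the real products.php is not shown. It also shows the parameterized form of the same query, which returns nothing for the payload because the value never becomes SQL text.

```python
import sqlite3


# Constructed sample data for the demo; the real products.php schema is not on the page.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, val TEXT, name TEXT);
        INSERT INTO products (val, name) VALUES
            ('100', 'widget'), ('200', 'gadget'), ('300', 'gizmo');
    """)
    return conn


def build_vulnerable_query(val):
    # The parameter is pasted into the SQL text. The quotes the developer
    # wrote are exactly what the attacker closes with a quote of their own.
    return f"SELECT name FROM products WHERE val = '{val}'"


def vulnerable_lookup(conn, val):
    return [row[0] for row in conn.execute(build_vulnerable_query(val))]


def safe_lookup(conn, val):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so a quote in the value is just a quote inside the data.
    rows = conn.execute("SELECT name FROM products WHERE val = ?", (val,))
    return [row[0] for row in rows]


def quote_probe(conn):
    """The single-quote test: True if a lone quote in the parameter breaks
    the statement, i.e. the input reaches the SQL text unescaped."""
    try:
        vulnerable_lookup(conn, "100'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = setup_db()
    payload = "100 'OR'1'='1"  # the page's payload, URL-decoded
    print(build_vulnerable_query(payload))
    print("vulnerable:", vulnerable_lookup(conn, payload))  # every product
    print("parameterized:", safe_lookup(conn, payload))     # no row has that literal val
    print("quote probe raised an error:", quote_probe(conn))
```

The printed statement makes the parse visible: `WHERE val = '100 'OR'1'='1'` is read as `val = '100 '` OR `'1'='1'`, and the second operand is true for every row.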
- Mishandling of types: numeric data is not enclosed in single quotes in SQL, so when a numeric parameter is placed directly into the query, escaping quotes does not help at all; the attacker needs no quote to leave the data context.
Example (MySQL):
SELECT * FROM TABLE WHERE USERID = 1 UNION ALL SELECT LOAD_FILE('/etc/passwd') --
For the UNION to succeed, the number of columns in the injected SELECT must match the original query, and LOAD_FILE() requires the FILE privilege on the database account.
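The numeric-context case in runnable form, as an added example that is not part of the original page. The schema and rows are constructed here, and because SQLite has no LOAD_FILE(), the UNION reads a second table instead of a file; the mechanism is the same. The vulnerable function even escapes quotes correctly, to make the point that escaping is the wrong defense when the value is not inside quotes.

```python
import sqlite3


# Constructed schema: the table the page queries plus one the attacker wants.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO products (name, price) VALUES ('widget', '9.99'), ('gadget', '19.99');
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        INSERT INTO users (user, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return conn


def escape_quotes(s):
    # Correct escaping for a value that sits inside a quoted string literal...
    return s.replace("'", "''")


def vulnerable_lookup(conn, id_param):
    # ...but a numeric comparison is written without quotes, so the attacker
    # never needs a quote to break out. The escaping above changes nothing.
    sql = f"SELECT name, price FROM products WHERE id = {escape_quotes(id_param)}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    # Enforce the type before the value is used anywhere, then bind it.
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "1 UNION ALL SELECT user, password FROM users --"
    # Two columns on each side of the UNION, matching the original SELECT.
    print(vulnerable_lookup(conn, payload))  # product row, then every credential
    try:
        safe_lookup(conn, payload)
    except ValueError as exc:
        print("rejected:", exc)
```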
- Improper assembly of the query statement: when the table or field to be queried is not known at development time, the table and column names are taken from user input, so the user controls the structure of the query itself. Identifiers cannot be passed as bound parameters, so parameterization alone does not fix this case.
http://www.victim.com/user_details.php?table=users&column1=user&column2=password&column3=Super_priv
Here table, column1, column2, and column3 are all attacker-controlled.
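The user_details.php request above, worked through as an added example that is not from the original page. The schema and the allow list are constructed here: since table and column names cannot be bound parameters, the defense shown is an allow list of the table/column pairs the page is meant to display, followed by identifier quoting. The request in the text is rejected because `password` and `Super_priv` are not on the list.

```python
import sqlite3
from urllib.parse import parse_qs


# Constructed schema standing in for user_details.php's database.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, email TEXT,
                            password TEXT, Super_priv TEXT);
        INSERT INTO users (user, email, password, Super_priv) VALUES
            ('alice', 'alice@example.com', 'pw-alice', 'Y'),
            ('bob', 'bob@example.com', 'pw-bob', 'N');
    """)
    return conn


# Allow list (constructed): the only table/column pairs the page may show.
ALLOWED = {
    "users": {"user", "email"},
}


def parse_request(query_string):
    """Turn table=...&column1=...&column2=... into (table, [columns])."""
    params = parse_qs(query_string)
    table = params["table"][0]
    columns = [params[k][0] for k in sorted(params) if k.startswith("column")]
    return table, columns


def vulnerable_details(conn, table, columns):
    # Identifiers go straight from the query string into the SQL text.
    sql = f"SELECT {', '.join(columns)} FROM {table}"
    return conn.execute(sql).fetchall()


def safe_details(conn, table, columns):
    if table not in ALLOWED:
        raise ValueError(f"table not permitted: {table!r}")
    bad = [c for c in columns if c not in ALLOWED[table]]
    if bad:
        raise ValueError(f"columns not permitted: {bad!r}")
    # After the allow-list check, still quote identifiers (standard SQL double quotes).
    cols = ", ".join(f'"{c}"' for c in columns)
    return conn.execute(f'SELECT {cols} FROM "{table}"').fetchall()


if __name__ == "__main__":
    conn = setup_db()
    table, cols = parse_request("table=users&column1=user&column2=password&column3=Super_priv")
    print("vulnerable:", vulnerable_details(conn, table, cols))  # leaks passwords and privileges
    try:
        safe_details(conn, table, cols)
    except ValueError as exc:
        print("rejected:", exc)
    print("allowed request:", safe_details(conn, "users", ["user", "email"]))
```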
- Mishandling of errors: detailed internal error messages are displayed to the attacker, giving important clues about the database structure and potential flaws in the website.
- Improper handling of multiple submissions: in a multi-step form, only the first step's input is validated and later steps are trusted, so an attacker can submit malicious values in the later steps directly.
Insecure database configuration
Default system administrator accounts (prime targets if left with default or weak passwords, or used by the application itself):
SQL Server --> sa
MySQL --> root / anonymous
Oracle --> SYS / SYSTEM / DBSNMP / OUTLN