What, a command directly hacked the database!

sqlMap

I (shigen) recently studied a penetration tool, sqlMap. It is a popular open source tool for automating SQL injection attacks and penetration testing, designed specifically to detect and exploit SQL injection vulnerabilities in web applications. SQLMap has a rich feature set: it automatically detects and exploits SQL injection vulnerabilities, obtains sensitive information from a database, and performs various database operations such as extracting, modifying, or deleting data. It supports many database management systems (DBMS), including MySQL, Oracle, SQLite, Microsoft SQL Server, and more. Multiple injection techniques are also supported, including error-based injection, UNION query injection, Boolean-based blind injection, and time-based blind injection. Using these techniques, it can automatically discover and exploit many types of SQL injection vulnerabilities.

Its official address is here: sqlmap code address

sqlmap directly connects to the database

The following is a case where I use sqlMap to connect directly to the database and obtain the database's version information.

python3 sqlmap.py -d 'mysql://root:[email protected]:3306/security' -f --banner

sqlmap directly connects to the database

Probing for a single URL

Here shigen has written a Spring Boot interface specifically for testing sqlMap:

    @GetMapping(value = "findById2")
    public Result<User> findById2(@RequestParam(value = "id", defaultValue = "1", required = false) String id) {
        // The raw id string from the request is handed straight to the mapper
        User user = userMapper.findById2(id);
        return Result.ok(user);
    }

I believe this code is not difficult to read. My interface takes the string-typed parameter id, queries the matching record from the database, and returns it.

The ORM framework used is MyBatis Plus, and here is my code for the database access part:

// ${id} splices the raw string directly into the SQL text (the problem discussed in the postscript)
@Select("select * from user where id = ${id}")
User findById2(@Param("id") String id);

I believe careful readers have already spotted the problem!

Now, sqlMap, please come on stage!

python3 sqlmap.py -u 'http://127.0.0.1:9000/penetration/findById2?id=20' -dbs

Witness the moment of the miracle

Let's go straight to my results!

get all dbs

The console outputs all my local databases, accurately and completely! Isn't it scary? The first time, I didn't quite believe it; I thought shigen was seeing things.

I took a look at the payload information in the console output. Its parameter is id=2 and 5685=5685, and this is just one case. During execution, sqlmap injects many such conditions, always appended after the where clause.

url detection

This is an obvious pattern: it keeps appending AND conditions after the existing condition so that the SQL still returns as much data as possible, probing and provoking relentlessly.

==>  Preparing: select * from user where id = ?
==> Parameters: 20) AND 6535=9250 AND (2651=2651(String)

But --dbs is just the tip of the iceberg of sqlMap's commands and functions; it also has these powerful features:

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

I won't walk everyone through them one by one; I'll show one case here, --tables: indeed, all the tables in my local database were scanned out. You can see the four tables in seata!

get all table structures

shigen will continue to share more usage tips; you're welcome to comment, like, share and follow so you don't miss the good stuff!

**Also, a quiet reminder: SQLMap is a powerful tool, but you must abide by the law and ethics when using it. After all, you know the value of data; be careful not to accidentally land yourself in jail!** Besides, if the data is pulled down now, the cloud provider has monitoring; if you query the data, the cloud provider has records. There is nowhere to hide!

postscript

Do you think the article ends here? I also want to share a question: how was my code's vulnerability discovered and used to attack straight into the database? We can't blame sqlMap too much, otherwise no database in the world would be safe. The point is here: ${id}.

Focus

  • ${id} is a string substitution method: it embeds the parameter value directly into the SQL statement, which is a security risk.
  • #{id} is a precompiled parameter placeholder method: the parameter value is passed through the placeholder and bound by the database driver, which is safer and more reliable.

The precompiled parameters here are a bit like the PreparedStatement we learned about at the beginning. Under the hood, MyBatis or MyBatis Plus handles it like this:

  1. Placeholder generation: MyBatis takes the parameter name id from #{id} and generates the corresponding placeholder according to the database vendor. For example, for a MySQL database the placeholder might be ?; for an Oracle database the placeholders might be :1, :2, etc.
  2. Parameter binding: MyBatis binds the parameter value to the generated placeholder. This step is completed by the underlying database driver, which handles the placeholders with a prepared statement (PreparedStatement) and safely binds the parameter values to them.
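To make the ${id} versus #{id} difference concrete, here is an added example (not the author's code, and not MyBatis itself) that reproduces the same two behaviours in Python with an in-memory SQLite table: find_by_id_unsafe splices the raw string into the SQL text like ${id}, find_by_id_safe binds it to a ? placeholder like #{id}, and looks_like_boolean_probe flags the "AND n=n" payload shape seen in the console output earlier. The user table and its rows are constructed here; the payloads are the ones from the page.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the blog's `user` table (not the author's data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO user VALUES (?, ?)",
                 [(1, "alice"), (2, "bob"), (20, "carol")])


def find_by_id_unsafe(user_id: str):
    """Mirrors MyBatis `${id}`: the raw request string becomes part of the SQL text.

    A tautology such as `2 AND 5685=5685` keeps the row, while `2 AND 5685=5686`
    drops it, so the response difference is the oracle boolean-based blind
    injection relies on.
    """
    sql = f"select * from user where id = {user_id}"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        # Probes that break the syntax (e.g. the unbalanced ")" variant) return nothing
        return None


def find_by_id_safe(user_id: str):
    """Mirrors MyBatis `#{id}`: the driver binds the whole string to a `?` placeholder.

    The value is compared as data, so `2 AND 5685=5685` is just a string that
    matches no id; the injected condition is never parsed as SQL.
    """
    return conn.execute("select * from user where id = ?", (user_id,)).fetchone()


def looks_like_boolean_probe(param: str) -> bool:
    """Defender-side check: flag the `AND <n>=<n>` shape sqlmap appends to the id."""
    return re.search(r"\b(AND|OR)\s+\d+\s*=\s*\d+", param, re.IGNORECASE) is not None
```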

Therefore, many company coding standards, including the Alibaba Java Development Manual, clearly stipulate the use of #{} placeholders.

That's all for today. With shigen, every day is different!

Origin blog.csdn.net/weixin_55768452/article/details/132536861