Common types of SQL injection

This post only explains the basic types of SQL injection vulnerabilities; code analysis will be covered in another post.

Table of Contents

  • The most basic injection: union injection attacks
  • Boolean injection attacks (Boolean blind)
  • Error-based injection attacks
  • Time injection attacks (time-based blind)
  • Stacked query injection attacks
  • Second-order injection attacks
  • Wide-byte injection attacks
  • base64 injection attacks
  • Cookie request header injection attacks (HTTP parameter injection)
  • XFF injection attacks (HTTP request header parameter injection)
  • Injection when the absolute path is known

0x01 The most basic injection: union injection attacks

  1. Determine whether the injection point is a GET or a POST parameter;
  2. Find the right closing (quoting) rule;
  3. Use order by to find the number of columns in the query;
  4. Use union select 1,2,... to see which positions are displayed; if no display position appears, change id=1 into id=-1 so that the original row returns nothing;
  5. If positions 2 and 3 are displayed, SQL statements can be written into those two positions;
  6. Query the current database and the current MySQL user: union select 1,user(),database();
  7. Query the tables in the current database: union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="data_name";
  8. Once a sensitive table such as user is found, query its columns: union select 1,2,group_concat(column_name) from information_schema.columns where table_name="user";
  9. Query the contents of columns such as id and passwd: union select 1,id,passwd from user;
  10. Obtain the back-end username and password.
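The reason steps 4 to 9 work is that the id value is spliced into the SQL text. The following is an added example, not code from the original post: a constructed SQLite schema with a product table and a user table, a lookup that concatenates the id (the vulnerable form) and the same lookup with the id bound as a parameter (the hardened form). The table and column names are constructed to mirror the post; the password values are placeholders.

```python
import sqlite3


def setup_db():
    """Constructed in-memory schema mirroring the post's product/user tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO product VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
        INSERT INTO user VALUES (1, 'admin', 'CONSTRUCTED-HASH-1'),
                                (2, 'alice', 'CONSTRUCTED-HASH-2');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """The bug: the request value is spliced into the SQL text, so an id such as
    '-1 UNION SELECT ...' rewrites the query exactly as steps 4 to 9 describe."""
    sql = "SELECT id, name, price FROM product WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """The fix: the value is bound as a parameter. The driver ships it as data,
    so UNION, quotes and comments inside it never become part of the statement.
    (sqlite3 uses '?' placeholders; MySQL drivers typically use '%s'.)"""
    sql = "SELECT id, name, price FROM product WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Constructed id value of the kind the post describes in step 4.
UNION_ID = "-1 UNION SELECT id, username, passwd FROM user"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", lookup_vulnerable(conn, UNION_ID))  # returns the user table
    print("hardened:  ", lookup_hardened(conn, UNION_ID))    # returns []
```

Binding the value is the fix; checking that id parses as an integer before it reaches the database is a cheap second layer that also stops the order by and display-position probing from ever producing a different response.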

0x02 Boolean injection attacks (Boolean blind)

  • Look at the symptoms: the query errors but no error message is shown, while a correct query displays normally; this may be a Boolean blind injection, which has only two states, right or wrong;
  • The closing rule is determined from the two different page states returned;
  • For convenience, a correct return is represented here by "yes" and an error return by "no";
  • After finding the closing rule, put and 1=1 and and 1=2 inside it and test whether the two states above are returned;
  • Boolean blind injection uses length() and substr(); the two states are used to guess the length and the letters of the database name, table names and so on;
  • First use and length(database())>2 to guess the length of the database name, using binary search;
  • Then use and substr(database(),1,1)='t' to determine the first letter; run the 26 letters with Burp, and the letter that returns "yes" is the first letter;
  • and substr(database(),2,1)='t' gives the second letter of the current database name;
  • Finally, with the length known, the database name is guessed successfully;
  • The remaining steps are almost the same as union injection; only the SQL statement is written in place of database() above.

0x03 Error-based injection attacks

  1. As long as the SQL injection point returns error information, error-based injection can be used;
  2. As before, trigger an error with a quote, then locate the closing rule; once the page displays correctly, start writing the error-based injection statement inside the closing rule;
  3. updatexml error to get the current database:
    and updatexml(1,concat(0x7e,(select database()),0x7e),1)
  4. floor error to get the current database:
    and (select 1 from (select count(*),concat((database()),floor(rand(0)*2))x from information_schema.tables group by x)a)
  5. Both methods are feasible; if the first does not work, try the second;
  6. Then replace database() above with a select statement to get the table names in the database, and likewise the column names; the queries are the same as in union injection attacks;
  7. But group_concat cannot be used here, because error-based injection displays only one result, so limit must be used in the statement;

0x04 Time injection attacks (time-based blind)

  • The symptom is not obvious: the same state is returned whether the query is right or wrong;
  • However, if sleep(5) can delay the response by 5 seconds or more, there is a time-based blind injection;
  • With sleep(5) we construct a delayed state, so again there are two states; as in Boolean blind injection, the length of the database name, table names and column names and each letter can be determined from these two states;
  • Again find the right closing rule; here the closing rule is combined with sleep(5) to build the statement, and if the closing rule makes sleep(5) execute, the closing rule is right;
  • Time-based blind injection is combined with if(A,B,C), meaning: if A is true, B is returned (i.e. B is executed), otherwise C (C is executed);
  • Then the statement to determine the length of the current database name is:
    if(length(database())>1,sleep(5),1)

    If the length of the database name is greater than 1, the response is delayed by 5 seconds; otherwise select 1 runs (i.e. no delay), and so the database length is obtained.

  • Statements to determine the first and second letter of the current database name:
    if(substr(database(),1,1)='s',sleep(5),1)
    if(substr(database(),2,1)='s',sleep(5),1)

    Only the one correct letter among the 26 causes a 5-second delay; this can be run with Burp or sqlmap.

  • Following this pattern, obtain the full database name, table names, column names and the specific contents, according to the lengths found.

0x05 Stacked query injection attacks

  1. Stacked injection can be used wherever Boolean blind injection can be used, and also together with time-based blind injection;
  2. Also find the right closing rule, then again use the two states to guess the database name, table names and so on;
  3. Stacked injection statements:
    ;select if(length(database())>1,sleep(3),1)
    ;select if(substr(database(),1,1)='r',sleep(3),1)
  4. In principle a new SQL statement can be executed after the semicolon, but it is often unnecessary; if other injection methods (or bypass methods) do not work, this injection method can be tried; it is not very common.

0x06 Second-order injection attacks

  • Second-order injection involves two URLs: one URL for injecting, whose injection point is where the SQL statement is inserted, and another URL that returns the information;
  • After the SQL statement is inserted through the first URL, the response returns an id corresponding to this information; then the id is passed to the second URL, and visiting it returns the result of the SQL statement in the response, whether correct or an error;
  • The first URL is equivalent to user registration: registration adds a new user id and stores the registration information in the database; the id is then passed to the second URL, which shows the user's registration information; but if the registration information is a malicious SQL statement, the second URL shows sensitive database information;
  • The injection attack is almost like union injection, but the echoed information has to be shown in the other URL;
  • After that, it is the normal procedure of the union injection attack.
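The defender's lesson in the two-URL flow is that a value read back from the database is still untrusted input. The following is an added example, not code from the original post: a constructed registration function (the first URL) that stores the username with a bound parameter, and a profile function (the second URL) that reads the stored username and splices it into a second query. The schema, the secrets table and the stored values are constructed for the demonstration.

```python
import sqlite3


def setup():
    """Constructed schema: users registered through URL one, and a table whose
    rows URL two is only supposed to show for the logged-in owner."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE secrets (owner TEXT, note TEXT);
        INSERT INTO secrets VALUES ('admin', 'constructed secret note');
    """)
    return conn


def register(conn, username, email):
    """URL one (registration). The insert is parameterized, so this step looks
    safe; the hostile username is simply stored verbatim and returns an id."""
    cur = conn.execute("INSERT INTO users (username, email) VALUES (?, ?)",
                       (username, email))
    return cur.lastrowid


def profile_vulnerable(conn, user_id):
    """URL two (profile). The stored username is treated as trusted and spliced
    into a second query, which is where the stored payload finally runs."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?",
                               (user_id,)).fetchone()
    sql = "SELECT owner, note FROM secrets WHERE owner = '" + username + "'"
    return conn.execute(sql).fetchall()


def profile_hardened(conn, user_id):
    """Same flow, but the value read back from the database is bound as a
    parameter too: data stays data on every query, not only at the entry point."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?",
                               (user_id,)).fetchone()
    return conn.execute("SELECT owner, note FROM secrets WHERE owner = ?",
                        (username,)).fetchall()


# Constructed registration value: a username that closes the quote in URL two.
HOSTILE_USERNAME = "x' OR '1'='1"

if __name__ == "__main__":
    conn = setup()
    uid = register(conn, HOSTILE_USERNAME, "x@example.invalid")
    print("vulnerable:", profile_vulnerable(conn, uid))  # every row of secrets
    print("hardened:  ", profile_hardened(conn, uid))    # []
```

Input filtering at registration time does not fix this class on its own, because the stored value may be decoded, trimmed or re-encoded before it is reused; binding parameters on the second query does.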

0x07 Wide-byte injection attacks

  1. If single and double quotes are escaped with a backslash, the id parameter cannot break out of the surrounding single quotes;
  2. Under normal circumstances there is no SQL injection vulnerability here;
  3. However, if the database uses GBK encoding, wide-byte injection can be used; since it is not known in advance whether the encoding is GBK, wide-byte injection can simply be tried;
  4. The wide-byte form adds %df before the single quote: the backslash is encoded as %5c, and in GBK encoding %df%5c is read as a single two-byte character (a traditional Chinese character), so the backslash is swallowed, the single quote breaks out successfully and an SQL error appears;
  5. Therefore, when constructing the closing rule, put %df in front of the single quote;
  6. Then write the union injection queries inside the closing rule;
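To see why %df works, it helps to run the escaping and the decoding in the order the server does. The following is an added example, not code from the original post: a constructed byte-wise escaper standing in for addslashes-style escaping, applied before the bytes are decoded as GBK (the vulnerable order), beside a path that decodes with the declared charset first and escapes the text (the hardened order). The input bytes and the helper names are constructed.

```python
def escape_quotes_bytewise(data):
    """Constructed stand-in for a charset-unaware escaper: it works on raw bytes
    and puts a backslash (0x5c) in front of every single quote (0x27)."""
    return data.replace(b"'", b"\\'")


def vulnerable_path(param, charset):
    """Escape first, decode second. Under GBK the bytes df 5c pair up into one
    two-byte character, so the backslash disappears and the quote is bare."""
    return escape_quotes_bytewise(param).decode(charset, errors="replace")


def hardened_path(param, charset):
    """Decode with the declared connection charset first, then escape the text.
    A lone 0xdf followed by 0x27 is not a valid GBK pair, so it cannot eat the
    backslash that is added afterwards."""
    text = param.decode(charset, errors="replace")
    return text.replace("'", "\\'")


def unescaped_quote_present(text):
    """True if some single quote in the literal is not preceded by a backslash."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


# Constructed parameter bytes: the digit 1, the lead byte 0xdf, then a quote.
WIDE_BYTE_PARAM = b"1\xdf'"

if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        v = vulnerable_path(WIDE_BYTE_PARAM, charset)
        print(charset, repr(v), "bare quote:", unescaped_quote_present(v))
    h = hardened_path(WIDE_BYTE_PARAM, "gbk")
    print("hardened gbk", repr(h), "bare quote:", unescaped_quote_present(h))
```

Decoding first is only a partial fix; the durable one is to use prepared statements and to set the connection charset through the driver so that the escaping routine and the server agree on the encoding.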

0x08 base64 injection attacks

  • If the value of the id parameter in the URL looks like base64, first URL-decode it, then if it is base64, base64-decode it; the id value (e.g. the numbers 1 and 2) should come out;
  • So to test this URL for SQL injection, every id value sent back must be base64-encoded;
  • After the parameter is passed in the URL in this manner, the injection steps are the same as union injection, but every following value (the entire payload), including the closing rule, must be base64-encoded.
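From the detection side, the techniques of sections 0x01 to 0x05 and the encodings of sections 0x07 and 0x08 leave recognisable markers in request logs, provided the value is looked at in every form the server will see it in. The following is an added example, not code from the original post: a classifier that takes a constructed access-log line, URL-decodes each query value, base64-decodes values that look like base64, normalises comments and whitespace, and tags the line with the matching technique. The log format, the signature list and the sample lines are constructed; the sample payloads are the ones the post itself lists.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Signatures keyed by the section of the post they correspond to.
SIGNATURES = [
    ("union",      re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b")),
    ("boolean",    re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+")),
    ("error",      re.compile(r"\b(updatexml|extractvalue)\s*\(|floor\s*\(\s*rand\s*\(")),
    ("time",       re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("stacked",    re.compile(r";\s*(select|insert|update|delete|drop)\b")),
    ("blind-func", re.compile(r"\b(substr|substring|mid|length)\s*\(")),
]
# The wide-byte marker (section 0x07) is matched on the still percent-encoded
# target, because URL-decoding would turn it into an ordinary quote.
WIDE_BYTE = re.compile(r"%df(%27|')", re.IGNORECASE)
B64 = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


def decode_candidates(value):
    """Return (text, came_from_base64) for each form the value may take server-side."""
    forms = [(value, False)]
    decoded = unquote(value)                   # %27, %20 and friends
    if decoded != value:
        forms.append((decoded, False))
    for text, _ in list(forms):                # section 0x08: base64-wrapped values
        if B64.match(text) and len(text) % 4 == 0:
            try:
                plain = base64.b64decode(text, validate=True).decode("utf-8", "replace")
                forms.append((plain, True))
            except (binascii.Error, ValueError):
                pass
    return forms


def normalize(text):
    """Drop inline comments and collapse whitespace variants, then lowercase."""
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = text.replace("+", " ")
    return re.sub(r"\s+", " ", text).lower()


def classify_request(line):
    """Return the sorted technique tags a constructed log line matches."""
    hits = set()
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    if not m:
        return []
    raw_target = m.group(1)
    if WIDE_BYTE.search(raw_target):
        hits.add("wide-byte")
    for pair in urlsplit(raw_target).query.split("&"):
        _, _, value = pair.partition("=")      # split on the first '=' only
        for text, via_b64 in decode_candidates(value):
            norm = normalize(text)
            for tag, pattern in SIGNATURES:
                if pattern.search(norm):
                    hits.add(tag)
                    if via_b64:
                        hits.add("base64")
    return sorted(hits)


def scan_log(lines):
    """Return (line, tags) for every line that matched at least one signature."""
    return [(ln, classify_request(ln)) for ln in lines if classify_request(ln)]


# Constructed access-log lines; the query values are the post's own payloads.
_B64_ID = base64.b64encode(b"-1 union select 1,2,3").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /item.php?id=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /item.php?id=-1%20union%20select%201,user(),database() HTTP/1.1" 200',
    '10.0.0.5 - - "GET /item.php?id=1%27%20and%201=1%23 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /item.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)%23 HTTP/1.1" 500',
    '10.0.0.5 - - "GET /item.php?id=1%27%20and%20if(length(database())>1,sleep(5),1)%23 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /item.php?id=1;select%20if(substr(database(),1,1)=%27r%27,sleep(3),1) HTTP/1.1" 200',
    '10.0.0.5 - - "GET /item.php?id=1%df%27%20union%20select%201,2,3%23 HTTP/1.1" 500',
    '10.0.0.5 - - "GET /item.php?id=' + _B64_ID + ' HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ln, tags in scan_log(SAMPLE_LOG):
        print(tags, ln)
```

Pattern matching of this kind is for triage and alerting, not a substitute for parameterised queries: time-based probes in particular are better confirmed by correlating the tagged request with an unusually long response time in the same log line.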

0x09 HTTP request header parameter injection attacks: cookie injection

  1. Capture the HTTP request to the URL and test every parameter in the request header for SQL injection; any of them may contain an injection point, and if an SQL error appears in the response packet, the parameter under test is the injection point;
  2. Common HTTP header parameters for injection are:
    【Referer】、【X-Forwarded-For】、【Cookie】、【X-Real-IP】、【Accept-Language】、【Authorization】
  3. If an SQL error is reported in the response while testing a cookie parameter, this is a cookie injection attack;
  4. The only difference from union injection is the injection point; after that, the union injection method can be used.

0x10 HTTP request header parameter injection attacks: XFF injection

  • XFF injection is SQL injection in the X-Forwarded-For HTTP header parameter;

  • Test example: set the X-Forwarded-For value to 127.0.0.1' and if an SQL error is returned, the injection point is here;

  • After that, union injection can be used to complete the attack.
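The headers listed in sections 0x09 and 0x10 reach the database because applications store them (client address, session, locale) without treating them as user input. The following is an added example, not code from the original post: strict type validation for the header values an application actually uses, so that a value such as 127.0.0.1' is rejected before any query is built. The validators, the session-cookie format and the sample headers are constructed; Referer is deliberately left out because it is free text and can only be handled by parameter binding, not by typing.

```python
import ipaddress
import re

# Constructed formats: what this hypothetical application issues and accepts.
SESSION_ID = re.compile(r"^[A-Za-z0-9]{16,64}$")
LANG_TAG = re.compile(
    r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*(\s*;\s*q=(0(\.\d{1,3})?|1(\.0{1,3})?))?$")


def parse_ip(value):
    """An address never needs quotes or keywords; ipaddress rejects 127.0.0.1'."""
    return str(ipaddress.ip_address(value.strip()))


def parse_forwarded_for(value):
    """X-Forwarded-For is a comma-separated list of addresses; every entry must parse."""
    return [parse_ip(part) for part in value.split(",")]


def parse_cookie(value):
    """Split the Cookie header and enforce the format of the cookies we rely on."""
    out = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition("=")
        if not sep or not name:
            continue                               # ignore malformed fragments
        if name == "session" and not SESSION_ID.match(val):
            raise ValueError("session cookie has an unexpected format")
        out[name] = val
    return out


def parse_accept_language(value):
    """Each entry must be a language tag with an optional q-value."""
    tags = [t.strip() for t in value.split(",")]
    for tag in tags:
        if not LANG_TAG.match(tag):
            raise ValueError("bad Accept-Language entry: %r" % tag)
    return tags


VALIDATORS = {
    "X-Forwarded-For": parse_forwarded_for,
    "X-Real-IP": parse_ip,
    "Cookie": parse_cookie,
    "Accept-Language": parse_accept_language,
}


def validate_headers(headers):
    """Validate every header the application later stores; raise ValueError on
    the first one that fails its type check, drop headers we never use."""
    out = {}
    for name, parser in VALIDATORS.items():
        if name in headers:
            out[name] = parser(headers[name])
    return out


def is_accepted(headers):
    """Convenience wrapper: True if validate_headers accepts the request."""
    try:
        validate_headers(headers)
        return True
    except ValueError:
        return False


# Constructed request headers for a quick run.
GOOD = {"X-Forwarded-For": "203.0.113.7, 10.0.0.1", "X-Real-IP": "203.0.113.7",
        "Cookie": "session=abcdef0123456789ABCD; theme=dark",
        "Accept-Language": "en-US,en;q=0.8"}

if __name__ == "__main__":
    print(validate_headers(GOOD))
    print(is_accepted({"X-Forwarded-For": "127.0.0.1'"}))   # False
```

Validated or not, every header value that is written to the database still goes through a bound parameter; the typing above simply removes a whole class of values before they reach that point and gives a clean place to log the rejection.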

0x11 Injection when the absolute path is known

  1. If the root directory of the site has been revealed in some way and the site is known to have SQL injection;

  2. The database user may have file privileges; in that case the into outfile statement can be used to write a shell into the root directory of the site, which is then connected to with the "kitchen knife" (Chopper) webshell client;

  3. If the database user has no file privileges, use the sqlmap parameter --is-dba to check whether the current database user has administrator privileges;

  4. If it has administrator privileges, the sqlmap parameter --os-shell can be used to upload a reverse shell and finally get a shell;

  5. If there are neither file nor administrator privileges, look for another approach: log file writes, cache writes and so on.
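Both routes in this section depend on server-side settings a defender can audit: whether secure_file_priv restricts into outfile, and which accounts hold the global FILE privilege (or ALL PRIVILEGES on *.*, which includes it). The following is an added example, not code from the original post: a small audit over a constructed my.cnf fragment and constructed SHOW GRANTS output lines. The option name secure_file_priv, the FILE privilege and the GRANT syntax are real MySQL features; the configuration contents and account names are constructed.

```python
import re


def parse_secure_file_priv(cnf_text):
    """Return secure_file_priv from the [mysqld] section of a my.cnf text:
    None if absent, '' if set to empty (no restriction), 'NULL' if file
    import/export is disabled, otherwise the directory it is limited to."""
    section, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld":
            key, sep, val = line.partition("=")
            if key.strip().replace("-", "_").lower() == "secure_file_priv":
                value = val.strip().strip('"').strip("'") if sep else ""
    return value


GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<acct>\S+)", re.IGNORECASE)


def accounts_with_file_privilege(grant_lines):
    """Accounts that can use INTO OUTFILE: FILE is a global privilege, so only
    grants on *.* count, and ALL PRIVILEGES on *.* includes it."""
    found = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("scope") == "*.*" and privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            found.append(m.group("acct"))
    return found


def audit(cnf_text, grant_lines):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    sfp = parse_secure_file_priv(cnf_text)
    if sfp is None:
        findings.append("secure_file_priv not set explicitly; check the server default")
    elif sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere the server can")
    for acct in accounts_with_file_privilege(grant_lines):
        findings.append("%s holds FILE (or ALL on *.*) and can use INTO OUTFILE" % acct)
    return findings


# Constructed inputs: a weak and a hardened config, and three grant lines.
WEAK_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsecure-file-priv=\n"
HARDENED_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsecure-file-priv=NULL\n"
GRANTS = [
    "GRANT USAGE ON *.* TO 'web'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON shop.* TO 'web'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for finding in audit(WEAK_CNF, GRANTS):
        print("-", finding)
```

The web application's own account should look like the constructed 'web' user here: scoped to its database, with no FILE privilege and no ALL on *.*, so that even a working injection cannot reach step 2 or step 4 above.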


This briefly describes the types of SQL injection encountered in practice; in real conditions you may meet more unusual ways of exploiting SQL injection, but mastering these basic types will help with the more advanced ones later; common SQL injection bypass techniques will be introduced in a later post.


Origin www.cnblogs.com/-chenxs/p/11614129.html