SQL Injection - Preliminary Foundation
2022-07-28 08:42:00 【GSflyy】
What is SQL injection?
An attacker exploits a web application's failure to validate user input: the submitted data contains symbols or commands that have special meaning to the database system, which gives the attacker the opportunity to issue instructions directly to the back-end database, and from there to compromise the database and even the whole application system.
Principle of SQL injection
The essence of an SQL injection attack is that the server does not filter the malicious data entered by the user and executes that input directly as part of an SQL statement, which compromises the security of the database and of the platform.
Essence of SQL injection
Insufficient input checking causes the SQL statement to execute illegal data submitted by the user as part of the statement itself.
Two conditions
1. The user can control the input.
2. The SQL statement the program is going to execute is spliced together with the malicious data entered by the user.
Injection process
1. The attacker visits a website that has an SQL injection vulnerability and looks for the injection point.
2. The attacker constructs an injection statement; it combines with the SQL statement in the program to generate a new SQL statement.
3. The new SQL statement is submitted to the database for processing.
4. The database executes the new SQL statement, triggering the SQL injection attack.
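As an added illustration of the two conditions and the injection process above (example code, not from the original post): a login lookup that splices user input into the statement text, beside the parameterized version. The users table, the credentials and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the demo (the page names no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_spliced(conn, name, password):
    """Condition 1: the caller controls name/password.
    Condition 2: both are spliced into the statement text, so quotes and
    keywords inside the input become part of the SQL the database executes."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """The statement structure is fixed; values travel as bound parameters,
    so the database never parses user input as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    universal = "' OR '1'='1"  # the "universal password" pattern from the harm list
    # Spliced: the WHERE clause becomes a tautology and a row comes back -> True
    print("spliced:", login_spliced(db, "nobody", universal))
    # Parameterized: the same string is compared as a literal password -> False
    print("parameterized:", login_parameterized(db, "nobody", universal))
```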
Harm
1. Bypassing login authentication: using a "universal password" to log in to the website's back office, etc.
2. Obtaining sensitive data: the website administrator's account and password, etc.
3. File system operations: listing, reading and writing files, etc.
4. Registry operations: reading, writing and deleting registry keys, etc.
5. Executing system commands: remote command execution.
How to judge whether an HTTP request is vulnerable to SQL injection
Classic: and 1=1 | and 2>1 | or 1=1
Database functions: and sleep(4)=1 | and length(user())>3
Special symbols: single quotation mark ' and double quotation mark "
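As an added defensive example (not from the original post), the probe strings listed above turned into detection rules and run over a few constructed access-log lines. The combined log format, the IP addresses and the function names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the probes listed above, matched against URL-decoded parameter values.
PROBES = {
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*[=<>]\s*\d+", re.I),  # and 1=1, and 2>1, or 1=1
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),  # and sleep(4)=1
    "db_function": re.compile(r"\b(length|user|version|database)\s*\(", re.I),  # length(user())
    "quote": re.compile(r"['\"]"),  # noisy alone (O'Brien); strongest when paired with a 5xx status
}

# Combined log format assumed for the constructed sample: client, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines: one normal request, then the probe patterns from the page.
LOG_LINES = [
    '10.0.0.5 - - [28/Jul/2022:08:42:00 +0800] "GET /page.php?id=10 HTTP/1.1" 200 512',
    '10.0.0.7 - - [28/Jul/2022:08:42:01 +0800] "GET /page.php?id=10%20and%201%3D1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [28/Jul/2022:08:42:02 +0800] "GET /page.php?id=10%27 HTTP/1.1" 500 0',
    '10.0.0.9 - - [28/Jul/2022:08:42:03 +0800] "GET /page.php?id=10+and+sleep(4)%3D1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Jul/2022:08:42:04 +0800] "GET /page.php?id=10%20and%20length(user())%3E3 HTTP/1.1" 200 512',
]


def classify_params(url):
    """Return {param: [probe kinds]} for each query parameter whose decoded value matches a probe."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kinds = [kind for kind, rx in PROBES.items() if rx.search(value)]
        if kinds:
            hits[name] = kinds
    return hits


def scan_log(lines):
    """Return (client, url, status, hits) for every parsable line that carries a probe."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _method, url, status = m.groups()
        hits = classify_params(url)
        if hits:
            flagged.append((client, url, int(status), hits))
    return flagged


if __name__ == "__main__":
    for client, url, status, hits in scan_log(LOG_LINES):
        print(client, status, url, hits)
```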
SQL injection classification
Injection types:
1. SQL injection
The attacker inserts SQL commands into a web form's input field or into the query string of a page request, tricking the database server into executing malicious SQL commands.
2. Command injection
The back end does not filter out malicious data, and the data is executed as a system command.
3. Code injection
Usually appears where certain functions are used unsafely (for example file inclusion and deserialization vulnerabilities).
4. LDAP injection
LDAP: Lightweight Directory Access Protocol.
Used to access directory services; commonly used for Active Directory and enterprise management directories.
Input submitted by the user is inserted into an LDAP search filter without validation; by submitting specially crafted input the attacker modifies the structure of the filter in order to retrieve data or perform unauthorized operations.
5. XML injection
XXE vulnerability: when external entities are referenced, constructing malicious content can cause arbitrary file reading, system command execution, probing of intranet ports, attacks on intranet sites and other harm.
XPath injection: similar to SQL injection; the XPath parser itself does not strictly restrict the content submitted through the URL or the form, so malicious code can be parsed and executed directly.
6. JSON injection
JSON is a lightweight data exchange format; JSON injection mainly injects special characters into JSON, causing parsing to fail.
Numeric injection
Test method
Character-type injection requires a single or double quotation mark to close the string, so quotation marks are used to test for it.
Search injection
SQL injection process
Automated injection tools
(1) SQL injection tools
SQLmap, Havij, Sqlid
(2) ASP/JSP injection tools
NBSI, Ah-D (啊D) injection tool, Mingxiaozi (明小子) injection tool
(3) PHP injection tools
Pangolin injection tool, Haiyang Dingduan (海洋顶端) injection tool
Commonly used SQL injection tools
BSQL Hacker, The Mole, Pangolin, Sqlmap, Havij, Safe3 SQL Injector, SQL Poizon
Manual injection process
(1) Determine whether an injection point exists
(2) Determine the field length (the number of columns in the query)
(3) Determine which fields are echoed on the page
(4) Determine the database information
(5) Find the database name and the database tables
(6) Find all fields and field values in the database tables
(7) Guess the account password and log in to the administrator back office
Finding SQL injection points
GET method
POST method
Both of the above can be tested with Burp or with the browser plug-in HackBar.
Other injection point data: Cookie, Host, User-Agent
Summary: as long as the back end receives data input from the front end, does not filter it, and finally passes it straight into the database, a threat exists.
SQLmap introduction
sqlmap is an automated SQL injection tool whose main function is to scan, discover and exploit SQL injection vulnerabilities in a given URL.
What SQLmap does
1. Determine which parameters are injectable
2. Determine which SQL injection modes can be used
3. Identify which database is in use
4. Read whatever data the user chooses
Five injection modes
1. Boolean-based blind injection: whether the injected condition is true or false is judged from the returned page.
2. Time-based blind injection: nothing can be judged from the page content, so a conditional statement is used to check whether a time-delay statement was executed (that is, whether the page response time increases).
3. Error-based injection: the page returns an error message, or returns the result of the injected statement directly on the page.
4. UNION query injection: situations where a UNION can be used for injection.
5. Stacked query injection: injection where multiple statements can be executed at the same time.
SQLmap installation
Official website:
sqlmap: automatic SQL injection and database takeover tool
GitHub:
https://github.com/sqlmapproject/sqlmap
PS: a Python 2.7 environment needs to be configured before installation.
SQLmap parameters
How to specify the target
-m: read the saved URLs from a file and test them
-r: read the HTTP request from a text file
-g: test the GET parameters of Google search results for injection
-l: read the log from a Burp or WebScarab proxy
-u: enter the target URL directly
How to request the target
--data: submit the data by POST
--param-del: the character that separates GET or POST parameters, when it is not &
--cookie, --load-cookies, --drop-set-cookie: set up cookies
--referer: forge the HTTP Referer
--headers: add extra HTTP headers
--timeout: set the timeout
--retries: set the number of retries
Injection test parameters:
--level: there are seven detection levels; the default is 1
--risk: there are four risk levels; the default is 1
Injection technique parameters:
--technique: specify the detection technique sqlmap uses (mostly used for blind injection)
--time-sec: set the delay time for time-based injection
--union-cols: set the number of columns for UNION queries
--second-order: set the URL for second-order injection
Data enumeration parameters
-b, --banner: list the version number
--current-db: return the database currently in use
--users: list all database management users
--passwords: list and crack the database users' password hashes
--privileges: list the database administrators' privileges
Detect a WAF:
--check-waf
Bypass a WAF:
sqlmap contains a tamper directory holding WAF-bypass scripts, such as base64encode.py, between.py and greatest.py
Common usage:
Current database:
sqlmap -u http://xxx/page.php?id=10 --current-db
Dump table names:
sqlmap -u http://xxx/page.php?id=10 -D <database name> --tables
Dump column names:
sqlmap -u http://xxx/page.php?id=10 -D <database name> -T <table name> --columns
SQLmap plug-in (tamper script) usage:
Example:
sqlmap.py -u "http://xxx/sqlmap/mysql/grt_int.php?id=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
Analysis of SQLmap's detection principle
SQLmap's preliminary requests before testing
While detecting an injection point, SQLmap first sends a series of preliminary requests, each with its own request logic:
Network connectivity detection, WAF detection, page stability detection, parameter dynamics detection and heuristic injection detection: the purpose is to find out whether the parameter is dynamic and whether it is a possible injection point.
False-positive detection: in Boolean-based blind injection, response similarity analysis is used to decide whether an injection point exists; in time-based blind injection, a Gaussian algorithm is used for the same decision. Both methods can produce false positives, so sqlmap introduces a false-positive detection mechanism.
Response similarity comparison
Throughout SQLmap's detection process there is a notion of the "original response": during the website connectivity check, if the website responds successfully, that response is defined as the original response.
In SQLmap the original response is the object of comparison: after each request is responded to successfully, the response is compared with the original response and a comparison result is produced.
An algorithm output of True means the current response is similar to the original response; an output of False means the current response is not similar to the original response.