In many cases, when intruders use injection tools, they find that the tool cannot work out the table names and field names. That is because every tool carries its own dictionary of table names and field names; if the administrator has changed the table and field names to values that are not in that dictionary, the tool will be unable to guess them. In the following article, we start by analysing manual injection and use that to build a line of defence against SQL injection.
The intruder will construct a simple judgment condition to determine whether the page has an injection vulnerability. The general steps are as follows:
The page to be detected here is http://127.0.0.1/111/view.asp?id=198
1. To inject a site manually, the intruder must first configure the browser so that error messages are returned during the manual injection. The steps are as follows:
Right-click the browser icon and select "Properties", then select the "Advanced" tab in the dialog box that appears. As shown below:
Figure 1
Then clear the checkbox in front of "Show friendly HTTP error messages" and finally click the "Apply" button.
2. The intruder submits the following URL to the browser:
http://127.0.0.1/111/view.asp?id=198 and 1=1
If there is a SQL injection vulnerability, the condition is passed through to the database. 1=1 is always true, so it is effectively ignored and a normal page is returned. This page is the same as http://127.0.0.1/111/view.asp?id=198 . At this point the intruder judges that the site is probably injectable. If an error message is returned instead, a less experienced intruder may give up on the site.
3. The intruder further submits the following URL to the browser:
http://127.0.0.1/111/view.asp?id=198 and 1=2
1=2 is always false. If the site passes the condition through to the database query, it will probably return information like that shown in the figure below:
Figure 2
Generally, if the intruder sees the result shown in the figure above, it is almost certain that a SQL injection attack against this site is possible.
In many cases, however, an intruder can determine even more quickly whether the target site has a SQL injection vulnerability by using a single quote, submitting the following URL to the browser:
http://127.0.0.1/111/view.asp?id=198'
If the following information is returned, there is a better than even chance that an injection vulnerability exists:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id =1'. /list.asp, line 50
4. At this time, the intruder begins to construct a special SQL query statement to query the table name of the site database, and submits the following statement to the URL:
http://127.0.0.1/111/view.asp?id=198 and exists(select * from admin)
This statement queries the database to see if the admin table exists. If it exists, a normal page will be returned. If the table does not exist, an error page will be returned. Generally, intruders will first test commonly used table names, which are also table names and field names that exist in the password dictionary of general injection tools. If the table name is not among the commonly used table names, the intruder will use social engineering to guess the table name. In this case, the intruder has a low chance of guessing the table name.
5. After getting the table name, the intruder starts to construct a query statement to query the database field name, and submits the following statement to the URL:
http://127.0.0.1/111/view.asp?id=198 and exists(select user from admin)
This statement queries whether the user field exists in the admin table of the database. If it exists, a normal page will be returned. If it does not exist, an error page will be returned.
6. Next, the intruder begins to determine the value of the id field, and constructs the following statement to query the value of id: http://127.0.0.1/111/view.asp?id=198 and exists(select id from admin where id=1)
If the condition is correct the normal page is returned, and if it is incorrect the error page is returned.
7. Having guessed the table name and field name, the intruder begins to construct a query statement to guess the length of the administrator account, and submits the following statement to the URL:
http://127.0.0.1/111/view.asp?id=198 and exists(select id from admin where len(user)<6 and id=1)
This statement queries the length range of the user name in the user field, here whether the length is less than 6. If it is correct, the normal page is returned; if it is wrong, the error page is returned.
Narrow the scope, and then construct the following statement to determine the specific length of the user name:
http://127.0.0.1/111/view.asp?id=198 and exists(select id from admin where len(user)=5 and id=1)
If the condition is correct, the normal page is returned; if it is wrong, the error page is returned.
8. Next, the intruder enters the final step to construct a statement to query the administrator's user name, and submits the following statement to the URL: http://127.0.0.1/111/view.asp?id=198 and exists(select count(*) from admin where left(user,1)='a')
This statement guesses the user name from its left-hand side, testing whether the first character is a. If it is correct, the normal page is returned; if it is wrong, the error page is returned. The characters are guessed one by one: for the second position the statement is modified to left(user,2)='ad', and so on.
After the intruder obtains the username and password, the injection is nearing completion.
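Every probe in the walkthrough above leaves a distinctive request in the web server's access log, and the key signal is the pair of requests that differ only in `and 1=1` versus `and 1=2` returning different responses. The following detector is an added example, not code from the original article; the log lines it scans are constructed to mirror the probes described above, and the Apache-style log format is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample access-log lines (not from the original article). The
# request paths mirror the probes described in the walkthrough; status 500
# stands in for the "error page" the article mentions.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /111/view.asp?id=198 HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /111/view.asp?id=198%20and%201=1 HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /111/view.asp?id=198%20and%201=2 HTTP/1.1" 500 612
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /111/view.asp?id=198' HTTP/1.1" 500 640
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /111/view.asp?id=198%20and%20exists(select%20*%20from%20admin) HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /111/view.asp?id=198%20and%20exists(select%20id%20from%20admin%20where%20len(user)<6%20and%20id=1) HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:10:00:07 +0000] "GET /111/view.asp?id=198%20and%20exists(select%20count(*)%20from%20admin%20where%20left(user,1)='a') HTTP/1.1" 200 5120
127.0.0.1 - - [01/Jan/2024:10:00:08 +0000] "GET /111/view.asp?id=199 HTTP/1.1" 200 5130
"""

# Common log format (assumed): ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# One pattern per probe type from the walkthrough, applied to the decoded
# value of each query parameter (not to the raw URL).
PROBE_PATTERNS = [
    ("boolean-true", re.compile(r"\band\s+1\s*=\s*1\b", re.I)),
    ("boolean-false", re.compile(r"\band\s+1\s*=\s*2\b", re.I)),
    ("stray-quote", re.compile(r"^\d+'\s*$")),
    ("exists-select", re.compile(r"exists\s*\(\s*select\b", re.I)),
    ("length-probe", re.compile(r"\blen\s*\(", re.I)),
    ("char-probe", re.compile(r"\bleft\s*\(", re.I)),
]


def classify_value(value):
    """Return the labels of every probe pattern matched by one parameter value."""
    return [label for label, rx in PROBE_PATTERNS if rx.search(value)]


def scan_log(text):
    """Parse log lines and return (ip, path, status, labels) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        labels = []
        # parse_qsl percent-decodes the values, so "%20and%201=1" becomes " and 1=1"
        for _, value in parse_qsl(url.query, keep_blank_values=True):
            labels.extend(classify_value(value))
        if labels:
            hits.append((m.group("ip"), url.path, int(m.group("status")), labels))
    return hits


def boolean_pairs(hits):
    """(ip, path) pairs that received both the always-true and always-false probe.

    This is the differential the walkthrough relies on, and on its own it is a
    strong indicator of blind injection probing regardless of response codes.
    """
    seen = {}
    for ip, path, status, labels in hits:
        for label in labels:
            if label in ("boolean-true", "boolean-false"):
                seen.setdefault((ip, path), {})[label] = status
    wanted = {"boolean-true", "boolean-false"}
    return sorted(key for key, statuses in seen.items() if wanted <= statuses.keys())


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("boolean pairs:", boolean_pairs(scan_log(SAMPLE_LOG)))
```

Matching on the decoded parameter value rather than the raw request line avoids false negatives when the probe is percent-encoded, and `boolean_pairs` groups by source address and path so that a single true/false pair stands out even when each request looks harmless in isolation.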
As for prevention, the method is very simple. From the process above we can see that if the table name and field name are not among the commonly used ones, the intruder has to guess them by social engineering; if the administrator has changed the table and field names to something complex enough, the intruder will have a hard time guessing them. If that is still not enough, another simple defence is to download anti-injection patches from the Internet and apply them. This method modifies the site files and adds filtering statements that filter what the intruder submits, so as to prevent injection. I won't explain its principle here.
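The article's view.asp works by splicing the id parameter into the SQL text, which is why every probe above reaches the database. The example below is added here and is not code from the article or its site; it uses Python and an in-memory SQLite database as a stand-in for the ASP/Access page (both the schema and the data are constructed) to show the vulnerable form beside the two fixes that stop the probes regardless of how the tables are named: binding the value as a parameter, and validating that id is a plain integer before it is used.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the site's database (not the article's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, user TEXT, pass TEXT);
        INSERT INTO article VALUES (198, 'Hello');
        INSERT INTO admin VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn


def view_vulnerable(conn, raw_id):
    """Mirrors view.asp as the walkthrough describes it: raw_id is spliced into the SQL.

    "198 and 1=1" returns the article, "198 and 1=2" returns nothing, and
    "198 and exists(select * from admin)" answers whether the admin table exists.
    """
    sql = "SELECT title FROM article WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def view_parameterized(conn, raw_id):
    """Fix 1: bind the value instead of concatenating it.

    The whole string is compared as one value, so "198 and 1=1" is simply a
    non-matching id rather than a condition the database evaluates.
    """
    sql = "SELECT title FROM article WHERE id=?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def view_fixed(conn, raw_id):
    """Fix 2 on top of fix 1: reject anything that is not a plain integer.

    Raises ValueError for probe input, so the handler can return a generic
    error without ever running a query for it.
    """
    if not raw_id.isdigit():
        raise ValueError("invalid id")
    sql = "SELECT title FROM article WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def is_rejected(conn, raw_id):
    """True if the hardened handler refuses raw_id before querying."""
    try:
        view_fixed(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for probe in ("198", "198 and 1=1", "198 and 1=2", "198 and exists(select * from admin)"):
        print(repr(probe), "vulnerable:", view_vulnerable(db, probe),
              "parameterized:", view_parameterized(db, probe),
              "rejected by validation:", is_rejected(db, probe))
```

Parameter binding alone already defeats the probes, because the database never parses the submitted text as SQL; the integer check is still worth adding so that malformed ids are turned away at the edge and never produce the error pages the walkthrough depends on.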