SQL injection Tianshu ASP injection vulnerability full contact
with the development of b/s mode application development, more and more programmers use this mode to write applications. However, due to the low entry threshold of this industry, the level and experience of programmers are also uneven. A large number of programmers do not judge the legitimacy of user input data when writing code, so that there are security risks in the application. The user can submit a piece of database query code and obtain some data he wants to know according to the results returned by the program. This is the so-called sqlinjection, that is, SQL injection
sql injection is accessed from the normal www port, and it seems to be no different from general web page access, so currently the firewall on the market will not alarm SQL injection. If the administrator does not have the habit of viewing IIS logs, he may not be detected for a long time
however, the SQL injection method is quite flexible, and many unexpected situations will be encountered during the injection. Whether we can analyze according to the specific situation and construct ingenious SQL statements to successfully obtain the desired data is the fundamental difference between a master and a "rookie"
according to the national conditions, domestic station asp+access or sqlserver accounts for more than 70%, php+mysq accounts for L20%, and others are less than 10%. In this article, we will explain the methods and skills of ASP injection from the basic level, advanced level to advanced level. The article on PHP injection was written by Zwell, another friend of Nb alliance, hoping to be useful to security workers and programmers. If you know about ASP injection, please don't skip the introductory chapter, because some people still have misunderstandings about the basic judgment method of injection. Are you ready? Let’s Go...
if you haven't tried SQL injection before, the first step is to remove the tick in front of IE menu => tools =>internet options => Advanced => display friendly HTTP error messages. Otherwise, no matter what error the server returns, ie will only display HTTP 500 server error, and no more prompt information can be obtained
section 1, SQL injection principle
let's start with a station (Note: This article has been approved by the station's webmaster before publication, and most of it is real data)
on the home page of the station, there is a link named "multiple solutions for ie not being able to open new windows". The address is:, we put a single quotation mark after this address ", and the server will return the following error prompt:
Microsoft Jet database engine error '80040e14'
the syntax error of the string is in the query expression 'id=49'
/p, line 8
from this error prompt, we can see the following points:
1 The station uses access database, which is connected to the database through jet engine, rather than ODBC
2. The program does not judge whether the data submitted by the client meets the program requirements
3. The table queried by this SQL statement has a field named ID
from the above example, we can know that the principle of SQL injection is to submit special code from the client to collect program and server information, so as to obtain the information you want
section 2: judge whether SQL injection can be performed
after reading section 1, some people will think: I often test whether SQL injection can be performed in this way, isn't it very simple
in fact, this is not the best way. Why
first of all, the IIS of each server does not necessarily return specific error prompts to the client. If statements such as cint (parameter) are added to the program, SQL injection will not succeed, but the server will also report an error. The specific prompt message is an error on the server when processing the URL. Please contact the system administrator
secondly, some programmers who have a little knowledge of SQL injection believe that it is safe to filter out the single quotation marks. This is not a rare case. If you test with single quotation marks, you cannot detect the injection point
then, what kind of test method is more accurate? The answer is as follows:
②; and 1=1
③ ; And 1=2
this is the classic 1=1, 1=2 test method. How to judge? Look at the results returned by the above three addresses:
performance that can be injected:
① normal display (this is inevitable, otherwise the program is wrong)
② normal display, the content is basically the same as ①
③ prompt BOF or EOF (when the program does not make any judgment), or prompt that the record cannot be found (when f is judged) Or the display content is empty (the program adds on error resume next)
it is easier to judge if it cannot be injected. ① it is also displayed normally, ② and ③ will generally have error prompts defined by the program, or errors in prompt type conversion
of course, this is only the judgment method used when the incoming parameters are numeric. In practical application, there will be character type and search type parameters. I will analyze them in the "general steps of SQL Injection" in the intermediate chapter
section 3, judge the database type and injection method
the functions and injection methods of different databases are different, so we need to judge the type of database before injection. Generally, the most commonly used databases for ASP are access and sqlserver, and more than 99% of the stations on are one of them
how can the program tell you what database it uses? Let's take a look:
sqlserver has some system variables. If the server IIS prompt is not turned off and sqlserver returns an error prompt, you can get it directly from the error message. The method is as follows:
http://www.mytest.com/showdetail.asp?id=49 ; And user>0
this sentence is very simple, but it contains the essence of sqlserver's unique injection method. I also found this highly efficient guessing method in an unintentional test. Let me see its meaning: first of all, the previous statement is normal, and the focus is on and user>0. We know that user is a built-in variable of sqlserver, and its value is the user name of the current connection, and its type is nvarchar. Compare the value of nvarchar with the number 0 of int, and the system will first try to convert the value of nvarchar into int type. Of course, there will be errors in the process of conversion. The error prompt of sqlserver is: there is a syntax error when converting the nvarchar value "ABC" to a column with data type of int. hehe, ABC is the value of the variable user, so you can get the user name of the database without any effort. In the following pages, you will see many sentences using this method
by the way, as we all know, sqlserver user SA is a role equivalent to adminstrators' permission. If you get SA permission, you can almost certainly get the administrator of the host. The above method can easily test whether to log in with SA. Note that if it is sa login, the prompt is that there is an error in converting "dbo" to int column, not "Sa"
how to judge the database type if the server IIS does not allow error prompts? We can start with the differences between access and sqlserver. Both access and sqlserver have their own system tables, such as the tables that store all objects in the database. ACC pairs can reduce the weight. ESS is in the system table [msysobjects], but reading this table in the web environment will prompt "no permission". Sqlserver is in the table [sysobjects], which can be read normally in the web environment
in the case of confirming that injection is possible, use the following statement:
; and (select count(*)
; And (select count (*)
if the database is sqlserver, the page of the first address is roughly the same as the original page; The second address, because the table msysobjects cannot be found, will prompt an error. Even if the program has fault-tolerant processing, the page is completely different from the original page
if the database uses access, the situation is different. The page of the first address is completely different from the original page; The second address depends on whether the database setting allows reading the system table. Generally speaking, it is not allowed, so it is completely different from the original address. In most cases, the first address can be used to know the database type used by the system, and the second address is only used for verification when IIS error prompt is turned on
in the introductory chapter, we learned the judgment method of SQL injection, but it is far from enough to get the confidential content of the station. Next, we will continue to learn how to get the content we want from the database. First, let's look at the general steps of SQL injection:
section 1, general steps of SQL injection
first, judge the environment, find the injection point, and judge the database type, which has been mentioned in the introductory chapter
secondly, according to the type of injected parameters, reconstruct the original appearance of the SQL statement in your mind. According to the parameter type, it is mainly divided into the following three types:
(a) id=49. The injected parameters are numeric, and the original appearance of the SQL statement is roughly as follows:
select * from table name where field =49
the injected parameters are id=49 and [query condition], That is, the generated statement:
select * from table name where field =49 and [query criteria]
select * from table name where field = 'series'
the injected parameters are>
select * from table name where field =' series' and [query criteria] and '='
if the parameters are not filtered during search, such as keyword= keyword, The original appearance of the SQL statement is roughly as follows:
select * from table name where field like '% keyword%'
the injected parameters are keyword= 'and [query condition] and'%25 '=', that is, the generated statement:
select * from table name where field like '%' and [query condition] and '% ='% '
then, replace the query condition with SQL statement to guess the table name, For example:
id=49 and (select count (*) from admin)>=0
if the page is the same as id=49, it indicates that the additional condition is true, that is, the table admin exists, otherwise, it does not exist (please keep this method in mind). This cycle continues until the table name is guessed
after guessing the table name, replace count (*) with count (field name), and guess the field name with the same principle
some people will say: there are some accidental elements here. If the table name is very complex and irregular, there is no need to play at all. It's true that there is no 100% successful hacker technology in this world. Flies don't bite seamless eggs. No matter how sophisticated the technology is, hackers can only start because others' programs are not tightly written or users can choose to use security awareness is not enough
a little digressive. In other words, there is still a way for the program to tell us the table name and field name for the sqlserver library, which will be introduced in the advanced chapter
finally, after the table name and column name are guessed successfully, use SQL statements to get the value of the field. Here is a most commonly used method - ASCII word for word decoding method. Although this method is very slow, it is certainly a feasible method
for example, we know that there is a username field in the table admin. First, we take the first record and test the length:
; And (select top 1
len (username) from admin)>0
explain the principle first: if the username length of top 1 is greater than 0, the condition is true; Then there are>1,>2,>3. Keep testing like this