It has been more than half a year since I contacted sqli (SQL injection), which is a huge field. Every time I think I've understood something, something new will come out. I need to learn again. I'm not efficient and have a lot of work. And with the expansion of knowledge system, many things will gradually forget. Therefore, the idea of writing a mind map came into being to sort out your own ideas and prevent forgetting. Second, as a sophomore, I hope my younger and younger students can learn faster in this respect. I hope that my work will help the building of sqli and consolidate its foundation~
Sqli has a wide range of fields. From the perspective of programming language, PHP, Java, python, C ා From the perspective of database type, mysql, MSSQL, Oracle, PostgreSQL If you add Apache or IIS or other subtle differences in the response layer, it's a lifetime's work. But the good news is that there are only subtle differences between them in most cases (except for OOB and weight raising). Learning by analogy, the workload will be much smaller. This paper will be based on MySQL PHP, with mind map as the main line, introduce the strange knowledge points in the map, and also introduce some practical CTF exercises for your experiment.
The MySQL + PHP environment is very simple to build. Use phpstudy
http://www.phpstudy.net/a.php/211.html
OK, that's one of the reasons why I choose MySQL + PHP.
After being familiar with the knowledge points in the map, you can borrow sqli lab and redtiger:
https://redtiger.labs.overthewire.org/
Haking-lab:
http://hackinglab.cn/
These three sets of online sqli exercises introduce the practice and consolidation of relevant knowledge points.
The files involved in this article can be found on this network disk:
http://pan.baidu.com/s/1gfOSowF
If you have any questions about the content of the article or find any loose points, please contact me (click to read the original to enter my blog) and hope to discuss with you.
The right way to open sqli mind map
Due to the size of the picture, please visit the following address:
Sqli injection mind map
http://104.194.90.209:2501/tmp_picture/Sum_SQLi.png
The unsociable skill in the guide map
From top to bottom, this part explains the relatively remote knowledge points in the map.
Sqli is generated because the program does not fully filter the input, which causes the attacker to manipulate the input to exploit the code.
General Union query
The most basic and fundamental way to use it is to get the data in the database. From the top of the mind map, first of all, union brings back the normal process of query. With the expansion of knowledge, the application means will be more and more diverse. In this part, you can use sqli labs to train. The source code and the answer (MySQL injected into the heavenly book) have been put into the online disk. You can take them by yourself if you need them. There are many and complete questions in it. "MySQL injection" also explains the basic knowledge. You can brush it several times and consolidate it.
Six error reporting grammars and principles
Then there is the introduction of the principle and syntax of the error reporting function. Only when you know the principle can you use it flexibly. There are 6 functions that I have encountered that will lead to the error reporting. One more method may lead to another unexpected solution in the CTF competition. Sqli labs has a special error reporting gate, the sixth gate of hacking Lab
http://hackinglab.cn/ShowQues.php?type=sqlinject
It's also error reporting injection. You can practice it.
Show & describe unconventional injection
Next, the show & desc part is a clever gesture, which uses error reporting to get data in unconventional show or describe statements.
Post a good place to view official documents
http://devdocs.io/
Of course, Google + official website is the hard truth.
String comparison without function in blind annotation
In the subsequent sqli, when the 'ABC','abd 'is true, it should be noted that when the string truncation function is disabled (common when typing CTF), strings can be directly compared, but the comparison between letters is based on alphabetic order rather than ASCII code, which will result in that the final output data of blind script is not case sensitive. The comparison between alphabetic and non alphabetic characters is based on ASCII code, so the upper and lower case of letters can be determined by a non alphabetic character in 0x5b-0x60.
'abc'>'abd' 为TRUE
Boolean blind annotation is similar to time blind annotation, and there is no special supplement.
The next part of string operation is purely to bypass some blacklists. CTF is more useful, and several commonly used real-world environments are enough.
Digital operation utilization
In the test injection part, some test statements are pasted. Attention should be paid to the '3-2' test vector in number. If you enter 3-2 when transferring parameters and then echo the page with id = 1, it indicates that there is a vulnerability there, and at least you can obtain data through blind annotation.
For example, if you enter 1 - (if (user() = = root @ localhost '), 1,0) -- + if the returned page is id = 1, then the following statement is judged to be false. If the page is id = 0, then the judgment is true, which has a blind injection vulnerability. You can continue testing and inject with tools or scripts according to the test results.
1-(IF(user()='[email protected]'),1,0)--+
Annotator bypass
Continue to the MySQL annotator section, which has two points to note. First, '/ *! 50000or * / 1 = 1 and' / *! Or * / 1 = 1 are used to bypass WAF. Second, filter the annotator -- space. Because some blacklists (especially in CTF topics) use regular when filtering -- spaces as annotators, but regular is easy to be lax, such as filtering -- spaces and --% 20 (PS: URL encoding of spaces), but --% A0 (PS: newline) can still bypass filtering and be used as annotators. So when testing -- the space annotator, as long as -- it's not filtered, there's probably a way around it.
' /*!50000or*/1='1
' /*!or*/1='1
Information collection vector
Continue down, in the "version & host name & User & Library name & database path & MAC address" section, collect some global variable names in mysql, you can get some sensitive information required by penetration test, and you need to pay attention to the /! MySQL version number / form to get MySQL version number. When the injection statement is select * from users limit 1, {injection point}; in this form, you can insert such as /! 50717 / at the injection point. If the version number is less than 5.7.17, it will return true, so you can judge the version number.
SELECT * FROM Users limit 1,{INJECTION POINT};
Oceduer analysis syntax explosion column, table name
Continue down. In the column name and table name section, in addition to the more conventional Union, error reporting and blind annotation methods, you can also use the procedure analysis syntax.
Limit usage can be tested by yourself. The fourth pass of hacking-lab
http://hackinglab.cn/ShowQues.php?type=sqlinject
All library, table and column names will be popped out at one time
In addition, I found a very NB injection vector:
All library, table and column names can be popped out at one time
Check the source code and see [library name] > table name > column name, which is displayed neatly~
Document operation notice
Continue down, starting with the file operation, and you're going to have to deal with the advanced use of sqli. First of all, query whether the user has the permission of file operation. There are three query methods. If the secure file priv variable is empty, the function can be used directly. If it is null, the function cannot be used. However, the version before MySQL 5.5.53 is empty by default, and the later version is null by default. If the user used by the injection point has file operation permission, it will be very dangerous.
First of all, the user can use the loadfile() function to get any file information, and even use the hex() and unhex() functions to get all the data of the application program (binary file) on the server. “select …… The statement "into outfile 'path'" can write a Trojan horse to the server, "select Into dumpfile 'path' can be written directly to binary files, so as to write unsafe plug-ins to the server, so as to carry out power lifting and other illegal operations.
Basically, the injection point with file operation permission is not far from the whole server group~
OOB channel leakage injection
Further down is OOB (out of band channel attack), which is to transmit data in an unconventional way. You also need the secure file priv permission. For MySQL, there are two main out of band transmission modes: DNS (domain name leakage) and SMB. This kind of technology is difficult to understand conceptually, but it is a very powerful technology after mastering. In addition to bypassing WAF to bring out data, it can also be combined with XSS vulnerability for more harmful attacks. There is an article on the safe guest
http://bobao.360.cn/learning/detail/3458.html
The introduction is quite detailed, and there is also a reproduction course, which can be learned in a wave~
Pop the current SQL statement
Continue down, there is a powerful but never mentioned knowledge point, which can pop out the current query statement: select group concat (info) from information schema.processlist will pop out the injection statement, then you can better find a way to construct the query statement, even when column name and other column name keywords are filtered, directly find out the sensitive column names.
SELECT group_concat(info) FROM information_schema.processlist
Continue down is stack injection. If the injection point can perform stack injection, you can use semicolon to end the previous statement and open a new statement, like this: select * from users where id = 1 and 1 = 0; insert into users (username, password, priv) values ('bobbytables', 'kl20da $$','admin '); If the injection can be stacked, there will be more ways to exploit the vulnerability, such as adding admin user in the previous statement. Or get rid of the grammar limitation of the original sentence and inject a new sentence for file operation. There are many old articles, including "SQL injection attack and defense", which say PHP MySQL is not allowed, but after testing, there is still a way to stack injection. For PHP MySQL, stack injection can be used interactively with database through PDO MySQL and mysqli, but not through MySQL query.
SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTO Users(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin');
Power raising
UDF raise power
https://hack0nair.me/2013-05-01-udf-privilege-escalating-on-mysql/
It's a normal way of lifting permissions for MySQL. When hacker can upload files and execute them in other ways, he can modify the permissions of known users through lifting permissions, so as to "get rid of pants".
bypass
Continue down are some of the bypass positions used to bypass some of the WAFS.
Wide byte injection
Wide byte injection can take advantage of the characteristics of wide byte to eat the escape backslash in the case of web application escaping single quotation mark. This feature, like the following character encoding bypass techniques, has been introduced in detail, and will not be covered here. Wide byte injection detail gate
http://drops.blbana.cc/2016/12/05/Mysql%E5%AE%BD%E5%AD%97%E8%8A%82%E6%B3%A8%E5%85%A5/
Character encoding bypass technique
Character encoding bypassing techniques detailed explanation of the portal
https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html
Bypass space filtering
Bypassing the space part, the special characters are separated by |, similar to% 09, the percentage sign plus the hex of ASCII code. And the space after the and operator can be bypassed by some special character combinations, such as those mentioned in the map
The characters that can be combined are +, -, ~,! @. Whether it can act as a space is related to the selected characters and the parity of the number of characters. Interested friends can test it by themselves.
Encoding bypassing
Continue down, code around, not all cases apply, depending on the code. Illegal hexadecimal means that the web application attempts to decode the URL of the following characters after% is detected. Normally, the following two characters should be (0-F). If there is a character larger than f, it is illegal. The parsing is stopped, the percentage sign is removed, and the sensitive keyword is restored.
Bypass the comma
Continue down, bypass comma is a common knowledge point in CTF, you can inject without reference to comma in case of echo. Mid ('abc 'from 1 for 1) is very useful in disallowing blind annotations of commas. Limit 1 offset 0 can be used to bypass commas in limit 0,1
The following overflow area bypass means that some web applications will intercept user input and execute in sections. At this time, the number of intercepted digits can be used to bypass keyword detection.
The second parameter of MD5 brings security problems
Next [MD5 second parameter
http://cvk.posthaven.com/sql-injection-with-raw-md5-hashes
Binding sqli
http://bobao.360.cn/learning/detail/3357.html
Type conversion
http://bobao.360.cn/learning/detail/3804.html)
There have been more detailed articles.
At this point, the introduction of some intuitively difficult points in mind map is over, and other points are equally important. Just look at the map directly and you can know what it means, so there is no nonsense.