web learning record of CTF -- advanced SQL injection

summary

  This part covers the advanced side of SQL injection and introduces further injection techniques.

Time injection attack

   The scenario for a time-based injection attack is, as with boolean-based injection, a server that returns nothing about the result of the query. Boolean injection infers database information from true/false responses; time-based injection instead uses functions such as sleep() or benchmark() to lengthen the database operation, so that the response delay tells whether the injected condition was true.

# Judge the length of the database name
# if(condition, <true: select sleep(5)>, <false: select 1>)
if(length(database())>4, sleep(5), 1)

# Judge the database name character by character
if(substr(database(), 1, 1)="d", sleep(5), 1)
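From the defender's side, the signature of the technique above is a client whose requests carry a delay primitive and whose response times split into "slow" and "fast" depending on the condition. The following detector is an added example (not code from the page): it parses constructed access-log lines, URL-decodes the query string, counts sleep()/benchmark() occurrences and slow responses per client, and flags only clients that actually sent a delay primitive, so a merely slow report page is not mistaken for an attack. The log format and the threshold of 3 seconds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the page): client, request line, response time in seconds.
LOG_LINES = [
    '10.0.0.5 "GET /item.php?id=1 HTTP/1.1" 0.012',
    '10.0.0.5 "GET /item.php?id=2 HTTP/1.1" 0.011',
    '10.0.0.9 "GET /item.php?id=1%20and%20if(length(database())%3E4,sleep(5),1) HTTP/1.1" 5.021',
    '10.0.0.9 "GET /item.php?id=1%20and%20if(substr(database(),1,1)%3D%22d%22,sleep(5),1) HTTP/1.1" 5.018',
    '10.0.0.9 "GET /item.php?id=1%20and%20if(substr(database(),1,1)%3D%22e%22,sleep(5),1) HTTP/1.1" 0.013',
    '10.0.0.7 "GET /report.php?range=month HTTP/1.1" 4.800',
]

# Assumed log format: client, quoted request line, latency in seconds.
LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" ([\d.]+)$')
# The delay primitives named on the page; whitespace before the parenthesis is tolerated.
TIME_PRIMITIVE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)


def parse_line(line):
    """Return (client, path, decoded query string, latency) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, latency = m.groups()
    parts = urlsplit(target)
    # Decode %20, %3E, %22 etc. so the regex sees what the SQL parser would see.
    return client, parts.path, unquote_plus(parts.query), float(latency)


def has_time_primitive(query):
    return bool(TIME_PRIMITIVE.search(query))


def analyse(lines, slow_seconds=3.0):
    """Per client: request count, slow responses, requests carrying a delay primitive, and both at once.

    A client is marked suspicious only when a delay primitive was seen; slow requests alone
    (10.0.0.7 above) are reported but not flagged, because a heavy page looks the same on latency.
    """
    stats = defaultdict(lambda: {"requests": 0, "slow": 0, "time_primitive": 0, "slow_with_primitive": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _path, query, latency = parsed
        s = stats[client]
        s["requests"] += 1
        slow = latency >= slow_seconds
        primitive = has_time_primitive(query)
        s["slow"] += int(slow)
        s["time_primitive"] += int(primitive)
        s["slow_with_primitive"] += int(slow and primitive)
    for s in stats.values():
        s["suspicious"] = s["time_primitive"] > 0
    return dict(stats)


if __name__ == "__main__":
    for client, s in analyse(LOG_LINES).items():
        print(client, s)
```

The third request from 10.0.0.9 is fast although it carries sleep(): that is the "condition false" branch of the if(), and the alternation between 5-second and 13-millisecond responses for near-identical payloads is exactly the pattern worth alerting on.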

Stack query injection attack

  So-called stacked query injection means that multiple statements can be executed, separated by semicolons. It generally requires that the back-end logic can execute several SQL statements at once. When SQL is executed through PDO (PHP Data Objects), injection usually cannot be achieved this way; that said, a programmer's code may still allow it, in which case injection is still possible, but PDO returns only the result of the first statement, so the effect of the second statement is generally judged with time-based blind injection.

# Judge the database name character by character
;select if(substr(database(), 1, 1)="d", sleep(3), 1) #
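Whether a stacked statement runs at all depends on the execution API, which is the point a code reviewer should check. The following added example (not from the page) uses Python's sqlite3 module as a stand-in: the single-statement execute() refuses input containing a second statement even when the query is built by concatenation, executescript() runs every statement, and a bound parameter never creates a statement boundary in the first place. The table, the row and the harmless CREATE TABLE used as the second statement are all constructed for the demonstration.

```python
import sqlite3

# Constructed stacked input (not from the page): a harmless second statement after the semicolon,
# used only to show which execution paths run it.
STACKED_INPUT = "1; CREATE TABLE injected_marker (x INTEGER)"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    conn.commit()
    return conn


def marker_exists(conn):
    """True once the second statement of STACKED_INPUT has been executed."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='injected_marker'"
    ).fetchone()
    return row is not None


def lookup_concat_execute(conn, user_id):
    """String concatenation, but through the single-statement API: the driver refuses the second statement."""
    try:
        return conn.execute(f"SELECT name FROM users WHERE id={user_id}").fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Older Pythons raise sqlite3.Warning here, newer ones ProgrammingError; both mean "one statement only".
        return f"rejected: {exc}"


def lookup_concat_executescript(conn, user_id):
    """Same concatenation through a multi-statement API: every statement runs, like the back end the text describes."""
    conn.executescript(f"SELECT name FROM users WHERE id={user_id}")
    return marker_exists(conn)


def lookup_param(conn, user_id):
    """Parameterised query: the whole input is bound as one value and cannot introduce a statement boundary."""
    return conn.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat_execute(db, STACKED_INPUT))      # rejected: ...
    print(lookup_param(db, STACKED_INPUT))               # []
    print(lookup_concat_executescript(db, STACKED_INPUT), marker_exists(db))  # True True
```

The lesson carries over to PHP: a multi-statement API (mysqli_multi_query(), or PDO with emulated prepares and concatenated input) is the precondition for stacked injection, and binding parameters removes it regardless of which API is used.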

Secondary injection attack

   A so-called secondary (second-order) injection attack works like this: the statement entered directly through the input box is escaped or hashed by the back-end program, so it has no injection effect at that point, but the constructed statement is stored verbatim in the database. Later, when that field is queried, the back-end program reads it back and splices it into another SQL statement, this time without any protection, and that constitutes a secondary injection attack.
  For example, a website has two function pages: login.php handles registration and search.php handles queries.

# Save the injection statement
# Visit: login.php?username=test'
At this point the single quotation mark does not cause a SQL syntax error, because the back end escapes it directly, but the value stored in the data table is test'

# Execute the SQL injection
# Assuming the id returned above is 10, visit: search.php?id=10
A SQL syntax error occurs, because the query operation splices in the stored username field
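The two-page flow above, as an added example that is not code from the page, with Python's sqlite3 standing in for the PHP/MySQL back end: register() is the safe first write (a bound parameter plays the role of the escaping, so the quote is stored exactly as typed), search_vulnerable() reads the stored username back and concatenates it into a second query, which fails with the syntax error the text describes, and search_fixed() binds the stored value on the second query as well. Table and column names are assumptions.

```python
import sqlite3


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.commit()
    return conn


def register(conn, username):
    """Stand-in for login.php: the first write is protected, so test' is stored exactly as typed."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid


def search_vulnerable(conn, user_id):
    """Stand-in for search.php: reads the stored username back and splices it into a second query."""
    row = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    if row is None:
        return None
    stored_username = row[0]
    # Second-order bug: a value from our own table is treated as trusted and concatenated.
    query = f"SELECT id FROM users WHERE username='{stored_username}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        return f"syntax error: {exc}"


def search_fixed(conn, user_id):
    """Same logic, but the value read from the database is bound as a parameter on the second query too."""
    row = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    if row is None:
        return None
    return conn.execute("SELECT id FROM users WHERE username=?", (row[0],)).fetchall()


if __name__ == "__main__":
    db = setup()
    uid = register(db, "test'")
    print(search_vulnerable(db, uid))  # syntax error: ...
    print(search_fixed(db, uid))       # [(1,)]
```

The practical rule this illustrates: "it came from the database" is not a trust boundary. Every query that assembles SQL from data, whatever its origin, needs parameters, and code review should trace stored user input forward to every place it is read back.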

Wide byte injection attack

   In a character-based injection attack we try to enter id=1', but find that the single quotation mark is escaped by the escape character (backslash). The SQL statement we construct then cannot break out of the surrounding single quotes, so no injection is achieved. Here a wide byte injection attack can be used. The one premise is that the database encoding is GBK. The backslash that escapes the quotation mark is encoded as %5c, and in GBK %df%5c forms a single two-byte character, so the escape character is swallowed by placing %df in front of it.

# Wide byte attack: %23 is the URL encoding of #, which comments out the rest of the statement
# id = 1%df'%23

# Use a nested query to avoid single quotes
select table_name from information_schema.tables where table_schema='sql' limit 0, 1;

select table_name from information_schema.tables where table_schema=(select database()) limit 0, 1;
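The byte-level mechanism, as an added example that is not code from the page: addslashes_bytes() mimics a byte-oriented escaping routine such as PHP's addslashes(), as_seen_by_gbk_server() shows how a GBK-configured server then decodes the escaped bytes (0xdf 0x5c collapses into one two-byte character and the quote survives), and escape_charset_aware() shows what changes when the input is decoded as the declared charset before escaping: the lone 0xdf lead byte is an invalid sequence and is rejected instead of being escaped around. The input bytes are the page's 1%df' payload after URL decoding.

```python
# Constructed input: the page's payload 1%df' after URL decoding (the trailing %23 is omitted).
RAW_INPUT = b"1\xdf'"


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): a backslash (0x5c) before every quote or backslash."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by_gbk_server(escaped: bytes) -> str:
    """How a server whose connection charset is GBK parses the escaped bytes.

    0xdf is a valid GBK lead byte and 0x5c a valid trail byte, so the inserted backslash is
    absorbed into a two-byte character and the quotation mark that follows is unescaped again.
    """
    return escaped.decode("gbk")


def escape_charset_aware(data: bytes):
    """Decode as the declared charset first, then escape at the character level.

    Returns the escaped text, or None when the bytes are not valid GBK (a truncated multibyte
    sequence such as 0xdf followed by a quote), which is the case a byte-level escaper mishandles.
    The real fix is prepared statements, or at least an escaper that knows the connection charset.
    """
    try:
        text = data.decode("gbk")
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    escaped = addslashes_bytes(RAW_INPUT)
    print(escaped)                          # b"1\xdf\\'"
    print(as_seen_by_gbk_server(escaped))   # three characters, the last one a live quote
    print(escape_charset_aware(RAW_INPUT))  # None: rejected as invalid GBK
    print(escape_charset_aware(b"1'"))      # 1\'
```

In PHP terms the distinction is between addslashes() or an escaper used with a mismatched charset on one side, and mysqli_set_charset() plus mysqli_real_escape_string(), or better a prepared statement, on the other; the escaper must agree with the server about which byte sequences form one character.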

cookie injection attack

   A cookie injection attack means that the injection statement is placed not in the GET parameters of the URL but in the Cookie field of the HTTP request header; in other words, the back-end program splices data from the cookie into SQL. The difficulty here is finding the injection location; the injection method afterwards is the same as before.

GET /cookie.php HTTP/1.1
......
......
Cookie: id=1+and+1=2
......
......

base64 injection attack

   A base64 injection attack, as the name implies, is one where the parameters obtained from the URL are base64-decoded by the back-end program before being spliced directly into the SQL statement. There is no new injection technique here; the principle is the same as above, but note that the statement must be base64-encoded before it is placed in the URL. An added effect of this encoding is that it can bypass WAF detection.

id=1 and 1=2 --> id=MSBhbmQgMT0y

XFF injection attack

  X-Forwarded-For, abbreviated XFF, is an HTTP request header field used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer; in short, it represents the client's real IP address. However, the field is very easy to forge: it is often set to 127.0.0.1, for instance, to indicate local access. In SQL injection this field can be used as an injection point, much like a cookie injection attack; again the task is to find the injection point in the HTTP header.

GET /xff.php HTTP/1.1
......
......
X-Forwarded-for: 127.0.0.1' and 1=1 #
......
......
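The cookie, base64 and XFF sections all make the same point: injection input can arrive anywhere the back end reads data from, including encoded or header-borne locations a detector that only looks at raw GET parameters will miss. The following added example (not code from the page) inspects a constructed raw request that combines the three payloads shown in those sections: it URL-decodes cookie values the way a PHP back end does, tries a strict base64 decode of each query value and matches the decoded text, and validates every X-Forwarded-For entry as an IP address with the ipaddress module, which rejects a forged or injected XFF value regardless of any pattern. The request contents, host name and the heuristic regex are assumptions.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Heuristic for the injection shapes shown on this page: boolean tests, delay primitives, comment tails.
SQLI_PATTERN = re.compile(
    r"(?i)\b(?:and|or)\s+[\w']+\s*=\s*[\w']+|\bsleep\s*\(|\bbenchmark\s*\(|'\s*(?:--|#)"
)

# Constructed raw request (not captured from any real system) carrying the page's three header-side payloads.
RAW_REQUEST = (
    "GET /cookie.php?id=MSBhbmQgMT0y HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: id=1+and+1=2; session=abc123\r\n"
    "X-Forwarded-For: 127.0.0.1' and 1=1 #\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (path, query params, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts.path, params, headers


def try_base64(value):
    """Decoded text if value is well-formed base64 that decodes to printable ASCII, else None."""
    if len(value) % 4 != 0:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def invalid_xff_entries(value):
    """Each comma-separated X-Forwarded-For entry must parse as an IP address; return the ones that do not."""
    bad = []
    for item in value.split(","):
        try:
            ipaddress.ip_address(item.strip())
        except ValueError:
            bad.append(item.strip())
    return bad


def inspect_value(where, value):
    """Match the value directly and, if it is base64, its decoded form; return a finding or None."""
    reasons = []
    if SQLI_PATTERN.search(value):
        reasons.append("matches SQL injection pattern")
    decoded = try_base64(value)
    if decoded is not None and SQLI_PATTERN.search(decoded):
        reasons.append("base64-decoded value matches SQL injection pattern")
        value = decoded
    return {"where": where, "value": value, "reasons": reasons} if reasons else None


def scan_request(raw):
    _path, params, headers = parse_request(raw)
    findings = []
    for name, values in params.items():
        for v in values:
            f = inspect_value(f"query:{name}", v)
            if f:
                findings.append(f)
    # PHP-style back ends URL-decode cookie values before use, so decode them the same way before matching.
    for item in headers.get("cookie", "").split(";"):
        name, _, v = item.strip().partition("=")
        if name:
            f = inspect_value(f"cookie:{name}", unquote_plus(v))
            if f:
                findings.append(f)
    for name, v in headers.items():
        if name == "cookie":
            continue
        f = inspect_value(f"header:{name}", v)
        if name == "x-forwarded-for":
            bad = invalid_xff_entries(v)
            if bad:
                f = f or {"where": f"header:{name}", "value": v, "reasons": []}
                f["reasons"].append("not an IP address: " + ", ".join(bad))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan_request(RAW_REQUEST):
        print(finding)
```

The XFF check is the one to keep even if the pattern list is dropped: an application that trusts X-Forwarded-For should accept only values that parse as IP addresses, and only from a proxy it controls, so a value like the one on the page is rejected before it reaches any SQL.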

summary

Never forget the original intention and forge ahead!

Keywords: Web Development Cyber Security CTF

Added by ma9ic on Wed, 09 Feb 2022 20:44:09 +0200