网站已被 SQL 注入攻击
最近我的网站被 SQL 注入攻击了。黑客使用了以下查询 获取我的数据库名称。我无法理解他们写的这个查询。
查询:
=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
运行查询后,它显示一个整数结果,类似于“74545883”。
您能解释一下查询是如何工作的吗?
Recently my site was hacked via SQL injection. The hacker used the following query
to get my DB name. I cannot understand this query they wrote.
Query:
=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
After the query was ran it showed an integer result, something like "74545883".
Can you explain how the query works?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
它看起来像是溢出攻击。他们与您现有的查询进行
UNION-ed。将所有%20替换为(空格),因为其网址编码会产生:分解它:
=-999.9只是结束当前查询0x31303235343830303536 是NULL- 它们只是与现有查询中的列数匹配。如果您有 SELECT * FROM users 且users有 4 列,则UNION也必须有 4 列。结果,他们只是使用“NULL 值”来填充这些列。CONCAT()。它们将 126、39、数据库名称组合为十六进制值,39 和 126--是 mysql 注释 - 从这次攻击来看,它会忽略您的查询的其余部分,我怀疑您不是将输入包装在
mysql_real_escape_string()中,这允许攻击者跳出您的查询并执行自己的查询。有关详细信息,请参阅 owasp.org信息。
It looks like an overflow attack. They
UNION-ed with your existing query. replacing all your%20with (space) since its url-encoded yields:break it down:
=-999.9is just ending your current query0x31303235343830303536isNULL- they are just matching the number of columns in your existing query. If you hadSELECT * FROM usersandusershad 4 columns, theUNIONmust also have 4 columns. As a result, they just used `NULL values to populate those columns.CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126--is a mysql comment - it ignores the rest of your query afterJudging from this attack, i suspect that you are not wrapping input in
mysql_real_escape_string(), which allowed to attacked to jump out of your query and execute their own.See owasp.org for more information.
这不是完整的查询,实际上是人在您的网络应用程序中输入了此字符串。
现在,首先将并集部分中的 %20 替换为空格,您会得到:
似乎用户将字符串放在您期望数字的某个位置。所以,你看到首先有一个数字(999.9)来完成查询的原始条件。然后,添加 UNION 部分。
最后,在 UNION 部分之后,添加注释字符 (-- ),以便绕过查询的其余部分(可能由您的系统添加)。
我们可以格式化代码以便更好地理解:
现在,结果第一列的子字符串将包含数据库名称的十六进制编码形式。实际上,它应该用单引号(0x27)包围,然后再次用〜(0x7e)包围
This is not the complete query, actually the person entered this string in your web app.
Now, first replace %20 with blank space in the union part, you get:
Seems like the user put the string in some place where you were expecting an number. So, you see that first there is a number (999.9) to complete the original condition of the query. Then, an UNION part is added.
Finally, after the UNION part, the comment characters are added (-- ) so that, the rest of the query (which might be being added by your system) is bypassed.
We can format the code for better understanding:
Now, substring of the first column of the result will contain the hex encoded form of your datbase name. Actually, it should be surrounded by single quotes (0x27), then again surrounded by ~ (0x7e)
查询使用 DATABASE() ,然后使用 HEx( ) 函数。
一旦他们有了这个,他们就可以使用 UNHEX 函数
看一下
UNHEX示例很高兴知道它们是如何进入的,但总而言之,您需要修复代码以避免 SQL 注入。
The query returned the Database name using DATABASE() , it then converted this to a hex value using HEx() function.
Once they had this they could use UNHEX function
Have a look at the
UNHEXexamplesIt is good to know how they got in, but all in all, you need to fix up your code to avoid SQL Injection.
我想你的日志中一定还有其他条目,如果没有,他事先就知道你有 3 列。
I think you must have other entries in your log, if not he knew before hand that you have 3 columns.
这是使用 Havij 进行注入的示例
0x7e 和 0x27 对应于 ~ 和 ' ,它们将用于框架 HTML 显示
例如
id=999999.9+union+all+select+0x31303235343830303536,(select+concat(0x7e,0x27,unhex(Hex(cast(sample_tbl.name+as+char))),0x27,0x7e)+from+
测试.sample_tbl+Order+by+id+limit+0,1)+--此查询将根据
http://www.string-functions.com/hex-string.aspx
This is an exemple of injection using Havij
The 0x7e and 0x27 correspond to ~ and ' wich will be used to frame the HTML display
such as
id=999999.9+union+all+select+0x31303235343830303536,(select+concat(0x7e,0x27,unhex(Hex(cast(sample_tbl.name+as+char))),0x27,0x7e)+from+
test.sample_tbl+Order+by+id+limit+0,1)+--This query will render ~'Alfred'~ which is the field value of the column name, from the table sample_tbl in the table test
~'r3dm0v3_hvj_injection'~ is the Havij signature code unhex 0x7233646D3076335F68766A5F696E6A656374696F6E according to http://www.string-functions.com/hex-string.aspx
首先,查询看起来像是 HTML 编码的。将
%20替换为空格,它会变得更具可读性。他们还将部分查询转换为某种内容的十六进制表示形式。也尝试对语句的该部分进行十六进制解码。当您尝试将 SQL 动态创建为字符串,然后将其发送到 DBMS 时,就会产生 SQL 注入风险。想象一下,像这样的字符串存储在您的系统中,用于搜索栏等:
SELECT * FROM SOME_TABLE WHERE SOME_COLUMN=要完成查询并让攻击进入,他们需要进行如下输入this:
'x' or 1=1在这种情况下,查询将变为:
SELECT * FROM SOME_TABLE WHERE SOME_COLUMN='x' or 1=1SOME_COLUMN< /code> 可以是任何变量,无论它在哪里失败,重要的是1=1始终为 true,从而可能使攻击者能够访问该表中的每一行。现在您已经了解了,请检查您的代码并将每个动态创建的查询替换为准备好的语句。 OWASP 网站也有大量用于防御性编码的资源:
www.owasp.org
First off, the query looks like it's HTML encoded. Replace the
%20s with spaces and it will become a little more readable. Also they are converting part of the query into a hex representation of something. Try hexadecimal decoding that part of the statement as well.A SQL injection risk is created when you try to create a SQL dynamically as a string, and then send it to the DBMS. Imagine a string like this stored in your system for use in a search bar, etc:
SELECT * FROM SOME_TABLE WHERE SOME_COLUMN=To complete the query and let the attack in, they would need to make their input like this:
'x' or 1=1In that instance the query will become:
SELECT * FROM SOME_TABLE WHERE SOME_COLUMN='x' or 1=1SOME_COLUMNcould be any variable, it doesn't matter where it fails, the thing that matters is that1=1is ALWAYS true, thereby potentially giving the attacker access to every row in that table.Now that you know about it, go through your code and replace every dynamically created query with a Prepared Statements. The OWASP site has a lot of resources for defensive coding as well:
www.owasp.org
是的,他得到了您的数据库名称的十六进制形式,您所说的“74545883”。
通过对其进行解密,他可以获得真实的数据库名称。
Yes he has got the hex form of your database name which you say is '74545883'.
By Unhexing it he would have got the real database name.