网站已被 SQL 注入攻击

发布于 2024-10-10 09:02:56 字数 341 浏览 8 评论 0原文

最近我的网站被 SQL 注入攻击了。黑客使用了以下查询 获取我的数据库名称。我无法理解他们写的这个查询。

查询:

=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

运行查询后,它显示一个整数结果,类似于“74545883”。

您能解释一下查询是如何工作的吗?

Recently my site was hacked via SQL injection. The hacker used the following query
to get my DB name. I cannot understand this query they wrote.

Query:

=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

After the query was ran it showed an integer result, something like "74545883".

Can you explain how the query works?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

可爱暴击 2024-10-17 09:02:56

它看起来像是溢出攻击。他们与您现有的查询进行UNION-ed。将所有 %20 替换为(空格),因为其网址编码会产生:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-

分解它:

  1. =-999.9 只是结束当前查询
  2. 0x31303235343830303536 是 NULL - 它们只是与现有查询中的列数匹配。如果您有 SELECT * FROM users 且 users 有 4 列,则 UNION 也必须有 4 列。结果,他们只是使用“NULL 值”来填充这些列。
  3. 真正的混乱在于CONCAT()。它们将 126、39、数据库名称组合为十六进制值,39 和 126
  4. -- 是 mysql 注释 - 从

这次攻击来看,它会忽略您的查询的其余部分,我怀疑您不是将输入包装在 mysql_real_escape_string() 中,这允许攻击者跳出您的查询并执行自己的查询。

有关详细信息,请参阅 owasp.org信息。

It looks like an overflow attack. They UNION-ed with your existing query. replacing all your %20 with (space) since its url-encoded yields:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-

break it down:

  1. the =-999.9 is just ending your current query
  2. 0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used `NULL values to populate those columns.
  3. the real confusion is in the CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126
  4. -- is a mysql comment - it ignores the rest of your query after

Judging from this attack, i suspect that you are not wrapping input in mysql_real_escape_string(), which allowed to attacked to jump out of your query and execute their own.

See owasp.org for more information.

天涯沦落人 2024-10-17 09:02:56

这不是完整的查询,实际上是人在您的网络应用程序中输入了此字符串。

现在,首先将并集部分中的 %20 替换为空格,您会得到:

SELECT concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

似乎用户将字符串放在您期望数字的某个位置。所以,你看到首先有一个数字(999.9)来完成查询的原始条件。然后,添加 UNION 部分。
最后,在 UNION 部分之后,添加注释字符 (-- ),以便绕过查询的其余部分(可能由您的系统添加)。

我们可以格式化代码以便更好地理解:

SELECT 
    concat
    (
        0x7e,
        0x27,
        Hex(cast(database() as char)),
        0x27,
        0x7e
    ),
    0x31303235343830303536,
    0x31303235343830303536,
    0x31303235343830303536

现在,结果第一列的子字符串将包含数据库名称的十六进制编码形式。实际上,它应该用单引号(0x27)包围,然后再次用〜(0x7e)包围

This is not the complete query, actually the person entered this string in your web app.

Now, first replace %20 with blank space in the union part, you get:

SELECT concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

Seems like the user put the string in some place where you were expecting an number. So, you see that first there is a number (999.9) to complete the original condition of the query. Then, an UNION part is added.
Finally, after the UNION part, the comment characters are added (-- ) so that, the rest of the query (which might be being added by your system) is bypassed.

We can format the code for better understanding:

SELECT 
    concat
    (
        0x7e,
        0x27,
        Hex(cast(database() as char)),
        0x27,
        0x7e
    ),
    0x31303235343830303536,
    0x31303235343830303536,
    0x31303235343830303536

Now, substring of the first column of the result will contain the hex encoded form of your datbase name. Actually, it should be surrounded by single quotes (0x27), then again surrounded by ~ (0x7e)

诗笺 2024-10-17 09:02:56

查询使用 DATABASE() ,然后使用 HEx( ) 函数。

一旦他们有了这个,他们就可以使用 UNHEX 函数

看一下 UNHEX 示例

mysql> SELECT UNHEX('4D7953514C');
        -> 'MySQL'
mysql> SELECT 0x4D7953514C;
        -> 'MySQL'
mysql> SELECT UNHEX(HEX('string'));
        -> 'string'
mysql> SELECT HEX(UNHEX('1267'));
        -> '1267'

很高兴知道它们是如何进入的,但总而言之,您需要修复代码以避免 SQL 注入。

The query returned the Database name using DATABASE() , it then converted this to a hex value using HEx() function.

Once they had this they could use UNHEX function

Have a look at the UNHEX examples

mysql> SELECT UNHEX('4D7953514C');
        -> 'MySQL'
mysql> SELECT 0x4D7953514C;
        -> 'MySQL'
mysql> SELECT UNHEX(HEX('string'));
        -> 'string'
mysql> SELECT HEX(UNHEX('1267'));
        -> '1267'

It is good to know how they got in, but all in all, you need to fix up your code to avoid SQL Injection.

梦醒时光 2024-10-17 09:02:56
-999.9 UNION ALL SELECT 
CONCAT('Hex(cast(database() as char))'),
0x31303235343830303536,
0x31303235343830303536,
0x31303235343830303536

我想你的日志中一定还有其他条目,如果没有,他事先就知道你有 3 列。

-999.9 UNION ALL SELECT 
CONCAT('Hex(cast(database() as char))'),
0x31303235343830303536,
0x31303235343830303536,
0x31303235343830303536

I think you must have other entries in your log, if not he knew before hand that you have 3 columns.

夏天碎花小短裙 2024-10-17 09:02:56

这是使用 Havij 进行注入的示例
0x7e 和 0x27 对​​应于 ~ 和 ' ,它们将用于框架 HTML 显示
例如
id=999999.9+union+all+select+0x31303235343830303536,(select+concat(0x7e,0x27,unhex(Hex(cast(sample_tbl.name+as+char))),0x27,0x7e)+from+测试.sample_tbl+Order+by+id+limit+0,1)+--
此查询将根据

http://www.string-functions.com/hex-string.aspx

This is an exemple of injection using Havij
The 0x7e and 0x27 correspond to ~ and ' wich will be used to frame the HTML display
such as
id=999999.9+union+all+select+0x31303235343830303536,(select+concat(0x7e,0x27,unhex(Hex(cast(sample_tbl.name+as+char))),0x27,0x7e)+from+test.sample_tbl+Order+by+id+limit+0,1)+--
This query will render ~'Alfred'~ which is the field value of the column name, from the table sample_tbl in the table test

~'r3dm0v3_hvj_injection'~ is the Havij signature code unhex 0x7233646D3076335F68766A5F696E6A656374696F6E according to http://www.string-functions.com/hex-string.aspx

菩提树下叶撕阳。 2024-10-17 09:02:56

首先,查询看起来像是 HTML 编码的。将 %20 替换为空格,它会变得更具可读性。他们还将部分查询转换为某种内容的十六进制表示形式。也尝试对语句的该部分进行十六进制解码。

当您尝试将 SQL 动态创建为字符串,然后将其发送到 DBMS 时,就会产生 SQL 注入风险。想象一下,像这样的字符串存储在您的系统中,用于搜索栏等:

SELECT * FROM SOME_TABLE WHERE SOME_COLUMN=

要完成查询并让攻击进入,他们需要进行如下输入this:

'x' or 1=1

在这种情况下,查询将变为:

SELECT * FROM SOME_TABLE WHERE SOME_COLUMN='x' or 1=1

SOME_COLUMN< /code> 可以是任何变量,无论它在哪里失败,重要的是 1=1 始终为 true,从而可能使攻击者能够访问该表中的每一行。

现在您已经了解了,请检查您的代码并将每个动态创建的查询替换为准备好的语句。 OWASP 网站也有大量用于防御性编码的资源:

www.owasp.org

First off, the query looks like it's HTML encoded. Replace the %20s with spaces and it will become a little more readable. Also they are converting part of the query into a hex representation of something. Try hexadecimal decoding that part of the statement as well.

A SQL injection risk is created when you try to create a SQL dynamically as a string, and then send it to the DBMS. Imagine a string like this stored in your system for use in a search bar, etc:

SELECT * FROM SOME_TABLE WHERE SOME_COLUMN=

To complete the query and let the attack in, they would need to make their input like this:

'x' or 1=1

In that instance the query will become:

SELECT * FROM SOME_TABLE WHERE SOME_COLUMN='x' or 1=1

SOME_COLUMN could be any variable, it doesn't matter where it fails, the thing that matters is that 1=1 is ALWAYS true, thereby potentially giving the attacker access to every row in that table.

Now that you know about it, go through your code and replace every dynamically created query with a Prepared Statements. The OWASP site has a lot of resources for defensive coding as well:

www.owasp.org

三生池水覆流年 2024-10-17 09:02:56

是的,他得到了您的数据库名称的十六进制形式,您所说的“74545883”。
通过对其进行解密,他可以获得真实的数据库名称。

Yes he has got the hex form of your database name which you say is '74545883'.
By Unhexing it he would have got the real database name.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文