w

SQL Injection Attacks and Defense  Second Edition

Exploiting second-order SQL injection
Virtually every instance of SQL injection discussed in this book so far may be classified as
“first-order” SQL injection. This is because the events involved all occur within a single HTTP
request and response, as follows:
1 The attacker submits some crafted input in an HTTP request.
2 The application processes the input, causing the attacker’s injected SQL query to execute.
3 If applicable, the results of the query are returned to the attacker in the application’s response
to the request.
A different type of SQL injection attack is “second-order” SQL injection. Here, the
sequence of events is typically as follows:
1 The attacker submits some crafted input in an HTTP request.
2 The application stores that input for future use (usually in the database), and responds to the
request.
3 The attacker submits a second (different) request.
4 To handle the second request, the application retrieves the stored input and processes it,
causing the attacker’s injected SQL query to execute.
5 If applicable, the results of the query are returned to the attacker in the application’s response
to the second request.
Second-order SQL injection is just as powerful as the first-order equivalent; however, it is a
subtler vulnerability which is generally more difficult to detect.
Second-order SQL injection usually arises because of an easy mistake that developers make
when thinking about tainted and validated data. At the point where input is received directly
from users, it is clear that this input is potentially tainted, and so clued-in developers will make
some efforts to defend against first-order SQL injection, such as doubling up single quotes or
(preferably) using parameterized queries. However, if this input is persisted and later reused, it
may be less obvious that the data are still tainted, and some developers make the mistake of
handling the data unsafely at this point.

Consider an address book application which allows users to store contact information about
their friends. When creating a contact, the user can enter details such as name, e-mail, and
address. The application uses an INSERT statement to create a new database entry for the
contact, and doubles up any quotation marks in the input to prevent SQL injection attacks (see
Figure 7.1).

The application also allows users to modify selected details about an existing contact. When
a user modifies an existing contact, the application first uses a SELECT statement to retrieve
the current details about the contact, and holds the details in memory. It then updates the
relevant items with the new details provided by the user, again doubling up any quotation
marks in this input. Items which the user has not updated are left unchanged in memory. The
application then uses an UPDATE statement to write all of the in-memory items back to the
database (see Figure 7.2).

The quotes are doubled up in your input, and the resultant INSERT statement looks like this:
INSERT INTO tbl Contacts VALUES (‘a‘‘+@@version+’’a’, ‘foo@example.org’,…
Hence, the contact name is safely stored in the database, with the literal value that you
submitted.
Then, you need to go to the function to update the new contact, and provide a new value in
the address field only (any accepted value will do). When you do this, the application will first
retrieve the existing contact details, using the following statement:
SELECT

FROM tbl Users WHERE contact Id = 123
The retrieved details are stored briefly in memory. The value retrieved for the name field
will, of course, be the literal value that you originally submitted, because this is what was
stored in the database. The application replaces the retrieved address in memory with the new
value you supplied, taking care to double up quotation marks. It then performs the following
UPDATE statement to store the new information in the database:
UPDATE tbl Users
SET name=‘a’+@@version+‘a’, address=‘52 Throwley Way’,…
WHERE contact Id = 123
At this point, your attack is successful and the application’s query is subverted. The name
retrieved from the database is handled unsafely, and you are able to break out of the data
context within the query and modify the query’s structure. In this proof-of-concept attack, the
database version string is copied into the name of your contact, and will be displayed on-screen
when you view the updated contact details:
Name: a Microsoft SQL Server 7.00 – 7.00.623 (Intel X86) Nov 27 199822:20:07 Copyright (c)
1988–1998 Microsoft Corporation Desktop
Edition on Windows NT 5.1 (Build 2600:)a
Address: 52 Throwley Way Let’s assume that the doubling up of quotation marks in this instance is effective in
preventing first-order SQL injection. Nevertheless, the application is still vulnerable to second-
order attacks. To exploit the vulnerability, you first need to create a contact with your attack
payload in one of the fields. Assuming the database is Microsoft SQL Server, create a contact
with the following name:
a‘+@@version+’a To perform a more effective attack, you would need to use the general techniques already
described for injecting into UPDATE statements (see Chapter 4), again placing your attacks
into one contact field and then updating a different field to trigger the vulnerability.

Exploiting second-order SQL injection 利用二阶注入获取数据库版本信息 SQL Injection Attacks and Defense Second Edition的更多相关文章

  1. sql 2000以及2005以上获取数据库中所有的表(不包括系统表)

    ---------------------------------------------------------------------------- --sql 2005以上数据库 --- 获取数 ...

  2. MS SQL 事物日志传送能否跨数据库版本吗?

    SQL SERVER的事物日志传送(log shipping)功能,相信很多人都使用过或正在应用,这是MS SQL提供的一个非常强大的功能,一般需要一个主数据库服务器(primary/producti ...

  3. 【web安全】第一弹:利用xss注入获取cookie

    首先一定要先来吐槽一下tipask系统.这是一枚开源的类似百度知道的系统,但是漏洞多多,最基本的XSS注入都无法防御. 言归正传: [准备1] cookie接收服务器. 平时喜欢用sae,所以在sae ...

  4. SQL SERVER获取数据库文件信息

        MS SQL SERVER 获取当前数据库文件等信息,适用于多个版本: SELECT dbf.file_id AS FileID , dbf.name AS [FileName] , s.fi ...

  5. android利用ContentResolver访问者获取手机联系人信息

    转载自:http://www.jb51.net/article/106379.htm 首先需要在AndroidManifest.xml文件中添加权限: <uses-permission andr ...

  6. 防sql注入之参数绑定 SQL Injection Attacks and Defense 预处理语句与存储过程

    http://php.net/manual/zh/pdo.prepared-statements.php 预处理语句与存储过程 很多更成熟的数据库都支持预处理语句的概念.什么是预处理语句?可以把它看作 ...

  7. 防sql注入之参数绑定 SQL Injection Attacks and Defense

    http://php.net/manual/zh/pdo.prepared-statements.php 预处理语句与存储过程 很多更成熟的数据库都支持预处理语句的概念.什么是预处理语句?可以把它看作 ...

  8. Mysql 下 Insert、Update、Delete、Order By、Group By注入

    Insert: 语法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....) 报错注入: insert into test(id,name,p ...

  9. 利用insert,update和delete注入获取数据

    0x00 简介 利用SQL注入获取数据库数据,利用的方法可以大致分为联合查询.报错.布尔盲注以及延时注入,通常这些方法都是基于select查询语句中的SQL注射点来实现的.那么,当我们发现了一个基于i ...

随机推荐

  1. 【Python3 爬虫】07_正则表达式(原子)

    原子是正则表达式的最基本的组成单位,而且在每个模式中最少包含一个原子.原子是由所有那些未显示指定为元字符的打印和非打印字符组成. 原子分类 1.普通字符作为原子 普通字符是编写正则表达式时最常见的原子 ...

  2. Android平台Native开发与JNI机制详解

    源文链接: http://mysuperbaby.iteye.com/blog/915425 一个Native Method就是一个Java调用非Java代码的接口.一个Native Method是这 ...

  3. Android Viewpager实现图片轮播(仿优酷效果)

    1 http://blog.csdn.net/t12x3456/article/details/8160128 2 http://www.cnblogs.com/androidez/archive/2 ...

  4. 解决window10系统电脑插入耳机之后没有声音的问题

    其实办法也是从百度百科上查到的 ⁄(⁄ ⁄•⁄ω⁄•⁄ ⁄)⁄     可能是因为自己某个不小心的操作更改了设置 1. 首先要点开设置按钮,在搜索栏输入控制面板 (当然知道控制面板在哪里的小伙伴就不用 ...

  5. 深入PHP中慎用双等于(==)的详解

    PHP比较运算符出现的频率实在是太高了,尤其是 ==if(a == b){// do something}但是,你真的掌握了 == 了吗?细节很重要!来看下面的代码,说出你认为正确的答案var_dum ...

  6. 打包Cocos2d-xproject为PC项目

    <1>第一步,得到总体的大.exe 1.复制cocos2d-x-2.2文件下的Release.win32文件侠到桌面. 2.将项目下的Resources里的资源拷贝到Release.win ...

  7. 75. Find Peak Element 【medium】

    75. Find Peak Element [medium] There is an integer array which has the following features: The numbe ...

  8. Django学习之第三方储存服务器的使用

    最近,越来越多的公司采用第三方储存来作为视频,图片的储存工具. 国内的像七牛,阿里云的OSS,国外的像亚马逊的S3,微软的azure都是非常有名的第三方储存. 下面以阿里的OSS为例,来介绍第三储存的 ...

  9. wb标准

    1. WEB标准 WEB标准不是某一个标准,而是一系列标准的集合.网页主要由三部分组成:结构(Structure).表现(Presentation)和行为(Behavior).对应的标准也分三方面:结 ...

  10. UI-7-UIScrollView

    #import "ViewController.h" @interface ViewController ()<UIScrollViewDelegate> { UIIm ...