《白帽子Web安全——注入攻击》
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">注入攻击的本质,是把用户输入的数据当成代码执行。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">两个关键<span style="color: black;">要求</span>:1、用户能够<span style="color: black;">掌控</span>输入;2、<span style="color: black;">本来</span>程序要执行的代码,拼接了用户输入的数据</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">1、</span>SQL注入</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SQL注入即<span style="color: black;">指的是</span>web应用程序对用户输入数据的合法性<span style="color: black;">无</span>判断或过滤不严,攻击者<span style="color: black;">能够</span>在web应用程序中事先定义好的<span style="color: black;">查找</span>语句的结尾上添加额外的SQL语句,在管理员不知情的<span style="color: black;">状况</span>下实现<span style="color: black;">违法</span>操作,以此来实现<span style="color: black;">诈骗</span>数据库服务器执行非授权的任意<span style="color: black;">查找</span>,从而进一步得到相应的数据信息。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1、盲注(Blind Injection)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>Web服务器开启了错误回显,这就会给攻击者带来<span style="color: black;">极重</span>的便利,疯狂调试注入结果。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">所说</span>盲注,其实<span style="color: black;">便是</span>在服务器<span style="color: black;">无</span>错误回显时完成的注入攻击。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">最<span style="color: black;">平常</span>盲注<span style="color: black;">办法</span>:构造简单的<span style="color: black;">要求</span>语句,<span style="color: black;">按照</span>返回页面结果<span style="color: black;">是不是</span><span style="color: black;">出现</span>变化,来判断SQL语句<span style="color: black;">是不是</span>得到执行</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">例如:1=2、1=1对比分析页面变化</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2、Timing Attack(时序攻击)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在<span style="color: black;">暗码</span>学中,时序攻击是一种侧信道攻击,攻击者试图<span style="color: black;">经过</span>分析加密算法的时间执行来推导出<span style="color: black;">暗码</span>。每一个<span style="color: black;">规律</span>运算在计算机<span style="color: black;">必须</span>时间来执行,<span style="color: black;">按照</span>输入<span style="color: black;">区别</span>,精确<span style="color: black;">测绘</span>执行时间,<span style="color: black;">按照</span>执行时间反推出<span style="color: black;">暗码</span>。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在MySQL中,有一个BENCHMARK()函数,用于测试函数性能</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">BENCHMARK(count,expr)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">函数执行结果,是将表达式expr执行Count次</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">利用BENCHMARK()函数,<span style="color: black;">能够</span>让同一个函数执行若干次,使得结果返回的时间比平时要厂;<span style="color: black;">经过</span>时间长短的变化,<span style="color: black;">能够</span>判断注入语句<span style="color: black;">是不是</span>执行成果。这种一种边信道攻击,在盲注中<span style="color: black;">叫作</span>为Timing Attack</p>database()system_user()current_user()last_insert_id()<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>当前数据库用户(current_user)<span style="color: black;">拥有</span>写权限,攻击者<span style="color: black;">能够</span>将信息写入本地磁盘</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">另外</span><span style="color: black;">经过</span>Dump文件<span style="color: black;">办法</span>,还<span style="color: black;">能够</span>写入一个webshell</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">2、</span>数据库攻击技巧</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SQL注入是基于数据库的一种攻击</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1、<span style="color: black;">平常</span>的攻击技巧</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SQL注入<span style="color: black;">能够</span>猜解数据库对应的版本,例如下面MySQL的版本<span style="color: black;">倘若</span>为4就会返回true</p>
<div style="color: black; text-align: left; margin-bottom: 10px;">http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4</div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">利用union select来判断表命admin<span style="color: black;">是不是</span>存在,列名passwd<span style="color: black;">是不是</span>存在</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">id</span><span style="color: black;">=</span><span style="color: black;">5</span> <span style="color: black;">union</span> <span style="color: black;">all</span> <span style="color: black;">select</span> <span style="color: black;">1</span><span style="color: black;">,</span><span style="color: black;">2</span><span style="color: black;">,</span><span style="color: black;">3</span> <span style="color: black;">from</span> <span style="color: black;">admin</span>
<span style="color: black;">id</span><span style="color: black;">=</span><span style="color: black;">5</span> <span style="color: black;">union</span> <span style="color: black;">all</span> <span style="color: black;">select</span> <span style="color: black;">1</span><span style="color: black;">,</span><span style="color: black;">2</span><span style="color: black;">,</span><span style="color: black;">passwd</span> <span style="color: black;">from</span> <span style="color: black;">admin</span>
</div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在注入攻击过程中,长城会用到<span style="color: black;">有些</span>读写文件的技巧。<span style="color: black;">例如</span>在MySQL中,<span style="color: black;">能够</span><span style="color: black;">经过</span>LOAD_FILE()读取系统文件,并<span style="color: black;">经过</span>INTO DUMPFILE写入本地文件。前提:用户<span style="color: black;">拥有</span>读写系统响应文件或目录的权限</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">union</span> <span style="color: black;">select</span> <span style="color: black;">1</span><span style="color: black;">,</span><span style="color: black;">1</span><span style="color: black;">,</span><span style="color: black;">LOAD_FILE</span><span style="color: black;">(</span><span style="color: black;">/etc/passwd</span><span style="color: black;">),</span><span style="color: black;">1</span><span style="color: black;">,</span><span style="color: black;">1</span><span style="color: black;">;</span></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>当前用户<span style="color: black;">拥有</span>创建表的权限。<span style="color: black;">首要</span><span style="color: black;">经过</span>LOAD_FILE()将系统文件读出,再<span style="color: black;">经过</span>INTO DUMPFILE将该文件写入系统,<span style="color: black;">而后</span><span style="color: black;">经过</span>LOAD DATA INFILE将文件导入创建的表中,最后就<span style="color: black;">能够</span><span style="color: black;">经过</span><span style="color: black;">通常</span>的注入技巧直接操作表的数据</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">除了<span style="color: black;">能够</span><span style="color: black;">运用</span>INTO DUMPFILE外,还<span style="color: black;">能够</span><span style="color: black;">运用</span>INTO OUTFILE,两者区别是DUMPFILE适用于二进制文件,它会将<span style="color: black;">目的</span>文件写入同一行内;而OUTFILE则更适用于文本文件。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">写入文件的技巧,经常被用于导出一个WebShell,为攻击者进一步攻击做铺垫。所有<span style="color: black;">咱们</span><span style="color: black;">能够</span>禁止普通数据库用户具备操作文件的权限。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2、命令执行</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在MySQL中,除了<span style="color: black;">能够</span><span style="color: black;">经过</span>导出webshell间接地执行命令外,还<span style="color: black;">能够</span>利用“用户自定义函数”的技巧,即UDF(User-Defined Functions)来执行命令</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在流行的数据库中,<span style="color: black;">通常</span>都支持从本地文件系统中导入一个共享库文件<span style="color: black;">做为</span>自定义函数。<span style="color: black;">运用</span>如下语法<span style="color: black;">能够</span>创建UDF:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;">CREATE</span> <span style="color: black;">FUNCTION</span> <span style="color: black;">f_name</span> <span style="color: black;">RETURNS</span> <span style="color: black;">INTEGER</span> <span style="color: black;">SONAME</span> <span style="color: black;">shared_library</span></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在MySQL4的服务</p>
“BS”(鄙视的缩写)
页:
[1]