Article From:

1、Study the principle of buffer overflow, at leastThe study of two kinds of databases for differentiation

    Buffer overflow is that when the computer fills the buffer with the number of bits, it exceeds the capacity of the buffer itself. The overflow data is covered on the legitimate data. Ideally, the program checks the length of the data does not allow the characters to exceed the length of the buffer, but most programs assume that the data length is always the same as the length of the buffer.The allocated storage space matches, which is a hidden danger for buffer overflow. The buffer used by the operating system is also known as “stack”. Between operations, instructions are temporarily stored in the “stack”, and the stack also has buffer overflow.


   By writing the content beyond its length to the buffer of the program, it causes the overflow of the buffer, which destroys the stack of the program, and makes the program execute other instructions to achieve the purpose of the attack. The reason for the buffer overflow is that the parameters entered by the user are not carefully checked in the program. For example, the following program:

void function(char *str) {

char buffer[16]; strcpy(buffer,str);


The strcpy () above will directly transform the content from STR to buffer in the copy. So long as the length of STR is greater than 16, it will cause buffer overflow and cause the program to run wrong. There are standard functions such as strcpy and strcat.), sprintf (), vsprintf (), gets (), scanf () and so on.

Of course, filling anything in the buffer zone will cause it to overflow. Generally, there will only be Segmentation fault, which can not achieve the purpose of attack. The most common way is to create a buffer overflow to enable the program to run a user shell and then shell.Do other orders. If the program belongs to root and has suid permissions, the attacker gets a shell with root permissions and can do any operation on the system.

The reason why buffer overflow attacks become a common security attack is that buffer overflow vulnerabilities are too common and easy to implement. Moreover, a buffer overflow is the main means of a remote attack because the buffer overflow vulnerability gives the attacker everything he wants: implants and executes the attack generation.Code. The embedded attack code runs a program with buffer overflow vulnerabilities with certain permissions to get the control of the attacked host.

In 1998, 2 of the 5 remote attacks used by Lincoln labs to assess intrusion detection were buffer overflow. In 1998, of the 13 CERT recommendations, 9 were related to buffer overflow. In 1999, at least half of the recommendations were buffer overflow.It’s about. In the ugtraq survey, 2/3 respondents believe that buffer overflow vulnerability is a serious security problem.


     MySQLThe most popular open source SQL database management system is developed, published and supported by MySQL AB. MySQL AB, a business company based on MySQL developers, is a second generation open source that uses a successful business model to combine open source value and methodology.Company. MySQL is a registered trademark of MySQL AB.

    MySQLIt is a fast, multithreaded, multi-user and robust SQL database server. The MySQL server supports the use of critical tasks, heavy load production systems, and can also be embedded in a mass- deployed software.MySQL has the following advantages:

 (1)MySQLIt is a relational database management system.

 (2)MySQLIt’s open source.

 (3)MySQLThe server is a fast, reliable and easy to use database server.

 (4)MySQLThe server works in client / server or embedded system.

 (5)There is a lot of MySQL software that can be used.


       The first company to think about a database is Oracle (Jia Guwen). Founded in 1977, it was originally a company specializing in developing databases. Oracle has been in the leading position in the database field. In 1984, the relational database was first turned to the tableOn the computer. Then, Oracle5 pioneered the new concepts of distributed database, client / server structure and so on. Oracle 6 pioneered line locking mode and support for symmetric multiprocessing computers… The latest Oracle 8 mainly increases the object technology and becomes a relationship – pair.Like a database system. At present, Oracle products cover dozens of models such as large, medium and small computers. Oracle database has become one of the most widely used relational data systems in the world.

  OracleThe database product has the following excellent features.


  OracleThe product is standard SQL and tested by the National Standard Institute of Technology (NIST). It is compatible with IBM SQL/DS, DB2, INGRES, IDMS/R and so on.


  OracleThe product can run on a wide range of hardware and operating system platforms. It can be installed in more than 70 different large, medium and small machines, and can be operated under VMS, DOS, UNIX, Windows and many other operating systems.


  OracleIt can be connected to various communication networks and support various protocols (TCP/IP, DECnet, LU6.2, etc.).

  (4)High productivity

  OracleThe product provides a variety of development tools, which can greatly facilitate users to further develop.


  OracleGood compatibility, portability, connectivity and high productivity enable Oracle RDBMS to have good openness.

2、Aiming at different data types, we study the discovery and injection technology of SQL injection point.

2.1、SQL Injection principle

        SQL Injection refers to the use of some Web applications (such as web sites, forums, message books, article publishing systems, etc.) which have unsecured pages or SQL statements that are not meticulous, construct a SQL statement carefully, translate the illegal SQL statement instructions into the system actual SQL statement and execute it,Get sensitive information such as user name and password, so as to control the attack method of host server. The SQL injection vulnerability is a security vulnerability occurring at the application and database level. In short, the SQL instruction is injected into the input string, which is ignored in poorly designed programs.These injected instructions are run by database servers mistaken for normal SQL instructions, so they are destroyed or intrusions.

2.2、SQL Injection classification

Classification according to the type of injection point

 Digital injection point

At the Web end, it is probably the form of id=1 id=1, whose injection point is type number, so it is called digital injection point. This type of SQL statement archetype is probablyselect * from Table name where id=1

Character injection point

At the Web end, it is probably the form of name=admin name=admin, whose injection point is of character type, so it is called character injection point. This type of SQL statement archetype is probablyselect * from Table name where name='admin'。Pay attention to the quotes.

Search injection point

This is a special type of injection. This kind of injection mainly refers to not filtering the search parameters in the search for data. Generally, there are “keyword= keywords” in the link address, some do not display in the link address, but are submitted directly through the search box form. SQL of this kind of injection pointThe original form of the statement is as follows:select * from The table name where field like '% keyword'.

3、Research on buffer overflow prevention methods, at least for two programming languages for differential research

3.1、Precaution method

There are four basic ways to protect buffers against buffer overflow attacks and effects:

1、A method of forcing the right code to write
Writing the right code is a very meaningful but time-consuming job, especially in writing a C language that is prone to error prone programs, such as the zero end of a string, which is caused by the tradition of pursuing performance and ignoring correctness. Although it took a long time to make people know how to write ANNAll procedures, security vulnerabilities still exist. So people developed tools and techniques to help inexperienced programmers write safe and correct programs. Although these tools help programmers develop more secure programs, these tools can not find all buffers due to the characteristics of C language.Overflow vulnerability. Therefore, debugging technology can only be used to reduce the possibility of buffer overflow, and can not completely eliminate its existence. Unless the programmer can ensure that his program is foolproof, the following parts should be used to ensure the reliability of the program. It

2、The buffer zone is not executable through the operating system, thus preventing attackers from attacking the code.
This method effectively prevents a lot of buffer overflow attacks, but the attacker does not necessarily have to colonized attack code to achieve a buffer overflow attack, so there are many weaknesses in this method. It

3、Using compiler boundary check to achieve buffer protection.
This method makes the buffer overflow impossible, thus eliminating the threat of buffer overflow completely, but the cost is relatively large. It

4、Integrity check before the failure of the program pointer
This way, although this method does not make all buffer overflow failures, it does prevent most of the buffer overflow attacks, and it is difficult to escape the buffer overflow that is protected by this method. It

The most common form of buffer overflow is the record of the attack activity and then the code is inserted into the stack. This type of attack has many records in the 1996. Instead of executing stack and stack protection methods, this attack can be effectively protected. The non execution stack can defend all the attack methods that stack the code into the stack.Stack protection can defend all methods of changing activity records. These two methods are compatible with each other and can defend many possible attacks at the same time. It
The remaining attacks can basically be protected by pointer protection, but in some special cases, manual protection is needed. Automatic pointer protection requires additional bytes for each variable, which makes pointer boundary checking advantageous in some cases. It

The most interesting thing is that the buffer overflow vulnerability –Morris worm uses all methods that can not be effectively defended today, but it is rarely used because of too much complexity. It

In this article, we describe and analyze the principle of buffer overflow in detail, and briefly introduce several defense methods. Because this kind of attack is a common attack method at present, the research on this aspect is meaningful and effective. It

3.2、According to the steps of buffer overflow attacks, common buffer overflow attack detection techniques can be classified into 3 types:

(1)Detection method based on input string

(2)Detection method of return address based on protection stack

(3)The detection method based on the monitoring system call.

Detection method based on input string

       The input string is detected to determine if it is an overflow attack string, so that the attacker can not injects the attack code. There are generally 3 ways to build overflow attack strings.
The first overflow attack string is suitable for the case that the buffer is larger than the ShellCode length; the second overflow attack string is generally used in the case that the buffer is less than the ShellCode length; the third method is to put ShellCode in the environment variable, which is more common at present.The method used.

Detection method based on the return address in the protection stack

       The most critical step in the buffer overflow attack is to change the program’s process by modifying the function back to the address. So, before the function call is returned, the buffer overflow attack can be judged by checking whether the return address is modified. The implementation of the test can be inserted by some constraints in the source code.And the module of judgement, then monitor the variables and stack area during the process of the compiled program to detect whether there is any attack. StackGuard and StackShield are tools of this type. They are extensions of gcc compiler.The return address of the function that is monitored is normal.

 There are three basic methods to protect the buffer from the attack and impact of the buffer overflow: 1, the buffer is not enforceable through the operating system, thus preventing the attacker from implanting the attack code; 2, the method of forcing the correct code to be written; 3, using the compiler’s boundary check to achieve the buffer protection,The buffer overflow can not occur, thus completely eliminating the threat of buffer overflow.

Detection method based on monitoring system call

       It is possible to detect whether there is a buffer overflow attack by detecting whether ShellCode runs. Attackers want ShellCode to use an access to start an interactive shell process to accomplish as many things as possible, and hope ShellCodeAs short as possible, it is more hidden, so most ShellCode will call system functions. Since monitoring all system calls will consume a large amount of system resources, it is only monitored for system calls commonly used by ShellCode, depending on some of the features that are monitored.Whether the system call is illegal can determine whether the protected system is attacked by buffer overflow.

4、Inject at least two kinds of databases into attack tools


SqlmapIt is an open source penetration testing tool that automatically detects and utilizes SQL injection vulnerabilities and servers that access the database. It has a very powerful detection engine, a permeable tester with a variety of features, access to the underlying file system through the database fingerprint, and the execution of commands through a band connection.

 sqlmapSupported databases have

 MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, SybaseAnd SAP MaxDB

 Detection injection

 Basic format

 sqlmap -u “″

 Default using level1 to detect all database types

 sqlmap -u “″ –dbms mysql –level 3

 The specified database type is mysql, with a level of 3 (a total of 5 levels, the higher the level, the more comprehensive the test).

 Follow the 302 jump

 When you insert page errors, you need to follow 302 when you jump to another page automatically.

When the error is injected, it is not necessary to follow 302 when the error is first reported and then jumps.
The goal is to follow the wrong information.



 When the program has anti get injection, you can use cookie injection.

sqlmap -u “” –cookie “id=11″ –level 2(Only when level reaches 2 will cookie be detected.)


Injecting from the post packet


You can use burpsuite or temperdata to grab post packets.


sqlmap -r “c:\tools\request.txt” -p “username” –dbms mysql Specify the username parameter

sqlmapDetailed orders:

  • –is-dba Current user rights (or not root permissions)
  • –dbs All databases
  • –current-db Web site current database
  • –users All database users
  • –current-user Current database users
  • –random-agent Construction of random user-agent
  • –passwords Database password
  • –proxy http://local:8080 –threads 10 (Custom thread acceleration) agent
  • –time-sec=TIMESEC DBMSThe delay time of the response (by default of 5 seconds)
     sqlsusIt is a MySQL injection and take over tool written in Perl language. It can get the database structure, implement the injection query, download the file of the server, crawl the writable directory and write the back door, and copy the database file and so on. It provides Inband and blind injection of two injection modes to get data.Library permissions.
 When using, users first use the tool to generate a configuration file. In the configuration file, set the injection path and the parameters injected, then load the file and perform the penetration test.
Link of this Article: Eleventh weeks summary

Leave a Reply

Your email address will not be published. Required fields are marked *