Golden Eyes: Writing a SQL Injection Scanner (Part 1)
(Author: mikespook | Date: 2004-5-16 | Views: 125)
Keywords: Golden Eyes, SQL injection, scanner, C#

This article was first submitted to the magazine "Hack Security Base". Later, for various reasons, the magazine was suspended, so I have now tidied the article up and posted it on my own site for everyone to read. Quite some time has passed since I released "Golden Eyes"; if your site still falls to this scanner, I can only say sorry, you were too lazy to apply the patch! The content of this article is somewhat offensive in nature and is presented here purely for research and discussion. The author takes no responsibility for any consequences arising from it.

I hope readers of this article have some programming background, because it involves a considerable amount of data-structure work. People often ask me: "I also want to learn hacking techniques and learn to program. How should I learn, and where should I start?" Today I will discuss the design ideas and technical details behind the "Golden Eyes" SQL injection scanner. I hope nobody simply copies this scanner mechanically to write a tool for stealing website accounts; rather, I hope some of the ideas in it are inspiring.

Two questions:

1. What is "Golden Eyes"?

"Golden Eyes" is a scanner for the SQL injection vulnerability in the "Jinmei Online Film Free Member Edition", which I wrote in early September 2003. It has gone through four versions: 1.0, 1.1, 1.2 and the latest, 1.3. Of these I released only three: 1.0, 1.1 and 1.3. With each upgrade I improved the scanning algorithm in the kernel, making scanning several times faster.

2. What is a SQL injection vulnerability, and how is it used?

In my impression there have already been many articles on this topic. Old versions of the "Mobile Network" forum, the early "Lonely Swordsman", and the "Jinmei Online Movie Free Member Edition" targeted by this scanner (for convenience, referred to below as the "Jinmei" system): these dynamic page programs all have SQL injection vulnerabilities. To make the later discussion of the program easier to follow, I will repeat what a SQL injection vulnerability is.
Here I use ASP as the language for the explanation. If you don't know ASP, that doesn't matter; you only need to follow what I say below. We know that when writing a dynamic page, data can be obtained through parameters passed in the page address, that is, the GET method. For example: http://www.abc.com/movie.asp?id=123. The "id=123" at the end is the content passed in by the GET method: the variable is named "id" and its value is "123". Handling this variable in the background page is actually very simple. Take an ASP page as an example:
Movie.asp

    <%
    ' Echo the "ID" parameter from the query string back to the client
    Response.Write Request.QueryString("ID")
    %>

Here Request.QueryString("ID") returns the incoming content, "123". Of course, if you access the page as "Movie.asp?ID=Hello World", Request.QueryString("ID") is "Hello World". What could go wrong here? On its own, nothing; there is no vulnerability in this page. But consider the following program:
Movie.asp

    <%
    ' Open the Access database next to the page
    Set conn = Server.CreateObject("ADODB.Connection")
    connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("db.mdb")
    conn.Open connStr
    Set rs = Server.CreateObject("ADODB.Recordset")
    ' The query-string value is concatenated straight into the SQL text
    sql = "SELECT * FROM admin WHERE aid=" & Request.QueryString("ID")
    rs.Open sql, conn, 1, 1
    %>

Those who have written ASP know that this looks up, in the "admin" table, the record whose "aid" field equals Request.QueryString("ID"), for example the "123" mentioned earlier. When rs.Open sql, conn, 1, 1 actually runs, the SQL statement executed is "SELECT * FROM admin WHERE aid=123". Used normally, this program works without any problem. But we are assuming that Request.QueryString("ID") is a legal field value; for example, an index number must be a number. What if Request.QueryString("ID") is not a number? Then of course there is an error. Let's access Movie.asp with the address "Movie.asp?ID=hello world". This time an error is shown, because the "aid" field is numeric and must be given a number, and we supplied a string. The actual SQL statement is "SELECT * FROM admin WHERE aid=hello world", which is of course an error! Everyone please pay attention: the error is our breakthrough! Let's see what happens when we access "Movie.asp?ID=123 and 1=1". Now the actual SQL statement is "SELECT * FROM admin WHERE aid=123 and 1=1". We know that "1" must equal "1", so this statement has exactly the same effect as "SELECT * FROM admin WHERE aid=123". It will not produce an error! But if we change "and 1=1" to "and 1=2", the same error appears as when accessing with "hello world". So if we can look up a field's content with a statement that returns the value found, can we test it with "and 1=X"? The page displays correctly only when X equals "1". Take the "Jinmei" system as an example. It uses an Access database.
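As an added illustration (not code from the article or from the Jinmei system), here is the same lookup modelled in Python on an in-memory SQLite table: the vulnerable form concatenates the GET value exactly as the ASP above does, so the three requests the text walks through ("123", "123 and 1=1", "123 and 1=2") give three different responses, while the hardened form checks that the id is numeric and binds it as a parameter, so the value can no longer alter the query. The table name, columns and rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the article's Access "admin" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (aid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)",
                     [(123, "film A"), (124, "film B")])
    return conn


def vulnerable_lookup(conn, raw_id):
    """Mirrors the ASP page: the query-string value is pasted into the SQL text.

    Returns the matching rows, or None when the database raises an error
    (the "page error" the article treats as a signal).  Because the raw
    value becomes part of the SQL syntax, appended conditions are executed.
    """
    sql = "SELECT aid, title FROM admin WHERE aid = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def hardened_lookup(conn, raw_id):
    """Fix: enforce that the index really is a number, then bind it.

    Non-numeric input is rejected before any SQL runs, and a bound
    parameter is always treated as data, never as SQL syntax, so
    "123 and 1=1" and "123 and 1=2" now receive the same response and
    the true/false distinction the scanner relies on disappears.
    """
    if not raw_id.isdigit():
        return None  # reject instead of executing
    return conn.execute("SELECT aid, title FROM admin WHERE aid = ?",
                        (int(raw_id),)).fetchall()
```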
The administrator account is stored in the data table "password", which has three fields, "id", "name" and "pwd", holding the sequence number, the administrator name and the password respectively. Very conveniently, the "Jinmei" system has only one administrator, and its "id" is "1". OK, in fact our intrusion code is now easy to write: use "select id from password where name=admin" to test whether the administrator name is "admin". If the administrator name is "admin", this SQL statement returns "1"; otherwise it returns some other value. Using the "and 1=1" judgement just mentioned, we can then tell that the administrator name we guessed, "admin", is correct. The complete intrusion code is: "Movie.asp?ID=123 and 1=(select id from password where name=admin)". But there is a problem here: we must exhaustively guess the administrator name.