SQL injection: the complete process of penetrating a network security company

xiaoxiao 2021-03-06 18

Author: Demonalex / Little God   Email: Demonalex_at_hackermail.com

Preface: This article is not written to teach you how to break in, but to remind everyone: "An intrusion is accidental, but security is not inevitable." Do not neglect the small details of operations.

The author has always had a habit of frequently browsing security websites. Recently, by chance, I came across the website of a well-known network security company in Guangzhou. To be honest, the site is quite diverse: it offers software downloads and has its own forum (hey, the interface is really nice, but how secure is it?). Out of curiosity about its security, I decided to carry out a preliminary "security penetration test" on it.

At first I just ran some general network vulnerability scanners (X-Scan 3.0, NMAP, Retina, etc.) to gather information and then filtered the results. The only finding was that the other side had TCP port 80 open (that is, their server provides only an ordinary HTTP service), with no typical vulnerability at all... No luck; the other side is clearly a well-prepared business. (Since the focus of this article is not here, I will not explain the network vulnerability scanning step.) Give up? Not so easily... Little God happened to be sorting through SQL injection material recently, so here was a chance to "help" them with a test :P

----------------------------------------------------------------------------------------------
Tip: Q: What is SQL injection? A: This attack "embeds" SQL query or action commands into an otherwise legitimate HTTP request in order to achieve the attacker's intent. Many dynamic web pages today take parameters from the web request and use them to dynamically build SQL queries against the database.
For example, when a user logs in on a web page (user authentication), the dynamic page sends the submitted username and password to the database as a SQL query to confirm whether the submitted credentials are valid. From the perspective of a SQL injection attack, the attack is carried out by modifying the username and/or password values when that SQL request is built. For more on SQL injection technique, see: http://demonalex.nease.net/sql_injection/walkthrough.txt
----------------------------------------------------------------------------------------------

First is the download system. Just pick a tool download address:
http://<the security company's website>/<some directory>/Download/open.asp?id=3444

----------------------------------------------------------------------------------------------
Note: Here the author replaces some sensitive information with Chinese placeholders; please forgive me.

----------------------------------------------------------------------------------------------
http://<the security company's website>/<some directory>/Download/open.asp?id=3444'
First, test whether the other side filters ' (the single quote)...

----------------------------------------------------------------------------------------------
Tip: Q: How do I confirm that a website has a SQL injection flaw? A: First insert some special characters into the inputs, for example: hi' or 1=1--. Find a login page and enter it in the login and password fields, or put it in the URL:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If you want to do this on a 'hidden' field, you can download the HTML page from the website to your local hard drive and modify the value of its hidden field, such as

If you are lucky, you may now be able to 'log in successfully' without an account or password.
----------------------------------------------------------------------------------------------

Then try the URLs below and see whether a normal page is returned...
http://<the security company's website>/<some directory>/Download/open.asp?id=3444"
http://<the security company's website>/<some directory>/Download/open.asp?id=3444' or 1=1--
http://<the security company's website>/<some directory>/Download/open.asp?id=3444" or 1=1--
http://<the security company's website>/<some directory>/Download/open.asp?id=3444' or 'a'='a
http://<the security company's website>/<some directory>/Download/open.asp?id=3444" or "a"="a--

----------------------------------------------------------------------------------------------
Tip: Q: Why use ' or 1=1-- for the test? A: Let's look at the importance of ' or 1=1 in another example. Beyond the login case, using it may obtain special information that cannot be obtained through a normal login. Take an ASP page reached from a link: http://duck/index.asp?category=food. In this URL, 'category' is the variable name and 'food' is the value assigned to that variable.

For this to work (for the link to succeed), the ASP page must contain code like the following (this is also the code we wrote for this experiment):

v_cat = request("category")
sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs = conn.execute(sqlstr)

As we can see, the variable's value is taken from the request and assigned to 'v_cat', so the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

This query returns the rows that satisfy the WHERE condition, which in this example is 'food'. Now change the URL like this:

http://duck/index.asp?category=food' or 1=1--

Now our variable v_cat has the value "food' or 1=1--", and if we rebuild the SQL request it becomes:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

This query now selects every row from the product table regardless of whether PCategory equals 'food'. The two '-' (dashes) at the end tell MS SQL Server to ignore the trailing ' (single quote). Sometimes '#' (the hash sign) can be used here instead of '--'. If the other side is not SQL Server (here it is MS SQL Server), or the trailing single quote cannot be ignored in a simple way, you can try: ' or 'a'='a. The whole SQL request then becomes:

SELECT * FROM product WHERE PCategory='food' or 'a'='a

which returns the same result.
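To make the mechanism in this tip concrete, the following is an added Python example; it is not code from the original article or from the walkthrough it cites. It mirrors the ASP concatenation above against an in-memory SQLite table whose product rows are constructed sample data (the table and column names follow the page). SQLite, like MS SQL Server, treats "--" as a line comment, so the same query rewriting can be observed offline, and the parameterized function shows the fix: the value is bound to a placeholder and is never parsed as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the 'product' table described in the text
SAMPLE_PRODUCTS = [
    ("apple", "food"),
    ("bread", "food"),
    ("hammer", "tools"),
    ("router", "network"),
]


def make_db():
    """Build an in-memory database with the sample product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def build_sql_by_concatenation(v_cat):
    """Mirror of the ASP line:
    sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    The request value is spliced directly into the SQL text."""
    return "SELECT * FROM product WHERE PCategory='" + v_cat + "'"


def query_concatenated(conn, v_cat):
    """Vulnerable path: whatever the client sends becomes part of the statement.
    Returns the product names the database hands back."""
    return [row[0] for row in conn.execute(build_sql_by_concatenation(v_cat))]


def query_parameterized(conn, v_cat):
    """Hardened path: the value is passed as a bound parameter, so quotes,
    'or 1=1' and comment markers are compared as literal text, not executed."""
    return [row[0] for row in conn.execute(
        "SELECT * FROM product WHERE PCategory=?", (v_cat,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("food", "food' or 1=1--", "food' or 'a'='a"):
        print("concatenated :", repr(value), "->", query_concatenated(db, value))
        print("parameterized:", repr(value), "->", query_parameterized(db, value))
```

Running it shows the concatenated query returning only the two food rows for the plain value but all four rows for either altered value, while the parameterized query returns the two food rows for "food" and nothing at all for the altered values, because no category literally equals the string "food' or 1=1--".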

Depending on the actual situation, the SQL injection request has many possible variants:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
----------------------------------------------------------------------------------------------

All of them returned "HTTP 500 - Internal Server Error". It looked like a failure, but don't worry, there was still hope... At this point I could only pin my hopes on the forum... (figure)

Step by step: first find the URL of a post (at the time of writing: http://<the security company's website>/<forum directory>/List.asp?ltid=14) and repeat the same behaviour:
http://<the security company's website>/<forum directory>/List.asp?ltid=14'
http://<the security company's website>/<forum directory>/List.asp?ltid=14"
http://<the security company's website>/<forum directory>/List.asp?ltid=14' or 1=1--
http://<the security company's website>/<forum directory>/List.asp?ltid=14" or 1=1--
http://<the security company's website>/<forum directory>/List.asp?ltid=14' or 'a'='a
http://<the security company's website>/<forum directory>/List.asp?ltid=14" or "a"="a
Again nothing came of it... (as shown below)

Besides the address bar, don't forget the login box on the forum homepage: in the "User Name:" field enter: Network***' or 1=1-- and then type a few characters into the "Password:" field :P (see the picture below)

----------------------------------------------------------------------------------------------
Note: "Network***" is the moderator account we saw on the forum homepage.
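From the defender's side, the probe sequence the article runs (a bare quote, then the ' or 1=1-- and ' or 'a'='a variants, each answered with HTTP 500) is exactly what shows up in a web server's access log. The following added Python example, which is not part of the original article, parses constructed Common Log Format lines modelled on those probes, URL-decodes the query-string parameters, and flags the ones carrying the article's injection patterns or a quote character that coincided with a 500 response. The log lines, IP addresses and paths are all constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format) modelled on the probes in the article
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2021:18:00:01 +0800] "GET /download/open.asp?id=3444 HTTP/1.1" 200 5120
10.0.0.5 - - [06/Mar/2021:18:00:02 +0800] "GET /download/open.asp?id=3444%27 HTTP/1.1" 500 311
10.0.0.5 - - [06/Mar/2021:18:00:03 +0800] "GET /download/open.asp?id=3444%27%20or%201%3D1-- HTTP/1.1" 500 311
10.0.0.5 - - [06/Mar/2021:18:00:04 +0800] "GET /forum/List.asp?ltid=14%22%20or%20%22a%22%3D%22a HTTP/1.1" 500 311
10.0.0.9 - - [06/Mar/2021:18:00:05 +0800] "GET /forum/List.asp?ltid=14 HTTP/1.1" 200 8890
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse patterns covering the article's probe strings: a quote or closing
# parenthesis followed by OR, the always-true 1=1 / 'a'='a comparisons, and
# the -- and # comment terminators used to swallow the trailing quote.
INJECTION_RE = re.compile(
    r"""(['"]|\))\s*or\s+|\b1\s*=\s*1\b|(['"])a\2\s*=\s*\2a|--|#""",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one CLF line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl percent-decodes values, so %27 becomes ' and %3D becomes =
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the reasons an entry looks like a SQL injection probe (empty if none)."""
    reasons = []
    for name, value in entry["params"]:
        if INJECTION_RE.search(value):
            reasons.append(f"param {name!r} contains a SQL injection pattern")
        elif ("'" in value or '"' in value) and entry["status"] == 500:
            # A lone quote that makes the application fail with 500 is the
            # first probe in the article; on its own it is a weaker signal.
            reasons.append(f"param {name!r} contains a quote and the server returned 500")
    return reasons


def scan_log(text):
    """Scan log text and return (ip, path, status, reasons) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], entry["status"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, status, "; ".join(reasons))
```

The patterns are deliberately coarse: "--" or "#" can appear in legitimate values, so in practice the count of flagged requests per source address and the burst of 500 responses are what turn these lines into an alert, and a 500 on a quoted parameter is itself a sign that the application is concatenating input into SQL rather than binding it.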

Please credit the original source when reposting: https://www.9cbs.com/read-49741.html
