We all know that a website's back end needs to validate user input. If it does not, a user can even enter SQL statements that operate on the back-end database. I had never really experienced such a fun thing myself. A few days ago the school held a "your favorite counselor" voting activity; the website was probably built by a student team. As a result, a student cracked the website's administrator account and password. I asked him about the principle, learned the steps of the attack, and practiced it again myself. Thanks to Jing; without him I would not know this, nor would this blog post exist.
The website address cracked in this article is www.2cto.com. The content of this article does not apply to that website. I have written up the detailed cracking process to share with you. The logic of this article is tightly connected, so read it patiently; the text covers the cracking steps only as a general idea. If you have any questions, please leave a comment and we will discuss them :)
1. Whether a website has a SQL injection vulnerability
A website's database generally contains a user table (user name and password) and an administrator table (administrator name and password). After you enter a user name and password, the back end executes a SQL statement that checks whether a matching user name AND password exist, for example SELECT * FROM SomeTable WHERE UserName = '$UserName' AND pwd = '$pwd'. If this statement returns a result, the logon succeeds.
Imagine that you enter 'or'='or' in both the student ID and password text boxes and submit. The SQL statement above becomes SELECT * FROM SomeTable WHERE UserName = ''or'='or'' AND pwd = ''or'='or''. This statement is now a logical expression made of several segments:
1. SELECT * FROM SomeTable WHERE UserName = '' (false)
or
2. '=' (true)
or
3. '' (false)
and
4. pwd = '' (false)
or
5. '=' (true)
or
6. '' (false)
Overall the logical expression is 0 | 1 | 0 & 0 | 1 | 0, which evaluates to true (once "0 | 1" has been reached, the rest of the expression no longer matters, because the "or" is already true), so you should be able to log on successfully, and in fact you do.
2. Principle of cracking the back-end database
Enter 'or'='or' in the user name and password text boxes. As shown in step 1 above, the expression is true because of one "or": no matter what follows, "true or false" and "true or true" are both true. The key is the '=' in the middle of 'or'='or'; '=' is just a character, which is always true. If we replace that '=' with a SQL expression, then whenever that expression is true the entire expression is true.
All of the following steps enter the same text in both the user name and password text boxes, because the back-end statement may be SELECT * FROM SomeTable WHERE UserName = '$UserName' AND pwd = '$pwd', or it may be SELECT * FROM SomeTable WHERE pwd = '$pwd' AND UserName = '$UserName'. In either case, as long as the user name and password are the same text and the SQL expression it contains is true, the entire expression is true. Another advantage of writing it this way is that it is convenient to copy and paste.
Now we write SQL expressions to test the contents of the database one item at a time.
3. Obtain the table name of the back-end database
Replace the expression with (SELECT COUNT(*) FROM TableName) <> 0. This expression obtains the number of records in a table, so you have to guess the table name. If the guess is right, the number of records in that table is certainly not 0, and the expression is true. Common table names are much the same everywhere; trying them one by one, we find a table named admin that is not empty. Obviously this table stores the administrator information.
4. Obtain the field names of the back-end database table
Now we know that the table is called admin. Next we try to obtain the fields of this table.
Replace the expression with (SELECT COUNT(*) FROM admin WHERE LEN(FieldName) > 0) <> 0. This expression tests whether the table admin contains the field. LEN(FieldName) > 0 means the length of the field is greater than 0, which is always true if the field exists. So if the table contains the field, the count returned by the whole SELECT statement is certainly not 0, the entire expression is true, and we have obtained a field name.
Using this method, three key fields are obtained: id, admin, and pass.
5. Obtain the length of a field
So far we know there is an admin table with the fields id, admin, and pass, and that the user name and password are stored in the back end. The common practice is to store the MD5-hashed values (32 characters). Now let's test whether this is the case.
Replace the expression with (SELECT COUNT(*) FROM admin WHERE LEN(FieldName) = 32) <> 0. With FieldName replaced by admin and by pass, the result is true in both cases, which indicates that the back end stores both the administrator account and the password as 32-character MD5 strings.
6. Obtain the administrator account and password
An MD5 string is 32 characters long and can only consist of the characters 0-9 and A-F.
1. Obtain the administrator account
Change the expression to (SELECT COUNT(*) FROM admin WHERE LEFT(admin, 1) = 'A') > 0, which means: I guess that the first character of an admin account is A; if so, the expression is true. If it fails, replace A with each of 0-9 and B-F in turn and keep testing until it succeeds. Once it succeeds, I go on to guess the second character of the account. Suppose the first character is 5 and I guess the second is A; then change the expression to (SELECT COUNT(*) FROM admin WHERE LEFT(admin, 2) = '5A') > 0. The 1 in the LEFT() function has become 2, and the string being compared is now the two leftmost characters 5A, of which 5 has already been determined. Repeating in this way, we eventually recover the entire 32-character MD5 string.
2. Obtain the id corresponding to this account
Why do we need the id corresponding to this account? The reason is this: with the previous step you can obtain an account and a password, but a table may contain several administrator accounts and passwords, so how do you match them up? You use the id. One id corresponds to one record, and one record contains exactly one account with its matching password.
Change the expression to (SELECT COUNT(*) FROM admin WHERE LEFT(admin, 1) = '5' AND id = 1) > 0. Assuming the first character of the account is 5, if the expression is still true with "AND id = 1", you know the account's id is 1; if not, replace 1 with other numbers one by one.
3. Obtain the password of the account
Now you have guessed an administrator's account and know its corresponding id (assume it is 4). All that remains is to obtain the password in that record. Similarly, change the expression to (SELECT COUNT(*) FROM admin WHERE LEFT(pass, 1) = 'a' AND id = 4) > 0. Note that id is 4; the method is otherwise the same as for obtaining the administrator account. Finally we obtain a 32-character MD5 string (the password).
* Note: if obtaining each character by hand is too troublesome, you can write a program in C# that simulates the logon and obtains the result quickly by controlling a loop.
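The character-by-character guessing in sections 3 to 6 only works because the site let one source submit hundreds of probe-shaped logons in a row. As an added example (not code from the original post), this is detection logic a defender could run over the application log; the log format, the IP addresses and the lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shapes of the post's probes: a quote closing the literal followed by OR, or
# the COUNT(*)/LEN()/LEFT() pieces of the guessing expressions. This is
# detection for the logs only; the fix itself is a parameterized query.
PROBE_RE = re.compile(r"'\s*or\b|count\s*\(\s*\*\s*\)|\blen\s*\(|\bleft\s*\(", re.I)

def is_probe(value):
    return PROBE_RE.search(value) is not None

def parse_line(line):
    """Constructed application-log format (an assumption, not the site's own
    logs): '<iso timestamp> <src ip> login user=<submitted user name>'."""
    ts, src, _, rest = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, rest[len("user="):]

def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Map src ip -> number of probe-shaped logons, for every source that sent
    at least `threshold` of them inside any `window`. The post's character-
    by-character guessing needs dozens to hundreds of attempts in a row."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, user = parse_line(line)
        if is_probe(user):
            hits[src].append(ts)
    flagged = {}
    for src, times in hits.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

# Constructed sample lines: a normal voter, one isolated probe, and one source
# working through the post's LEFT(admin, n) guesses.
SAMPLE_LOG = [
    "2013-05-06T10:00:01 10.0.0.7 login user=zhang3",
    "2013-05-06T10:00:04 10.0.0.3 login user='or'='or'",
    "2013-05-06T10:00:05 10.0.0.9 login user='or (select count(*) from admin)<>0 or'",
    "2013-05-06T10:00:09 10.0.0.9 login user='or (select count(*) from admin where left(admin,1)='4')>0 or'",
    "2013-05-06T10:00:12 10.0.0.9 login user='or (select count(*) from admin where left(admin,1)='5')>0 or'",
    "2013-05-06T10:00:15 10.0.0.9 login user='or (select count(*) from admin where left(admin,2)='5a')>0 or'",
    "2013-05-06T10:00:19 10.0.0.9 login user='or (select count(*) from admin where left(admin,2)='5b')>0 or'",
    "2013-05-06T10:00:30 10.0.0.7 login user=li4",
]
```

Running find_enumerators(SAMPLE_LOG) flags only 10.0.0.9; the single attempt from 10.0.0.3 stays below the threshold.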
7. Convert the MD5-encrypted account and password to plaintext
Some websites on the Internet keep massive databases (trillions of rows) mapping MD5 ciphertext back to the corresponding plaintext. You only need to enter the MD5 string you want to look up to see what its plaintext is.
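The lookup tables above work because a bare MD5 of a password is identical for every user and every site, so one precomputation serves them all. As an added example (not code from the original post), the following contrasts that storage with per-record salted PBKDF2; the three-entry lookup table and the passwords in it are constructed for the example.

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """What the post's site stored: bare MD5 of the password, 32 hex characters."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed three-entry stand-in for the online MD5 lookup tables the post
# mentions: precomputed digest -> plaintext, built once and reused everywhere.
LOOKUP_TABLE = {md5_hex(p): p for p in ("123456", "password", "admin888")}

def reverse_md5(digest):
    """An unsalted digest is the same for every user and site, so a single
    table lookup recovers it; returns None when the digest is not in the table."""
    return LOOKUP_TABLE.get(digest.lower())

ITERATIONS = 200_000   # raise to current guidance in production

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: a random 16-byte salt per record makes any
    precomputed table useless, and the iteration count makes each guess cost
    real work. Stored as 'iterations$salt$hash', all in hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(md5_hex("123456"), "->", reverse_md5(md5_hex("123456")))  # found
    stored = hash_password("123456")
    print(stored, "->", reverse_md5(stored))                        # None
    print(verify_password("123456", stored), verify_password("1234567", stored))
```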
8. Find the website's administrator logon page
If you cannot find the administrator logon page, you cannot log on to the website even if you already have an administrator account and password.
The voting logon page of the site is http://xgc.nuist.edu.cn/vote/vote_login.asp.
Guessing from that, the administrator logon address is probably http://xgc.nuist.edu.cn/vote/login.asp, and in fact it is.
9. Log on to the website back end
10. Summary
Let's take a look at this website's security...
If the account and password were validated after the user entered them, what followed might not have happened...
If the table names in the database were not so predictable, what followed would not have happened...
If the field names in the database were not so predictable, what followed would not have happened...
If the administrator logon address were not so predictable, what followed would not have happened...
How do I verify user input?
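The root cause in section 1 is that the form values are pasted into the SQL text, so a quote in the input closes the literal and the rest is parsed as SQL. As an added example (not code from the original post) answering the question above, this contrasts that pattern with a parameterized query; the in-memory SQLite table, the user in it and the column names are constructed stand-ins for the site's back end, and the probe is the section-3 form because SQLite, unlike the site's database, does not treat the bare literal '=' of the first payload as true.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's back end: the SomeTable with
    UserName and pwd columns the post describes, holding one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (UserName TEXT, pwd TEXT)")
    conn.execute("INSERT INTO SomeTable VALUES ('alice', 'correct-horse')")
    return conn

def unsafe_query(username, pwd):
    """The pattern the post describes: form values pasted straight into the
    SQL text, so the input can rewrite the WHERE clause."""
    return (f"SELECT * FROM SomeTable WHERE UserName = '{username}' "
            f"AND pwd = '{pwd}'")

def login_unsafe(conn, username, pwd):
    return conn.execute(unsafe_query(username, pwd)).fetchone() is not None

def login_safe(conn, username, pwd):
    """Parameterized form: the SQL text is fixed and the values travel
    separately, so the input is only ever compared, never parsed."""
    row = conn.execute(
        "SELECT * FROM SomeTable WHERE UserName = ? AND pwd = ?",
        (username, pwd),
    ).fetchone()
    return row is not None

# The section-3 probe from the post: the '=' in the middle of 'or'='or'
# replaced by a SQL expression that is true whenever the table exists.
PROBE = "'or (select count(*) from SomeTable)<>0 or'"

if __name__ == "__main__":
    conn = make_db()
    print(unsafe_query(PROBE, PROBE))
    print("unsafe:", login_unsafe(conn, PROBE, PROBE))            # True
    print("safe:  ", login_safe(conn, PROBE, PROBE))              # False
    print("real:  ", login_safe(conn, "alice", "correct-horse"))  # True
```

With the same input, the concatenated query logs the attacker in without any credentials, while the parameterized query treats the whole string as a user name that does not exist.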