A web page can submit data to the server in three ways: GET, POST, and cookie. Traditional injection tests such as "and 1=1" are appended after the injection point in the URL, which is the GET submission method. Many websites filter only the data submitted via GET, which leaves an opening for cookie injection.
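The filtering gap described above, as an added example (not code from the original post): a constructed handler that reads `id` from the query string, form body or cookie, with a filter that inspects only GET values shown beside a hardened lookup that validates the resolved value and binds it as a query parameter. The function names, the lookup order, the `news` table and the keyword list are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed keyword filter, standing in for a site's anti-injection include.
SQL_TOKENS = re.compile(r"('|;|--|\b(and|or|select|union|insert|update|delete)\b)",
                        re.IGNORECASE)

def resolve_param(name, query, form, cookies):
    """Merged lookup (assumed order: query string, form body, cookie)."""
    for source in (query, form, cookies):
        if name in source:
            return source[name]
    return None

def weak_filter(query, form, cookies):
    """The gap the page describes: only GET values are inspected."""
    return not any(SQL_TOKENS.search(v) for v in query.values())

def fetch_article_hardened(db, query, form, cookies):
    """Validate the value the handler will actually use, whatever its source,
    then bind it as a parameter instead of concatenating it into SQL."""
    raw = resolve_param("id", query, form, cookies)
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("id must be a short decimal integer")
    row = db.execute("SELECT title FROM news WHERE id = ?", (int(raw),)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory database with one constructed row (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (25, 'constructed sample row')")
    return db

if __name__ == "__main__":
    db = demo_db()
    probe = "25 and 1=1"  # the test string used on this page
    print(weak_filter({"id": probe}, {}, {}))  # False: blocked in the query string
    print(weak_filter({}, {}, {"id": probe}))  # True: the cookie is never inspected
    try:
        fetch_article_hardened(db, {}, {}, {"id": probe})
    except ValueError as exc:
        print("rejected:", exc)
    print(fetch_article_hardened(db, {}, {}, {"id": "25"}))
```

The hardened path does not depend on a keyword list at all: it checks the value after source resolution and never builds SQL from it.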
Previous blog posts introduced cookie injection through injection transfer. To understand cookie injection better, this post uses Burp Suite to capture packets and Pangolin to perform the cookie injection. We still use the previously established lab environment: the target website uses the Southern Data 5.0 template, the target server's IP address is 192.168.80.129, and the hacker host's IP address is 192.168.80.128.
Burp Suite is a powerful, comprehensive web attack platform that is also complicated to use; here we mainly use its packet capture function. Software download: http://down.51cto.com/data/1889494. Burp Suite runs in a Java environment, so Java must also be installed on the hacker host.
Open the target website and, in the browser, set the local host as the proxy server with port number 8080. All data the browser sends to the network is then intercepted by Burp Suite.
When a web page is opened, the request is intercepted by Burp Suite, and "?id=25" can be seen in the intercepted data.
Click Forward to pass the data on, and the web page opens normally. Then add "and 1=1" or another injection statement in the address bar and press Enter; the data is intercepted by Burp Suite again.
From the intercepted data, we can see that the data submitted via GET has become the injection statement we just entered.
Now that the principles of data submission are clear, we use the tool Pangolin to perform the cookie injection.
Run Pangolin, copy the URL of the injection point into the URL bar, and click the Check button on the toolbar. Pangolin automatically determines that the injection type is cookie injection (if no injection is detected, try several more URLs).
Then click "Get Data" -> "Get table" to display the tables contained in the database. The one we are interested in is the "admin" table.
Select the "admin" table and click "retrieve" to display the fields in the table.
Select the password and username fields and click "Get Data" in the right-hand window. The user name and password are displayed.
This article is from the "one pot of turbidity wine" blog. For more information, please contact the author!
Network Security Series-17 cookie injection (burpsuite + pangolin)