Penetration skills: some opinions on SafeDog
Security attacks and defense never go out of date. A website you fail to penetrate today because of various technical conditions may, as you grow and study, still hold an unexpected little surprise for you later. I had a lot of tasks on my hands last week, so I visited the forum three days ago and spent the next two days working through them. While penetrating a website we found a numeric injection point, and as soon as we started using it, duang, SafeDog (the WAF) popped up.
There were not many tasks on hand that day, so I planned to test it manually and think about how to bypass SafeDog. So here is my story. (1) After finding a suspected numeric injection point on the website, I performed a manual test on the URL with the id parameter, which looked injectable. First, a normal URL; the returned page is shown below.
Then I simply tried the parameter with id = 1. The page looks like this.
Then I began to check whether this might be an injection point. For a numeric parameter like this, we take the original id value and add, subtract, multiply or divide it by another value, then compare whether the page returned for the computed expression is the same as the page for the corresponding id. Simply put, if the page for id = 37-36 is the same as the page for id = 1, we can guess there may be an injection point here. So I changed the parameter to id = 37-36, and the page is exactly the same as for id = 1.
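The reason the arithmetic probe works is that the parameter is pasted into the SQL text and the database evaluates the expression. The following is an added example, not code from the original post: it uses an in-memory SQLite table standing in for the site's MySQL table (the m16_new name and its columns are assumed from the statements quoted later in the post) and places the vulnerable string-built query beside a hardened version that validates the type and binds the value, so the probe no longer distinguishes id = 37-36 from id = 1.

```python
import sqlite3


def build_db():
    """Constructed sample data; the schema is an assumption based on the post's queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m16_new (id INTEGER, title TEXT, pic TEXT, cid INTEGER, isdisplay INTEGER)"
    )
    rows = [
        (1, "first", "1.jpg", 1, 1),
        (2, "second", "2.jpg", 2, 1),
        (3, "third", "3.jpg", 37, 1),
    ]
    conn.executemany("INSERT INTO m16_new VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def vulnerable_lookup(conn, cid_param):
    """The id parameter goes straight into the SQL text, so the database evaluates '37-36' itself."""
    sql = f"SELECT id, title, pic FROM m16_new WHERE isdisplay = 1 AND cid = {cid_param}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, cid_param):
    """Validate the type first, then bind the value; '37-36' is rejected before any SQL runs."""
    cid = int(cid_param)  # raises ValueError for anything that is not a plain integer
    sql = "SELECT id, title, pic FROM m16_new WHERE isdisplay = 1 AND cid = ?"
    return conn.execute(sql, (cid,)).fetchall()


def arithmetic_probe_matches(lookup, conn):
    """The post's test: does cid=37-36 return the same page as cid=1?"""
    try:
        return lookup(conn, "37-36") == lookup(conn, "1")
    except ValueError:
        # The hardened path refuses the expression outright, so the probe reveals nothing.
        return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", arithmetic_probe_matches(vulnerable_lookup, db))
    print("hardened:  ", arithmetic_probe_matches(safe_lookup, db))
```

The same concatenation defect appears in both of the site's queries quoted later in the post; binding the parameter in each of them, not just one, is what closes the hole.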
(2) When I used order by [number] to determine the number of columns in the current select statement, the database reported an error, as shown below.
We can see that the original SQL statement in the backend already has an order by clause, so we comment it out with -- + (in a URL, + stands for a space). The page is then the same as for id = 37.
Next, as usual, we use union select 1 to obtain data. But reality slapped us in the face: the website has SafeDog, as shown below.
Then I started testing and thought of using %0a (the line feed character), but that does not seem to work, as shown below.
Let's try the null character %00, which has magical effects on many occasions. It seems useful: the website returns an error message, as shown below.
We can see there is no space between 37 and union. Let's add a space. The backend still reports an error, the same one as before. This indicates that the %00 character breaks the SQL query statement. What should we do?
Where can we place %00 so that it does not affect the SQL statement? Those familiar with MySQL will think of multi-line comments: we only need to put %00 between /* and */, and MySQL will turn a blind eye to it. Let's look at the actual result.
The returned error message is now different. Anyone familiar with SQL will recognise it: the two select statements joined by union have different numbers of columns. Look closer: the select now has three columns, unlike the one we tested the first time. Below is our first union test, where we can see only one column. That is to say, the id parameter is used in two different queries, which means we cannot get data through union select.
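The bypass works because the database and the rule engine read the parameter differently: MySQL ignores the NUL byte inside /* */, while an inspector that stops at a NUL byte never sees the union that follows. The following is an added example, not code from the post or from SafeDog: it models that mismatch in Python with a naive inspector (the C-string cut-off is an assumption about why the old rules missed the payload, not SafeDog's actual implementation) beside a hardened one that URL-decodes, drops NUL bytes and strips inline comments before matching, run over the post's two parameter values and a benign one (all constructed here).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values: the two shapes from the post plus a benign one.
SAMPLES = {
    "benign": "37",
    "plain_union": "37 union select 1",
    "null_in_comment": "37/*%00*/union select 1 -- +",
}

# Only the keywords the post's payloads use; a real WAF rule set is far larger.
INJECTION = re.compile(
    r"\bunion\b\s+(all\s+)?\bselect\b|\b(updatexml|extractvalue)\s*\(", re.I
)


def naive_inspect(raw_param):
    """Model of a rule engine that decodes the parameter but stops reading at the first
    NUL byte (C-string semantics). Assumed behaviour for illustration only."""
    decoded = unquote_plus(raw_param)
    visible = decoded.split("\x00", 1)[0]
    return INJECTION.search(visible) is not None


def normalize(raw_param):
    """Canonicalise the value the way the database will effectively read it."""
    decoded = unquote_plus(raw_param)  # %00 -> NUL, + -> space
    decoded = decoded.replace("\x00", "")  # NUL bytes MySQL ignores inside comments
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)  # comments used as separators
    return re.sub(r"\s+", " ", decoded).strip()


def hardened_inspect(raw_param):
    """Match rules against the normalised value, not the raw bytes."""
    return INJECTION.search(normalize(raw_param)) is not None


def compare(samples=SAMPLES):
    """Return {name: (naive verdict, hardened verdict)} for each sample."""
    return {name: (naive_inspect(v), hardened_inspect(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16s} naive={verdicts[0]!s:5s} hardened={verdicts[1]}")
```

The point is the ordering: decode and normalise first, match second. A rule set that grows by adding signatures for each new encoding trick, which is what the post later sees in the updated SafeDog rules, keeps chasing variants of the same gap.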
Now let's clarify our thoughts. The first select statement is:

SELECT count(id) as c FROM `hdm0550293_db`.`m16_new` WHERE cid = 37/**/union select 1,2,3 -- LIMIT 1

The second select statement is:

SELECT `id`, `title`, `pic` FROM `hdm0550293_db`.`m16_new` WHERE isdisplay = 1 AND cid = 37/**/union select 1 -- order by sort desc, id desc LIMIT

(3) Since union cannot be used, the techniques left to us are error-based injection and Boolean blind injection.
[1] Test updatexml(1, concat(0x7e, user()), 0).
[2] Test extractvalue(1, concat(0x7e, user())).
[3] Test or (select count(*) from information_schema.tables group by concat(user(), floor(rand(0)*2))), as shown below. :-O, my God, we have the data.
Obtain the current database: or (select count(*) from information_schema.tables group by concat(database(), floor(rand(0)*2)))
However, when obtaining a table name, SafeDog still detects this kind of query: (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema = database() limit 0,1), floor(rand(0)*2))) -- +
Still, we bypassed it step by step and broke through several defense points, so give yourself a thumbs up. [2] Of course, we can also use blind injection to obtain data, but some common column names will still be blocked. Below are the database names I obtained by writing a blind injection script.
(4) Later, I installed the latest Apache version of SafeDog in a local environment.
Let's test whether the new version can still be bypassed with %00. [1] First, look at the site where we found the problem: /*%00*/and 1=1 returns the page normally.
Now look at my local environment with the latest version of SafeDog: this does not work.
Unfortunately, the latest version of SafeDog detects the %00 character, so why did the target site not react? You can see that SafeDog has an option to update its protection rules online. SafeDog keeps matching new injection rules, and many site owners think that installing SafeDog makes them safe. However, lack of management and inaction on security mean they get attacked by hackers even with a WAF in place.
(5) In the end, a website needs to be maintained and managed. Always keep up with system and software updates and do not look for a silver bullet: no security software can make up for your own inaction. In the past I was always depressed when I saw SafeDog, but after this analysis I found that inaction often leaves us a chance. So if you encounter SafeDog, try to bypass it; maybe the one you meet has no real administrator behind it. (6) No more this weekend! I was going to play on Sunday. Hey, I've written a post tonight and I'm so tired. Don't be stingy with likes. Next time I really need to think about recording a video; otherwise it takes me three hours to write a post.