Building a scripting environment (ASP, PHP, ASPX)
Environmental differences: installer packages, integrated bundles, and web servers such as IIS, Apache, Tomcat, Nginx
Script languages and database types
Concrete analysis of the various build combinations
Where the various vulnerability classes arise
First vulnerability to learn: SQL injection, focusing on Access injection
Web (HTTP) default port: 80
www.baidu.com:80
www.baidu.com (same address; the port is omitted because 80 is the default)
Issue: port occupancy (another service already bound to the port)
Static vs. dynamic language differences
Static: HTML. Dynamic: asp, php, aspx, ...
Dynamic language: the server-side code differs from what the client receives (the server executes it and sends only the output)
Static language: the server-side file and the code the client receives are the same
PhpStudy (an integrated local environment)
Scripts: asp, php, aspx, jsp, cgi, war, do, py, pl
Databases: Access, MySQL, MSSQL (SQL Server), Oracle, PostgreSQL, DB2
Common pairings
ASP: Access, MSSQL
PHP: MySQL
ASPX: MSSQL, Oracle
JSP: Oracle, MSSQL
IIS 6.0: Windows 2003
IIS 7.0 / 7.5: Windows 2008
Apache: Windows, Linux
How to identify the build platform?
Tools and third-party platforms (webmaster tool sites)
How to identify the operating system?
The pairing above, fingerprinting tools, and the TTL value of replies
Server
Operating system
Web service
Site mix (build platform:
web server software such as IIS;
database such as Access, MySQL;
script language such as asp, php)
Source code (self-developed, or open source downloaded online)
FTP service
Mail service
MySQL command-line format: mysql -u <account name> -p<password> -h <host address>
SQL injection: principle and how it forms (script code plus database)
Principle: the script accepts a request parameter and places it directly into a database operation without any processing, so whoever controls the parameter can change the query and, through it, the page.
http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513
Website address: http://127.0.0.1:81/0/0/
File directory: /Production/
Website file: PRODUCT_DETAIL.asp
File parameter name: id
File parameter value: 1513
Database side (classic ASP / VBScript)
id = Request("id")                              ' take the value passed in the id parameter and store it in the variable id
sql = "SELECT * FROM product WHERE id=" & id    ' concatenate that value straight into the SQL statement
Set rs = conn.Execute(sql)                      ' execute the statement
http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513
id=1513
SELECT * FROM product WHERE id=1513
http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1
id=1513 and 1=1
SELECT * FROM product WHERE id=1513 and 1=1      (condition true: the normal page is returned)
SELECT * FROM product WHERE id=1513 and 1=222    (condition false: no row, an error or empty page)
SELECT * FROM product WHERE id=1513 union select 1,23,..... from admin    (the appended query reads from a different table)
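The formation process above, as an added example that is not part of the original notes: the page's ASP/Access lookup is modelled in Python on an in-memory SQLite table (an assumption made so it runs stand-alone), with the concatenating version beside a version that validates the parameter and binds it, run against the same three requests from the notes.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Access 'product' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(1512, "widget"), (1513, "gadget"), (1514, "gizmo")])
    return conn


def vulnerable_lookup(conn, raw_id):
    # Mirrors the page's ASP: sql = "SELECT * FROM product WHERE id=" & id
    # Whatever the request carries becomes part of the statement.
    sql = "SELECT * FROM product WHERE id=" + raw_id
    return sql, conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    # Hardened form: enforce the expected type, then bind the value as a
    # parameter so the database never parses request data as SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a whole number, got %r" % raw_id)
    sql = "SELECT * FROM product WHERE id=?"
    return sql, conn.execute(sql, (int(raw_id),)).fetchall()


def probe(conn, lookup):
    """Send the three requests from the notes through one lookup function.

    Returns {raw_id: rows} or {raw_id: "rejected"} when validation stops it.
    With vulnerable_lookup the 'and 1=1' request returns the same row as the
    plain request while 'and 1=222' returns nothing: the page reflects the
    truth of the injected condition. With safe_lookup both are rejected.
    """
    results = {}
    for raw_id in ("1513", "1513 and 1=1", "1513 and 1=222"):
        try:
            _, rows = lookup(conn, raw_id)
            results[raw_id] = rows
        except ValueError:
            results[raw_id] = "rejected"
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(db, vulnerable_lookup))
    print("safe:      ", probe(db, safe_lookup))
```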
Judging whether injection exists:
and 1=1 returns the normal page
and 1=211 returns an error page
Logical operators behind this test:
AND, OR, NOT
OR, AND, XOR
OR: TRUE OR TRUE is TRUE
AND: FALSE AND FALSE is FALSE
TRUE OR TRUE is TRUE
TRUE AND FALSE is FALSE
Universal Password
' or ' = ' or '
Two preconditions:
1. Does the page accept a parameter?
2. Is that parameter brought into a database query?
URLs that might be injectable
1. www.xxx.com/news.asp x (no parameter accepted)
2. www.xxx.com/index.asp?page=111
3. www.xxx.com/index.asp?id=1&page=111
4. www.xxx.com/index/new/id/5 (pseudo-static)
5. www.xx.com/index/new/asp-5.html (pseudo-static)
www.xxx.com/index.asp?id=1&page=111
Injecting on the id parameter (the order of the parameters does not matter):
www.xxx.com/index.asp?page=111&id=1 and 1=1
SQL injection
ASP + Access injection
By database:
ASP injection
PHP injection
By script:
Access injection
MySQL injection
Judging injection
and 1=1: correct page
and 1=x: error page
Guessing the number of columns
ORDER BY xx
Guessing the table name (union query)
UNION SELECT 1,2,3,4,5.....22 FROM admin
Access brute-force guessing injection (no metadata tables to query, so table and column names are guessed)
Experiment:
Puzzle 1: the column names have been changed; find the column names and manually obtain the account and password
Puzzle 2: manually modify the code so that the backend login succeeds
Backend login (PHP)
$xxname = $_GET['username'];
$xxname = $_GET['xxname'];
Penetration Test 1