Penetration Test 1

Source: Internet
Author: User
Tags: apache, windows, mysql, injection, php

Set up a scripting environment (ASP, PHP, ASPX).
Environment differences: installer packages vs. integrated packs, and web servers such as IIS, Apache, Tomcat, Nginx, etc.
Script languages and database types.
Analyse the concrete combinations a site can be built from.
Where the various classes of vulnerabilities arise.
First vulnerability to learn: SQL injection, mainly Access injection.
Web (HTTP) default port: 80


www.baidu.com:80 (port 80 is implied, so this is the same as www.baidu.com)
www.baidu.com
Issue: port already occupied (port conflict)

Static vs. dynamic language differences
Static: HTML. Dynamic: asp, php, aspx ...

Dynamic language: the code the server runs is not the code the client receives
Static language: the server-side code and the code the client receives are the same


phpStudy


Scripts: asp, php, aspx, jsp, cgi, war, do, py, pl
Databases: Access, MySQL, MSSQL (SQL Server), Oracle, PostgreSQL, DB2

Common combinations
ASP: Access, MSSQL
PHP: MySQL
ASPX: MSSQL, Oracle
JSP: Oracle, MSSQL

IIS 6.0: Windows 2003
IIS 7.0, 7.5: Windows 2008
Apache: Windows, Linux


How to identify the platform a site is built on?
Tools, third-party platforms (webmaster tools)
How to identify the operating system?
From the combination in use, tools, and the TTL value


Server
  Operating system
  Web service
  Site composition (build platform):
    Software: IIS, etc.
    Database: Access, MySQL, etc.
    Script: asp, php, etc.

Source code: self-developed, or open source downloaded online


FTP service
Mail service. MySQL database command-line format: mysql -u account_name -p password -h host_address
SQL injection, principle and how it arises: script code plus database
Principle: the script accepts a parameter and passes it straight into the database operation without any processing, so whoever controls the parameter can influence the page.




http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513

Website address: http://127.0.0.1:81/0/0/
File directory: /production/
Website file: product_detail.asp
File parameter name: id
File parameter value: 1513

Database side (ASP + Access)

id = Request("id")                              ' take the value passed in the id parameter and assign it to the variable id
sql = "SELECT * FROM product WHERE id=" & id    ' concatenate the value just accepted into the SQL statement
Set rs = conn.Execute(sql)                      ' execute the SQL statement

http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513

id=1513
SELECT * FROM product WHERE id=1513


http://127.0.0.1:81/0/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=1

id=1513 and 1=1
SELECT * FROM product WHERE id=1513 and 1=1    returns true (normal page)
SELECT * FROM product WHERE id=1513 and 1=222  returns false (error page)


SELECT * FROM product WHERE id=1513 union select 1,2,3,..... from admin
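As an added illustration (not code from the original notes), the Python below models the ASP logic above with SQLite standing in for Access: the concatenated query sits beside a parameterized one, and both are run on the same inputs. The product and admin tables, their rows and the credential are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the Access database in the notes:
    a product table plus an admin table holding made-up sample credentials."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER, name TEXT);
        INSERT INTO product VALUES (1513, 'widget'), (1514, 'gadget');
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'sample-password');
    """)
    return conn

def query_concat(conn, id_param):
    """The vulnerable pattern from the notes, sql = "SELECT * FROM product
    WHERE id=" & id: the raw request parameter becomes part of the SQL text,
    so whatever follows the number is parsed as SQL, not as data."""
    sql = "SELECT * FROM product WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def query_param(conn, id_param):
    """Hardened form: validate the type first, then bind the value as data.
    Text such as 'and 1=1' can no longer change the statement's structure."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []                    # not a numeric id: refuse, build no query
    return conn.execute("SELECT * FROM product WHERE id=?", (id_value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for p in ("1513", "1513 and 1=1", "1513 and 1=222",
              "1513 union select username,password from admin"):
        print(f"{p!r:50} concat={query_concat(db, p)}  param={query_param(db, p)}")
```

Running it shows the true/false page difference from the notes only for the concatenated version; the bound version returns the same single row for a valid id and nothing for anything else.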



Testing for injection:
and 1=1  the normal page
and 1=211  an error page

Logical operators used in the test
AND, OR, NOT
OR and XOR
OR: true if either side is true
AND: true only if both sides are true

true or true = true
true and false = false


Universal password:
' or ' = ' or '

Two conditions:
1. Whether the parameter is accepted at all
2. Whether it is brought into a database query


Where injection might exist

1. www.xxx.com/news.asp  x (no parameter)
2. www.xxx.com/index.asp?page=111
3. www.xxx.com/index.asp?id=1&page=111
4. www.xxx.com/index/new/id/5  (pseudo-static)
5. www.xx.com/index/new/asp-5.html

Pseudo-static

www.xxx.com/index.asp?id=1&page=111
Injecting via the id parameter:

www.xxx.com/index.asp?page=111&id=1 and 1=1


SQL injection
ASP + Access injection


By script (database injection through the script):
ASP injection
PHP injection

By database:
Access injection
MySQL injection


Testing for injection
and 1=1  normal page
and 1=x  error page

Guess the number of columns
ORDER BY xx

Guess the table name (union query)
union select 1,2,3,4,5.....22 from admin

Access: brute-force guessing injection




Exercises:
Exercise 1: the column name has been changed; find the column name and manually obtain the account and password
Exercise 2: manually modify the code so that the backend login succeeds




Backend login
$xxname = $_GET['username'];
$xxname = $_GET['xxname'];

