SQL injection in web security testing & penetration testing

Source: Internet
Author: User
Tags: get ip

Penetration Testing Concepts:

See Baidu Encyclopedia

http://baike.baidu.com/link?url=T3avJhH3_MunEIk9fPzEX5hcSv2IqQlhAfokBzAG4M1CztQrSbwsRkSerdBe17H6tTF5IleOCc7R3ThIBYNO-q

Objective:

Security testing is a very broad field. To get straight to the point: my understanding of it is not deep and I am still in the learning phase, so this post is a summary and record of my own study, shared in simple form. It does not go into particular tools; the focus is on understanding the principles in detail and discussing solutions.

Code section:

HTML + JSP + MySQL, implementing a login function and a new-data (insert) function.

HTML (the page with both forms)

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SQL injection of web security testing</title>
</head>
<body bgcolor="#ffffff">
<!-- login form: posts user/pass to chklogin.jsp -->
<form action="chklogin.jsp" method="POST">
  <input type="text" name="user" /><br/>
  <input type="password" name="pass" /><br/>
  <input type="submit" value="Login" />
</form>
<!-- new-data form: posts user/pwd to insert.jsp -->
<form action="insert.jsp" method="POST">
  <input type="text" name="user" /><br/>
  <input type="text" name="pwd" /><br/>
  <input type="submit" value="new" />
</form>
</body>
</html>
```

JSP 1 (chklogin.jsp, the login check)

```jsp
<%@ page contentType="text/html; charset=utf-8" %>
<%@ page import="java.sql.*" %>
<body>
<%
String user = request.getParameter("user");
String pass = request.getParameter("pass");
Connection con = null;
PreparedStatement ps = null;
ResultSet rs = null;
String sql = null;
try {
    Class.forName("com.mysql.jdbc.Driver");
    con = java.sql.DriverManager.getConnection(
        "jdbc:mysql://192.168.0.157/webtest?useUnicode=true&characterEncoding=utf-8",
        "root", "123456");
    // Deliberately vulnerable: the statement is built by string concatenation
    sql = "SELECT * FROM user WHERE name='" + user + "' AND pwd='" + pass + "'";
    ps = con.prepareStatement(sql);
    // Safe variant, left commented out here and used in the fix further down:
    // ps = con.prepareStatement("SELECT * FROM user WHERE name=? AND pwd=?");
    // ps.setString(1, user);
    // ps.setString(2, pass);
    rs = ps.executeQuery();
    if (rs.next()) {
        out.println("Login Successful!");
        out.println("SQL:" + sql);
    } else {
        out.println("Login failed!");
        out.println("SQL:" + sql);
    }
} catch (Exception ex) {
    out.println("Login Exception!");
    out.println("SQL:" + sql);
    out.println("Exception:" + ex);
} finally {
    // close() throws the checked SQLException, which a JSP cannot propagate
    try {
        if (null != rs) { rs.close(); rs = null; }
        if (null != ps) { ps.close(); ps = null; }
        if (null != con) { con.close(); con = null; }
    } catch (SQLException e) {
        out.println("Close Exception:" + e);
    }
}
%>
</body>
```

JSP 2 (insert.jsp, the new-data function)

```jsp
<%@ page contentType="text/html; charset=utf-8" %>
<%@ page import="java.sql.*" %>
<body>
<%
String user = request.getParameter("user");
String pass = request.getParameter("pwd");
Connection con = null;
PreparedStatement ps = null;
ResultSet rs = null;
String sql = null;
int r = 0;
try {
    Class.forName("com.mysql.jdbc.Driver");
    con = java.sql.DriverManager.getConnection(
        "jdbc:mysql://192.168.0.157/webtest?useUnicode=true&characterEncoding=utf-8",
        "root", "123456");
    // Deliberately vulnerable: both values are concatenated into the INSERT
    sql = "INSERT INTO user (name, pwd) VALUES ('" + user + "', '" + pass + "')";
    ps = con.prepareStatement(sql);
    // Safe variant, left commented out:
    // ps = con.prepareStatement("INSERT INTO user (name, pwd) VALUES (?, ?)");
    // ps.setString(1, user);
    // ps.setString(2, pass);
    r = ps.executeUpdate();
    if (r > 0) {
        out.println("Add success!");
        out.println("SQL:" + sql);
    } else {
        out.println("Add failed!");
        out.println("SQL:" + sql);
    }
} catch (Exception ex) {
    out.println("Add Exception!");
    out.println("SQL:" + sql);
    out.println("Exception:" + ex);
} finally {
    // close() throws the checked SQLException, which a JSP cannot propagate
    try {
        if (null != rs) { rs.close(); rs = null; }
        if (null != ps) { ps.close(); ps = null; }
        if (null != con) { con.close(); con = null; }
    } catch (SQLException e) {
        out.println("Close Exception:" + e);
    }
}
%>
</body>
```

Introduction to the principle of the login:

HTML -> JSP -> DB

The HTML page takes two parameters, user and pass; pressing 'Login' calls chklogin.jsp. chklogin.jsp receives the two parameters from the HTML page and queries the user table in the database: if a row comes back the login succeeds, otherwise it fails, and an exception gives 'Login Exception'. The query is run with executeQuery on SQL assembled by + string concatenation.

Normal scenario:

Database user Data

Page login (password error)

Page Login OK

With that, our experiment environment is ready and we can get our hands dirty. Start!

SQL injection instance 1 (login without knowing the password):

Interface input:

User: test

Pwd: ' or 1=1; --

Effect:

SQL injection instance 2 (login without knowing the username or the password):

Interface input:

User: ' or 1=1; --

Pwd: (empty)

Effect:

Escalation of the two attacks above:

Basic countermeasure: front-end control. Filter and restrict the interface parameters on the page, for example the characters ' -- ; and the keyword or.

Bypass: with Fiddler or another HTTP capture tool, the username and password fields can be edited freely (note that the browser URL-encodes them), and sending the request directly bypasses the front-end string checks.

Upgraded countermeasure for these instances:

Intermediate countermeasure: front-end control + business-logic control. The business layer stops using + string concatenation and passes the parameters through placeholders instead:

```java
ps = con.prepareStatement("SELECT * FROM user WHERE name=? AND pwd=?");
ps.setString(1, user);
ps.setString(2, pass);
```

Result:

Injection through the form's string parameters and injection through direct HTTP-protocol requests are both ineffective.
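To show what the intermediate countermeasure actually changes, here is an added example (mine, not the blog's code) that reproduces the login check in Python against an in-memory SQLite table with two constructed accounts, and replays the page's instance 1 and instance 2 inputs against the concatenated query and the placeholder version. SQLite stands in for the blog's MySQL server so the block runs offline. One caveat for MySQL: it only treats -- as a comment when whitespace follows it, so against a MySQL backend the input needs a trailing space, which SQLite does not need.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the blog's MySQL `user` table: an in-memory
    SQLite database with two made-up accounts (added example, not the blog's)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    con.executemany("INSERT INTO user (name, pwd) VALUES (?, ?)",
                    [("test", "secret"), ("admin", "hunter2")])
    con.commit()
    return con


def login_concat(con, user, pwd):
    """Same logic as chklogin.jsp: the statement is assembled with string
    concatenation and a non-empty result means 'Login Successful'.
    Returns (logged_in, sql_actually_sent) so the caller can see how the
    input reshaped the query."""
    sql = ("SELECT * FROM user WHERE name='" + user
           + "' AND pwd='" + pwd + "'")
    row = con.execute(sql).fetchone()
    return row is not None, sql


def login_param(con, user, pwd):
    """The page's intermediate countermeasure: placeholders. The driver
    sends the values separately from the statement text, so quotes,
    'or 1=1' and comment markers are compared as data, never parsed."""
    sql = "SELECT * FROM user WHERE name=? AND pwd=?"
    row = con.execute(sql, (user, pwd)).fetchone()
    return row is not None, sql


def run_demo():
    """Replays the page's two login inputs against both variants and
    returns {case: (logged_in_with_concat, logged_in_with_placeholders)}."""
    cases = {
        "instance 1 (known user, injected pwd)": ("test", "' or 1=1; --"),
        "instance 2 (injected user, empty pwd)": ("' or 1=1; --", ""),
        "honest wrong password": ("test", "wrong"),
    }
    results = {}
    for label, (u, p) in cases.items():
        ok_concat, sql = login_concat(make_db(), u, p)
        ok_param, _ = login_param(make_db(), u, p)
        results[label] = (ok_concat, ok_param)
        print(f"{label}\n  concat -> {ok_concat}  sent: {sql}\n  param  -> {ok_param}")
    return results


if __name__ == "__main__":
    run_demo()
```

Run it directly and compare the `sent:` lines: with concatenation the password comparison becomes `pwd='' or 1=1` and the rest of the statement is commented out, so the first row in the table logs in; with placeholders the same text is simply a password that nobody has.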

Things to try (not practised yet):

Various encodings and escapes of the parameters. There is a lot to this topic and my level is limited; anyone interested in this part is welcome to add to it.

The above is a simple example, and from what we have seen so far it does not look that dangerous: you just get into the system, with no sign of a serious data leak. Well, the main course starts now.

Principle of the new-data function:

Same as the login.

The new-data function working normally:

SQL injection instance 3 (adding arbitrary data):

Interface input:

Test', 'Test'), ('1', '2'); --

Effect:

The show starts here.

The first step is to get the current database version, using SELECT version().

SQL injection instance 4:

Interface input:

Test', (SELECT version()))--

Effect:

The second step is to get the database objects, using INFORMATION_SCHEMA.TABLES.

SQL injection instance 5:

Interface input:

Test', (SELECT table_schema FROM INFORMATION_SCHEMA.TABLES GROUP BY table_schema LIMIT 1)); --

Effect:

DB list

Interface:

Data:

The rest is a loop, as you can imagine, until all the databases have been retrieved.
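The three inputs from instances 3, 4 and 5, replayed in Python against a constructed in-memory SQLite table (an added example, not the blog's code). Because SQLite has no version() function and no INFORMATION_SCHEMA, the example substitutes sqlite_version() and the sqlite_master catalogue table; the mechanism is the same: the concatenated INSERT lets a subquery's result be written into the pwd column, where the page's own "SQL:" echo or a later read reveals it. The bound-parameter version beside it stores the whole input as one literal row and nothing else runs.

```python
import sqlite3

# Exposed so a caller can check what instance 4 wrote into the table.
LIBRARY_VERSION = sqlite3.sqlite_version


def make_db():
    """Constructed stand-in for the blog's `user` table (added example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    con.execute("INSERT INTO user (name, pwd) VALUES ('test', 'secret')")
    con.commit()
    return con


def rows(con):
    return con.execute("SELECT name, pwd FROM user ORDER BY rowid").fetchall()


def add_user_concat(con, user, pwd):
    """Same shape as insert.jsp: values glued into the INSERT with +.
    Returns the table contents afterwards."""
    sql = ("INSERT INTO user (name, pwd) VALUES ('" + user
           + "', '" + pwd + "')")
    con.execute(sql)
    con.commit()
    return rows(con)


def add_user_param(con, user, pwd):
    """Bound parameters: whatever the input contains is stored verbatim
    as one name/pwd pair."""
    con.execute("INSERT INTO user (name, pwd) VALUES (?, ?)", (user, pwd))
    con.commit()
    return rows(con)


# The page's instance 3-5 inputs, with the SQLite equivalents of version()
# and INFORMATION_SCHEMA.TABLES swapped in. Each goes into the first (user)
# field; the pwd field is irrelevant because the input comments it out.
PAYLOADS = {
    "instance 3: extra rows": "Test', 'Test'), ('1', '2'); --",
    "instance 4: version": "Test', (SELECT sqlite_version()))--",
    "instance 5: schema name":
        "Test', (SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)); --",
}


def run_demo():
    """Returns {label: (rows after concat insert, rows after bound insert)}."""
    out = {}
    for label, payload in PAYLOADS.items():
        out[label] = (add_user_concat(make_db(), payload, "x"),
                      add_user_param(make_db(), payload, "x"))
        print(label, "\n  concat:", out[label][0], "\n  param: ", out[label][1])
    return out


if __name__ == "__main__":
    run_demo()
```

Instance 3 ends up as two rows instead of one, instance 4 writes the library version into pwd, and instance 5 writes the first table name; with placeholders every one of them is a single row whose name column is the payload text itself.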

The third step is to get the table objects and the table structure under each database.

The method is similar: work with INFORMATION_SCHEMA.TABLES.

Fourth step: get the DB user name information.

Haha, the same approach again, this time with Information_schema.user.

Fifth step: reset the user password.

Haha, the same approach again, through Information_schema.

Sixth step: get the IP; there are many ways to do this.

Once all of that is in hand, it's pretty much game over.

Solutions & discussion:

Analysed from two dimensions. The first is the application layers, from the front end to the business layer to the DB layer.

The second is the seven-layer network model: the physical layer, the data link layer, the network layer, the transport layer and the application layer.

Specifically:

1. Control the front-end parameters strictly;

2. Do not implement the business layer with string concatenation;

3. For business requests, add a token field and verify the token on every POST request;

4. Transport protocol: where the security of the interface parameters is involved, transmit over HTTPS;

5. Database: apply minimal-privilege control, with strict permission control on users and user rights; business functions that read data and those that insert data should use different DB users as far as possible;

6. When the application layer accesses the DB, encrypt the database configuration information with a specific algorithm, especially the pwd field;

7. Deploy the database and the application in an intranet environment, isolated from the external network;

8. The operating system: maintenance colleagues are welcome to add to this;

9. Other dimensions: additions and discussion welcome.

That's it; from work straight into a happy weekend.
