Tsinghua University continuing education institute SQL Injection

Source: Internet
Author: User

Because the backend of Tsinghua University's Continuing Education Institute assembles its SQL statements by string concatenation and does not filter user input, it is exposed to SQL injection. Open any article page, for example http://www.sce.tsinghua.edu.cn/news/detail.jsp?Id1=1554 (for background on SQL injection, see www.2cto.com/Article/201209/153277.html), and append a single quotation mark to the parameter. The server returns an error, which shows that the submitted quote is passed straight into the SQL statement and causes a syntax error, as shown:
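The mechanism behind that error, as an added example that is not part of the original article: a query assembled by concatenation accepts the single quote into the SQL text and fails to parse, while the same lookup written with a typed parameter and a placeholder never lets the input reach the parser. The example uses Python's bundled sqlite3 as a stand-in for the site's MySQL backend, and the table name, column names and rows are constructed for the demonstration (the real detail.jsp page is a Java application whose schema is not on the page).

```python
import sqlite3

# Constructed demo table standing in for the site's article table.
# Column names and rows are invented for this example.
SAMPLE_ROWS = [
    (1554, "Sample article 1554"),
    (1555, "Sample article 1555"),
]


def make_demo_db():
    """Create an in-memory database with the constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_unsafe(conn, raw_id):
    """Vulnerable pattern from the article: the request parameter is pasted
    into the SQL text, so a trailing quote becomes part of the statement and
    the database raises a syntax error (the symptom the article observes)."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchone()


def fetch_safe(conn, raw_id):
    """Hardened lookup: validate the parameter's type first (Id1 is a numeric
    key), then bind it through a placeholder so the value is sent as data,
    not as SQL. Malformed input simply yields no article."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ?", (article_id,)
    ).fetchone()


def probe_result(fetch, conn, raw_id):
    """Run one lookup and report ("ok", row) or ("error", message), so the
    vulnerable and hardened handlers can be compared on the same input."""
    try:
        return ("ok", fetch(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_demo_db()
    for value in ("1554", "1554'"):
        print("unsafe", repr(value), probe_result(fetch_unsafe, db, value))
        print("safe  ", repr(value), probe_result(fetch_safe, db, value))
```

Running it shows the unsafe handler returning the article for `1554` and a syntax error for `1554'`, while the safe handler returns the article for the first and `None` for the second with no error. The article's other two findings, the application connecting as the MySQL root user and port 3306 reachable with no IP restriction, are fixed at the database rather than in the page code: a dedicated account granted only the reads the page needs, and a firewall rule or bind address that keeps 3306 off the public network.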




Use sqlmap for automatic detection (for sqlmap usage, see www.2cto.com/Article/201209/153288.html). The following figure shows the test results:





We can see that SQL injection exists. The backend database is MySQL 5.0.11, which is not the latest version, so the next step can build on the weaknesses of that old release. What is interesting is that the site's developer has low security awareness and connects to MySQL directly as the root user, which saves us a lot of work, for example when retrieving the administrator password hashes. The sqlmap parameter is --passwords; the test is as follows:




The user names and password hashes of the MySQL database accounts were retrieved and are not posted here. After the retrieval, sqlmap asks whether to brute-force the recovered hashes; it has a built-in dictionary that can be used to crack them. To reach the database with a cracked account, we can use nmap to check whether port 3306 is open on the target host. If it is, we can try to connect with the cracked username and password; because the site's security is not in place and there is no IP address restriction, the recovered password logs in to the database directly:




Warning: this article is only a learning record; do not cause damage.