Use WebScarab to inject SQL into WebGoat

Source: Internet
Author: User

The principle of WebScarab is simple: it records the requests and responses of the sessions it observes, and you can view that record in several forms. WebScarab is designed to let users understand how an HTTP/HTTPS-based application works. It can also be used to debug problems that are hard to track down in the application, and it helps security testers discover potential vulnerabilities.

Download link: http://down.51cto.com/data/149238


SQL injection is currently the most common vulnerability in Web applications. The vulnerability can exist wherever a web page has an input box whose contents affect the SQL statements run by the backend query. Programmers writing a Web application often take the submitted parameter values straight out of the request and put them into the SQL statement used for the query, which creates the risk of SQL injection. An attacker who is familiar with SQL enters crafted content in the input box and changes the query logic to get what they want. For example:

Case 1: bypass the logon interface:

A typical logon page has two input boxes, one for the user name and one for the password. The SQL statement in the background is

Select * from Users where username = '[user name]' and password = '[password]'

[User name] and [Password] are the contents entered in the two input boxes. Normally this works: the programmer checks that the returned recordset contains more than 0 records and lets the user log on. However, if a malicious user enters X' or '1' = '1 as the user name and anything at all as the password, the SQL query in the background becomes

Select * from Users where username = 'X' or '1' = '1' and password = '[password]'

The where clause then always evaluates to true. If you can guess a user name, you can log on as that user.

Case 2: execute dangerous SQL statements:

Many databases now support batch execution, using semicolons to separate multiple SQL statements. Take, for example, a query interface where a customer can be looked up by customer number. The background SQL statement is:

Select * from Customers where ID = [Customer number]

[Customer number] is the content the user enters. If the user enters 1; drop table Customers, the whole SQL statement becomes select * from Customers where ID = 1; drop table Customers. Once such a query is executed, the Customers table is gone.

In the same way, a malicious user can plant triggers and modify data; in short, they can perform any operation permitted to the database account the backend uses to execute SQL.
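The two logon queries side by side, as an added example that is not part of the original article: a constructed in-memory SQLite database stands in for the page's Users table, and the payload is the 12-character string from the WebGoat lesson below. It also shows that where the payload lands in the WHERE clause decides the outcome, because AND binds more tightly than OR, and that a parameterised query is not affected at all.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's Users table (not WebGoat's real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # The pattern the page warns about: user input is pasted straight into the SQL text.
    sql = ("SELECT * FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_safe(conn, username, password):
    # Same query with bound parameters: the driver treats both values purely as data,
    # so quotes and keywords inside them can never change the WHERE clause.
    sql = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0


PAYLOAD = "x' or '1' = '1"   # the 12-character string from the WebGoat lesson


def run_checks():
    conn = make_db()
    return {
        # Payload in the password box (the WebGoat lesson). The clause becomes
        #   username = 'nobody' AND password = 'x' OR '1' = '1'
        # AND binds tighter than OR, so it reads (... AND ...) OR TRUE: every row matches.
        "password_box_bypass": login_vulnerable(conn, "nobody", PAYLOAD),
        # Payload in the username box (the page's Case 1) with a wrong password:
        #   username = 'x' OR '1' = '1' AND password = 'wrong'
        # Here the OR only covers ('1'='1' AND password='wrong'), which is false,
        # so this placement does not bypass the check on its own.
        "username_box_only": login_vulnerable(conn, PAYLOAD, "wrong"),
        # The parameterised version: the payload is just an (incorrect) password.
        "safe_with_payload": login_safe(conn, "alice", PAYLOAD),
        "safe_with_real_password": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```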

Of course, SQL injection attacks are not always this simple. Sometimes you need to analyze the web page carefully, guess the SQL structure, and use tools for assistance. Because WebScarab is used in this test, here is a brief introduction.

WebScarab is a proxy tool. It intercepts the traffic between the web browser and the server and shows you the content so that you can easily modify it. For example, when I send a submit request, WebScarab first intercepts the content and, instead of passing it straight to the real server, pops up a window that lets you edit it. Once the edit is done, the request is submitted to the server. If the web page imposes restrictions on an input box, such as a length limit or a number-format limit, this is the only way to get past them; WebScarab can also modify the response returned by the server, which lets you filter out client-side JavaScript that enforces such restrictions. It is another powerful tool from OWASP.

The injection process starts as follows:

First, be clear about the goal. The WebGoat tutorial looks like this:

There is only one input box on the interface. The tutorial asks us to log on using SQL injection, by entering x' or '1' = '1 in the password box. But no: it turns out the password box accepts only 8 characters, and the string we just typed has 12! It is time to bring out WebScarab.

WebScarab runs in Lite mode by default, as shown here:

You need to switch to the full-featured interface: select the use full-featured interface check box and restart WebScarab. The interface is shown below, with many more functions available:

Because we want to intercept the request, check Proxy - Manual Edit - Intercept request. In IE, point the proxy server at port 8008 on the local machine (where WebScarab listens), enter 111 in the WebGoat password box, and the following page appears immediately:

Change the password to x' or '1' = '1 and click Accept Changes. The interface is as follows:
