Web security engineer-growth record
Environment: dvwa 1.7. Database: mysql. Prerequisite knowledge: SQL statements.

Before we get into SQL injection, let's get familiar with the select statement.

1. Open the SQL terminal.

2. After entering mysql, we can type an SQL statement and get the result we want back. Pay attention to the semicolon! When we set up dvwa in the earlier chapters it created a dvwa database; we will use it to practice our select statements.

(1) Switch to the dvwa database: use dvwa;

(2) Query all the information in the users table for the user named 'admin': select * from users where user = 'admin'; There are three main points here: [1] '*' is a wildcard meaning "match everything", nothing is left out; [2] 'where' is the keyword that introduces the condition; [3] strings in the database are usually enclosed in single quotes. The select statement retrieves data from the database.

(3) Let's look at the other side of the select statement: it is really the equivalent of the output statement in a programming language. Don't believe it? Try it: select 'Hello world!';

(4) If we have several pieces of data to output, we separate them with ",". For example: select user, user_id from users where user = 'admin'; Extended: the same works when we want to output several values rather than retrieve data: select 'hello', 'World'; select 1, 2, 3;

(5) union joins the pile of data in front of the union with the pile of data behind it, so that both are displayed in one table. What does "joined" mean? For example: select 1, 2, 3 union select 4, 5, 6; Breaking it down: we know select 1, 2, 3 outputs three numbers, 1, 2 and 3, and the following select statement also outputs three numbers. If the number of output columns does not match, the following error occurs: The used SELECT statements have a different number of columns. This is one of the key points for SQL injection.

(6) Next we learn order by, which lets us sort the retrieved data in ascending or descending order: select user, user_id from users order by user; Here we introduce the concept of a "field". A field is a data column in the table; each field represents one column. Here the select statement retrieves the user and user_id columns, and order by user sorts the rows by the values in the user column. The default is asc (ascending). Now look at select user, user_id from users order by user_id; we can see that user_id increases row by row. Use desc if you want the numbers to decrease.

A small tip: besides field names, we can also use numbers as the order by condition: 1 means the first field, 2 the second field, and so on. But if that field does not exist, this error occurs: Unknown column xx.

That's enough SQL knowledge for now. Next, let's start our injection journey.

3. "Little rabbit mysql, I've seen your tail, and you're still running!"

Setting: we switch the security level to low, so that we can build some confidence first instead of getting slapped in the face.

1. Test and analyze the page's function. We can see there is an input box and, according to the prompt above it, we enter a user id. After submitting, we find that it returns information about that user! Here we enter "1".
Here we can see that it returns three rows of data: one row is the user ID we entered, one row is the user name, and the other row is the user alias.

At the same time, let's look at the browser's address bar. The url looks like this: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

We can see there is an id=1 in it. Is that the user id we entered? Enter "2" and we find the url changes to http://localhost/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit# Good. So the id value used here is under our control: whatever we enter is passed in through id!

2. Test whether the parameter id has an SQL injection vulnerability! Here we enter "1" in the input box, but note that the "1" is followed by a single quotation mark: 1'. An error is reported. A syntax error has occurred in the SQL statement.
Now we can make a guess. First, the id is wrapped by two single quotes, so the query statement probably looks like this: select firstname, surname from users where id = '1' When we add a quotation mark after the 1, the number of single quotes becomes unbalanced, and the query statement becomes: select firstname, surname from users where id = '1''; The last quotation mark is not closed. What should we do? There are several methods.

(1) Enter one more quotation mark on top of the original one, i.e. 1''. Now look at the query statement: select firstname, surname from users where id = '1'''; To explain it we have to talk about a piece of mysql syntax: in a where clause, when several strings appear, "=" picks the one with the highest priority, and priority decreases from left to right, that is, the one closest to "=" wins.

Let's look at a few examples.

The first is an SQL query like the one above:

select * from users where user_id = '1''';

The second shows the priority more clearly:

select * from users where user_id = '1''2';

The result is the same as user_id = 1.

Now a long one:

select * from users where user_id = '1''2''abc''efg';

The result is the same as the ones above.
(2) The second method is to use the "#" symbol to comment out the trailing single quote. The query statement then becomes: select firstname, surname from users where id = '1'#';

(3) The third method is to use "--". Note that "--" must be followed by a space; in the url we use "+" in place of that space. The query statement then becomes: select firstname, surname from users where id = '1'-- ';

Now back to our test page: the result is the same as entering 1. From this we know: [1] the vulnerable parameter is "id"; [2] the injection type is string-type (the id is wrapped in single quotes).

3. After confirming the vulnerability, we need to construct a payload. What is a payload? It is the piece of malicious input that lets us pull data out of the database.

(1) There are two methods to work out the number of fields.

[1] The reason we need the number of fields is that we will use a union select statement to fetch the sensitive data we want. So here I leave you another question: why can we guess that the union method will get us data here? (Hint: what does this page do?) From our order by knowledge above, if the number after order by exceeds the number of fields, an error is reported! That is how we determine the number of fields. The payloads we construct are: 1' order by 1 # 1' order by 2 # 1' order by 3 # When the input is 3 an error is returned, so the number of fields is 2.

[2] The second method is to use union select directly to guess the number of fields, because when the column counts do not match it also reports an error: 1' union select 1 # 1' union select 1, 2 # 1' union select 1, 2, 3 # We find that union select 1, 2 produces no error, so the number of fields is 2. At the same time, notice that it looks like three more data entries are returned. What are they?

They are the data from our union select. Once we have located the information we want, we can replace 1 and 2 with it and read it right off the page! Tip: with few fields this is fine, but with many fields guessing by hand gets tedious; in the next lesson we will hack with python and write scripts to do this busywork.

(2) The number of fields is 2, that is, the select statement's data has two columns, so our union select can produce two data columns. Let's get some information about the database!

1. Get the name of the current database and the current user name: 1' union select database(), user() # Here database() returns the name of the database the current website is using, and user() returns the user name of the current query. Okay, we can see that the current database is dvwa and the current user name is root@localhost.
A similar function: version() returns the current database version. Tip: sometimes the select statement limits the number of output rows with limit 1, so we usually invalidate the original query by entering a non-existent id: -1' union select database(), user() # This returns only our data.

2. Our goal is the current users table, so let's continue to construct the payload. From the above we know the current database is named dvwa. But that's not enough! What is the table name? Are you about to give up...? -_-|

Tip: take a short break and think about it. In elementary school, when you came across a word you didn't understand, what did you do? Answer: you had a Xinhua Dictionary! So does mysql have something like a Xinhua Dictionary? The answer is yes: mysql's Xinhua Dictionary is called information_schema. It is a dictionary containing all the information about the mysql database; if you want to know anything about the database, ask it! It is essentially a database holding information about the other databases. Inside it there is a table named tables and a table named columns. Getting the feeling yet? Yes, the tables table stores information about all the tables in the database; it has a field named table_name and a field named table_schema. table_name is the table's name, and table_schema is the database the table lives in. columns has column_name, table_schema and table_name. Now recall that the piece of information we already have is the database name. That means we can construct the payload: -1' union select table_name, 2 from information_schema.tables where table_schema = 'dvwa' # What is information_schema.tables? It's our Xinhua Dictionary again! Here we use the syntax "database name.table name": tables is the table of contents of our Xinhua Dictionary, and table_name is a field in tables.

The statement means: Xinhua Dictionary, please look up the words (table names) listed next to the database name "dvwa".

As you can see, whoa, a lot of data! Which of it are we interested in? Of course, the users table! What next? Isn't there also a columns table?

So what do we already have? table_name and table_schema. What do we need to look up? column_name.

The payload we construct this time is: -1' union select column_name, 2 from information_schema.columns where table_schema = 'dvwa' and table_name = 'users' # Here, if the database name is not restricted to 'dvwa', and other databases also have a users table, a lot of mixed-in data will come back.

Again, whoa, a lot of data! Which of it are we interested in? Of course, user and password! Those two fields are all we need. Let's modify the payload: -1' union select user, password from users #
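To see why the quote and comment tricks above work, and what closes the hole, here is an added example (not from this post or from DVWA's own code) that runs the same user lookup two ways over a constructed in-memory table: once by pasting the id into the SQL text like the low-security page, once with a bound parameter. It assumes SQLite rather than mysql, so the "#" comment is replaced by the "-- " comment also described above; the user rows are made up.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not real DVWA data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Pablo", "Picasso"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_lookup(conn, user_id):
    """Low-security style: the id is spliced into the SQL text, so a quote in the
    input closes the literal and whatever follows is parsed as SQL.
    Returns the rows, or the database error text (what the page's error leaks)."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def safe_lookup(conn, user_id):
    """Hardened form: the id is bound as a parameter, so it is only ever compared
    as a value and can never change the structure of the statement."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def demo():
    """Run the page's probes through both versions; returns {probe: (vuln, safe)}."""
    conn = make_db()
    probes = ["1", "1'", "1' -- ", "1' ORDER BY 2 -- ", "1' ORDER BY 3 -- "]
    return {p: (vulnerable_lookup(conn, p), safe_lookup(conn, p)) for p in probes}

if __name__ == "__main__":
    for probe, (vuln, safe) in demo().items():
        print(repr(probe), "->", vuln, "| parameterized:", safe)
```

The unbalanced quote and the out-of-range ORDER BY 3 come back as database errors from the concatenated query, exactly the signals used above, while the parameterized query treats every probe as a literal id and simply finds no user.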
Bingo! All the user names and password values are served up! These passwords look a bit odd though; count them: 32 characters! The passwords here are md5 hashes, so the admin account and password we injected out are hard to use directly. But is there really nothing to be done about a hashed password? Not necessarily! Tip: kid, too bad you ran into me! We just need to find an md5 cracking website to solve this problem. Okay, I like this one. Here we pick pablo to crack; the md5 ciphertext is: 0d2017d09f5bbe40cade3de5c71e9e9b7.

We can see that the password has been cracked. The password is "letmein". Let's verify it! Now we have successfully logged in!
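Why a lookup site can answer a 32-character md5 so quickly, and what a table that resists it looks like: an added example (not from this post or DVWA) that stores a constructed password the way the users table does, bare unsalted md5, beside a salted scrypt record. The demo passwords and the tiny wordlist are made up; scrypt is an assumption standing in for any salted, slow password hash.

```python
import hashlib
import os

def md5_store(password):
    """How the dumped users table stores passwords: one bare, unsalted md5 digest."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_lookup(digest, wordlist):
    """Why a precomputed md5 table works: with no salt, md5(word) is the same for
    every site and every user, so one table answers any leaked digest at once."""
    for word in wordlist:
        if md5_store(word) == digest:
            return word
    return None

def scrypt_store(password, salt=None):
    """Hardened record (assumed alternative, not DVWA's code): a random per-user
    salt plus a memory-hard KDF, so equal passwords give different records and a
    precomputed table is useless. Returns (salt, key)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, key

def scrypt_verify(password, salt, key):
    """Recompute with the stored salt and compare; this is the only way to check."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1) == key

if __name__ == "__main__":
    # Constructed wordlist; the digest is md5("letmein"), the page's recovered password.
    words = ["password", "123456", "letmein"]
    print("md5 table hit:", md5_lookup(md5_store("letmein"), words))
    s1, k1 = scrypt_store("letmein")
    s2, k2 = scrypt_store("letmein")
    print("same password, same scrypt record?", k1 == k2)
    print("verify letmein:", scrypt_verify("letmein", s1, k1))
```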