How to implement manual SQL injection

SQL injection is one of the common methods used by *** to attack the database. Its core idea is: *** constructs a database query code after the normal URL that needs to call the database data, and then based on the returned results , to obtain some of the data you want. Next, we will use SQL injection vulnerabilities to attack the already built *** platform to obtain the website administrator's account and password. Target server IP address: 192.168.80.129, *** host IP address: 192.168.80.128.

(1) Find the injection point

Open a web page and pay attention to the URL.

The injection point must be a page like "http://192.168.80.129/shownews.asp?id=7" where there is a command call, "shownews.asp? "id=7" is the value passed by the page, that is, "id=7" is passed to the "shownews.asp" page for processing.

We can add and 1=1 and and 1=2 after this URL for testing.

http://192.168.80.129/shownews.asp?id=7 and 1=1, the web page can still be displayed normally.

http://192.168.80.129/shownews.asp?id=7 and 1=2, the web page cannot be displayed normally.

This shows that "asp?" also calls the "and 1=1" we added as a command parameter, then we can construct some SQL statements to be called and executed, thus getting Information is needed, this is called an injection vulnerability. A webpage like this that can call command parameters is called an injection point.

(2) Guess the table name

***The main purpose of website *** is to obtain the username and password of the website administrator. The username and password are both It is stored in a table in the backend database, so first we have to guess what the name of this data table is.

The most commonly used table names are admin and admin_user. We can add such a statement after the injection point URL to guess the table name:

http://192.168.80.129/shownews .asp?id=7 and (select count(*) from admin) > 0

"select count(*) from admin" means counting how many records there are in the admin table. If the admin table exists , then this statement will get a value. As long as this value is compared to 0, the result is correct and the web page should display normally. On the contrary, if the admin table does not exist, then "select count(*) from admin" will not get any value. Compared with >0, the result will not be established, and the web page will not be displayed normally.

If the web page cannot be displayed normally, you can try another table name until it is displayed normally:

http://192.168.80.129/shownews.asp?id=7 and (select count(*) from admin_user) > 0

http://192.168.80.129/shownews.asp?id=7 and (select count(*) from manage_user) > 0

The table name of this website is manage_user.

Common table names include: admin sysadmin manger admin123 webadmin member manage_user

Note: If you really can’t guess the table name, you can also use tools like Mingxiaozi to help.

(3) Guess the number of fields

The next step is to guess which field in this table stores the user name and password. First You need to know how many fields there are in the data table.

The "order by" statement is used here. The original meaning of "order by" is to sort by a certain field. "order by 10" is to sort by the 10th field. If the 10th field exists, then The web page will be displayed normally. Otherwise, if the web page cannot be displayed normally, it means that the 10th field does not exist.

http://192.168.80.129/shownews.asp?id=7 order by 11

This method can be used to guess that this table has a total of 11 fields.

(4) Guess the field name

The next step is to know which field stores the user name and password. The "union select" joint query statement is used here.

http://192.168.80.129/shownews.asp?id=7 union select 1,2,3,4,5,6,7,8,9,10,11 from manage_user

Here the fields storing username and password will be exposed.

The field that stores the username is generally called username, and the field that stores the password is generally called password. Replace the 2nd and 3rd fields with these two names:

http://192.168.80.129/shownews.asp?id=7 union select 1,username,password,4,5,6,7,8,9,10,11 from manage_user

At this time The username and password were revealed.

(5) Guess the background management entrance

This Southern Data Template version 2.0 already includes a page called "Administrator Login "the link to. Nowadays, most websites do not set it up like this, so we generally have to guess based on experience. The management entrance is usually stored in the website subdirectory named admin. Enter the following address http://192.168.80.129/admin, and it will automatically The management portal is displayed.

Here you can use the administrator account and password that were revealed before to log in, but the password "3acdbb255b45d296" is obviously encrypted by MD5.

The above is the detailed content of How to implement manual SQL injection. For more information, please follow other related articles on the PHP Chinese website!