Using sqlmap injection to obtain the account and password of the website administrator

1、 Cross site scripts

principle ： It refers to that the attacker uses the website program to filter the user input insufficiently , Input can be displayed on the page to affect other users HTML Code , So as to steal user information 、 An attack that uses the user's identity for certain actions or virus attacks on the visitor .

（1）GET Mode cross site script

Because some websites will <script> Tags are filtered , If there is no pop-up display 1234 Alarm box , Right click on the returned page , View page source code . Check whether the web source code contains the complete <script>alert(1234)</script> character string , In this way, whether there is a pop-up display or not 1234 Alarm box , All indicate that there are cross site scripting vulnerabilities .

（2）POST Mode cross site script

post Same as above , Generally, you can use hackbar The plug-in Enable Post data Insert validation content .

2、 Frame injection 、 Link Injection

principle ： Framework injection is an all based approach GUI Browser attacks , It's because the script doesn't validate them correctly , It is possible for attackers to inject frame or iframe Mark .

Link injection is the act of modifying the content of a site , The way is to transfer the information of the external site URL Embedded in , Or there will be scripts in vulnerable sites URL Embedded in . take URL Embedded in vulnerable sites , Attackers can use it as a platform to launch attacks on other sites , And attack the vulnerable site itself .

The specific methods ： Through the analysis of get The submitted url Frame or link injection with parameters in , Inject into parameters id

3、 allow TRACE Method

principle ：TRACE The method is HTTP A protocol debugging method of protocol definition , This method makes the server return the content requested by any client as it is . The attacker took advantage of TRACE request , Combined with other browser side vulnerabilities , Cross site scripting attack is possible , Get sensitive information , such as cookie Authentication information in , This sensitive information will be used for other types of attacks .

4、Struts2 Remote command

principle ： As the bottom template of website development , Is the most widely used Web One of the application frameworks .

One type of vulnerability is a remote code execution vulnerability when using an abbreviated navigation parameter prefix , Common are Struts2 Remote command execution S2-045、Struts2 Remote command execution S2-016、Struts2 Remote command execution S2-019、Struts2 Remote command execution S2-033、Struts2 Remote command execution S2-037.

5、Struts2 URL Jump S2-017

principle ：Struts2 URL Jump S2-017, yes Struts2 The second type of vulnerability of remote command , Is an open redirection vulnerability when using the abbreviated redirection parameter prefix .

Sqlmap Injection command common table

1.-u # Injection point

1. -f # Fingerprint identification database type
2. -b # Get database version information
3. -p # Specify testable parameters  
4. -D "" # Specify the database name
5. -T "" # The designation indicates
6. -C "" # Specified field
7. --level=（1-5） # The level of testing to be performed
8. --risk=（0-3） # The level of risk to be performed
9. --data # adopt post send data
10. --columns # List fields
11. --current-user # Get the current user name
12. --current-db # Get the current database name
13. --users # List all users of the database
14. --passwords # All passwords of database users
15. --privileges  # View user permissions （--privileges -U root） 
16. -U  # Specify the database user
17. --dbs  # List all databases
18. --tables -D "" # Lists the tables in the specified database
19. --columns -T "user" -D "mysql"  # List mysql In the database user All fields of the table
20. --dump-all  # List all databases, all tables
21. --exclude-sysdbs  # Only the new databases and tables created by users are listed
22. --dbms  # Specify database
23. --os  # Specify the operating system
24. --is-dba  # Whether you are a database administrator
25. --union-check  # Do you support union Inject
26. --union-use  # use union Inject
27. --cookie ""  #cookie Inject
28. --user-agent  # Customize user-agent
29. --string=""  # string matching
30. --sql-shell  # Execute assignment sql Inject
31. --file-read  # Read the specified file
32. --file-write  # Write to local file
33. --os-cmd-id  # Execute system commands
34. --os--pwn  # rebound shell

utilize sqlmap Attack injection  

SQL Injected vulnerability verification

principle ： finger web The application does not judge or filter the validity of the user's input data , Attackers can web Add extra... At the end of a predefined query statement in the application SQL sentence , In this way, the database server is cheated to execute any unauthorized query , Get database information .

1. This time, we chose the actual combat of a shooting range

stay kali Internal utilization sqlmap Verify that... Exists SQL Inject holes

3. Launch an injection attack

It's reported 2 A database

4. Burst the database and then report the form The form is also reported 2 The forms of the two databases are  

To get the user name, account and password, you need to judge

  Generally, the account and password of the user name are in admin Inside

5. Try to do admin Field injection into the form

Injection found that the user name is saved And password fields

6. Explain how to get the user name

Blast again Found that the user name has burst out

7． Get administrator user password   

Burst the password It's three lines cmd5 The ciphertext of Decrypt the ciphertext You get the administrator password

8. Decrypt password Blast it out. You can search here cmd5 To decrypt . There is no demonstration here

Get injection command wx Focus on ：（ Tianyin security ） reply ： Inject   Free access to