电子商务网站SQL注入项目实战一例(转载)
有个朋友的网站,由于是外包项目,深圳某公司开发的,某天我帮他检测了一下网站相关情况。 我查看了页面源代码,发现了个惊人的事情,竟然整站打印SQL到Html里,着实吓我一跳: PS:2年前秋色园系列文章有分享一文是整站SQL打印用于分析网站性能,不过也只是
有个朋友的网站,由于是外包项目,深圳某公司开发的,某天我帮他检测了一下网站相关情况。
我查看了页面源代码,发现了个惊人的事情,网站空间,竟然整站打印SQL到Html里,着实吓我一跳:
PS:2年前秋色园系列文章有分享一文是整站SQL打印用于分析网站性能,不过也只是本地优化调试,而服务器上也采用某特殊条件才打印。
于是把这赤祼祼的对外公开的SQL问题反映了过去,之后算是取消了。
故事B段:错误异常打印了SQL,诱人:
过了些许天,我又抽空看了看:
原始路径为:,我随意加了个引号:
直接打印SQL?这不是引诱人犯罪么?好吧,当时被诱了一下,花了小半天折腾了一下。
故事C段:发现有简单的SQL关键字过滤:
随意加了个“and“条件,发现有过滤一些关键字:
然后多次检测,发现过滤了:and select,update,delete等关键字。
故事D段:发现可以执行自定义语句,但SQL账号似乎没有SA权限或者是关闭了xp_cmdshell服务:
于是我组了一条truncate table xxx,当然,这是个不存在的表名:
http://'%20%20or%201=1;truncate%20table%20abc;--
试了下,执行完成,没报啥提示,太恐怖了。
既然可以执行自定义语句,美国服务器,那执行下提权语句看看:
http:http://'%20%20or%201=1;exec master..xp_cmdshell 'net localgroup administrators test /add
发现没啥提示,但是账号不起效果,所以估计sql的账号没有sa权限可以调用xp_cmdshell,另外这里,由于--符号被用来分隔字符串,所以不起作用。
故事E段:发现登陆有明显的SQL漏洞:
过了点时间,我就不折腾了,我打算注册个账号看看其它情况。
到了登陆页,发现注册还要绑定手机号,我就不注册了,于是在登陆里随手弄了一个常见的a' or 1=1--
竟然报密码错误,吓我一跳,说明用户名注入了,只是密码那关错误。
故事F段:发现验证码竟然在Cookie里:
通过拦截请求信息,发现更奇葩的事:
验证码竟然直接放在Cookie里,这。。。
故事G段:破解用户密码:
既然用户名可以注入,为啥密码还报错误?
通过错误的语法,看了一下对方的SQL语句,猜出了基本的代码逻辑:
根据用户名查出了账号信息,取出的数据的密码再和密码对比。
构造注入语句,发现密码为md5存储:
既然可以注入,这里就可以执行语句了,于是,使用普通的语句弄个账号登陆试试。
一开始我构造了条件:
username=a考虑到用弱密码123456的很多,我就试了下,发现没搞头,本来还想写个爆破弱口令的账号。
后来想想,这密码,一般都是加密的,所以我要知道对方的加密方式。
通过多次构造类似下面的语句:
username=a最终确定了为md5加密存储。
于是把123456 md5一下变成:
username=a49ba59abbe56e057'--&password=123456&verifycode=5020
没想到,来了个以下坑爹的提示:
试了下很多个账号,都是这种情况,这提示太坑爹,忽悠了我。
PS:其实是账号通过了,直接拿返回的Cookie就可以进用户的,不过我被忽悠了,以为不可用。
返回的Cookie,实际也是加密的,所以,这种方式,虚拟主机,看不到手机号,所以没法直接简单的登陆。
再构造SQL注入语句,创建属于自己的账号和密码:
于是,我想通过构造更新语句,把某个账号的手机号和密码都更新一下,然后再我登陆进去。
所以,我就必须执行类似于:update xxx ,password= where uid=10003
由于过滤掉update,所以直接来是不行的,本来打还算编码成16进制折腾,发现转16进制麻烦,也懒的开vs折腾。
于是我想到了一个简单的方式,把语句反过来写,再用reverse函数把语句转过来执行。
最终就成了以下函数:
username==emanresu erehw ''9d4d9c1ac9814f08''=drowssaP tes xxx tadpu');exec(@A);--&password=88888888&verifycode=2222
执行后,发现都是返回“当前账号已冻结,请联系客户”这句大忽悠的话。。。
害的我试了N个账号,最后拿其中一个登陆了,才发现是正常的。
后来告诉了对方有SQL注入漏洞,最后反馈说用SQL工具检测正常,无语。
再后来就示例告诉了对方,修正了这个漏洞后,我就写文分享了。
总结:
1:验证码怎么可以放Cookie里?
2:SQL语句怎么可以随意打印给别人看?
3:SQL注入检测怎么能光靠工具?
4:防SQL注入怎么能靠几个简单的关键字过滤?
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1376
52
Share an easy way to package PyCharm projects
Dec 30, 2023 am 09:34 AM
Share the simple and easy-to-understand PyCharm project packaging method. With the popularity of Python, more and more developers use PyCharm as the main tool for Python development. PyCharm is a powerful integrated development environment that provides many convenient functions to help us improve development efficiency. One of the important functions is project packaging. This article will introduce how to package projects in PyCharm in a simple and easy-to-understand way, and provide specific code examples. Why package projects? Developed in Python
Can AI conquer Fermat's last theorem? Mathematician gave up 5 years of his career to turn 100 pages of proof into code
Apr 09, 2024 pm 03:20 PM
Fermat's last theorem, about to be conquered by AI? And the most meaningful part of the whole thing is that Fermat’s Last Theorem, which AI is about to solve, is precisely to prove that AI is useless. Once upon a time, mathematics belonged to the realm of pure human intelligence; now, this territory is being deciphered and trampled by advanced algorithms. Image Fermat's Last Theorem is a "notorious" puzzle that has puzzled mathematicians for centuries. It was proven in 1993, and now mathematicians have a big plan: to recreate the proof using computers. They hope that any logical errors in this version of the proof can be checked by a computer. Project address: https://github.com/riccardobrasca/flt
A closer look at PyCharm: a quick way to delete projects
Feb 26, 2024 pm 04:21 PM
Title: Learn more about PyCharm: An efficient way to delete projects. In recent years, Python, as a powerful and flexible programming language, has been favored by more and more developers. In the development of Python projects, it is crucial to choose an efficient integrated development environment. As a powerful integrated development environment, PyCharm provides Python developers with many convenient functions and tools, including deleting project directories quickly and efficiently. The following will focus on how to use delete in PyCharm
PyCharm Practical Tips: Convert Project to Executable EXE File
Feb 23, 2024 am 09:33 AM
PyCharm is a powerful Python integrated development environment that provides a wealth of development tools and environment configurations, allowing developers to write and debug code more efficiently. In the process of using PyCharm for Python project development, sometimes we need to package the project into an executable EXE file to run on a computer that does not have a Python environment installed. This article will introduce how to use PyCharm to convert a project into an executable EXE file, and give specific code examples. head
How to Make a Shopping List in the iOS 17 Reminders App on iPhone
Sep 21, 2023 pm 06:41 PM
How to Make a GroceryList on iPhone in iOS17 Creating a GroceryList in the Reminders app is very simple. You just add a list and populate it with your items. The app automatically sorts your items into categories, and you can even work with your partner or flat partner to make a list of what you need to buy from the store. Here are the full steps to do this: Step 1: Turn on iCloud Reminders As strange as it sounds, Apple says you need to enable reminders from iCloud to create a GroceryList on iOS17. Here are the steps for it: Go to the Settings app on your iPhone and tap [your name]. Next, select i
PHP Practical: Code Example to Quickly Implement Fibonacci Sequence
Mar 20, 2024 pm 02:24 PM
PHP Practice: Code Example to Quickly Implement the Fibonacci Sequence The Fibonacci Sequence is a very interesting and common sequence in mathematics. It is defined as follows: the first and second numbers are 0 and 1, and from the third Starting with numbers, each number is the sum of the previous two numbers. The first few numbers in the Fibonacci sequence are 0,1,1.2,3,5,8,13,21,...and so on. In PHP, we can generate the Fibonacci sequence through recursion and iteration. Below we will show these two
PyCharm Tutorial: How to remove items in PyCharm?
Feb 24, 2024 pm 05:54 PM
PyCharm is a powerful Python integrated development environment (IDE) that provides rich functions to help developers write and manage Python projects more efficiently. In the process of developing projects using PyCharm, sometimes we need to delete some projects that are no longer needed to free up space or clean up the project list. This article will detail how to delete projects in PyCharm and provide specific code examples. How to delete a project Open PyCharm and enter the project list interface. In the project list,
Basic tutorial: Create a Maven project using IDEA
Feb 19, 2024 pm 04:43 PM
IDEA (IntelliJIDEA) is a powerful integrated development environment that can help developers develop various Java applications quickly and efficiently. In Java project development, using Maven as a project management tool can help us better manage dependent libraries, build projects, etc. This article will detail the basic steps on how to create a Maven project in IDEA, while providing specific code examples. Step 1: Open IDEA and create a new project Open IntelliJIDEA
