I’m coming hahahahahahahahaha
As I said before, this should have been updated right after the Easter holiday, but after my sister said she still wanted to go home as soon as possible, I threw myself into frantic research on transit routes
Then I had to rebook the nucleic acid test, contact China Southern Airlines' UK office to buy connecting flight tickets, and look up Finland's entry and transit requirements
For me, no matter how detailed the Xiaohongshu (Little Red Book) posts are, I still want to check the government's entry requirements before I can relax; poor English is really deadly when researching transits……
However, this week I also took a lot of notes on cryptography, which I'll sort out into an article and post; I find the analysis of the various encryption methods and their advantages and disadvantages very interesting
Today we start with a target penetration test I just completed. It is not difficult, but it involves two classic toolkits and shows the connection between a website's front end and its back-end database. It is an introductory but complete test
First, the test environment and target
This test uses the Ubuntu 32-bit virtual machine used in the school's daily teaching
It is known that the school has set up a website on a server; the URL is http://10.0.2.x/index.html
The article goal
Show newcomers a simple website attack process
If any junior students from Huang Huo come across this article, remember to bookmark it; it will be useful when revising IY2840 hahaha hahaha
This article is mainly a summary of my own practice, so the writing may be fairly basic; corrections from the experts are welcome
Take the first step
The first thing that struck us was that for the site we were testing, we did not even have a full domain name, so the most important thing was to fix the domain name problem first
As you can see, the "domain name" in question is 10.0.2.x, which is clearly an IP address with one octet missing
At this point we began to analyse the problem. Finding the missing part of the address seemed very difficult, but if we switch our thinking, we can reframe the problem as: within the possible range, which address corresponds to a reachable server
To solve this problem, we use the Nmap tool
Nmap (Network Mapper) is an open-source network discovery and security auditing tool. It is designed to scan large networks quickly, although it works just as well on a single host
First, install the tool. In Linux, open the terminal and install as root
Enter the command: sudo apt install nmap
If you are using a normal user account, you will also be asked for a password when running sudo
Next, we use the -sn option of nmap, which performs host discovery (a ping scan) to find live hosts without scanning their ports
We are not sure about the last octet, but from basic networking knowledge we know its value is between 1 and 255, so in this step the command we use is
nmap -sn 10.0.2.1-255
Afterwards we see several addresses returned on the command line; when I scanned I found three, and two of them only showed some basic host information when opened
The address 10.0.2.4, however, was the only one that turned out to be a big login page
Well, that's perfect
Bypass the login screen and locate the injection point
Bypassing a login with SQL injection is a well-known security problem. First, let's introduce the principle
For example, a normal login statement might look something like this
select * from user_table where username = '' and password = ''
The select statement is the database query used to check whether the username and password you entered match a tuple in user_table. Our input is placed between the single quotation marks after username and password
At the end of the day, however, what is sent is a program statement, and it cannot escape the constraints of its syntax
If we enter the username admin and the password 123, it becomes
select * from user_table where username = 'admin' and password = '123'
But what if we enter something a little counterintuitive? For example, enter only the username field, and put in
' or 1 = 1 --
Then the statement becomes
select * from user_table where username = '' or 1 = 1 --' and password = ''
username = '' (false) or 1 = 1 (true)
Once such an input occurs, the system decides that you have entered a correct username, based on the principle that anything OR true is equivalent to true
The rest of the statement, including the password check, has been commented out by your "--"
So we are logged into the system
This is called SQL injection. To determine whether a page can be injected, we can simply construct a request by passing in parameters that we control, and judge from what the server returns whether the injection worked
For the actual injection, the three statements I use are
admin' or '1' = '1
' or 1 = 1#
admin'; #
Not every statement can be injected into a given site; it depends on how the site is set up, so we can collect as many statements as possible in daily practice
This is what it looks like when you log in with the second line
Interestingly, this is what we see when we log in with the first and third lines
The difference between the first and third lines and the second line is that the second line only makes the username condition evaluate to true, while the first and third lines also fix the username to "admin"
When we include admin, the system displays something different from when the username condition is merely true: instead of reporting an error, it shows more information
This tells us a valuable piece of information: there is a user on the system with the username admin, which is almost certainly the administrator account for the system
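To make the bypass concrete, here is an added example (not code from the original post) that builds the login query described above in two ways against a constructed in-memory SQLite table and runs the post's three payloads through both. SQLite stands in for the lab's MySQL so it runs offline; because SQLite does not treat # as a comment, the two # payloads are written with -- here, and the third drops its ; because Python's sqlite3 executes one statement per call. The user rows are made up.

```python
# Added example, not from the original post: the login query built by string
# concatenation (as in the post) beside the same query with bound parameters.
# SQLite replaces the lab's MySQL so the example runs offline. SQLite has no
# '#' comment, so '--' is used instead (in MySQL '--' also needs a space after it).
import sqlite3

# Constructed sample data; plain strings stand in for the lab's stored hashes.
SAMPLE_USERS = [
    ("admin", "assignment"),
    ("alice", "hunter2"),
    ("bob", "letmein"),
]

# The post's three payloads, adapted to SQLite comment syntax.
PAYLOADS = [
    "admin' or '1' = '1",   # post's first line, unchanged
    "' or 1 = 1 --",        # post's second line, '#' replaced by '--'
    "admin' --",            # post's third line without ';' (one statement per execute())
]


def make_db():
    """Create the user_table used by the query in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn, username, password):
    """The post's query built by concatenation: the input becomes SQL.
    Returns the usernames of every row the query matches, sorted."""
    sql = ("select * from user_table where username = '" + username
           + "' and password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """The same query with bound parameters: the input stays data, never SQL."""
    sql = "select * from user_table where username = ? and password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def compare(conn):
    """Run each payload (with an empty password) through both versions."""
    return {p: (login_unsafe(conn, p, ""), login_safe(conn, p, "")) for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, (unsafe, safe) in compare(db).items():
        print(f"{payload!r:24} unsafe -> {unsafe}   safe -> {safe}")
    print("real credentials via safe login:", login_safe(db, "admin", "assignment"))
```

The first and third payloads return only the admin row while the second returns every row, which is exactly the difference in behaviour the post observed between the three lines; the parameterised version returns nothing for all three, because the quote and comment characters are compared as literal text rather than parsed as SQL.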
At this point we have managed to access the site's data without authorisation, but if this SQL logic flaw is discovered and fixed by the site's maintainers, we will no longer be able to get in unless we find another way to inject
To settle this once and for all, let's do what every hacker loves to do: find out the password of the system's administrator account!!
Now it’s time to do something really big
Now that we have logged into the site, notice that with the first injection statement, for example, the URL shown by the browser once we are in becomes
http://10.0.2.4/unsafe_home.php?username=admin'+or+'1'+%3D+'1&password=
In the admin'+or+'1'+%3D+'1 part, all the spaces in our injection have become plus signs and the equals sign has become %3D; this is the browser's own URL encoding
If you strip that out, the link would have been
http://10.0.2.4/unsafe_home.php?username=&password=
Let's parse the meaning of this URL
http:// is the protocol used by the website
10.0.2.4 is the address
unsafe_home.php?username=&password= can be read as
<entry file name>.<file extension>?<communication endpoint 1>=<content 1>&<communication endpoint 2>=<content 2>
The URL points at the endpoint that performs the communication; each communication endpoint (parameter name) is used for positioning, and the corresponding content is then sent to the corresponding location on the back end
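The server decodes that query string before the parameters reach the database, and the same decoding is what a defender needs when reading access logs. The following added example (not part of the original post) decodes the URL above with Python's urllib and runs the decoding over a few constructed access-log lines in Apache's combined layout, flagging requests whose parameters carry quote, comment or tautology syntax. The log lines, timestamps and client IP are made up; only the unsafe_home.php URL follows the post.

```python
# Added example, not from the original post: decode URL query strings the way
# the server does ('+' -> space, %3D -> '=') and flag SQL syntax inside
# parameters of constructed access-log lines.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache "combined" layout); only the URL of the
# second line follows the post, everything else is invented for the example.
SAMPLE_LOG = [
    '10.0.2.15 - - [14/Apr/2021:10:01:02 +0100] "GET /unsafe_home.php?username=alice&password=hunter2 HTTP/1.1" 200 812',
    '10.0.2.15 - - [14/Apr/2021:10:03:44 +0100] "GET /unsafe_home.php?username=admin\'+or+\'1\'+%3D+\'1&password= HTTP/1.1" 200 1532',
    '10.0.2.15 - - [14/Apr/2021:10:04:10 +0100] "GET /unsafe_home.php?username=%27+or+1+%3D+1%23&password= HTTP/1.1" 200 4096',
    '10.0.2.15 - - [14/Apr/2021:10:05:00 +0100] "GET /index.html HTTP/1.1" 200 2048',
]

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Things a plain username or password field should never contain once decoded.
SUSPICIOUS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("tautology", re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE)),
    ("stacked", re.compile(r";")),
]


def decode_query(target):
    """Decode the query string as the server does; blank values are kept."""
    qs = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def suspicious_params(params):
    """Return (name, decoded value, [reasons]) for every parameter that trips a pattern."""
    findings = []
    for name, value in params.items():
        reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            findings.append((name, value, reasons))
    return findings


def scan_log(lines):
    """Return (line number, path, findings) for each request with suspicious parameters."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        findings = suspicious_params(decode_query(target))
        if findings:
            hits.append((lineno, urlsplit(target).path, findings))
    return hits


if __name__ == "__main__":
    for lineno, path, findings in scan_log(SAMPLE_LOG):
        for name, value, reasons in findings:
            print(f"line {lineno} {path} {name}={value!r} -> {', '.join(reasons)}")
```

Note that the # in the post's second payload has to travel as %23, because a raw # in a URL starts the fragment and never reaches the server; the third log line shows that encoded form, and decoding it first is what lets one set of patterns catch both the browser's and the tool's encodings. These patterns are deliberately simple and will miss obfuscated variants, which is the cat-and-mouse the conclusion below refers to.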
From here on we use the second tool, sqlmap
sqlmap is an open-source penetration testing tool that automatically detects and exploits SQL injection vulnerabilities and takes over database servers
We install it the same way as nmap
The commands entered can be seen in the screenshots; typing them out repeatedly is really tedious
Here we list the databases behind this URL. In the command, -u passes the target URL to scan, and --dbs enumerates the DBMS's databases
The result is as follows
The output in this screenshot tells us that the database management system used by this site is MySQL 5.0.12, and that there are several databases, as follows
As soon as we saw a database named User, we immediately made it our next target
--tables enumerates the tables of a database in the DBMS
A database is made up of tables and contains at least one table
-D selects the database by name
In short, we enumerate all the tables contained in the database named User at this URL and get the following result
The database User contains only the table credential
In a table, each column is an attribute
This command enumerates the columns of the table credential in the database User, giving the following result
And then we have a step like this
--dump: dump DBMS database table entries
That is, download the entries (entities) from this database table
An entity is a thing or object that is distinguishable from all other objects in the real world
For example, in a table with the columns name, student number, age and major, there is a row of data
Li Xiaobai, 123456, 20, information security
So Li Xiaobai is an entity in this database
Dump table entities
After running this command we were asked several questions; the first two are not important, but the third is
do you want to use common password suffixes?
After we select yes, it starts running, and after about 7 seconds it displays
cracked password 'assignment' for hash '….. '
Then we pressed Ctrl+C to stop it, and it returned this result
Remember that when we enumerated the columns we already had the table's attributes, and when we dumped the table we already had the entities with their value for each attribute. The last step is really asking whether we want to try matching the password against ordinary words
All passwords in the system are stored in hashed form. What we are doing is hashing common words and checking whether the result matches a hash in the system; if it does, that common word is the entity's password
Admin password = "assignment"
After this, using admin + assignment on the website, the login succeeds
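The final step above, at toy scale, as an added example that is not part of the original post: a small constructed wordlist is hashed and compared with a stored hash the way the tool does (including the "common suffixes" it asked about), and next to it is the storage scheme that makes such a cheap check fail: a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256). The wordlist, suffix list and iteration count are illustrative choices, not the tool's or the lab's.

```python
# Added example, not from the original post: a wordlist check against an
# unsalted fast hash, beside salted slow password hashing that defeats it.
import hashlib
import hmac
import os

# Constructed wordlist and suffixes; real lists are far larger.
WORDLIST = ["password", "123456", "admin", "letmein", "assignment", "welcome"]
COMMON_SUFFIXES = ["", "1", "123", "!", "2021"]

ITERATIONS = 200_000  # illustrative PBKDF2 cost; tune to your hardware budget


def md5_hex(text):
    """Unsalted MD5, the kind of fast hash a wordlist check matches instantly."""
    return hashlib.md5(text.encode()).hexdigest()


def crack_with_wordlist(target_hex, wordlist=WORDLIST, suffixes=COMMON_SUFFIXES):
    """Return the word (with suffix) whose MD5 equals target_hex, or None."""
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, packed into one string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Same password stored both ways; returns what each check yields."""
    weak = md5_hex("assignment")          # effectively what the lab's table held
    strong = hash_password("assignment")  # same password, salted and stretched
    return {
        "md5_cracked": crack_with_wordlist(weak),
        # a table of fast hashes of common words cannot match a salted,
        # stretched digest: the stored value is not a function of the word alone
        "pbkdf2_vs_md5_table": crack_with_wordlist(strong.split("$")[-1]),
        "pbkdf2_verifies": verify_password(strong, "assignment"),
        "pbkdf2_rejects": verify_password(strong, "assignment1"),
        "salts_differ": hash_password("assignment") != strong,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting removes the one-hash-fits-all-users shortcut (each user's hash must be attacked separately), and the iteration count multiplies the cost of every guess, so the "7 seconds" in the post becomes a much larger budget even for a password as weak as this one; neither fixes the underlying problem, which is the administrator choosing a dictionary word.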
Conclusion
There is no summary of the technical process; it is all above. Let's talk about a few issues in the security industry instead
First, never trust user input, which can sometimes be harmful to the system, like our injection statements. Much of the time control is enforced by forbidding characters such as spaces, semicolons and quotation marks in the input, but there are also ways to evade these control mechanisms. This back-and-forth between defence and attack is the subject of research in SQL security
Second, users' security awareness. No matter how strict the security system is, it cannot stop users from choosing a simple username and password. In fact, many administrators at Internet companies today are used to using admin or administrator as the administrator account name, do not use very complicated passwords, and even write the password on a sticky note stuck to the desk, which has caused serious security risks. The human heart and human nature are bigger vulnerabilities than the security of the system.
Finally, when you have time, learn about the popular, powerful tools and read their documentation. When you run into a problem, the hard part is often not using a tool to solve it but not knowing that a simple tool exists. For simple problems it is much easier to use tools than to write your own code and scripts, and for complex problems it is much easier to build scripts on top of popular tools. Familiarity with these tools is the accumulated work experience and personal ability of someone working in the network security industry.
Digression
How I feel about the recent incident with Chain Safety
First of all, love to the teachers and classmates of Chain Safety
Then, there are new ways of committing crimes as well as new technologies
Finally, for all these years I have been thinking about how to set my heart right first, and only then how to learn stronger skills
In my early high-school years, one of my classmates put virus software on a USB drive and installed it on the computers in the school's computer room. In fact he did not understand the virus or even basic security technology, and he gained nothing from what he did; he simply enjoyed the pleasure and sense of achievement of doing it
As for my own learning experience: my first complete tool was written for Windows; I did all kinds of learning on my own two computers; I practised the vulnerability-hunting process with virtual machines; and even when it came to attacking real websites, I stayed within the scope given by each site's testing platform, caused no damage during testing, and reported the testing process to the relevant department afterwards, which helps maintain the network environment
Thanks to my parents' upbringing, I have the utmost respect for rules, so that at any time I can resist the urge to show off skills to others or to carry out unauthorised attacks for some so-called sense of achievement. Over the years I can honestly say that I have never done a bad thing and am worthy of the identity of a network security practitioner; I think this is the most fulfilling thing for me
Technology is always changing; what should stay constant is a sense of integrity, and the honour of maintaining that integrity
Heaven and earth move, galloping ceaselessly
The law of heaven and earth is always carried out