Yucai System

Part A

I came across a real-world account of this here, on zhihu:

The North School database holds the records of Shenyang's recent primary-school graduates. It has used the same registration system for several years: the data is imported directly into the school's servers and then compared against what applicants enter when they register.

As mentioned yesterday, we obtained the North School and Beihong registration information, including account number (for the North School the account number is the student number), password, name, sex, home address, ID card number, parents' mobile phone numbers, parents' names, primary school graduated from, and so on. We really should raise our awareness of network security. If such a situation does happen, people could log in as whoever they want and change their information, and if someone does get in and the information doesn't match up…

We also got the experimental primary and junior high school registration information for recent years; the data is similar to the above.

We got last year's Department of Children's registration information, including personal information, whether or not the applicant was accepted, probation classes and so on; there are no account passwords. There's also a field called num, an integer of no more than 15, which doesn't seem to be a score. The data is very messy: some people are repeated dozens of times, and I don't know what it is for.

How do you crack it? It's easy: SQL injection. For example, suppose I do a user name check. The user enters a user name, let's say the field is called name, and it is sent to the server. The server sends a query to the database to see whether a user with that user name exists. The query is (this statement is real, as seen from the site's error output):

    SELECT * FROM Beihong WHERE name='user name';

That is, the statement generated is SELECT * FROM <table> WHERE name='<user name>'; . Assuming no one has ever used this user name, the database returns FALSE (no) to the server, which replies "user name does not exist".

At this point, with SQL injection, we can submit a virus-like user name such as

    ' or 0=0;--+

(the trailing + is decoded by the server as a space). The query statement then becomes interesting:

    SELECT * FROM Beihong WHERE name='' or 0=0;-- ';

In a database query the -- part is treated as a comment, meaning the engine doesn't run it, and the semicolon ends the statement.

So the statement effectively becomes

    SELECT * FROM Beihong WHERE name='' or 0=0;

and the result of this query is the entire data table. The server gets this pile of rows and thinks the user name already exists (and that there are a bunch of them), so "user name already exists" is returned to the user. So we can see that the result of the query depends entirely on whether the second half of the "virus user name" I submitted is true: if I change it to ' and 0=1--+ it will always return "user name does not exist".

This type of injection is called a "boolean blind" injection; a bool has only two values, yes and no. This injection is not easy because it does not output database query results, just yes and no. I am also not a professional; when injecting I need to guess and work out a lot of things, so I used SQLMAP, a god-tier tool: almost all sites with SQL vulnerabilities can be broken with it, and you can also get command-line access and drop a one-sentence Trojan (a one-sentence Trojan is written into the site's directory; connecting to it with a client tool can perform all kinds of extremely dangerous operations, and it can directly access all the files on the entire machine).

When I injected, Beihong used a separate "check whether the user name is taken" URL, which is the example I mentioned above. It is easy to crack: with only one parameter, boolean injection is easy to carry out.
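As an added illustration (not code from the post or from either school's system), here is the user-name check described above rebuilt in Python against an in-memory SQLite table with constructed rows: the string-spliced form that the post's payloads flip between "exists" and "does not exist", beside a parameterised form and a server-side format check.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the Beihong registration table (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Beihong (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO Beihong VALUES (?, ?)",
                     [("alice", "pw1"), ("bob", "pw2"), ("carol", "pw3")])
    return conn

def name_exists_vulnerable(conn, name):
    """The pattern in the post: the submitted user name is spliced into the SQL text."""
    # The post's payloads end in '+', which the server decodes as a space.
    sql = "SELECT * FROM Beihong WHERE name='%s';" % name.replace("+", " ")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return False          # a query that fails to parse reads as "does not exist"
    return len(rows) > 0      # any rows at all -> "user name already exists"

def name_exists_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text, so
    quotes, 'or 0=0' and '--' inside it can never change the query's structure."""
    rows = conn.execute("SELECT * FROM Beihong WHERE name=?", (name,)).fetchall()
    return len(rows) > 0

def username_is_wellformed(name):
    """Server-side input check: reject quotes, parentheses and other operator
    characters before the value gets anywhere near a query."""
    return name.isalnum() and 1 <= len(name) <= 32
```

With the spliced query, `' or 0=0;--+` reports "exists" and `' and 0=1;--+` reports "does not exist" regardless of the table's contents; the parameterised query treats both as literal (non-existent) names.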

Part B

Because the website was closed, I missed out on this exact experience.

Successfully cracked all of this year's submitted enrollment data, account numbers and passwords for the North School and Beihong. Junk sites: bad firewalls of their own, no restriction on database commands, error output exposed, no directory access restrictions, database account root. After the second injection I cracked and exported the data and found that none of the account passwords had been encrypted in any way; they were stored directly in clear text. The site's construction is rotten; the back end could take a one-sentence Trojan directly, but I didn't do it. A few lines of basic vulnerability code and the site goes down. I'm not a professional, but they suck.

Here I would also like to commend the North campus. The North campus upgraded its system a few days ago, removing user-name registration. The student ID number is now the user name, and it must be present in the current year's student ID database. The North campus's system is almost the same as Beihong's, but because user-name login was removed, cracking it became much harder. For the North campus, after user-name login was removed, the user-name lookup page was abandoned, so after the system update the user-name lookup URL only produces an error, forcing me to inject via the login interface, which needs a student ID and a password. Then it came to mind that both systems store the verification code directly on the client, and the server does not verify it... so I didn't need to worry about the verification code at all, which greatly reduced my cracking difficulty (really extreme; moreover the verification code is stored in clear text, with no encryption. If the server verified the encrypted verification code before checking whether the account password is correct, it would be unlikely to be cracked). Going on: when you inject the North campus, you need to sniff out the characters of the database name (SSR cards were hanging), the table names (in case of an error, no need to sniff) and the field names. You can only submit one letter at a time to match, and then determine whether the return value is correct or not.

Part C

On the other hand, the server doesn't have any firewall (the North campus may have added one, but it didn't stop any of my requests). A firewall is the best defense against even the most basic injection, and it probably wasn't even turned on. Then, as in the paragraph above: I sniff out a set of account passwords and inject them, and I get yes or no. It is always yes or no, because you are faking password matches: even if the server "thinks" your account password is okay, creating a cookie to record your identity will still fail because the user does not exist, no cookie is written, and the result is a "No" page that cannot be told apart. Another thing that comes to mind is that the cookie holds the clear-text account password, so every time a user visits a page the database has to be queried, which slows access considerably; what a drag on server performance...

In fact, the way to deal with SQL injection is extremely simple. As I just said:

First, you can add a captcha: store it encrypted in a cookie on the front end, and then when the back end is accessed, check whether the submitted captcha, once encrypted, matches the cookie value. That is the simplest captcha. If you add a captcha to every operation that requires a database query, and only query the database after the captcha has passed, you can resist more than half of SQL injection attempts, because injection is a trial-and-error process, and trial requires a lot of requests. With a lot of requests, the verification code has to be filled in every time. Who can fill it in? People. People don't do that, so some attackers just give up.

Second, add a firewall! The Pagoda panel comes with a very powerful firewall that even kills some requests; most SQL attacks become useless.

Third, the server side must never process received data without filtering it! The front end checks the validity of the data, but the back end must check too, because anyone who knows a little about back ends can use F12 to grab the back-end request address and then make forged requests; life is so beautiful. You don't need to check too much: account names and passwords shouldn't contain too many special characters, especially operator placeholders such as double quotes, single quotes and parentheses.

The North School system is Debian; it was a decent server-only system with debug mode turned off, and the database account was root, the highest level, but the password wasn't a simple one, so I suffered a little while trying to crack it. Beihong's system is Windows with DEBUG mode not turned off; the DEBUG constant was forgotten, so the program simply assumed DEBUG mode was on, which caused the program's error output to expose the root directory path of the site, d:/Pc, and the password of the database root account, root. The database is not reachable from outside localhost, nor is phpMyAdmin open, so no one will be able to access it. The last picture gave me a good laugh: if you look at the access log, the screen is full of just one IP sending dozens of requests every second, hey hey. I have not changed any content in the database, and I won't delete the database and run away; this was just for research.

According to Article 29 of the Cybersecurity Law of the People's Republic of China, "The state supports cooperation among network operators in the collection, analysis, notification and emergency handling of network security information, so as to enhance the security and guarantee ability of network operators." All privacy data collected will be cleared within 24 hours and will not be distributed or used for illegal purposes.
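The captcha scheme sketched in the first defense above, as an added example (not the post's or either school's code): the server keeps the secret, the cookie carries only a nonce, an expiry and an HMAC of the captcha text rather than the text itself, and the check runs server side before any database query. The secret value, the character set and the five-minute lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-server-secret"   # assumption: in practice loaded from server config
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TTL = 300                               # captcha valid for five minutes
_used = set()                           # nonces already consumed (blocks replay)

def _mac(nonce, expiry, text):
    """Bind the captcha text to this nonce and expiry under the server secret."""
    msg = f"{nonce}.{expiry}.{text.upper()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_captcha(now=None):
    """Return (text to draw in the image, cookie value to set on the client)."""
    now = int(time.time() if now is None else now)
    text = "".join(secrets.choice(ALPHABET) for _ in range(5))
    nonce, expiry = secrets.token_hex(8), now + TTL
    return text, f"{nonce}.{expiry}.{_mac(nonce, expiry, text)}"

def verify_captcha(submitted, cookie, now=None):
    """Server-side check to run before any database query is issued.
    Returns True once per cookie; expired, forged, malformed or replayed
    cookies all fail."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expiry, mac = cookie.split(".")
        expiry = int(expiry)
    except ValueError:
        return False
    if now > expiry or nonce in _used:
        return False
    if not hmac.compare_digest(_mac(nonce, expiry, submitted), mac):
        return False
    _used.add(nonce)                    # one cookie, one use
    return True
```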
