Breaking through Safe Dog

Background knowledge

SQL injection

Principle:

The user controls the input and constructs malicious parameters (usually SQL fragments), and the web application splices this unfiltered user input into the SQL statement it executes.

Harm:

1. Database information leakage.

2. Web page tampering.

3. Website planted with Trojans (挂马): field values in the database are modified to embed a link to a web Trojan, so that visitors are attacked.

4. The database is operated on maliciously.

5. Database server compromised: the database server is attacked and its system administrator account is tampered with.

6. The server is controlled remotely and a backdoor is installed.

7. Hard disk data is destroyed and the entire system is paralysed.

Hardening:

1. String filtering.

2. Front-end JavaScript input validation against SQL injection.

3. Restrict the user's permissions in the database.

4. Make more use of the security parameters that the database itself provides.

5. Run the program with the least privilege.

6. When a command fails, do not reveal too many details of the error.
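Added example (my own code, not from the original post) illustrating the principle and hardening item 4: a lookup that splices the id parameter into the SQL text beside one that binds it as a parameter, using an in-memory SQLite table constructed here to stand in for the target's id=x pages.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the target's "id=x" pages.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    return conn

def lookup_spliced(conn, user_id):
    # Vulnerable: the raw parameter becomes part of the SQL text, so anything
    # the user appends ("and 1=2", a quote, a UNION) is parsed as SQL.
    sql = "SELECT id, title FROM news WHERE id=" + user_id
    return [row[1] for row in conn.execute(sql)]

def lookup_parameterized(conn, user_id):
    # Hardened: validate the type, then bind the value. The driver sends it
    # as data, never as statement text, so it cannot change the query shape.
    try:
        id_num = int(user_id)
    except ValueError:
        return []
    sql = "SELECT id, title FROM news WHERE id=?"
    return [row[1] for row in conn.execute(sql, (id_num,))]

def boolean_probe_differs(conn, lookup):
    # The first test in the walkthrough: if "and 1=1" and "and 1=2" produce
    # different pages, the parameter is reaching the SQL engine unfiltered.
    return lookup(conn, "1 and 1=1") != lookup(conn, "1 and 1=2")

if __name__ == "__main__":
    db = make_db()
    print("spliced query injectable:", boolean_probe_differs(db, lookup_spliced))
    print("parameterized query injectable:", boolean_probe_differs(db, lookup_parameterized))
```

Client-side JavaScript filtering (item 2) adds nothing on its own, because the request is rebuilt by whatever client actually sends it; the bound parameter is what makes both probes return the same empty result.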

Introduction to Website Safe Dog

Website Safe Dog is a server tool that integrates website content protection, website resource protection and website traffic protection. It covers modules such as web Trojan scanning, anti-SQL injection, anti-hotlinking, anti-CC attack, real-time monitoring of website traffic, website CPU monitoring, download thread protection, IP black and white list management and web anti-tampering. It provides users with real-time website protection and avoids the harm caused by various attacks on the website.

Main functions of Safe Dog

1: Active defense against and removal of web Trojans. The web Trojan scanning tool uses signature plus heuristic engine scanning and removal algorithms, with a detection rate for web Trojans above 90%.

2: Traffic monitoring. Real-time monitoring of the inbound, outbound and total traffic of each website, as well as the CPU usage of each application pool and website.

3: Website vulnerability defense. Intercepts SQL injection in GET, POST, COOKIE and other parameters, allows signatures to be defined for GET, POST and COOKIE, and intercepts XSS injection.

4: Dangerous component protection. Fully intercepts calls from malicious code to components, prevents IIS from executing malicious programs, and protects website security.

5: .NET security protection module. Quickly sets a .NET security mode that prohibits .NET from executing sensitive system functions, to ensure website security.

6: Two-layer anti-hotlink mode. Anti-hotlink filtering can be set per site to prevent pictures, wallpapers, software, music and movies from being hotlinked. If a requester is found to be hotlinking the site, it is automatically redirected to the error handling page.

7: Anti-download protection for specific website resources. Supports anti-download protection for specific resource types such as doc, mdb, mdf and myd; add the path of the sensitive data to be protected to prevent it from being downloaded.

8: CC attack protection. An independently developed anti-attack algorithm and an efficient active defense system effectively defend against CC attacks and traffic floods.

9: Website traffic protection. Supports download flow control and download thread control, using original thread-control and flow-control technology to greatly improve server performance and protect website traffic.

SQL injection WAF bypass techniques

Case bypass: some vendors' filtering is not rigorous. Some use blacklist filtering but only filter the lowercase form, and the received parameter is not converted to lowercase before matching. In that situation it is easy to bypass: for example, union select becomes UnIOn sELeCT.

Inline comments: suppose a filter blocks union, where, table_name, table_schema, = and information_schema. These are usually bypassed with inline comments, like this: id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database(). The filter treats /* ... */ as a comment: when it reads /* it regards everything that follows as comment content and does not check it, until the closing */ terminates the comment. MySQL, however, still executes the contents of a /*! ... */ comment, so the statement runs and the detection is bypassed.

Keyword replacement: suppose the filter strips select. We can splice it as seselectlect: the filter removes the select in the middle, and the characters on either side join back into select, which bypasses some WAFs.

Character encoding: in some cases the WAF decodes the input on behalf of the application, but some WAFs decode only once before filtering, so double-encoding the bypass statement gets past them (the WAF decodes once and then filters, and the SQL statement that follows is decoded again automatically and executed directly).
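Added example (my own code, not Safe Dog's or the post's) of how a filter can normalize a parameter before matching so that each of the four tricks above stops working: decode until stable, lowercase, unwrap MySQL /*!...*/ conditional comments, drop plain comments, and reject on a match instead of stripping the keyword. The keyword list is the one named in the inline-comment paragraph.

```python
import re
from urllib.parse import unquote_plus

# Keywords named in the inline-comment paragraph above ("=" omitted: it is
# too common in ordinary values to blacklist on its own).
KEYWORDS = ("union", "select", "where", "table_name",
            "table_schema", "information_schema")

def normalize(value, max_rounds=3):
    # Decode until the value stops changing, so a double-encoded payload
    # cannot hide behind a filter that decodes only once.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = value.lower()                    # UnIOn sELeCT -> union select
    # MySQL executes the body of /*!...*/ (optionally /*!50000...*/), so the
    # matcher must keep that body and drop only the markers.
    value = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Ordinary /*...*/ comments are discarded, as the server would discard them.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()

def flagged_keywords(value):
    # Match on the normalized text and reject the request on any hit.
    # Stripping the keyword and passing the remainder on is exactly what
    # seselectlect defeats; the value still contains "select", so it is caught.
    norm = normalize(value)
    return [kw for kw in KEYWORDS if kw in norm]

if __name__ == "__main__":
    for sample in ("UnIOn sELeCT", "seselectlect", "%2575nion%20%2573elect",
                   "1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)", "1"):
        print(repr(sample), "->", flagged_keywords(sample))
```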

Example demonstration

Target website: 172.16.12.2

Detect vulnerabilities:

I clicked through a few pages and found that the URLs are all of the id=x type. Entering id=1 and 1=1 gives the result shown below.

Obviously the dog caught us.

Trying id=1' displays the following:

Obviously the parameter we entered was passed into the database query, hence the error.

Inline comments can also be used here to bypass Safe Dog: with /*! and 1=1*/ the page displays normally, while with /*! and 1=2*/ the page shows no content.

Bypassing Safe Dog's anti-injection detection

UNION SELECT has a useful property: if the statement in front of it returns nothing (for example because its condition fails), the data selected by the second SELECT is output in its place on the page.

Using /*! order by 6*/, which succeeded, and the next value, which errored, it was found that the query has 6 columns.

Then passing /*!union//*!select*/1,2,3,4,5,6 as shown below shows that positions 1 and 4 can be replaced with useful functions.

This revealed that the database is zzcms and the version is 5.5.47.

user() and @@version_compile_os reveal the current user and the current operating system.

Enumerating tables

The information_schema of a MySQL server stores a lot of information about the database, such as all user names, table names, column names and so on; see Baidu for details.

group_concat() joins the query results together so they are displayed in one field.

Enumerating columns

Dumping the username and password

This password looks odd: an MD5 value is usually 32 characters made up of 0-9 and a-f. I counted 32 characters and the letters are all within a to f, so I strongly suspect it was hashed with MD5; after cracking it: 123123.

Bypassing Safe Dog and uploading a webshell

Log in with admin and 123123.

Uploading the big webshell (data.php) directly was caught by the dog, so Burp Suite was used to intercept the request and get around the dog.

Bypass principle:

After sending the request to Repeater, copy the content of the file and paste it below as a second file part. Now the request is equivalent to uploading two files; change the suffix of the first file to jpg. Once a file name and content were added so that the two file names differ, Safe Dog's protection was bypassed and the php file was uploaded.

The reason is that Safe Dog matches the file name against the first file name, data.jpg, which meets the security requirements. The second file comes last and overwrites the first, so what the server saves is the second file, data.php. The security check is therefore useless, and the php file was uploaded successfully.
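Added example (my own code, not the post's or Safe Dog's) showing the upload check failure described above and its fix: a small multipart/form-data parser over a constructed two-part body, where one check inspects only the first filename and the hardened check requires every file part, including the one the server actually saves, to carry an allowed extension.

```python
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

def parse_parts(body, boundary):
    # Minimal multipart/form-data splitter: returns (headers, content) per part.
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):          # closing "--boundary--"
            break
        head, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        parts.append((head, content))
    return parts

def filenames(body, boundary):
    names = []
    for head, _ in parse_parts(body, boundary):
        m = re.search(r'filename="([^"]*)"', head)
        if m:
            names.append(m.group(1))
    return names

def extension_allowed(name):
    return "." in name and name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def check_first_part_only(body, boundary):
    # The weakness in the walkthrough: the guard looks at the first filename
    # (data.jpg) and stops, while the server keeps the last part (data.php).
    names = filenames(body, boundary)
    return bool(names) and extension_allowed(names[0])

def check_every_part(body, boundary):
    # Hardened: every file part, including the one actually written to disk,
    # must carry an allowed extension; an unexpected extra file part is rejected.
    names = filenames(body, boundary)
    return bool(names) and all(extension_allowed(n) for n in names)

# Constructed request body with two file parts; the second is the one the
# server would keep. Contents are placeholders, not real files.
BOUNDARY = "----demo"
BODY = (
    "------demo\r\n"
    'Content-Disposition: form-data; name="file"; filename="data.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "<placeholder image bytes>\r\n"
    "------demo\r\n"
    'Content-Disposition: form-data; name="file"; filename="data.php"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<placeholder content>\r\n"
    "------demo--\r\n"
)
```

A real deployment should also apply the check to the name the server finally writes, since that name, not the first one in the request, is what decides whether the file is executable.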

The webshell's interface is as follows.

Trying out the webshell

Privilege escalation

whoami showed that we already have SYSTEM privileges, which is probably because this is a practice target; getting SYSTEM straight away is too rare.

systeminfo shows the system information.

net user lists the existing users.

We could log in through the administrator account, but we don't know its password. Since we now have SYSTEM privileges, net user administrator 123456 changes the password to 123456 so that we can log in.

On the local machine press Win+R and enter mstsc to open the Windows remote desktop client, enter the target machine's IP, then enter the account name and password to authenticate; the login is as follows.