I received a notification from the Internet Emergency Center! Remember the right way to use sqlmap.

Time:2021-8-22

Last night an email arrived in my mailbox and went straight to the junk folder.

Something felt off at work this morning, so I fished it out of the junk folder.

It looks like a very serious and official notification document, about this long (in any case, I'll pull out the key information):

Judging by the content of the email, nine times out of ten it is genuine, because these websites run on an old ASP + Access back end written by a colleague a long time ago (it has a long history).

I had run into SQL injection on it once before. At the time I was too busy and didn't know how to deal with it, so I simply turned off all the website's write permissions (which also disabled the message board).

The official document mentions sqlmap. I haven't used it before, so I'll try it out for now.

First, download and install it following the tutorial written by a great master: https://blog.csdn.net/baigoocn/article/details/51456721

Installing sqlmap under Windows (illustrated)

Since sqlmap is written in Python, a Python environment has to be installed first. The detailed installation steps are as follows:

Preparation:

(1) Windows 7 / 8 / 10;

(2) Python 2.7.11;

(3) sqlmap

Step 1. Download Python 2.7.11 (the tutorial warns against a version that is too new because of compatibility problems and recommends this one). Note that Python 2.7 is end-of-life and current sqlmap releases also run on Python 3, so a current Python 3 release is the better choice today.

            Download address: https://www.python.org/downloads/

Step 2. Install Python 2.7.11:

2.1. Double-click the downloaded Python 2.7.11 installer and accept the default, Next;

2.2. Accept the default and click Next;

2.3. Tick "Add python.exe to Path" so that you don't have to add the environment variable by hand after installation; it is unticked by default;

2.4. After installation, restart the system and check that it took effect: press Win + R, type cmd, then type python in the command window.

Step 3. Download sqlmap

            Download address: http://sqlmap.org/

Step 4. Install sqlmap

4.1. Unzip the downloaded sqlmap package into a folder named sqlmap and copy it into the C:\Python27 directory;

4.2. Create a new CMD shortcut on the desktop and name it "sqlmap";

4.3. Right-click the new shortcut, choose Properties, change "Start in" to C:\Python27\sqlmap, and click OK;

4.4. Double-click the shortcut you just created and run sqlmap.py -h (lowercase h; in sqlmap, -H is the option for adding an extra HTTP header and expects a value). If the help text appears, the installation succeeded.

That's the installation done.

SQL injection in ASP

Then I searched around (really just the top-ranked blogs) and read up on SQL injection in ASP.

Reference link: https://www.cnblogs.com/mo-beifeng/archive/2011/05/01/2033818.html

If you have never tried SQL injection before, the first step is to untick IE menu => Tools => Internet Options => Advanced => "Show friendly HTTP error messages". Otherwise, whatever error the server returns, IE only shows a generic HTTP 500 page and you get no further detail.

Determining whether SQL injection is possible:

① http://www.19cn.com/showdetail.asp?id=49

② http://www.19cn.com/showdetail.asp?id=49 and 1=1

③ http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic "1=1 and 1=2" test. How do you judge? Just look at what the three URLs return:

Behaviour of an injectable page:

① displays normally (it has to, otherwise the program itself is broken)

② displays normally, with content essentially identical to ①

③ reports "BOF or EOF" (when the program does no checking at all), or "record not found" (when the program checks rs.EOF), or an empty page (when the program uses On Error Resume Next)

A page that is not injectable is easier to spot: ① still displays normally, while ② and ③ usually return the program's own error message or a type-conversion error.

Of course, this is only the test for a numeric parameter. In practice there are also string and search parameters, where the injected text first has to close the surrounding quotes (for example a value of abc' and '1'='1 instead of plain abc) before the same comparison applies.

Prevention methods

SQL injection vulnerabilities are a case of "a thousand-mile dyke collapsing from an ant hole". They are very common on the Internet and are usually caused by programmers who don't understand injection, by filtering that isn't strict, or by a single parameter that was forgotten. Here is a function to use in place of ASP's Request() so that every parameter gets checked:

Function SafeRequest(ParaName, ParaType)
    '--- incoming parameters ---
    'ParaName: parameter name (string)
    'ParaType: parameter type (1 = the parameter must be numeric, 0 = the parameter is a string)
    'A string value is returned with single quotes doubled; that is only
    'effective if the caller wraps the value in single quotes in the SQL.
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!"
            Response.End
        End If
    Else
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

In other words, for a page that takes its parameters via GET, you must validate them the moment they are received.

If the parameter is a plain number, convert it with CInt() (or better CLng(): CInt is a 16-bit conversion and overflows above 32767, so larger ids would fail). Note that quote doubling and numeric checks only filter the input; the robust fix is to pass values as parameters of an ADODB.Command instead of concatenating them into the SQL string.
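As an added example (not part of the original post or of the tutorials it links), here is the three-request ①②③ test and the difference between the vulnerable page and the fixed page, simulated in Python 3 against an in-memory SQLite database standing in for the Access .mdb. The news table, its rows, the handler names and the response texts are all constructed for the demo:

```python
import sqlite3

# Constructed stand-in for the old ASP + Access page (assumption: a table
# 'news' with columns id and title). The rows are made up for the demo.
SAMPLE_ROWS = [(48, "older item"), (49, "news item 49"), (50, "newer item")]
EOF_ERROR = "ADODB.Recordset error: Either BOF or EOF is True"


def make_db():
    """In-memory SQLite database playing the role of the Access .mdb."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, title text)")
    conn.executemany("insert into news values (?, ?)", SAMPLE_ROWS)
    return conn


def showdetail_vulnerable(conn, raw_id):
    """showdetail.asp as the text describes it: the parameter is pasted
    straight into the SQL, so 'and 1=2' becomes part of the WHERE clause."""
    sql = "select title from news where id=" + raw_id
    rows = conn.execute(sql).fetchall()
    # With no rs.EOF check, ASP throws the BOF/EOF error on an empty recordset.
    return "\n".join(r[0] for r in rows) if rows else EOF_ERROR


def showdetail_hardened(conn, raw_id):
    """Same page with the fix the text recommends: validate the numeric
    parameter (CLng in VBScript, int() here) and bind it instead of
    concatenating it. Anything that is not an integer is rejected."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return "parameter id must be numeric!"
    rows = conn.execute("select title from news where id=?", (id_value,)).fetchall()
    return "\n".join(r[0] for r in rows) if rows else "record not found"


def boolean_test(handler, conn, base_id="49"):
    """The classic three-request check from the text.
    Injectable behaviour: ① and ② give the same page, ③ gives something else."""
    r1 = handler(conn, base_id)                  # ① id=49
    r2 = handler(conn, base_id + " and 1=1")     # ② id=49 and 1=1
    r3 = handler(conn, base_id + " and 1=2")     # ③ id=49 and 1=2
    return r1 != EOF_ERROR and r1 == r2 and r1 != r3


def safe_request_string(value):
    """Mirror of SafeRequest's string branch: double every single quote.
    This only helps when the value is later wrapped in '...' in the SQL."""
    return value.replace("'", "''")


def search_vulnerable(conn, raw_title):
    """A string-typed lookup built by concatenation (the text's 'character'
    parameter case). Returns the ids of the matching rows."""
    sql = "select id from news where title='" + raw_title + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", showdetail_vulnerable),
                          ("hardened", showdetail_hardened)):
        print(name, "injectable:", boolean_test(handler, db))
    print("string param, raw:     ", search_vulnerable(db, "x' or '1'='1"))
    print("string param, escaped: ", search_vulnerable(db, safe_request_string("x' or '1'='1")))
    print("numeric param, escaped:", repr(showdetail_vulnerable(db, safe_request_string("49 or 1=1"))))
```

Each handler returns the page "response" as a string, so the three responses can be compared directly, which is what the ①②③ test does by eye. The last line of the demo shows why quote doubling alone is not enough: 49 or 1=1 contains no quote, so SafeRequest's string branch leaves it untouched and it still returns every row. The ASP equivalent of the bound parameter in showdetail_hardened is an ADODB.Command with CreateParameter/Parameters.Append instead of a concatenated SQL string.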

Note: the test command in the official document looks something like:

sqlmap.py -u "http://www.xxx.com/newsview.asp?id=1" --batch

(--batch answers sqlmap's prompts with the defaults so it runs unattended.) If sqlmap is able to retrieve data, the vulnerability is real.

Well, that's enough for now. I'll reply to the official email once I have finished the fix.

Addendum: after a scan, sqlmap keeps a local session log. After the website has been fixed it may still report the old vulnerability on the next run because it reuses that session, so the log needs to be cleared.

Clearing sqlmap's history scan log

When sqlmap scans for SQL injection, the first scan writes its session data under ~/.sqlmap/output/ (/root/.sqlmap/output/ when run as root on Linux; under the user's home directory on Windows), in a folder named after the target host (IP address or domain name).

If the vulnerability has since been fixed, running sqlmap against the same target again still shows the same result as the first scan,

because the earlier session records in ~/.sqlmap/output/ are reused.

The fix is to delete that target's folder under the output directory, or to run sqlmap with --flush-session, which discards the stored session for the current target before testing it again.