1 summary

1. User-Agent： yes Http Part of the agreement , Part of the head domain ,User Agent Also abbreviated as UA. In a more common sense , It is a kind of browser that provides access to websites with the type of browser you use 、 Operating system and version 、CPU type 、 Browser rendering engine 、 Browser language 、 Identification of browser plug-ins and other information .
2. UA String in every browser HTTP Send the request to the server ！ browser UA The standard format of a string is ： Browser logo ( Operating system identification ; Encryption level identification ; Browser language ) Rendering engine logo Version information
3. User-Agent Inject ：User-Agent The principle of injection is the same as usual , It's just that we will submit the parameters in User-Agent Submitted by , Belong to http A kind of head injection .
4. In general, we use get perhaps post Mode submission ：
   1. get The method of submission is to add the statement to be injected directly after the web address ;
   2. post It is through forms ,
   3. get and post The difference is that we can pass IE See the parameters we submitted in the address bar , And the other one can't .

2 Introduction to the experiment

2.1 The experiment platform

1. Drone aircraft ：CentOS7 install docker, utilize docker Deploy sqli-labs As an experimental platform . For the specific deployment process, please refer to the article 《Docker To build sqli-labs Vulnerability environment 》.
2. Real machine ： For convenience of modification http Header information , This experiment uses BurpSuite To carry out the injection experiment ,BurpSuite The installation process can refer to the article 《BurpSuite Introduction and installation 》.
3. The target aircraft and the real aircraft bridge are connected to the same LAN .

2.2 The goal of the experiment

1. Get the website background database account and password .

3 Experimental process

3.1 Foreplay

1. The real machine turns on BurpSuite, Get into Proxy Tools , Open your own browser , Access target sqli-labs Of Less18, Open the page as follows .
   
2. This level simulates the login page , Try first Dumb The account login , After login, the page is shown as follows ：
   
3. stay BurpSuite The tool intercept The interface opens intercept is on, Reload the previous page , Give Way BurpSuite Get request , Right click to send the request to repeater Tools , Click on forward.
   
4. stay BurpSuite Of Repeater In the tools , We can see the request just sent , Click Send , You can see in the response user agent Information about , Therefore, it is speculated that the content of this field can be echoed to the page , There may be injection .
   

3.2 Determine the injection point and injection type

1. The normal process should first judge whether the injection can be carried out at the regular position , If there is really no case, find http Whether header information can be injected into , The experiment in this section omits the process of testing whether other locations can be injected , Just to demonstrate how to user-agent Inject .
2. go back to repeater Interface , Edit the request ,user-agent The information is modified to test, Test whether the response can echo the content . You can see the normal display .
   
3. Change the parameter to test' when , The system displays an error message , Therefore, we guess that the quotation mark is not normally closed due to the addition of a single quotation mark . Different from the past , There is also a string of error statements here, including IP And account number , We can guess , The system splices this statement into our injected parameters and executes it together .
   
4. Change the parameter to test' and '1'='1, Program running normally , Description: this parameter is a single quotation mark closed character type .
   
5. Conclusion ： The parameter injection information will be echoed in the response , It's an injection point , And the parameter is a single quotation mark closed character type .

3.3 Get the contents of the library name table name field name field

1. Get library name . Change the parameter to test' and updatexml(1,concat('~',database(),'~'),1) and '1'='1, Wait here for the last statement , On the one hand, it is to close the single quotation marks of background statements , On the other hand, it is to ensure that the operation of subsequent statements will not be affected when our statements are spliced in the background , This is a better way to close than to use # The brilliance of number and other methods . Through this parameter , We broke the name of the database where the website is located .
   
2. Get table name . modify cookie Parameter is test' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema = database() ),'~'),1) and '1'='1, Total explosion 4 Table names , among users It's what we want .
   
3. Get field name . Change the parameter to test' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name = 'users'),'~'),1) and '1'='1, The response is as follows , Total explosion 3 Field names .
   
4. Get the number of users . in consideration of updatexml() Function echo character length is limited , Get the number of users first , Then get the user name and password one by one . Change the parameter to test' and updatexml(1,concat('~',(select count(username) from users),'~'),1) and '1'='1, The error prompt in the response is as follows , We can see that there are 13 Users .
   
5. Get the first user account and password . Change the parameter to test' and updatexml(1,concat('~',(select concat(id,':',username,':',password) from users limit 0,1),'~'),1) and '1'='1, The error prompt in the response is as follows , It can be seen that the first account password is Dumb, The remaining account and password only need to be modified limit Parameters can be taken out one by one .
   

3.4 experimental result

1. The experiment successfully revealed the website background database account and password .
2. The key of the experiment is to construct injection parameters that can close quotation marks .

4 summary

1. understand user-agent The composition and function of ;
2. master user-agent Method of injection .