| Penetration test is an important way to detect network vulnerability. Network manager could feel how harmful it is from doing penetration test, then build up security sense, enhance the network security efficiently according to the result of detection. So it's very significant to do research and realize tools based on penetration test.Buffer overflow and SQL injection are crucial technology in penetration test. In the thesis we will finally realize a test tool based on buffer overflow and SQL injection. The thesis introduces theories in detail of buffer overflow and SQL injection, including the buffer flow process of stack , heap, format string and single byte, two flow jump skill(replacing return address and function entrance address), writing , flow and filtering of shellcode, the theory of SQL injection, the injection attack to MSSQL Server with system table using. The injection method classified to two situations: opening feedback and shutting feedback.NBSI is one popular injection test tool aimed at MSSQL Server, but the detection method of injection is not accurate enough, and it only aimed at ASP, in the experiment of the thesis shows there are injection vulnerability in JSP. I use capturing packets tool WinSockExpert to analyze injection test and guess method of NBSI, then find out NBSI identify injection test and guess method based on state code. This method is limited from the finding that there are injection vulnerabilities in pages. We make some improvement based on it: doing injection test and guessing on state code with return information. I design key words aimed... |
PDF Full Text Request