Directly obtain access, SQL Server, and other database data

Source: Internet
Author: User

When using SQL injection to access, you may encounter problems such as Chinese passwords and key field names cannot be guessed. Using this technology can quickly solve such problems. There are two minimum technical requirements:

1. The access database system has the SQL injection vulnerability. mssql database also supports this technology.
2. You need to know the name of the table where the data to be burst is located and a field name under the table, which is generally an id field.

The obvious advantages of using this technology are:

1. quotation marks are not required. Filtering quotation marks does not affect this technology.
2. You can quickly know the content of sensitive data without having to guess the content of Chinese characters or special characters.
3. the SQL Server can quickly obtain sensitive data content after blocking error messages.
4. You can still get the desired data if you do not know the field name of the key (data to be queried ).

At first glance, this technology may be difficult, but it is actually very simple. There are two difficulties. Generally, the first one is easy to think of after seeing the results, but the second one is indeed a little troublesome.

First, let's look at a table, which is the union syntax. This is also the main principle of data burst. As shown in:

 

After we use SQL Inject Technology to insert a union statement, if the two select queries have the same number of columns, after the entire SQL statement is executed, the query result is the data obtained by the select statement after the union operation. So it is possible to blow out the data we need. Let's look at a simple example:

Asp? SoftID = 3903% 20 union % 20 select % 20 username "target = _ blank> http://www.chinakj.com/SoftView.asp? SoftID = 3903% 20 union % 20 select % 20 username, password, 1%, 20 from % 20 admin

This is an SQL Server that disables the return of error messages, so it cannot directly obtain sensitive data according to previous methods. After inserting the union statement through SQL Inject, You can boldly guess that the executed SQL statement is changed:

Select * from Soft where SoftID = 3903 union select username, password, 1 from admin

Under normal circumstances, the username and password fields of admin will be displayed when the Soft 1st and 2 fields are displayed, and the three following ones are replaced by the same. Based on this feature, we can also directly obtain the username and password fields in the Admin_UserInfo table. The constructed statement is as follows:

Http://www.chinakj.com/SoftView.asp? SoftID = 3903% 20 union % 20 select % 20 username, password, 1%, 20 from % 20Admin_UserInfo % 20 where % 20 username <>

The above is the simple use of union to obtain sensitive data, rather than the complex brute force dismantling. To achieve the goal of getting data from a field without knowing its name, we should naturally think of using * to replace the field name. In this way, as long as the number of fields plus a few 1 is the same as the number of fields in the select query table in the script, you can also get data without knowing the field name.

In such a case, there is a statement: select id, hit, softname, softURL from soft where id = 10. The fields that can be normally displayed on the webpage are softname and softURL. When using union, we should adjust *'s location. Generally, the structure of the admin table is id username password, when injecting the preceding assumption statement, we should construct the SQL statement: select 1, * from admin. Place the username and pssword fields replaced by * in the positions of the softname and softURL fields, so that the webpage can hand over the username and password fields we want. Of course, this is just the simplest example. In many cases, there may be more than a dozen fields in a table. The longest field I encounter is forty-three fields. If select * is used in the script for query, we should use 1 to count to forty-three fields in the Construction of union select. Of course, some fields are not displayed on the webpage, so you need to consider the position of the * after the union select statement. I don't need to say much about this.

The preceding syntax fully complies with SQL Server. However, compared with SQL Server, Access is really a little dumb. In SQL Server, when we use the select *, 1 from admin statement to query the records, the set is * 1 1 1. However, the query result of the preceding statement in access is 1 1 *, that is, no matter where you place the * number in the middle of this group of 1, * The data is always at the end of the query result. The following is an example of a complex point:

Http://www.hnp2p.com/mov/view.asp? Id = 1916% 20 union % 20 (select %, from % 20 admin)

This site uses an access database. The fields displayed normally are 2, 3, 7, 8, 10, and 11, but the following fields are not displayed, change the number * after removing the numbers, 15, and 16. The page also displays numbers. That is to say, the number of fields in the admin is three, which must be the id username password structure, however, other fields except the id field cannot be guessed. Follow the method used in the preceding SQL Server to move the * number in order to burst sensitive data, which is not feasible in access. The reason is that access always places * Replaced fields at the end of the query dataset. The Access query results are always like 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. To represent the fields replaced by *, we must move the fields replaced by * to other positions. First look at the results:

Http://www.hnp2p.com/mov/view.asp? Id = 1916% 20 union % 20 select % 201, * % 20 from % 20 (admin % 20as % 20a % 20 inner % 20 join % 20 admin % 20as % 20b % 20on % 20a. id = B. id) % 20 inner % 20 join % 20 admin % 20as % 20c % 20on % 20c. id = B. id) % 20 inner % 20 join % 20 admin % 20as % 20d % 20on % 20d. id = c. id) % 20 inner % 20 join % 20 admin % 20as % 20e % 20on % 20d. id = e. id

Through the execution of statements constructed in this way, the final data format obtained by the query is
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1,. id. name. pwd B. id B. name B. pwd c. id c. name c. pwd d. id d. name d. pwd e. id e. name e. pwd

The 3rd and 7th fields are exactly the values of the username and password fields we want. Here I use the join syntax to join two tables (ADD) to construct such a query result that meets our requirements.

Join is divided into full Join, left Join, and right Join. You can view the SQL syntax for specific differences. In access, no matter which connection method we select, the effect is equivalent to all connections. Let's look at a simple join syntax.

SELECT *
FROM (Table 1 inner join table 2 ON table 1. No. = TABLE 2. No)
Inner join table 3
ON Table 1. Sequence Number = TABLE 3. Sequence Number

The conversion to an instance is:

Select 1, 2, 3, 4 ,*
From (admin as a inner join admin as B on a. id = B. id)
Inner join admin as c on c. id = B. id)
Inner join admin as d on d. id = c. id

In this format, you can extract the SQL statement actually executed by the preceding url, instead of using join to connect to the data table admin, and then filling in the number of fields with 1. As long as the statements are properly constructed, all the data of field names can be displayed on the page. This is the technical difficulty.

All of them are described. If you want to write this technology into a program, it is also very likely. However, we recommend that you use the human brain when constructing statement structures ~~~ Haha

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.