In-depth analysis: .NET application SQL injection "compromise"

Source: Internet
Author: User

Preface: the previous article gave a brief analysis of .NET application SQL injection; anyone who has not read it can find it at http://bbs.ichunqiu.com/thread-7636-1-1.html. There we saw SQL injection's "small harm": a simple login bypass.
Thinking: in the previous article we modified the SQL statement with "comments" and "conditions", and we clearly saw that after the change the condition that verifies the user had "gone missing" from the statement.
So let's think further: since we can modify the SQL statement, can we also add an SQL statement of our own?
Experiment:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Data;
using System.Data.SqlClient;

namespace sqltmp
{
    class Program
    {
        // Database connection string
        public static string strcon = "Data Source=.;Initial Catalog=sqltmp;Integrated Security=true";
        // Create the database connection object
        static SqlConnection sqlcon = new SqlConnection(strcon);

        static void Main(string[] args)
        {
            Console.WriteLine("Please enter user name:");
            string name = Console.ReadLine();
            Console.WriteLine("Please enter your password:");
            string pass = Console.ReadLine();
            Program p = new Program();
            try
            {
                // Open the database connection
                p.Open();
                // Vulnerable: user input is concatenated straight into the SQL text
                string sql = "SELECT COUNT(*) FROM admin WHERE name = '" + name + "' AND pass = '" + pass + "'";
                SqlCommand sqlcom = new SqlCommand(sql, sqlcon);
                int i = (int)sqlcom.ExecuteScalar();
                if (i > 0)
                {
                    Console.WriteLine("Login successful!");
                }
                else
                {
                    Console.WriteLine("Login failed!");
                }
                Console.ReadLine();
            }
            catch (Exception)
            {
                throw;
            }
            finally
            {
                // Close the database connection
                p.Close();
            }
        }

        // Open the database connection
        public void Open()
        {
            // Open the connection if it is in the closed state
            if (sqlcon.State == ConnectionState.Closed)
            {
                sqlcon.Open();
            }
            // Reopen the connection if it was interrupted
            if (sqlcon.State == ConnectionState.Broken)
            {
                sqlcon.Close();
                sqlcon.Open();
            }
        }

        // Close the database connection
        public void Close()
        {
            if (sqlcon.State == ConnectionState.Open || sqlcon.State == ConnectionState.Broken)
            {
                sqlcon.Close();
            }
        }
    }
}

This is the C# code from our previous article.
Let's take a look at what happens when several SQL statements are executed at once.

Experiment One:
We log in with a user name constructed so that the login itself changes the password. We change the user name to the injected value [screenshot not preserved], and we can clearly see that the user's password has been modified to 123456 [screenshot not preserved].
Running SQL Server Profiler to capture the SQL statements being executed [screenshot not preserved], a careful reader will notice that this is really two SQL statements: the first is our modified SQL statement, followed by an UPDATE statement that updates the data (the password), and ";" marks the end of an SQL statement. Of course, from here we could equally update the user name, or any data in another table.
Experiment Two:
Experiment One showed that data inside the database can be updated directly. So here is the problem: the data I updated lives in this one database; can we update data in other databases? That is what Experiment Two is about. First we create another database, testadmin, and write one row of data into it [screenshot not preserved]. Then we construct the user name [screenshot not preserved], and we can clearly see that the password has been modified to 0nise. Opening SQL Server Profiler to look at the captured SQL [screenshot not preserved], we can plainly see "use testadmin" in the code. What is that? "use (database name)" switches to that database. This is the legendary "beat pants": modifying data in another database.
Experiment Three:
Given the above, we can modify any data. Can we delete it as well? Below we delete the Admin1 table in this database. Construct the code [screenshot not preserved]. First we can see that the original Admin1 table has been deleted ("sysobjects" is the system table of the database) [screenshot not preserved]. Looking at the SQL statements captured by SQL Server Profiler [screenshot not preserved], we deleted the table with "drop table admin1" ("drop table (table name)" deletes a table), and by combining this with the method of Experiment Two we can delete any table.
Experiment Four:
Experiment Three showed we can delete any table, and with "beat pants" delete any table in any database. Can we delete another database itself? Let's use the testadmin database for the experiment. Construct the code [screenshot not preserved]: testadmin has been deleted. Same old routine: open SQL Server Profiler to view the captured SQL statements [screenshot not preserved]. What is "use master"?
Database Role
Master: the master database records all system-level information for the SQL Server system, which falls into three classes:
• all login accounts and system configuration settings
• settings for all other databases and their database files
• SQL Server initialization information
Tempdb: the tempdb database holds all temporary tables and temporary stored procedures, as well as temporarily generated worktables. The tempdb database is recreated every time SQL Server is started.
Model: the model database is the template for all databases created on the system; for example, when a new blank database is created with an SQL statement, it is created from the defaults defined in model.
Msdb: the msdb database gives SQL Server Agent a place to schedule alerts and jobs and to log operations; database backups and restores are also recorded in this database.
Resource: the resource database is a special, read-only database that contains all the system objects in SQL Server. Physically they exist in the resource database, but logically they appear in the sys schema of every database, so the resource database is a "hidden" database that we cannot see with the SQL commands that list all databases, and so on.

Use the master system database to delete the testadmin database [screenshot not preserved].
Summary: this article is an in-depth analysis of the hazards; of course, we can also prevent this situation from happening. Defense plan: http://bbs.ichunqiu.com/thread-7636-1-1.html
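The defense plan the article links to is parameterization, and the following is an added example of it (my code, not the article's or the forum's): the same login check with the user name and password sent as SqlParameter values, so no input can ever add a second statement, a "use", or a "drop" to the batch. The database, table and column names are taken from the article's code; the 50-character parameter size and the assumption that a dedicated low-privilege SQL login would replace Integrated Security in production are mine. The connection string in the original uses Integrated Security, so the application holds whatever rights its Windows account has on the instance, which is why Experiments Two to Four could reach other databases and drop them; parameterization closes the injection, and a login limited to SELECT on dbo.admin limits the damage if any other query is ever left unparameterized.

```csharp
// Added example, not the original article's code: the login check rewritten with a
// parameterized query. Names (sqltmp, admin, name, pass) follow the article.
using System;
using System.Data;
using System.Data.SqlClient;

namespace sqltmp
{
    class SafeLogin
    {
        // Assumption: in production this would be a dedicated SQL login granted only
        // SELECT on dbo.admin, not the Windows account used with Integrated Security.
        const string ConnectionString =
            "Data Source=.;Initial Catalog=sqltmp;Integrated Security=true";

        // Returns true when exactly one admin row matches. The SQL text is a compile-time
        // constant; the user-supplied values travel separately as typed parameters.
        public static bool CheckLogin(string name, string pass)
        {
            const string sql =
                "SELECT COUNT(*) FROM admin WHERE name = @name AND pass = @pass";

            using (SqlConnection con = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                cmd.CommandType = CommandType.Text;
                // With an explicit type and size, quotes and semicolons in the input are
                // nothing more than characters of a 50-character string being compared
                // against the column; they can never terminate or extend the statement.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
                cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = pass;

                con.Open();
                int matches = (int)cmd.ExecuteScalar();
                return matches == 1;
            }
        }

        static void Main(string[] args)
        {
            Console.WriteLine("Please enter user name:");
            string name = Console.ReadLine();
            Console.WriteLine("Please enter your password:");
            string pass = Console.ReadLine();

            Console.WriteLine(CheckLogin(name, pass) ? "Login successful!" : "Login failed!");
        }
    }
}
```

Two points worth noting. SQL Server accepts multi-statement batches by design and SqlClient has no switch to refuse them, so the only reliable fix is to keep input out of the statement text as above; a Profiler trace of the hardened version shows the constant statement with @name and @pass, never a second statement. And the article's screenshots show the passwords 123456 and 0nise stored in clear text; a real login table should hold a salted password hash and compare against that, which the parameterized query accommodates without any change to its shape.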
1. Communication: .NET application SQL injection has now basically been covered. If you have a better "posture" (technique), leave a message below so we can discuss it. Talking about .NET application SQL injection: http://bbs.ichunqiu.com/thread-7636-1-1.html
2. Disclaimer: the techniques discussed in this article are for technical study and exchange only; using them for unlawful acts or vandalism is strictly prohibited, and in that case all legal liability is unrelated to the author and this website.
Related links: http://bbs.ichunqiu.com/thread-8005-1-1.html
