SQL Injection Without Table Creation

Source: Internet
Author: User

Last time I saw an article about xp_dirtree under MSSQL injection with PUBLIC permission (< Tree reuse>), and it inspired me to think about how to use xp_dirtree. Must I have the table creation permission? Why can't I use tables already created by others?

Here we will only discuss how to do this with tools. Next we will talk about how to integrate my ideas (already implemented).

Find an injection point where table names can be guessed, and use HDSI to guess the table names and check the number of data records. Then pick a table that preferably has 0 rows, look at its column types, and find two NVARCHAR or VARCHAR columns:

INSERT tablename (col1, col2) EXECUTE master..xp_dirtree 'C:\'

The col1 type must be nvarchar or varchar. The col2 type can be a numeric or character type, but not ntext or text, because ntext and text are not false.

Then you can guess and use it again. This is where you can use your imagination in the next step.

Another point is that xp_dirtree runs with only the public permission, which means that as long as the website and the database are not hosted separately, you can list the site's directories.

Public does not have SELECT, INSERT, or UPDATE permission, but the actual situation I encountered yesterday was that the virtual machine had modified the public permission for the convenience of users. As for the public permission you encounter, you should test it yourself.
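
For defenders, the INSERT ... EXECUTE xp_dirtree statement above leaves a recognisable trace in web server logs. The following is an added example, not part of the original article: it scans access-log lines for that statement after undoing the mixed case and odd spacing shown above, and it also handles nested URL encoding and inline comments, which go beyond what the article shows. The log lines, hosts, paths and verdict names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus
# Constructed access-log lines; hosts, paths and the table name are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.asp?id=12;Insert%20tablename'
    '%20(Col1,col2)ExECutE%20master%20..%20xp_dirtree%20%27C:%5C%27-- HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:02:30 +0000] "GET /news.asp?id=1;exec%2520master..'
    'xp_dirtree%2520%2527d:%255c%2527 HTTP/1.1" 500 312',
    '198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /search.asp?q=xp_dirtree+docs HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# EXEC or EXECUTE, then an optional database/schema prefix, then xp_dirtree.
EXEC_CALL = re.compile(r"\bexec(?:ute)?\s*(?:[\w\[\]]*\.){0,2}xp_dirtree\b")
# The same call fed into a table that already exists: INSERT t (a, b) EXEC ...
INSERT_EXEC = re.compile(
    r"\binsert\s+(?:into\s+)?[\w.\[\]]+\s*\([^)]*\)\s*" + EXEC_CALL.pattern)

def normalize(raw: str) -> str:
    """Undo nested URL encoding, inline comments, mixed case and stray spacing."""
    text = raw
    for _ in range(3):  # bounded loop copes with double encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # /**/ standing in for a space
    text = re.sub(r"\s+", " ", text).lower()
    return re.sub(r"\s*\.\s*", ".", text)  # "master .. xp_dirtree" -> "master..xp_dirtree"

def classify(line: str):
    """Return a verdict string for a suspicious request line, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    sql = normalize(match.group(1))
    if INSERT_EXEC.search(sql):
        return "insert-exec-xp_dirtree"  # listing captured into an existing table
    if EXEC_CALL.search(sql):
        return "exec-xp_dirtree"  # bare call without the INSERT wrapper
    return None

def scan(lines):
    return [(line.split()[0], verdict) for line in lines if (verdict := classify(line))]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

POST bodies do not appear in access logs, so covering them means running the same normalize and classify steps over WAF or database audit text instead.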
 
