We all know what SA privilege in MSSQL means; it is paramount. Today I will talk about the harm it does, specifically using the NBSI upload function to get a webshell. Before I start, a few conditions have to be met before a shell is possible:
1. There is a SQL injection, and the database type is MSSQL.
2. The permissions to connect to the database must be SA.
3. Background must have the file upload program.
Well, we found a website, hxxp://www.6x36x.com/fangchan/listpro.asp?id=53, and had a look at it with NBSI.
Well, the database type is MSSQL and the permission is SA, but the third condition is not yet confirmed. Find an article on the site (news) and look at the address of the picture inside it. Good! I can see hxxp://www.6x36x.com/admin/uploadpic/2xx5042823082994329.gif. Do you understand? The name 2xx5042823082994329.gif in particular tells us that the back end has a file upload function. What next? Well, find the path where the site lives. This all depends on the NB Commander (NB Tree_list) function of NBSI (I recommend NB Commander here; you will see why as you read on). Finding the real path of the site takes a certain amount of time and depends on your patience, but I dare say that if you are patient you will definitely find it. Here I found the site at D:\9x3x9. Next came the back end; I soon found admin/login.asp and then tried to crack the account and password. But this time the cracking ran into a problem: it could not get his account and password at all. Were they empty? I did not believe it, so I tried to log in and failed. From this point on the NB Commander function is very important (we all know that directory listing can be done with the NB command and NB Tree_list). I found the file conn.asp, and used `type D:\9x3x9\admin\logining.asp` to look at the source code.
It was tough enough! Reading the code was no problem; the Admin table fields are exactly the same, nothing more. Who can tell me the reason? Please tell me and get this rookie out of his confusion. If I cannot enter the back end, how do I upload a picture? Here I used the NBSI upload function. I tried, and it did not succeed: after I uploaded it, I saw every line of the code repeated three times, and I do not know why. Getwebshell and "smelly beggar" gave the same result.
I wanted to see how its session is validated, so again `type D:\9x3x9\admin\quanxian.asp`. The analysis soon showed that it assigns Session("WSL") a value of 1. Haha! I wrote a very simple program. With the NBSI upload function (I think it still works no matter how many times the lines are repeated, what do you think? If the password is MD5 we do not need to crack it; getting a session is enough), I uploaded it and saved it as 1.asp, then visited hxxp://www.6x36x.com/admin/1.asp, then hxxp://www.6x36x.com/admin/admin_index.asp, and so got into the back end. Tested locally.
Tip: Session variables and cookies are the same kind of thing. If a user sets the browser to refuse all cookies, that user cannot use session variables! When a user accesses a page, the running environment for each session variable is created automatically, and these session variables remain for 20 minutes after the user leaves the page! (In fact these variables are retained until the "timeout".) The length of the "timeout" is set by the web server administrator; on some sites the variables last only 3 minutes, on some 10 minutes, and others keep the default of 20 minutes. So if you place a large object in the session (such as an ADO recordset or connection), there is trouble! As the site's traffic increases, the server will stop functioning properly!
Because session variables are created very casually and can be invoked at any time, they do not force the developer to do any careful handling. Therefore, overuse of session variables makes the code unreadable and hard to maintain.
So I found the place to upload pictures, changed the ASP trojan to .gif and uploaded it. Remember the upload name; here it is uploadpic\2xx56171430123.gif. Then what? Haha, I remembered: copy the picture into a .asp, or rename it to .asp.
Well, at this point our horse has gone up; I will not go into what comes after.
Summary: SA really does bring us a lot of harm, so programmers connecting to an MSSQL database must not use it; otherwise the chance of the server becoming a zombie (a "chicken") is very, very high. Also, remove the MSSQL extended stored procedures you do not use; if they are kept, they are a sharp weapon for hackers.
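As an added defensive example that is not part of the original post, the two recommendations in the summary expressed in T-SQL: a least-privilege login for the site instead of sa, and turning off the extended stored procedures an SA-level injection relies on. The database name fangchan_db, the login name fangchan_app and the password are assumed placeholders.

```sql
-- Added example, not from the original post.
-- Placeholders: fangchan_db (site database), fangchan_app (application login).

-- 1. A dedicated login for the web application instead of sa.
CREATE LOGIN fangchan_app WITH PASSWORD = '<strong-password-placeholder>';
USE fangchan_db;
CREATE USER fangchan_app FOR LOGIN fangchan_app;
-- Only what a listing page needs: read and write its own tables.
-- No db_owner, no sysadmin (SQL Server 2012+ syntax; older versions use
-- EXEC sp_addrolemember 'db_datareader', 'fangchan_app').
ALTER ROLE db_datareader ADD MEMBER fangchan_app;
ALTER ROLE db_datawriter ADD MEMBER fangchan_app;

-- 2. Disable the extended stored procedures that let an SA-level
--    injection run commands or write files on the server.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. Stop sa being usable from the application at all.
ALTER LOGIN sa DISABLE;

-- 4. Checks: both options should show value_in_use = 0, sa should be
--    disabled, and the application login must not be sysadmin/db_owner.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

SELECT name, is_disabled FROM sys.server_principals WHERE name = 'sa';

EXECUTE AS LOGIN = 'fangchan_app';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner;   -- expect 0, 0
REVERT;
```

The checks in step 4 are the ones to run after deployment; an application login that reports 1 for either column still has the SA-equivalent reach the post describes.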