What is SQL injection?
SQL injection is one of the common means by which hackers attack databases. With the growth of B/S (browser/server) application development, more and more programmers use this model to write applications. However, because programmers' skill and experience vary widely, a considerable number of them do not check the legitimacy of user input when writing code, which leaves the application with security risks. A user can submit a piece of database query code and, from the results the program returns, obtain data he wants to know. This is the so-called SQL injection. SQL injection arrives through the normal WWW port and looks no different from ordinary web page access, so the firewalls currently on the market will not raise an alarm for SQL injection. If the administrator is not in the habit of viewing IIS logs, the system may be compromised for a long time without anyone noticing. The method of SQL injection is, however, quite flexible, and many unexpected situations are encountered during injection, so cleverly constructed SQL statements are needed to successfully obtain the desired data.

The general idea of SQL injection attack

Discover the location of SQL injection;

Judge the type of the back-end database;

Determine the executable conditions of XP_CMDSHELL

Discover WEB virtual directories

Upload ASP Trojan horse;

Obtain administrator rights;

Steps of SQL injection attack

First, the judgment of SQL injection vulnerabilities.

Generally speaking, SQL injection generally exists in the following form: Options-Advanced-Check before displaying friendly HTTP error messages.

In order to explain the problem clearly, the following is the user aabbb/add "-" (master is the main database of SQL Server; the semicolon means that SQL Server, after it finishes executing the statement before the semicolon, continues to execute the statements that follow; the "-" sign is a comment marker, indicating that everything after it is only a comment and the system will not execute it). This can directly add an operating system account aaa with the password bbb.

4. Local group administrators aaa/add "- Add the newly added account AAA to the administrators group.

5.' pub\wwwroot\save.db' backs up all the data obtained to the WEB directory, and then downloads this file with HTTP (of course, you must know the WEB virtual directory first).

6. Create UNICODE vulnerabilities by copying CMD.

Pub\scripts\cmd.exe "creates a UNICODE vulnerability and controls the whole computer by using this vulnerability (of course, you must know the WEB virtual directory first).
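The introduction notes that injection goes unnoticed when nobody reviews the IIS logs, and the steps above rely on a semicolon, XP_CMDSHELL and a trailing comment marker. The following is an added example, not code from the original page: a small scanner that flags those markers in IIS W3C log entries. The log lines, paths, addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the page). The third and fourth
# requests carry the same markers; the fourth is percent-encoded and mixed-case.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-05 10:00:01 GET /abc.asp id=49 192.0.2.10 200
2024-01-05 10:00:04 GET /news.asp title=rock-n-roll;live 192.0.2.10 200
2024-01-05 10:00:09 GET /abc.asp id=49;EXEC+xp_cmdshell+%27PLACEHOLDER%27-- 192.0.2.77 200
2024-01-05 10:00:12 GET /abc.asp id=49%3BeXeC%20Xp_CmdShell%20%27PLACEHOLDER%27%2D%2D 192.0.2.78 200
"""

# Rule names are this example's own. Patterns are applied to the decoded query.
RULES = [
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    # A semicolon followed by a statement keyword: a second statement was appended.
    ("stacked-statement", re.compile(
        r";\s*(exec|execute|declare|insert|update|delete|drop|backup)\b", re.I)),
    # T-SQL line comment ("--") at the very end, used to cut off the rest of the query.
    ("trailing-comment", re.compile(r"--\s*$")),
]

def scan_iis_log(text):
    """Return [(client_ip, uri_stem, [rule names])] for requests matching any rule."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                       # IIS writes "-" for an empty field
            continue
        decoded = unquote_plus(query)          # undo %XX and "+" before matching
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if matched:
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"), matched))
    return hits

if __name__ == "__main__":
    for ip, stem, rules in scan_iis_log(SAMPLE_LOG):
        print(ip, stem, ",".join(rules))
```

Matching on the raw query string would miss the percent-encoded request, which is why the scanner decodes before applying the rules.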