SQL SERVER 2017 HOSTING – Comprehensive SQL Server Manual Injection Tutorial

Get Basic Information

The first step is to get basic information. Check whether stacked queries are supported:

Determine whether the web server and the database are on separate hosts:

Check whether the xp_regread extended stored procedure exists:

Extract the host name:

Extract the current database:

Get User and Privilege Information

The next step is to get user and privilege information. Extract the current database users:

The following commands apply only to SQL Server 2005 and above:

Get The Database Information

After getting the basic information and the user and privilege information, get the database information. Number of all databases:

Number of user databases:

Extract the databases one by one:

Extract all databases at once (SQL Server 2005 and above only):

FOR XML PATH converts the output of a query into XML format. If you get the error “string or binary data will be truncated. Statement has been terminated.”, the amount of data is too large; use the substring function to extract it in several passes. Besides that

Get The Table Information In The Database

Number of tables in the specified database:

Extract the tables of the specified database:

Extract all tables of a database at once (SQL Server 2005 and above only):

Get The Information From The Columns In The Database Table

Number of columns in the specified table:

Extract the columns of the specified table:

Retrieve Data

Number of records in the specified table:

Extract the data of the specified column one by one:

Extract all fields of the specified table one record at a time (SQL Server 2005 and above only):

Extract N records with all fields at once (SQL Server 2005 and above only):

Insert, Update, Delete, Order By, Group By, Top Injection




Order By:

Group By:


Use of Stored Procedures

Commonly used stored procedures:

Check whether it is enabled:

Use xp_cmdshell

Check if xp_cmdshell is enabled:

Remove xp_cmdshell:

Enable xp_cmdshell (requires the database to support stacked queries):

Use xp_cmdshell to execute system commands:

Different Penetration Methods

SA Permissions:

+ If the target server has Remote Desktop open, directly create a system account and password and log in remotely to gain access to the target server:

+ If the target server does not have Remote Desktop open, use the following command to open it:

DB_OWNER Permissions:

The main idea is to list directories, then use a backup to get a shell.

1. Obtain the web physical path:

Create a table with four fields: the first three store the results returned by the xp_dirtree stored procedure, and the ID field makes it easy to query specific entries.

Use xp_dirtree to insert the files and folders of the specified path into the table.

Enumerate the id values of the temporary table to read out the stored files and directories one at a time.

Read out all the files and directories stored in the table at once. SQL Server 2005 and above only.
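
From the defender's side, the constructs this tutorial relies on (xp_regread, xp_cmdshell, xp_dirtree and FOR XML PATH) are useful indicators to hunt for in web request logs. The detector below is an added example, not part of the original tutorial: the log lines are constructed, and the names `normalize`, `scan_line` and `scan_log` are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the steps named in this tutorial.
INDICATORS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "xp_regread": re.compile(r"\bxp_regread\b"),
    "xp_dirtree": re.compile(r"\bxp_dirtree\b"),
    "for_xml_path": re.compile(r"\bfor xml path\b"),
}

# Constructed sample access-log lines (placeholders only, no real payloads).
SAMPLE_LOG = [
    '203.0.113.9 "GET /news.aspx?id=7 HTTP/1.1" 200',
    '203.0.113.9 "GET /news.aspx?id=7%3BEXEC+XP_CmdShell+%27PLACEHOLDER%27 HTTP/1.1" 500',
    '203.0.113.9 "GET /news.aspx?id=7%2520xp%255Fdirtree HTTP/1.1" 500',
    '203.0.113.9 "GET /news.aspx?id=7+FOR/**/XML/**/PATH HTTP/1.1" 500',
    '203.0.113.9 "GET /docs/xml-path-guide.html HTTP/1.1" 200',
]

def normalize(raw: str, max_rounds: int = 3) -> str:
    """Undo layered URL encoding, drop inline SQL comments, fold case and whitespace."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # /**/ used as a space
    return re.sub(r"\s+", " ", text).lower()

def scan_line(line: str) -> list:
    """Return the sorted indicator names found in one log line."""
    norm = normalize(line)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(norm))

def scan_log(lines) -> dict:
    """Map 1-based line numbers to the indicators found on that line."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits[number] = found
    return hits

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(found)}")
```

Matching on the normalized text is what catches the mixed-case, double-encoded and comment-split variants; a plain substring search on the raw line would miss lines 3 and 4 of the sample.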